How easily my bank account was very nearly hacked
My personal bank account was hit by fraudsters yesterday and, although I feel stupid telling you how and why it happened, I feel it's a story of "our times" and a wake-up call for vigilance.
By the way, there is a happy ending. Hats off to Barclays who picked the transactions up literally within minutes, connected with me and we had the situation resolved within an hour.
So let me take you back to my mistake and set the scene:
Like everyone, hardly a day goes by that we don't greet at least one (or more) delivery drivers at the front door - DPD, The Post Office, Amazon Prime, supermarkets et al. We actually know our DPD driver on first-name terms now;
Sometimes, Annie might be out and I may be on a call, in which case the doorbell may ring, the dogs bark and the driver leaves another parcel in our covered porch;
On Wednesday I opened an email from DPD, explaining that they had tried to deliver a parcel for which a signature was required and that nobody had answered the door (strange - I don't remember a doorbell);
Here comes the scam - and I repeat below the text of the email if not the graphics:
1. The receiver was absent, meaning there was no one at the address to receive the parcel.
2. The delivery address was incorrect/incomplete.
3. The courier could not access the delivery location.

If the courier driver tried to deliver a parcel but was unsuccessful, there are three things that can happen. Read on to stay with us and find out what you can do if you face in case of a failed delivery attempt.

As we have been unable to determine the full address for this package, the parcel has remained in our depot. From here, you can take several different options:
Update and complete the delivery address provided here > LINK
Then arrange delivery of the parcel to an alternative address
Like you - I'm running fast every day - dealing with multiple messages across various broadcast channels - email, Messenger, Slack, FaceTime, Zoom, notifications.
So I saw the email from DPD - assumed it was kosher, wanted to get it dealt with so that I could move on and, when asked to confirm my personal details, including a payment of £2.20 to have the parcel redelivered (I know, I know - stupid) - it was only halfway through the transaction that I suddenly stopped and thought "this doesn't make sense - nobody from DPD ever charged me for redelivery before?"
I did stop. I did delete the email and block the sender - but not before I had entered my debit card number (although no other details) onto a screen that I deleted before pressing any send or submit button.
Too late - damage done.
At the time - I thought nothing more of it - and returned to my daily activity.
At 15:00 yesterday I was being interviewed by Andy Legg for The Campbell Academy podcast.
At 15:01 the first of three payment authorisations was requested for transactions with Next Directory.
At 15:04 Barclays sent me a text message to tell me they had blocked my account, pending confirmation that the payments were genuine (pretty good eh?).
At 15:45 I had concluded my interview and immediately called Barclays, where Andy (from Barclays, not the dentist) and I spent 30 minutes reviewing, confirming the fraud and taking the necessary action to prevent further abuse and issue a new debit card.
One of the three payments to Next Directory was declined - the other two are still sat there in my pending transactions and Barclays tell me that if they simply expire, there will be no fraud as such - only if the money leaves my account will I have to reconnect and start formal proceedings. They reassured me that, in the latter event, the funds will be returned come what may.
By all means, go ahead and call me a mug - it's OK.
I think I'm savvy enough to spot this, particularly false emails.
This one got through, largely because I'm busy, rather than irresponsible or naive.
Be vigilant - even when you are working at speed.
Thank you Barclays Bank - excellent system and equally excellent customer service.