Spanish banking giant Santander has announced the first graduate from the Santander Scam Avoidance School. Alec Daniels, 86, sent a phishing email and breached a public Wi-Fi hotspot in 16 minutes 40 seconds. All of this took place under the guidance of security expert Marcus Dempsey.
Chris Ainsley, Head of Fraud Strategy at Santander UK, commented: “Our experiment demonstrates just how easy it is for criminals to send phishing emails and hack WiFi hotspots.
“We have seen the devastating results that fraud and scams can have on our customers and how much damage can be done if hackers get hold of even a small amount of personal detail.
“It’s great to have Alec on board to help out – having talked about scams with thousands of over 60s through our SAS it is good to get him involved to help spread the word. Raising awareness and educating people on how to protect themselves is vital to effectively tackling the criminals who ruin people’s lives.”
What did Daniels do as part of the Santander SAS?
Prior to taking part in the Santander SAS, Daniels had little experience of computing. After a little work with Dempsey, Daniels was given two timed challenges.
Challenge one: Write and distribute a phishing email. Using online search tools, Daniels was able to find templates and guides on how to create a realistic and believable phishing email. The email pretended to come from a fictitious company called MoneySpark. It asked for bank account information and had a link that recipients could click on. This took 13 minutes.
Challenge two: Hack a public Wi-Fi hotspot. Once again, Daniels used the Internet to find a guide. He created a rogue access point to conduct a man-in-the-middle attack. He then used that to capture and intercept traffic from a laptop. This took just 3 minutes and 40 seconds.
Carried out under controlled conditions, both tests highlight some serious concerns. Phishing emails drop into inboxes on a daily basis. Many are poorly written and easily spotted. However, an increasing number are so professional they can be hard to distinguish from real emails.
Certified ethical hacker Marcus Dempsey commented: “Unsecured public Wi-Fi networks can be easy pickings for criminals. By inputting passwords, bank details and confidential information into online banking or shopping websites over a public WiFi, people could be unknowingly putting their finances and identities in the hands of hackers.
“Perhaps even easier than hacking WiFi is sending scam correspondence, particularly phishing emails. If Alec, with no previous knowledge of how to do this, can write and distribute a convincing phishing email in a matter of minutes, it’s worrying to imagine the potential damage that actual scammers could be doing.”
Staying safe online
Santander and Dempsey have given their recommendations on staying safe online:
Wi-Fi hotspot protection
- Ensure a WiFi hotspot is genuine: it’s easy to set up official-looking networks, so verify with shop staff before logging on. Providers can help by displaying the network name in store.
- HTTPS: If you need to use your card details online, make sure the website you are on has ‘HTTPS://’ at the start and has a green padlock against it.
- Get a Virtual Private Network (VPN): Not all sites will display the HTTPS lock symbol, but a VPN will act as an intermediary between your device and the internet server, putting up a further block for any would-be eavesdroppers or hackers.
- Forget the network: don’t just log off – ask your device to forget the network so it doesn’t automatically log on if you’re within range later.
A genuine bank or organisation will never contact you unsolicited to ask for your PIN, full password or to move money to another account. Don’t give out personal or financial details including passwords and PINs unless it’s to use a service you have signed up to, and you’re sure that the request for your information is directly related to that service.
- Never click on a link or download anything in an unsolicited email. Doing so could let scammers infect your computer with malicious software that will swipe your personal details or could allow criminals to access your device remotely.
- If you get an email from somebody asking you to change some payment details, don’t do this without checking it out thoroughly first. The email may have been sent by a hacker rather than the genuine supplier.
What does this mean?
Phishing emails are a daily annoyance for most people. They drop into inboxes just as easily as junk mail comes through letterboxes. While most are easy to spot, the level of professionalism in some is worrying. Detecting the difference means careful reading of the email. However, with the amount of email people get, they don’t have the time to read carefully. This means that phishing emails will still continue to harvest personal data from individuals.
The use of public Wi-Fi to get online is no longer a nice-to-have but a must for most people. They often switch from mobile data to a Wi-Fi hotspot for more speed and reliability, especially in city centres. It makes them an easy target for hackers in coffee shops, cafes, hotels, railway stations and many other places. As Santander and Dempsey say, use a VPN. These are available for all operating systems today. They are cheap and most are easy to use.
As with everything online, assume it has risk attached. With that approach in mind, it is possible to avoid the worst of the Internet.