Topical hacking

Let’s roll back a week when everything was rosy in the English garden – well, at least in terms of football. The nation was on a high as a victory over Denmark in the European Championships Semi-Final would see the country take on Italy for the right to be proclaimed Champion of Europe. Talk was of trying to find tickets and replica shirts, both as rare as an England appearance in the final itself.

With little chance of finding a current replica shirt, unless you were a politician where it seemed you only had to stand in front of a camera to get a “box fresh” one, complete with creases, fans looked at the next best thing and went retro. Like any sporting side, there have been a fair few terrible kit designs over the years mixed in with a few design classics. Thankfully, most of the latter (and some of the former), have been produced again and sold through websites over the last few years. In fact, the retro sporting shirt market is probably as strong today as it ever has been, with many fans shunning the incredibly expensive new shirts and preferring the bygone day look.

One company that has been providing these retro shirts for many years is Classic Football Shirts. They offer a fantastic range of replica shirts (over 30,000 different shirts), at decent prices and are an example of a small business that has found its niche and become quite big (remember my adage of “Get Big, Get Niche or Get Out”? Here’s an example of how being niche can lead to growing big). With the whole nation becoming gripped with football fever, what better time to buy a retro shirt?

Sensing the demand out there, as if by magic emails started appearing in inboxes from the company offering a 15% cash back on previous orders to customers – what a fantastic gesture. Except it wasn’t from Classic Football Shirts. The emails looked like they were but there were some tell-tale signs that it wasn’t from them. The emails were phishing attempts, looking to cash in on the football euphoria and a short supply of the replica England shirts.

The email address it came from had an extra “s” in – classicsfootballshirts.co.uk – a domain name registered on the 25th June that at first glance doesn’t raise any red flags. The email itself contained poor grammar that should have been a warning sign for a scam, but for many customers, not based in the UK or who may not be fluent in English, it was an offer too good to miss. All they needed to do was click on a link in the email and complete the form to get their 15% cash back.

The firm reacted quickly when it became aware of the issue (within 30 minutes of emails being received by customers), promising an immediate investigation. They took the correct course of action in contacting the authorities and informing customers of the situation. What is clear is this was a very deliberate and targeted attack, with the fraudsters taking advantage of the footballing euphoria in the country. The domain name still appears to be registered although any website attached to it has been removed.

Whilst there are still ongoing investigations on the source of the attack and what data was used by the scammers, it is a timely reminder to all of us about taking a moment to check any similar offers that appear to be too good to be true. In this case, ask yourself why the company would simply be giving free money away rather than, for instance, discounting future orders. It doesn’t matter how small or big an organisation is – one of their core objectives is to make money and giving it away is contrary to that strategy.

A week on and we are all footballed out. The bunting has come down, the wallcharts put away and those little flags you attach to the windows in your car lie discarded on roads up and down the country. Security incidents like this remind us that no firms are safe from the eyes of the fraudsters and that we, as consumers, need to be cautious about any too-good-to-be-true offers we receive. In doing so we all become part of the solution rather than the growing problem of online fraud.

It’s coming home…but is it real?

After 18 months of restrictions, regulations and downright misery for many in England, the performance of the England National Football Team in the European Championships has been a source of escapism for many and downright joy and national pride for the rest. In case you didn’t already know, It’s coming home* this week. Should England overcome Denmark at Wembley on Wednesday night they will face a final in London on Sunday night against either Italy, the favourites, or previous winners, Spain. It’s a tough ask, but the team under the management of Gareth Southgate has given the nation hope at a time when it was seriously lacking. Good times indeed. But good times also bring bad people out in force, looking to exploit the situation and profit from the opportunity.

The interest and support for the England team has led to unprecedented demand both for tickets for games to see them play at Wembley and for replica shirts. Prior to the tournament, an official Nike England shirt (adult size) would cost a minimum of £70, and there was stock with most of the online retailers. Three weeks later and it is almost impossible to find one in the same stores.

That is excellent news for Nike, the manufacturer, the retailers and also the Football Association who will also get a cut from each sale. But it is also excellent news for the scammers and counterfeiters who will play on that increased demand and limited supply to fill the vacuum. There have been adverts on social media in recent weeks, carefully designed to say they aren’t selling the actual Nike replica shirts, but using language and imagery that suggests they are. Many of these stores will be genuine, but the products will not be what people are expecting. But there will also be online retailers who are offering what appear to be the genuine items but nothing will ever arrive – the buyers will have been scammed out of personal and financial information. That is hardly a feel-good moment. Unfortunately, it doesn’t take much searching to find websites selling the shirts at what appears to be too good to be true pricing (search “cheap England replica shirt” and see for yourself), whilst a search on some of the more popular marketplace websites reveals very cheap products, but using imagery from the back, which means the images avoid detection from brand recognition software and also allows the sellers to ship low quality goods.

The cheap and often infringing merchandise situation is nothing new. In the US, Operation Team Player is the annual crackdown on merchandise around the Super Bowl. In the days leading up to the last Super Bowl in Tampa in February 2021, over 169,000 counterfeit items, with a street value of $44 million were seized. The war on counterfeits continues, fuelled by rampant demand for products such as the replica shirts.

It isn’t only fake merchandise which will cause issues in the next week for football fans. Whilst the number of fans allowed into Wembley has increased as social distancing regulations have been relaxed, the 90,000 capacity stadium will not be full, which means tickets will be at an extra premium. The face value price for tickets for the Final on Sunday range from £250 to approximately £815. Ticket resale websites are selling them from £1,800 per ticket up to £15,000.

If England do beat Denmark then demand for a place at Wembley for the team’s biggest game in over 50 years will be huge. The good news is that Covid-19 has meant that paper tickets have been replaced by e-tickets, which can be transferred securely via the UEFA App, so the sight of ticket touts/scalpers, on the way to the stadium with fistfuls of tickets is thankfully a thing of the past. However, like genuine buyers, they too have gone digital and will claim to be able to transfer tickets immediately to a willing buyer.

With entry on digital devices by QR Codes, the danger is that rather than tickets being sold, they are screenshots of a genuine ticket, sold multiple times, which can only be verified as genuine on arrival at the stadium and presentation of the QR code. If it has already been used, then access will be denied, meaning someone could have paid a huge sum for what appears to be a genuine ticket, only to find out at the last minute it is counterfeit.

Unfortunately, there is very little that can be done to stop this happening – should England lose to the Danes then that is one way whereby demand will fall very quickly, but even then tickets will be changing hands above face value for the final.

The message hasn’t changed – if something looks too good to be true it probably is, whether that is an England shirt for a big discount or tickets to the sold out final. Whilst we all want to play our part in supporting our nation in what could be our biggest and most successful week of football since 1966, we also need to be pragmatic enough not to be part of the problem fuelling intellectual property infringements and making the lives of the fraudsters easier and richer.

Enjoy the games and Come On England!

And yes, I do believe It’s Coming Home*

*It’s coming home is the opening line to a song, first released back in 1996 by Frank Skinner, David Baddiel and The Lightning Seeds for the 1996 European Championships held in England, and re-released two years later for the 1998 World Cup. Unfortunately, England didn’t manage to bring the trophy home on either occasion, nor at any subsequent tournament they have taken part in.

Copy that. No return on investment from cloned firms

Investment scams have been with us for hundreds of years. The South Sea Bubble investment scam dates back to 1720 and cost hundreds of investors their life savings. Ponzi schemes were the flavour of the times at the turn of the millennium to entice innocent investors to part with their money, whilst the current trend of cryptocurrency based fraud is a major concern for authorities.

The 2000 film ‘The Boiler Room’ focused on a chop stock brokerage firm that runs a “pump and dump”, using brokers to create artificial demand in the stock of delisted or fake companies. When the firm is done pumping the stock, the firm founders sell and trade for legitimate stocks for record profits. However, the investors then have no one to sell their shares to in the market when the price of the stock plummets, causing them to lose their investment.

Whilst the film focused on the fictitious investment firm “J.T Marlin” and their illegal practices, it isn’t a pure work of fiction. Rogue investment companies exist today, to such an extent that the Financial Conduct Authority (FCA) have issued a report on clone investment scams.

In 2020 scammers sold more than £78 million in fake investment products in the UK alone, with the average loss to victims over £45,000. Some may think a 20 year old film was a work of fiction but it seems that clone investment firm scams are closer to the truth than we all believe.

The modus operandi used by many of these fraudulent firms is in the first instance to replicate/copy/rip-off legitimate firms, licensed in the case of the UK by the FCA. Websites can be quickly copied, replacing the name of the firm and the logo within a few minutes. Domain names can be easily registered, now using relevant gTLDs such as .Fund or .Investments, investment material and fake prospectuses can be generated quickly. It doesn’t take too long, too much investment and too many innocent victims for a fraudulent financial services firm to be making a profit.

The concept of the “Boiler room”, a high pressured, cold calling sales environment is often the starting point for the fraudsters, using cheap labour to plough through lists that have been bought, often segmented through social media interactions and profiles so that the calls are never truly random. But the nature of that conversation will be very much focused on the hard sell of these “once in a lifetime” investments.

They’ll try to convince you that they work for a genuine company and use high-pressure selling tactics to get you to buy ‘investments’. These ‘investments’ are worthless and often aren’t even offered by the company they’re pretending to be. Some may make multiple calls to build that element of a relationship and thus credibility. However, the investment and the subsequent promised high returns don’t exist.

Whilst most of us will say we wouldn’t fall for such a scam, we do. As the figures from the FCA prove, this is a highly lucrative business for the fraudsters, one that has delivered at least £78 million in the last twelve months to them, and that is only the cases that have been reported to them.

The common sense approach is if something sounds too good to be true, especially financial investments, it probably is. Regulated investment firms in the UK operate to a Code of Conduct and will not simply call anyone up randomly and ask them to invest over the phone. Virtually all regulated financial services companies will contact you via secure message. They certainly won’t ask for deposits to be sent via PayPal, Western Union or normally bank transfer.

If you are in any doubt, check their details on the FCA website (www.fca.org.uk). If they do appear on their register but you are still unsure, look up their details and call them or email using those to check if the approach was genuine. Incoming phone numbers are easily spoofed by fraudsters to make it appear they’re calling from the expected location or company, as too are emails.

A few minutes of research could save you being the victim of a scam that could cost you thousands.

The sheer AUDAcity of scammers

Two weeks ago auDA, the organization that has responsibility over the Australian ccTLD, .au, implemented a new set of rules on ownership of its domain names. Whilst the changes have been controversial within Australia, it has also led to an increased threat from scammers who have been exploiting the implementation of new rules by demanding the sharing of personal information from registrants.

From the 12th April, all new registrants of .AU domain names, and those renewing existing registrations, need to comply with a number of registration criteria, designed to protect Intellectual Property holders. Whilst the sentiments behind this are good, those hell-bent on causing issues are utilising the new rules to attempt to hoodwink unsuspecting domain name owners.

The new rules state that to be eligible to hold any name in the .au ccTLD you must first meet the Australian Presence requirement. For organisations, this means being able to meet the Australian Presence requirement by holding an Australian trademark (including a pending application) that appears on the Australian IP database.

Prior to the 12th April, the domain name could be “closely and substantially connected” to the trademark registered, which gave organisations the opportunity to register misspellings and domains with subtle differences, providing additional protection against typosquatting. The new rules state that domain names now need to be an exact match of the registered trademark (there is some leeway in the use of punctuation and common adjuncts). If an organisation isn’t able to provide the necessary trademark registration then it will lose its domain name.

For some registrations proof of Australian presence or citizenship is necessary, which has led to auDA issuing another warning about the rise in malicious activities from scammers who have been contacting existing registrants and asking for copies of identification such as passports and driver’s licences. The nefarious actions were first seen back in January, with very authentic and official looking emails asking registrants for this information.

Whilst the domain names themselves didn’t appear to be under threat, the fraudsters would use the personal, and in many cases, confidential information from the IDs to either resell or to assist in fraudulent activity themselves, such as applying for loans, bank accounts and other financial instruments.

The changes will impact brand holders in a number of ways. They may now need to look at alternatives as to how they hold and register their .au domain names if they are based outside of Australia as well as potential additional brand protection measures to cover typographic registrations. On the flip side, restricting registrations just to exact trademark records means additional costs for any cyber criminals looking to exploit the IP of a brand as they would need to also consider a trademark registration as well as the domain name.

For more details of the change, please go to auDA’s information page here.

How the Theory of Marginal Gains is creating a fraudsters’ paradise

I’m a firm believer in the power of marginal gains. The Marginal Gains Theory is concerned with small incremental improvements in any process, which, when added together, make a significant improvement. The challenge is always to break something down into small enough increments that they are easily achievable and measurable.

Another way to look at marginal gains is to measure actions by return on investments – if I invest my time/resources/cash into something, then will the return increase based on the level of investment? For most of us, we make decisions like this multiple times a day. Should I have that extra sausage for breakfast? Should I go a bit above the speed limit to get home quicker? Should I spend an additional hour in the pub? All of these decisions potentially have marginal gains for us but the question we need to ask ourselves is whether the return, whether that is a reward or a penalty, is worth it.

If you look closely at any attempted fraud or robbery, whether physically or virtually, there is a trade off for the perpetrators of risk versus reward. The risk of getting caught or the risk of investing in a scheme more often than not far outweighs the potential reward, which can be substantial in some cases. However, a greater risk of detection and punishment does deter the vast majority of people from committing crime. Likewise, most frauds and robberies are easy to spot and whilst the vast majority of attempts are foiled, either by the authorities or by our own knowledge, the return on investment for some is relatively small and that is why fraudsters will still attempt to create outlandish scams, knowing that a small number of people tricked gives them the reward they need.

However, there is a growing trend of people falling victim to scams that start with a legitimate looking request for a small amount of money, that soon escalates into something far more sinister and damaging. Using the surge in home deliveries as their modus operandi, scammers have been sending text messages to people informing them that they need to pay a small fee, usually less than £2, to have an item delivered. The small amount and the impression it comes from the Royal Mail (the URLs used in the message tend to feature the words “Royal Mail”) make the message believable, as too does the page whereby the receiver is asked to enter their details. But this is a scam that does not just want your £2.

The BBC reported a story last week of a former Police Officer who received such a message and, believing it to be genuine, followed the link and paid the small fee. That then opened him up to a whole multi-level scam that eventually resulted in him losing thousands of pounds. His story is not uncommon – just a few weeks ago a respected, experienced current affairs journalist and TV/Radio presenter tweeted an image of a text she had received, asking her followers if it was genuine, such is the believability of the scam.

For the fraudsters behind the scams, they are looking at playing on our Marginal Gains – it surely isn’t a scam as they “only” want £1.25/£1.99/£2.50 – the risk of it being a fraud to the receiver of the text is low, or so it seems, whilst the reward is that they get the parcel or item that they may have been waiting for.

The Royal Mail do not send text messages asking for payment in this way. If an item needs additional postage they will deliver a card detailing how someone can make the additional payments. Likewise, you can always check the domain name used in the URL to see when it was registered and who to. A recent text I received showed the domain name registered on the same day as the text was sent and registered to an individual in China. If you are in any doubt on the legitimacy of any message you have received, check with Royal Mail themselves and make sure that you do not become another marginal gain for the fraudsters.
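The two checks described in this post and in the Classic Football Shirts post above (a domain one character away from the real one or carrying the brand name, and a domain registered only days before the message arrived) can be automated; this is an added example, not code from the original posts. The official domains, the year 2021, the message dates and the `.example` domain are assumptions or constructed samples, and the registration date is supplied by the caller from a WHOIS lookup.

```python
from datetime import date

# Official domain -> brand keyword. ASSUMPTION: the retailer's real domain is
# the lookalike quoted in the post minus its extra "s".
KNOWN_BRANDS = {
    "classicfootballshirts.co.uk": "classicfootballshirts",
    "royalmail.com": "royalmail",
}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: single-character inserts, deletes, substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete from a
                           cur[j - 1] + 1,              # insert into a
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


def assess_domain(domain: str, registered_on: date, message_date: date,
                  max_age_days: int = 30) -> list[str]:
    """Return the reasons a sender or link domain looks suspicious.

    registered_on is the creation date from a WHOIS lookup done by the caller.
    An empty list means the domain is an official one or nothing was flagged.
    """
    domain = domain.lower().rstrip(".")
    # The official domain and its subdomains are trusted outright.
    for official in KNOWN_BRANDS:
        if domain == official or domain.endswith("." + official):
            return []

    findings = []
    squashed = domain.replace("-", "").replace(".", "")
    for official, keyword in KNOWN_BRANDS.items():
        distance = edit_distance(domain, official)
        if distance <= 2:
            findings.append(f"lookalike of {official} (edit distance {distance})")
        elif keyword in squashed:
            findings.append(f"contains brand keyword '{keyword}'")

    age = (message_date - registered_on).days
    if 0 <= age <= max_age_days:
        findings.append(f"registered {age} day(s) before the message")
    return findings


if __name__ == "__main__":
    # Domain and 25 June are from the post; year and message date are constructed.
    print(assess_domain("classicsfootballshirts.co.uk",
                        date(2021, 6, 25), date(2021, 7, 8)))
    # Constructed delivery-fee style domain, registered the day the text arrived.
    print(assess_domain("royal-mail-redelivery-fee.example",
                        date(2021, 4, 1), date(2021, 4, 1)))
```

A mail gateway or reporting mailbox can run the same check on every sender and link domain, holding any message with at least one finding for review.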