Warning to mobile banking customers over sinister ‘shoulder surfing’ method criminals use to gain access to victims’ cash – with one target waking up to find £73,000 gone from his accounts

  • People warned that criminals are getting better at exploring human behaviour 
  • Have you been a victim of mobile fraud? Email [email protected] 

Mobile banking customers have been issued a stark warning telling them to be vigilant of criminals using a sinister ‘shoulder surfing’ method to gain access to victims’ cash – with one target waking up to find £73,000 missing from his accounts.

While the technology of smartphones is secure criminals are now getting better at exploiting human behaviour, experts have said. 

‘Shoulder surfing’ thieves typically note the victims phone pin before grabbing the device.

Jacopo de Simone fell victim to the crime when he was pickpocketed on a night out last year, only to wake up the next day to discover all his money had been stolen.

Mr de Simone then endured a 10-month battle with his bank to prove he was innocent.

Another victim, going only by the name Nick, had £70,000 nicked from his account after his phone was stolen, while Marcus Pearce’s ‘thief took nearly £12,000’ from his account through 30 different transactions. 

Jacopo de Simone (pictured with his girlfriend Alicia) had £22,000 stolen from his bank account after his phone was pickpocketed on a night out 

Marcus Pearce also is a victim of ‘shoulder surfing’, with £12,000 being stolen from his bank accounts

Mobile banking customers have been issued a stark warning them to be vigilant of criminals using a sinister ‘shoulder surfing’ method to gain access to victims’ cash

How to protect yourself from mobile phone fraud 

There are a number of ways you can protect yourself from mobile phone fraud:

  • Use biometric data (face or finger print) ID if possible
  • Remove bank apps from your phone and keep them on devices, such as laptops, that stay at home
  • Use different pin numbers for unlocking your phone and banking apps
  • Don’t store passwords or pins on your phone
  • Be vigilant of your surroundings when accessing banking apps 

Mr de Simone told the BBC: ‘I was stopped in my tracks a little bit, I froze and tried to regain my thoughts and thought “OK, what’s the best approach here?”.

‘I was completely frightened and alarming to see all your hard-earned money taken away from you.

‘I was in complete shock about how it could have happened.’

As a result, the victim is more wary about he uses his mobile phone while he is in public.

He added: ‘This has completely changed how I use my banking apps today.

‘I try not to [keep] the apps on the phone themselves.

‘I find the threat of losing your phone and losing all your money is not worth having it all so easily accessible to you.’

It was a similar story for 46-year-old Nick from Somerset.

He fell victim to ‘shoulder surfing’ whilst he was at a very busy London pub.

Not only was his phone stolen but more than £70,000 was taken from his bank accounts.

Of this £15,000 had been stolen from his personal account, with £58,000 grabbed from his business account.

The fraudster had used his passcode to gain access to his Barclays app, The Times reported.

The criminal then added themselves as a new payee, before setting Nick’s password on a business payment system.

There were no added security texts and while the bank sent a SMS warning, as the phone was in the criminals hands it did not work.  

Nick, whose last name was not given, told Which?: ‘The worst part of the experience for me was not so much the crime itself, but the disgraceful treatment I received from Barclays’.

Who are the victims of ‘shoulder surfing’?

Cybersecurity experts and police officers have warned mobile banking customers to become more vigilant of ‘shoulder surfing’ criminals trying to steal phone PINs and access online banking.

Jacopo de Simone:

Mr de Simone’s phone was stolen while he was on a night out. 

The next day he woke up to find £22,000 had been stolen from his account.

Finally after a 10-month ordeal with his bank he managed to retrieve his money, but tries not to use mobile banking anymore.

Nick, from Somerset:

Nick ‘shoulder surfing’ whilst he was at a London pub.

More than £70,000 was taken from his personal and business bank account.

Marcus Pearce: 

Marcus Pearce was also on a night out when his phone was snatched while he was making a call.

The thieves went on to steal £12,000 from his bank accounts.

Marcus Pearce had his phone snatched from his hand while on a night out in March but also blames his bank, TSB, for how they handled the ordeal. 

He wrote on Twitter: ‘I had my phone stolen out of my hand whilst on the phone on a night out in March and thief’s took nearly £12,000 from my account in 30 different transactions.

‘Had no help from the bank and having to go to the financial ombudsman. I have been made out to be the criminal and not the victim.’ 

Another victim called Debolina Guha Majumdar, wrote on Facebook in 2021 that her phone had been stolen near Tower Bridge in London, and that the criminals had gone on to access her bank details.

She wrote: ‘This is a serious cyber crime gang which sent advanced Phishing messages and now has access to my Apple account, all data, bank cards, security information, social media.’

Shoulder surfing is when a criminal will look over a victims shoulder to learn their phone PIN before they steal their phone.

They then use the PIN to unlock the phone before trying the same number to access banking accounts.

The criminals will also search the individuals notes on their phone to see if banking passwords are jotted down anywhere.

Cyber security expert Jake Moore, who works for the company ESET and previously was in charge of Dorset Police’s digital forensics unit warned that it can be ‘difficult to catch those people in the act’.

He told MailOnline: ‘Shoulder surfing is when criminals view victims’ passcodes to unlock their phones so they can access the phone once it is stolen. 

‘The same number can also open up the password vault on the phone and that is where criminals can use those passwords to enter bank accounts and even move money.

‘If any fraud warnings are sent via a text message the criminal is still in possession of the phone to accept or even ignore SMS text.

‘It is difficult to catch those people in the act of doing so but the moment you may find your phone missing it is worth contacting your bank to make them aware that they can freeze it. 

Detective Superintendent Roch (pictured), who is head of economic crime at the Metropolitan Police in London, warned that unless the right security protections are in place on their phones, people are ‘essentially walking around with a big bag of cash’

Jake Moore, security specialist at ESET (pictured), warned that it can be ‘difficult to catch those people in the act’

While the technology of smartphones is secure criminals are now getting better at exploiting human behaviour

‘If you have your bank cards attached to your phone via Apple Pay or Google Pay you want to freeze those as well.’

Mr Moore explained that people can put in place protections to prevent thieves from accessing their banking details, for example by using a two-factor authentication that relies on an app or key, rather than an SMS text.

The cybersecurity whizz also said that using fingerprint or face ID is safer to unlock devices.

He added: ‘For my job I carried out testing on this, with people’s permission.

‘I once was able to shoulder surf someone when a code was sent to their mobile phone from their PayPal account. I was then able to access their account and move money.

‘I then had full access to the person’s information and private details and could go on to all the accounts that were connected to it.

‘I spoke to PayPal about it but they tend to say the onus in on the victims and people should be more aware of their surroundings which I don’t think is good enough.’ 

Detective Superintendent Roch, who is head of economic crime at the Metropolitan Police in London, warned that unless the right security protections are in place on their phones, people are ‘essentially walking around with a big bag of cash’.

What is ‘shoulder surfing’? 

Shoulder surfing is when a criminal will look over a victims shoulder to learn their phone PIN before they steal their phone.

They then use the PIN to unlock the phone before trying the same number to access banking accounts.

The criminals will also search the individuals notes on their phone to see if banking passwords are jotted down anywhere.

He told the broadcaster: ‘It’s only a phone… but if you take that out without the right precautions and protections around it you are essentially walking around with a bag of cash.

‘If you start to think of it like that, would you walk into a bar, put it down and turn your back on it? Probably not.

‘It’s not on a massive scale, it’s a crime that exists and we do see it… [but] the potential outcome is devastating for victims’

It comes as figures last month revealed that a mobile phone is stolen every six minutes in London. 

That’s 91,000 phone thefts in 2022 alone, according to data previously revealed by the BBC.

And only 2 per cent of victims are reunited with their mobile – a figure previously described as ‘unacceptable’ by HM Chief Inspector of Constabulary Andy Cooke.

He said: ‘Phone theft is not a minor crime, it strikes at the heart of how safe people feel in their own communities.

‘There needs to be a concerted drive to address this because it directly affects the public’s confidence in the police’s ability to keep them safe.’

The Metropolitan Police said officers ‘run daily operations to target offenders’.

Westminster (25,899 thefts), Camden (7,892) and Hackney (4,618) were among the worst hit boroughs last year.

Barclays, TSB PayPal have been contacted for a statement.  

Source: Read Full Article