Are telecoms companies protecting your data enough?

Synthespian

We all know that scam calls are a problem, but they're incredibly well oiled machines now and they know a lot of the tricks in order to convince you enough to hand over your details and fall victim.  If you're one of the more vulnerable in society (especially with cognitive challenges - like one of my relations) then it's so easy to fall victim.

But, how are they getting the information to call you?
I had, within in the space of a few months, two sets of these calls.

The first, pretending to be my service provider.
When checking "who called me" it was on a number seemingly operated by that provider (different thread, but interesting the reported number still wasn't closed after 3 years from the first report).

They knew my name, the exact structure of the contract(s) I had with them, and were probing to get into my account with the enticement of a lower priced upgrade.

I'm no fool, and I didn't give any info that would open me up to fraud.

I told them I didn't take calls like this and if it was a genuine offer I should be able to call the main number and get back thru to the team.

There is (IMHO) an inherent flaw in how legislation means outbound calls from companies still ask the consumer to verify their identity, when there should be an agreed way all companies can verify their genuine status.  Again, another thread, but I believe we could massively cut out scam calls in this scenario. As long as it's in law and all companies follow the same process.  That would help all people, especially those more vulnerable cos it's then one UK wide process.

I rang customer service, to ask if the call was genuine and reported the number on the fraud text service and also gave to the operator on the phone. I was clear my account was not compromised, but concerned they had the specific details of my account that could only have come from the provider's database.  The provider then shut down my account on a phising concern (despite me saying to the contrary) and removed some of my data (as part of their processes), despite me being clear I knew my account was safe.

Due to that and some shocking customer service (grass isn't always greener fyi), I terminated my out-of-contract account and moved (for the first time in decades) to another provider.

SEVEN WEEKS after switching ... I received a call from a different number proclaiming to be the new provider.  Yes, scammers don't stop, but here is the key point:

As part of my move to the new provider, there was a offer that changed the number of contracts/numbers I had with the new provider.  The person on the end of the phone knew this.  They knew the exact structure of my now different contract(s) that I had. If data was old, they'd have the structure wrong. No, they knew it had changed.

I don't post anywhere publicly with a "look at me with my great deal and new structure" or wave a leaflet in front of my friends and acquaintances.  There are only two possible sources of that new updated information and this is either the provider's database OR the data that is shared when numbers are provisioned in the telecoms system.

That means that the system itself is the one opening up this data to fraudsters. It's not consumers (always) being sloppy with their data, it's centrally from within that we allow our data to get into the hands of fraudsters.

Concerns raised with both providers, but both despite clear "it's your data breach not mine" instructions, have treated it like it's my phishing mistake and that their processes are always followed correctly. 
Both have rejected any issue of their own, and in the case of one repeatedly ignored my communications to them to explain their response did not answer the clear statement of the problem, and both reported to ombudsman for (different) poor customer service impacts.

Also reported to ICO, in the hope that this wider issue is looked into.

Thoughts?

zagfles

Did the contracts get emailed to you? If so it could be your email that is compromised.

AnnaWatts

It's truly concerning how scam calls have become increasingly sophisticated. It's clear they have access to detailed personal information, often related to services we use. I completely agree that there's a critical need for more robust processes to verify the authenticity of outbound calls, a standardized approach that all companies must follow could be a game-changer. The fact that these scammers have access to updated data after you switched providers is particularly alarming. It highlights a systemic issue within the telecoms system. It's essential to hold providers accountable and address these data breaches at the source to protect consumers, especially the more vulnerable ones. Reporting to the ICO is a good step toward a more comprehensive investigation into this issue.

Synthespian

zagfles said:

Did the contracts get emailed to you? If so it could be your email that is compromised.

It's a good question. Anything is possible in today's society, right!  The tech world is always getting more intricate and we're always on catch up to safeguard.

Given everything else that goes thru my email, I think if it was compromised I'd have much more attempts than just these two in the last year.

But again, I don't click links I don't know. I don't answer to surveys from my bank because they use a "slightly" different email address than the other notifications / put the link on my customer portal.  
We have the tech to be so much more secure, but no one company or industry seems willing to take the lead to protect everyone.  And yes, I've made similar suggestions re verification to EVERY company that ever calls me. It's just common sense.  Most operatives on the phone concur, but all they can do is pass it up the chain.
We need wider action.

iniltous

Scam phone calls , emails , etc are not originated in this country , so any legislation raised in this country in relation to UK based enterprises will have zero effect on these people/ businesses.

Most network providers and service providers are proactive in attempting to stop this type of activity but it’s an impossible task , the onus has to be on the consumer to be wary , being aware that scammers can spoof their identity ( for example spoofing the displayed number of an incoming call  means that it cannot be confirmation of the identity of the caller ) , and as a rule of thumb no reputable concern will ask for things like access to your computer ( via a screen share type application ) or ask for information that can personally identify the recipient ( after all if they contact you , pretending to be a company that you already have a relationship with , why the need to provide info they should already have ) 

I know it’s unfair , especially for those that are easy to manipulate , but it’s the world we live in , I’m sure that any ‘great idea’ a layperson has for eliminating this issue, will have already been thought of by professionals/ experts who’s job it is to minimise these things, and likely dismissed as impossible to implement.
As far as the OP having been targeted by a scammer that has knowledge of a recent change of provider, there is no personal information kept by the network wholesaler , their customers the Communication Providers , any breach here would simply indicate the CP , not the individual , and obviously the individual CP’s have no common link between them , it’s most likely that any breach is on the OPs own data ( email , key logging, malware ) than any organisational data leak .

Synthespian

iniltous said:

Scam phone calls , emails , etc are not originated in this country , so any legislation raised in this country in relation to UK based enterprises will have zero effect on these people/ businesses.

Nope.
Both attempts were from UK numbers, so even if routed thru overseas there's a way to stop that additional "way to make it seem a bit more legit".

As for the rest ... I'd be being targeted a LOT if it was my email, key logging, malware.
But as I'm the sort of person who doesn't click on those sorts of links and attempts for access (having worked in IT for 20yrs inc being a strategic product manager for the financial software industry) I would guess my risk is a lot lower than someone more vulnerable.

No one talked about fairness here.
Just about risk to others.

iniltous

How do you know these scamming attempts  were originated in this country ? , did you check the ‘CLI’  , calling line information, displayed on your phone , that’s pointless, any number the scammers want can be displayed as the CLI forwarded by their equipment ( pretty much the definition of spoofing ) , did you ask the  caller where they were speaking from ? , honesty isn’t exactly scammers guiding ethos,
How did you determine that they were based in this country ?

Synthespian

lol re honesty. so true.
Sure, CLI, and other means of checking
And if it's so easy to spoof, then what's the point of reporting ANY numbers!
If you can't trace things, it shows the system isn't fit for purpose.

We can haggle back and forth, but there's a bigger question here.

zagfles

Synthespian said:

zagfles said:

Did the contracts get emailed to you? If so it could be your email that is compromised.

It's a good question. Anything is possible in today's society, right!  The tech world is always getting more intricate and we're always on catch up to safeguard.

Given everything else that goes thru my email, I think if it was compromised I'd have much more attempts than just these two in the last year.

But again, I don't click links I don't know. I don't answer to surveys from my bank because they use a "slightly" different email address than the other notifications / put the link on my customer portal.  
We have the tech to be so much more secure, but no one company or industry seems willing to take the lead to protect everyone.  And yes, I've made similar suggestions re verification to EVERY company that ever calls me. It's just common sense.  Most operatives on the phone concur, but all they can do is pass it up the chain.
We need wider action.

It not about clicking links! It's about the email being accessed or intercepted. Maybe your email provider, maybe your PC, maybe someone has access to your email.

You've had the exact same thing happen twice with two different providers. I'd start by looking at the common elements, rather than assuming two separate providers had exactly the same data leak.

Synthespian

zagfles said:

It not about clicking links! It's about the email being accessed or intercepted. Maybe your email provider, maybe your PC, maybe someone has access to your email.

You've had the exact same thing happen twice with two different providers. I'd start by looking at the common elements, rather than assuming two separate providers had exactly the same data leak.

It's possible it's anything.  Links are just a very easy phishing tool, like images in emails with hidden pixels.  There's loads.  I work in IT. I know what's installed on my PC, I know what I accept and I don't, so again, the risk is reduced.

And again ... common denominator ... if it was me, I've got more than just my mobile operators going thru my emails.  I'd be a target for a lot lot more scam calls, targetting more things. To have just two on the same industry, however easy that is ...
and I don't get credit requests against my data, or other things that would signify that people have access to more data than they should.

So before discounting any side, it's worth looking around for all scenarios.

iniltous

A favourite scammer CLI spoof , is to show the called party’s number , ( the same number they called presented as the calling line info ) , that way , if the recipient uses 1471 to get the number of the last call they received, it’s inexplicably presents the consumers own number , making these ‘who called me’ reverse routers pointless, and even if the scammers don’t go to such lengths to change the CLI on every outgoing call , provided the number presented looks like a national number , or a 0800 number , or even a UK mobile number , many will answer it whereas if it said ‘international’ they wouldn’t.
No scammers use UK based network to launch these scams, they would likely be visited by the Police pretty quickly , whereas base your operation in the sub continent ( for example ) as well as a workforce amenable to doing this illegal work , they are not likely to be visited by the local law enforcement, given they are not likely to be trying to scam their own nationals