Croydon Council has issued a warning to the public, after fraudsters used what appeared to be a council email address to con more than £1,000 each from at least six vulnerable local residents.
The scam involves an email sent using a forged address, one using the name of a genuine council employee from the adults commissioning team, to ask for payment from people with learning disabilities and their carers.
The practice is known as spoofing, and exploits a security flaw that exists because most email protocols do not have any mechanism to authenticate the sender. It is a form of spam which can mislead the recipient about the origin of the message, getting them to click on links which might give up their passwords or financial details, or in the Croydon cases, simply send off a payment.
Millions of such emails are sent out by fraudsters – or at least computer bots – every hour, often with the appearance of being from a major service supplier or bank.
There are some measures which organisations can take to reduce the possibilities of their email addresses being misused in this manner, so Croydon’s warning this week is hardly a ringing endorsement of the management of its IT systems by Crapita, who are three years in to an eight-year £73million “megadeal” with the council.
The council says that one of the spoofers’ emails said this:
“Good day. This is a friendly reminder to let you know that your invoice is 3 days past due. Please pay this immediately or if you have any questions, please contact us to discuss. Total amount due: £1183.10.”
The fraudster then included a link to view and pay the “invoice”, signing off using a council email address format.
To be fair, just a cursory glance at the language used (“Good day”? “Friendly reminder”? “Past due”?) suggests that it is less than genuine, drafted by someone who has never worked in a south London council and for whom English may not be a first-language. And besides, what organisation sends out reminders for payments after three days?
The council says that its adults commissioning team has already contacted approximately 200 people and organisations who use their service to warn them about the scam.
There are some simple measures which email users can use to protect themselves:
- Commonsense. If an unsolicited email from an unfamiliar sender does not appear genuine, then be cautious and for goodness sake, don’t click on anything.
- Use an email service which has strong filters. GMail is highly recommended.
- Never click on unfamiliar links or download unfamiliar attachments, especially if it asks for personal information.
- Use your spam filters and junk boxes provided by nearly every free email service. If something goes into your junk email folder even if it looks like it is from someone you know, make sure it really did come from that person and that they intended to send it to you.
- Test email message headers. Run your cursor over the sender’s email address. Does it show something which doesn’t match what appears in the sender’s address box? If the email addresses displayed are not identical, then it is most likely to be a scam.
To report a scam, contact Action Fraud on 0300 123 2040 or report it online at http://www.actionfraud.police.uk.
Or you can contact the council’s trading standards team via Citizens’ Advice consumer service on 03454 040506.
- Inside Croydon is a member of the Independent Community News Network
- Inside Croydon is the borough’s only independent news source, and still based in the heart of Croydon
- From April to July 2017, we averaged 33,000 page views every week
- If you have a news story about life in or around Croydon, a residents’ or business association or a local event to publicise, please email us with full details at firstname.lastname@example.org