Watch the video hereThis ethical experiment follows research that 41% regularly use public WiFi hotspots to access the internet on their phones and computers to carry out financial transactions and a staggering 74% have been targeted by scammers with phishing emails, smishing texts and vishing calls.
First test: Devise and distribute a scam phishing emailDespite having little knowledge of operating computers, Alec learned how to write and distribute a mock phishing email in only 13 minutes. He achieved this with minimal input from the expert, instead using instructions freely available via an online search. The email Alec wrote claimed to be from the fictitious company MoneySpark, asking recipients for their bank account information and supplying a fraudulent link.
Given that phishing emails are so quick and easy to make regardless of technical ability, it goes some way to explain how 74% have been targeted this way.
Second test: Hack a public Wi-Fi hotspotHackers can effortlessly compromise public Wi-Fi hotspots, as demonstrated by Alec in his second test. In the controlled experiment Alec managed to capture and intercept web traffic from a willing participant’s laptop while they were connected to an open Wi-Fi network – designed to replicate those found on the high street.
Alec, under instruction, set up a rogue access point – frequently used by attackers to activate what is known as a “man in the middle” attack – to begin eavesdropping on traffic. He achieved all of this in in just 3 minutes and 40 seconds.“Our experiment demonstrates just how easy it is for criminals to send phishing emails and hack WiFi hotspots,” Chris Ainsley, Head of Fraud Strategy at Santander UK, said. “We have seen the devastating results that fraud and scams can have on our customers and how much damage can be done if hackers get hold of even a small amount of personal detail.” Certified ethical hacker Marcus Dempsey added: “Unsecured public Wi-Fi networks can be easy pickings for criminals. By inputting passwords, bank details and confidential information into online banking or shopping websites over a public WiFi, people could be unknowingly putting their finances and identities in the hands of hackers. Perhaps even easier than hacking WiFi is sending scam correspondence, particularly phishing emails.
“If Alec, with no previous knowledge of how to do this, can write and distribute a convincing phishing email in a matter of minutes, it’s worrying to imagine the potential damage that actual scammers could be doing.”
Wi-Fi hotspot protectionEnsure a WiFi hotspot is genuine – it’s easy to set up official-looking networks, so verify with shop staff before logging on. Providers can help by displaying the network name in store.
HTTPS – If you need to use your card details online make sure the website you are on has ‘HTTPS://’at the start and has a green padlock against it.
Get a Virtual Private Network (VPN) – Not all sites will display the HTTPS lock symbol, but a VPN will act as an intermediary between your device and the internet server, putting up a further block for any would-be eavesdroppers or hackers.
Forget the network:don’t just log off – Ask your device to forget the network so it doesn’t automatically log on if you’re within range later.
Email protectionA genuine bank or organisation will never contact you unsolicited to ask for your PIN, full password or to move money to another account. Don’t give out personal or financial details including passwords and PINs unless it’s to use a service you have signed up to, and you’re sure that the request for your information is directly related to that service. Never click on a link or download anything in an unsolicited email. Doing so could let scammers infect your computer with malicious software that will swipe your personal details or could allow criminals to access your device remotely. If you get an email from somebody asking you to change some payment details, don’t do this without checking it out thoroughly first. The email may have been sent by a hacker rather than the genuine supplier. Look out for tell-tale signs that an email may not be genuine, for example:
- The sender’s email address doesn’t match the website address of the organisation it says it’s from
- The email is impersonal and doesn’t address you by your name e.g. just says Dear Sir/Madam
- There are spelling or grammatical mistakes
Share this story