Over the summer, RTÉ Radio One’s Liveline uncovered a sophisticated text scam targeting hundreds of Bank of Ireland customers. What made the fraud so effective was the way it convincingly piggybacked on the bank’s text service, making the messages appear genuine.
The texts warned customers that their account had been compromised and that they must move fast to secure it. Clicking on the link in the text redirected them to an authentic-looking website where they were required to input their details.
In doing so, they unwittingly gave criminals the power to defraud them. Some customers lost thousands of euros.
Figures released by the gardaí showed that while rates of other crimes declined during the pandemic, online fraud spiked by about 50pc. This includes ‘phishing’, where fraudulent websites and emails are used to steal personal banking information, and ‘smishing’ texts like those used in the Bank of Ireland scam.
In September, the Garda National Economic Crime Bureau (GNECB) issued a warning about rising levels of online investment fraud. This came after a spate of internet scams throughout the summer designed to exploit markets that had expanded in response to the pandemic.
These included staycation hotel scams and online dating fraud. Gardaí warned that using the internet in the assumed safety of one’s home — often when working from home — can produce a false sense of security.
Donal Killackey from Limerick was one of the first callers on Liveline to talk about the Bank of Ireland text scam. He contacted the show after his daughter, Vanessa, had almost €3,000 wiped from her account.
“I know some people will point the finger and say, hey, she was foolish, she allowed herself to be sucked in by this but it seemed to be from the Bank of Ireland,” he says.“It’s very clever. The text states there’s been a suspicious transaction on your account, click here if you want to reverse it or you want to query it. Straightaway you’re sucked in.”
Killackey says the level of information provided by the scammers about his daughter’s account added to the sense that the text was real and required urgent action:
“When she clicked it, it threw up a sum of money that it said was the subject of the transaction and the sum of money was within €60 of the limit of the balance on her account. You’re thinking, this must be real, they seem to know how much money I have in my account.”
Vanessa, a college student, was at home when she received the fraudulent text. After responding to it, she came downstairs to tell Donal, who was suspicious. They contacted the bank, who told them it was a scam.
After his initial contact with the bank, Killackey was hopeful they would be able to recover the money. He wrote letters to Bank of Ireland and contacted the ombudsman. His frustration growing, he called Liveline.
“When you’ve got time on your hands, you do these things,” he says. “Over the following 10 days or so, there was a barrage of similar scenarios.”
Louis Heneghan in Mayo was one of hundreds of people who received the Bank of Ireland smishing text.
“I was looking at it and it was like the official website and everything,” he said. “It was a bit weird in that it didn’t send me to an app, it sent me to a website.”
Second-guessing his actions saved him from a financial headache: “I nearly had all [my details] in and then I was like, hold on a minute, they’ve never asked for all this before. I called Bank of Ireland and the guy told me it was a scam. I was one digit away from putting it all in.”
In August Bank of Ireland pledged to reimburse about 300 customers who had money stolen through the smishing scam to a total of about €800,000.
Many victims are not so lucky. As online scams become more sophisticated, people who thought they could never be duped are finding the opposite is true.
Maryrose Lyons, who runs Brightspark Consulting and lives in the Midlands, says: “I’ve been a digital marketer since 1999. I see people talking about online scams and I sort of think, I must remind my 89-year-old mother not to give out her credit card number on the phone.
“I did not think that I would actually not notice this one myself. It’s embarrassing.”
Earlier this month, a client asked her to look at a demand-for-payment email relating to their website, which she helps manage. It appeared to be from a hosting company well-known to her.
“It was written like, you have three days to pay the money now. There was urgency around it,” she says. “If you weren’t a clued-up digital person like myself, you’d probably think you’d have to do something about it.”
Maryrose went on social media to criticise the company for what she regarded as a heavy-handed approach. It was only then she discovered that what she had assumed was legitimate correspondence was in fact a phishing scam.
“In older days, all you had to do is look at the sender email address and it was like ‘gxy74’ and you go, ah that’s a scam,” she says. “But this didn’t have the hallmarks of a scam.”
She describes it as a “very smart set-up”: “The [payment] is not too dear, it’s something that an office admin would have the power to spend without needing approval.”
Her experience prompted a rethink: “It made me go like, ‘my God, I can be got’. The lesson learned is to be a bit more humble — it doesn’t just happen to older people.”
For gardaí, tackling online fraud is challenging because the scams are always evolving. Detective Chief Superintendent Patrick Lordan of the GNECB tells Review: “They vary week to week, month to month. They keep changing.”
Lordan cautions that people of all ages are vulnerable.
“We’re seeing people as young as 20 losing money. What we have to ask everybody is, stop and think before you answer this email or answer this text message.”
Falling for a scam can be humiliating. Talking about it is often the last thing victims feel like doing, but it can help to increase awareness.
“It’s so important to say it to your friends, even to say it to your family, to help them not make the same mistake,” says Muriel Dolan of the Competition and Consumer Protection Commission.
She urges consumers to be vigilant. They should check out the website if using it for the first time, find out where it is based and read the website’s reviews.
A Bank of Ireland spokesperson told Review: “Smishing is serious criminal activity which unfortunately targets customers of a range of institutions — including banks, postal authorities, social welfare payments, and tax collection. The level of smishing attempts has increased significantly. Unfortunately it impacts customers of all banks on an ongoing basis.
“It is extremely important that customers don’t divulge their personal login details, confidential account details or One Time Passcodes, to anyone. The bank will never text, send emails or call a customer looking for these details.”
Customers are advised to contact the bank if they are concerned that their account has been compromised.
As the pandemic rages and reliance on the internet grows, adages like “think before you leap” and “if it sounds too good to be true, it probably is” are a sobering reminder that what you see online is not necessarily you get. In a time of scams, it pays to click carefully.