Fraud - Starling Bank

Hi Everyone,

I’m sorry to create a new thread, though I wanted to ask you all for help regarding fraud. I woke up this morning after having received a call from “GoDaddy”. It appeared genuine, though of course you never know with these things. The fella was asking me about my website hosting etc and asked me to confirm my email which I did. I said I didn’t need any help and that was that. I gave no card information or bank account details, I merely verified my email address.

Long story short…ten minutes later, my Starling app beeps and beeps and beeps. I have several notifications of payment to several different companies, all of which seemed to have legitimate names like “Comodo”, “ExpressVPN” and one called “Wowza Media”. All of my money was spent, as well as a huge chunk of my overdraft.

I have contacted Starling, frozen and ultimately cancelled my account with the “Lost/stolen” button in the app. I changed my app password and have reported the crime to ActionFraud. I have gone around and changed my passwords for all services I use such as Amazon, eBay, Netflix, PayPal etc. Is there anything else you recommend? Are there any other steps I can take? Starling is currently looking into it all. Slightly panicking, though weirdly one saving grace is that I had £250 saved in my Spaces, which has not been taken. I therefore have some money at least.

The Payments are still “Pending” and so hopefully Starling can cancel the payments and return the money/overdraft etc.

Talk to me lovely people, I need comfort :grimacing:

Card payments or transfers?
Sounds like your card has been cloned to me
Be very careful if you’re asked whether you used it over the phone
Ultimately all the charges will get cancelled but it’s a bit unnerving.

Very strange. You’re lucky as Starling had delays with their notifications this morning (reliability really is becoming an issue) so you might not have noticed for a few hours - or are the in-app transaction times much earlier than the notifications?

If you just confirmed your email address to ‘godaddy’ then I can’t see how it’s anything more than a coincidence.
Was your Starling password the same as the others you changed?

1 Like

Why would GoDaddy need to confirm your email?

Thanks for the input guys.

They were card payments weirdly and not transfers.

I’d be surprised if my card has been cloned, though it’s always a possibility. I usually use contactless NFC for payments using my smartphone. My card I keep in my wallet, and I have an RFID blocker in there with it to apparently shield it so…who knows?

Moronically, my password is the same for everything. Rookie mistake I know. I always use really obscure passwords like you’d see on the base of a WiFi router and I change it when I can.

I think the GoDaddy thing may just be a coincidence. I’m just racking my brain to try and figure out how on earth my details could have been obtained. After doing a bit of research on an alternate computer (in fear of having malware on the other), I have been able to login to all accounts and change passwords to something new. Trying to cover all bases but I’m so confused.

I opened a hosting account for a friend in his name, though using my bank details. I did this last year. I have had several calls from GoDaddy but usually dodge them as I can’t be arsed to talk to them about nonsense. They wanted to speak to my friend whose email is on file, though I informed them I opened the account and so gave them my email address so they can forward me info regarding SEO. I received his email as promised, though it was around this time that all my money started being spent in large amounts. That is why I was curious. I am now feeling it was a coincidence, though I’m still so confused and angry.

Sounds like they’ve just guessed your card number or seen it somewhere. It’s no big deal, doesn’t sound like they know your personal details or password.

Did the notifications come through promptly for you?

Well of course “Comodo” provides SSL certificates, “ExpressVPN” do VPNs and “Wowza Media” do media streaming - It’s all on a theme. I’d say if the GoDaddy call really was an un-related coincidence then it was a particularly timely one - everything seems to line up.

I know it doesn’t help you in this instance - but if somebody calls me and asks me to confirm anything I always decline. The amount of times I’ve had to tell NatWest that ‘they could be anyone’ is astonishing - and more than once I’ve been told ‘look at the caller ID’ (which, as somebody who manages a PBX system, I know is trivial to spoof).

I’ve tried to get out of the habit of using the same passwords in multiple places.

Have you checked haveibeenpwned.com to see if the email you use is listed?

I know mine is (5 times)!

2 Likes

This isn’t good enough. Get a password manager.
They only need your password from one account, which they almost certainly have as breaches happen from time to time. Once they have it they can use it anywhere. In some respects it doesn’t matter what your password is depending on how it was compromised.

Get a password manager, it’s far better than anything else you can do for securing your accounts.

1 Like

Mate, I’ve certainly been PWNED. Yeah I’m listed. 8Fit, Adobe, DailyMotion and DubSmash. They all got hacked apparently and I’m guessing my info was stolen from one of them. It’s mental how on top of security you need to be these days. Even when you are covering all the bases, companies you’ve entrusted with your information go and get hacked! Jesus!

I know, you’re totally right. At the very least, your email password should be different from everything else, and yet here I am with the same for everything. Same password for this forum even. Not anymore of course but…very rookie. As @Liam pointed out, it appears my information was stolen due to a company I have previously used being hacked. It’s such a cluster ■■■■.

Every time I used my Co-op business banking debit card, I received a call from their fraud department asking me to confirm details.

I always declined to give any information and told them the same amounts went out to the same companies every month and they’d see this if they checked. I always refused to confirm any personal information though.

I would speak to them saying that their methods were similar to those used by fraudsters and they weren’t helping the problem.

I doubt I had any effect on them but they eventually stopped phoning me every time I made a card payment and they allowed them to continue.

It happens, I’m listed on half a dozen breaches.

I only remember three passwords. My bank, my primary email, and my password manager master password. Everything else is on a password manager, it removes all the hassle of having to manage your accounts.

2 Likes

Good work!

Mine are UnderArmour/MyFitnessPal, last.fm, Adobe and a couple of generic collections that could have come from anywhere.

Interestingly, the MyFitnessPal one is from this year. I don’t remember them notifying me of the hack.

I used to get automated ones - but they didn’t ask me to confirm personal data, just would read me two or three amounts and ask me to press 1, 2 or 3 which would correspond to an amount I’d just paid. I was happy to play that game, but if you’re going to ring me I’m not giving you squat.

For God’s sake! I also have MyFitnessPal. I cancelled it earlier in the year but I’m guessing that’s where it is from. I hadn’t paid the other companies. Never had a subscription with 8Fit or gave them my details and I don’t recall giving DailyMotion, Adobe or DubSmash any cash either. Bloody UnderArmour. For a company with Armour in the name, they don’t seem so secure.

1 Like

Doesn’t look like card details are in this particular breach. Having email and password (assuming reuse) does give plenty of opportunity though.

:open_mouth:

Can you recommend a password manager at all? Something I can use for both Windows and on Android? Cheers fella!

Have a look at Bitwarden.

1 Like

I’d recommend 1Password. I let it generate loooooongggg complex passwords. The only one I know is the vault password.

1 Like

1Password all the way :+1:

1 Like

Anything you need in particular?

Bitwarden is decent, I found 1Password and Dashlane to be a little more integrated and polished but they have a cost. Bitwarden is worth the cost if you find you like it. It will only exist if the developer can feed his family.

There’s LastPass as well but I’ve not been happy with their ongoing support of their platform.

Right now I’ve personally been using 1Password as I like how it works on Apple. But I’m on a bit of a long term trial of them all.