As money goes digital, new threats and challenges arise as scam-artists seek new ways to profit at the cost of innocent victims. Charmaine Oak (CO) was curious to understand about the so-called “Ukash Virus” and interviewed David Cox (DC) of Ukash to find out about the origin of this term, the newly launched “AvoidOnlineScams” site and the investment that Ukash is making towards the safety of their customers.
CO: David, could you please tell us a bit about Ukash, and the origin of the term “Ukash Virus” ?
DC: Ukash was created to provide a safe and secure payment method for consumers to spend their cash online and we want to maintain this. However, to rip-off innocent consumers, criminals have begun to request payment by Ukash and other online payment methods, in their scams.
David Cox is Head of Customer Experience, Ukash. Helping customers to use their cash online, safely and securely, has been David’s primary objective since joining Ukash in 2006. This extends to providing practical advice and assistance to avoid online scams. David works closely with the Ukash security team, and liaises with law enforcement and consumer protection agencies, to promote online payments best practice.
One of the most common and quickly spreading scams we are seeing, using Ukash as a payment method, is malware demanding payment of a fine, seemingly sent from the local police authority. Ukash is widely available and is the brand leader in e-money, so unfortunately some have referred to this ‘Reveton’ ransomware strain as the ‘Ukash Virus’.
Malware scams generally take the form of a Trojan, typically picked up from malicious online adverts or from file-sharing sites, which locks the infected computer and then demands a fine or ‘ransom’ for unlocking - this is known as ‘ransomware’. This malware often displays a message that claims to be from the police, saying the computer has been targeted for legal reasons.
Payment by online cash is then requested, and even if payment is made the computer remains infected. Ransomware will use alarming messages and scare tactics to frighten internet users into paying the fine, something that we see as a growing problem. Of course no genuine law enforcement agency operates online fines without evidence or a right to appeal, and the on-screen messages are very badly written, so unlikely to be genuine.
CO: I recall similar “offline scam” cases (not virus associated) under which victims receive requests to pay, using Western Union for example ..
DC: Yes, criminals target consumers via ‘offline’ methods and often use traditional methods of communication to do so. For instance the prominence of the miss-sold payment protection insurance scandal in the UK has led some criminals to create a new telephone scam, targeting vulnerable groups such as the elderly. These victims are asked to pay an advance fee, via Ukash or another payment method perceived as being untraceable, in return for a much bigger pay-out, even if they have never had a product with PPI.
Other scams have involved individuals handing over Ukash codes as advance fees for loans and job applications. Every Ukash receipt has clear warnings printed against never giving codes to anyone and only using Ukash online and at genuine merchants, but unfortunately not everyone heeds the advice.
CO: Has this changed in recent times causing scams to be online as well as offline?
DC: With the advances in technology and the increased use of the internet, these traditional ‘confidence tricks’ have gone from offline to online. The ease of the technology also means that more people, of all ages and abilities are using the internet and can ultimately put their details online and become a target for fraudsters.
But the criminals are exploiting their victims in imaginative ways, such as encouraging non-internet users to use an online-only payment scheme such as Ukash, as in the PPI scam. Despite the warnings to only use Ukash online, the majority of victims do not perform any research or ask advice before handing over the Ukash code, as the criminal has created a level of trust where their instructions are followed without question.
The developers of the Reveton Trojan use the internet to distribute the malware as if it was a legitimate software product and even provide technical support! It is attractive to low-level criminals as they can buy at low cost the code to infect the sites where large numbers of internet users will visit, and then receive payment from those that fall for the scam, making it scalable and profitable.
CO: How have producers of viruses sought to monetise through the development of new payment services? How are they seeking to “Get credibility” by using trusted brands (Metro police & yourselves)?
DC: The original malware developers are running a business distributing the trojan code. They’ve designed the malware to use popular payment brands, such as Ukash and Moneypak, to make getting payments as easy as possible. The wide availability and consistent branding of the payment options is intended to make the ‘lock screen’ appear genuine.
CO: Could you tell us a bit more about Ukash, what it is used for, and in which countries and partnerships?
DC: Ukash is the global online cash payments provider and internationally recognised e-commerce cash payment method that enables consumers around the world to use cash to shop, pay and play online safely, securely and conveniently. This secure payment method was developed to protect personal identity and financial information when making online transactions, reducing the threat of credit and debit card fraud for consumers and repudiations and charge-backs for retailers.
At the heart of the Ukash vision is creating a truly global solution that holds no barriers or boundaries for consumers to access the burgeoning ecommerce marketplace. Since launch in 2005 Ukash has expanded into countries on every continent. Significant investment in back-end technology and front-end customer service has enabled Ukash to achieve a 65% growth year on year, with 91% of global customers saying they would recommend Ukash to friends or family.
Ukash codes are purchased with cash in retail outlets such as shops, petrol stations and kiosks. The unique 19 digit code can then be used to pay directly on any of the thousands of websites that accept Ukash transactions worldwide, or loaded onto prepaid cards and e-wallets.
Ukash is regulated by the UK Financial Conduct Authority (FCA). The maximum single value allowed is £200/€250 or equivalent in other currencies, and the maximum amount that can be held by an individual customer is £1,000/€1,250 or equivalent in other currencies.
CO: I was interested to see your recently launched website. Why did Ukash take this initiative and how do you hope to help?
DC: Ukash joined forces with leading police authorities and anti-malware partners to create Avoidonlinescams.net, an online resource to offer internet users up-to-date news, tips and advice on the latest online scams. This includes links to instructions and free software to remove ransomware.
We want to remind consumers that Ukash must only be used to pay online and at genuine websites, never to pay fines or advance fees. One of the reasons we launched Avoidonlinescams.net was to protect consumers from these fraudsters and stop criminals in their tracks. Individuals can protect themselves online if they have access to knowledge and advice.
Most of the individuals falling victim to these scams are in vulnerable groups and not previously familiar with Ukash. We are therefore working to educate these groups in order to help them protect themselves and beat the fraudsters, including clear warnings on the Ukash receipts and initiatives with the retailers that issue Ukash.
CO: David, so what is your main advice to your customers?
DC: We advise consumers to visit Avoidonlinescams.net to learn how to remove the malware and keep themselves safe online.
Anyone who has used Ukash to pay a fine, or for any other suspicious payment, should contact Ukash immediately on 00800 247 85274, and we will attempt to block the Ukash code before it is used. It’s also vital that they report the crime to Action Fraud UK on 0300 123 2040.
We have a dedicated team working to provide intelligence, to the law enforcement agencies, on any reported crimes that use Ukash as a method of payment. This has resulted in several high-profile arrests of international criminal gangs suspected of involvement in ransomware and advance fee fraud.
Ukash is the safe way to pay, when used online at genuine merchants. But we advise that anyone unfamiliar with a payment scheme finds out how it works before they use their own money.
CO: Thanks very much David, I learnt a lot and am glad to hear about this initiative. Sounds like very useful advice.