How being a victim of cyber crime made me an even bigger target for hackers

Computing's Danny Palmer almost found out the hard way how cyber criminals are getting craftier...

I don't know who they are, I don't know what exactly they wanted, but someone, somewhere managed to steal my bank details.

It might not stand alongside the greatest ever cases of financial fraud, but someone had tried to use my bank details to pay the grand total of $4.23 to what appeared to be a small pizza restaurant somewhere in Tampa, Florida.

Sure, it wasn't the crime of the century, but the very idea that someone had somehow got hold of my personal details was worrying. The small transaction must have been a test of the banking details - an attempt to see if it could really be used.

How had someone got hold of this information, I wondered? Was I affected by the Hilton Hotels data breach? It only impacted on US branches of the resort chain, but had I stayed at one while covering a conference? I don't think so.

I have a Sony PlayStation, but my bank details were changed following the infamous PlayStation Network hack. But had hackers been able to breach the system again? The worry is always there with Sony, especially as the company gets targeted so often.

The most infamous data breach of recent months was the Ashley Madison hack and well, certainly I've never been a member of that particular 'service', so the nature of my data loss was a mystery.

But unfortunately, somehow, my details were stolen. However, I'm not the first person to have been the victim of cyber vandals in this way. And I certainly won't be the last.

"There's a lot of smart people out there who get defrauded in cyberspace," Andre McGregor, director at enterprise security firm Tanium and a former FBI cyber special agent, told me.

He described a scheme he'd previously witnessed which successfully conned people into handing over their details to cyber criminals via email.

"We had a situation in 2008 to 2009, when our economy was at the lower end and there were cyber actors who were purporting to be from a defence company which was hiring people.

"They were telling them that if they were interested in a job, they should send their resume [CV], social security number and all their personal information for the job," he said.

Here, cyber criminals were essentially targeting the vulnerable people who were desperate to find work at a time when gainful employment was hard to come by.

"But for people who are out of a job, they're not looking at the email and thinking who's on the other end," said McGregor.

Cyber criminals, hackers and other ne'er-do-wells certainly are looking to take advantage of us and will do so in any way they believe gives them an advantage - i.e. a better chance of stealing your information.

Following every big data breach, there's often reports of scam emails claiming to be from the affected company, instructing you to login via a link they provide, which in reality simply logs your details into a third party system. It's a ruse on a ruse - an opportunist phishing attack on the back of the - usually unconnected - hack that came before it.

That's how they almost got me a second time in as many days.

Perhaps foolishly, I decided to use Twitter to announce the fact that someone had tried to use my details to buy pizza in Florida, alongside an image of a popular Liam Neeson based meme.

It turns out alerting publicly searchable social media that you've potentially been the victim of cyber crime isn't the best idea, not even for the sake of a cheap gag. This indiscretion had apparently put scammers searching Twitter for key words on high alert, as I discovered the next day.

I just happened to check a secondary email account. There was the usual glut of newsletters and pointless marketing material, but something stood out from the crowd.

It was an email apparently from PayPal thanking me for purchasing an $85 television antenna which was about to be sent to the Niagara Falls area. I panicked - the pizza buyer had struck again, I thought, and I immediately went to call my bank to tell them about this latest indiscretion.

But then I checked the email a second time, looked more closely and there were tell-tale signs that this wasn't the same hustler attempt to make another purchase with my cash, but it was in fact other petty criminals trying to milk me at a time I'd revealed to the world I'd been compromised.

The sender was supposedly PayPal, but the ‘From' box in the email was just a sequence of random characters. Not only that, but hovering over the link to visit PayPal to cancel the purchase - or report the email for being spam - told me it was directed to a suspicious looking non-PayPal address, making the whole thing an obvious attempt to steal my details.

Then there's the fact that the particular email address in question wasn't even connected to a PayPal account - which should have been the initial spark which set me off to this scam I had just narrowly avoided - just, despite the panic.

But many, many people wouldn't think to look for the tell-tale signs of a scam. That was certainly evident when the bank employee on the end of the phone started to try and explain to me what phishing - a subject I have often written about - is.

Until those changes - until people know to be more careful about what emails to trust, and how to recognise even well-targeted phishing scams, there will always be a risk.

"We definitely haven't adapted to the fact the internet is a scary place sometimes and people are out there looking to take advantage of us," said McGregor.

Just one compromised machine on an enterprise network is all it takes for cyber criminals to gain access to everything.

But with cyber crime and data breaches becoming ever more frequent and more directly targeted at users, there's a long way to go before networks are fully protected, especially from human error.