Santander Scam Avoidance School (SAS) graduate turns ethical hacker to help the fight against fraud

  • Alec Daniels, 86, successfully sent a ‘controlled’ phishing email and breached a public WiFi hotspot in only 16 minutes 40 seconds
  • 41 per cent of people regularly use public WiFi hotspots to access the internet, putting their online security at risk(2)
  • 74 per cent of Britons have been targeted by scammers with phishing emails, smishing texts and vishing calls(3) 

Do you ever log on to a public WiFi hotspot to check on your bank balance, transfer money or maybe make online purchases? If the answer to these questions is yes, then according to Santander, your personal or online banking security could be compromised in just minutes.

As part of Santander’s campaign to raise consumer awareness of how to avoid scams, Santander challenged SAS(1) graduate Alec Daniels, 86, from Hampshire, to write and distribute a pretend phishing email, as well as hack into a public WiFi hotspot, despite having little knowledge of computers.

Working with network security expert Marcus Dempsey, Alec used information and guides easily available online and completed both tasks in 16 minutes 40 seconds. These are two of the most common means fraudsters use to get an individual’s bank account details.

Research by Santander shows that 41 per cent of those surveyed(2) regularly use public WiFi hotspots to access the Internet on their phones and computers to carry out financial transactions, whether that’s to check bank balances, make online purchases or manage money transfers. Of those, over one in 10 admit to logging on to unsecure WiFi networks several times each and every day, increasing their chances of getting hacked. 
The project follows on from the bank’s Scam Avoidance School (SAS)(3) earlier in the year, where around 12,000 over 60s (including Alec) attended free lessons on how to avoid scams.

Alec’s First Test: Devise and distribute a scam phishing email 
Despite having little knowledge of operating computers, Alec learned how to write and distribute a mock phishing email in only 13 minutes. He achieved this with minimal input from the expert, instead using instructions freely available via an online search.

The email Alec wrote claimed to be from the fictitious company MoneySpark, asking recipients for their bank account information and supplying a fraudulent link. Given that phishing emails are so quick and easy to make regardless of technical ability, it goes some way to explain how 74 per cent have been targeted this way.

Alec’s Second Test: hack a public Wi-Fi hotspot
With research from Santander revealing that 36 per cent don’t have any concerns about the security of their data when using public WiFi, the bank also wanted to raise awareness of just how effortlessly hackers can compromise these hotspots.

In the controlled experiment Alec managed to capture and intercept web traffic from a willing participant's laptop while they were connected to an open Wi-Fi network – designed to replicate those found on the high street. Alec, under instruction, set up a rogue access point – frequently used by attackers to activate what is known as a “man in the middle” attack – to begin eavesdropping on traffic. He achieved all of this in just 3 minutes and 40 seconds.

Chris Ainsley, Head of Fraud Strategy at Santander UK, commented: “Our experiment demonstrates just how easy it is for criminals to send phishing emails and hack WiFi hotspots. We have seen the devastating results that fraud and scams can have on our customers and how much damage can be done if hackers get hold of even a small amount of personal detail.

“It’s great to have Alec on board to help out – having talked about scams with thousands of over 60s through our SAS it is good to get him involved to help us spread the word. Raising awareness and educating people on how to protect themselves is vital to effectively tackling the criminals who ruin people’s lives.”

Certified ethical hacker Marcus Dempsey added: “Unsecured public Wi-Fi networks can be easy pickings for criminals. By inputting passwords, bank details and confidential information into online banking or shopping websites over a public WiFi, people could be unknowingly putting their finances and identities in the hands of hackers. Perhaps even easier than hacking WiFi is sending scam correspondence, particularly phishing emails.

“If Alec, with no previous knowledge of how to do this, can write and distribute a convincing phishing email in a matter of minutes, it’s worrying to imagine the potential damage that actual scammers could be doing.”

Marcus Dempsey and Santander give their tips for staying safe online:

Wi-Fi hotspot protection

1. Ensure a WiFi hotspot is genuine: it’s easy to set up official-looking networks, so verify with shop staff before logging on. Providers can help by displaying the network name in store.
2. HTTPS: If you need to use your card details online make sure the website you are on has ‘HTTPS://’ at the start and has a green padlock against it.
3. Get a Virtual Private Network (VPN): Not all sites will display the HTTPS lock symbol, but a VPN will act as an intermediary between your device and the internet server, putting up a further block for any would-be eavesdroppers or hackers.
4. Forget the network: don’t just log off – ask your device to forget the network so it doesn’t automatically log on if you’re within range later.

Email protection

A genuine bank or organisation will never contact you unsolicited to ask for your PIN, full password or to move money to another account. Don’t give out personal or financial details including passwords and PINs unless it’s to use a service you have signed up to, and you’re sure that the request for your information is directly related to that service.

1. Never click on a link or download anything in an unsolicited email. Doing so could let scammers infect your computer with malicious software that will swipe your personal details or could allow criminals to access your device remotely.
2. If you get an email from somebody asking you to change some payment details, don’t do this without checking it out thoroughly first. The email may have been sent by a hacker rather than the genuine supplier.

Look out for tell-tale signs that an email may not be genuine, for example:

- The sender’s email address doesn’t match the website address of the organisation it says it’s from
- The email is impersonal and doesn’t address you by your name e.g. just says Dear Sir/Madam
- There are spelling or grammatical mistakes

- Ends -

The information contained in our press releases is intended solely for journalists and should not be used by consumers to make financial decisions.

Notes to Editors

1. In March 2018, Santander’s branch network launched a fraud awareness campaign, Scam Avoidance School. In one week over 700 bespoke lessons about how to avoid scams were delivered to over 11,000 people. The lessons were targeted at the over 60s (although open to anybody) and since launch the campaign has continued to roll out across our branch network with over 12,000 people now attending classes.
2. Research carried out on behalf of Santander by Opinium in May 2017. Sample size was 2,005 British Adults.
3. Research undertaken by OnePoll on behalf of Santander UK in September 2017. The sample was 2,000 British adults aged 18 – 55+.

About Alec Daniels
Alec is originally from South East London and now lives in Hampshire. He had a career in photography throughout his life and upon retirement became a tennis coach. He owns a computer and usually only uses it to access emails and research holidays – but usually asks his son for help. He has never been a victim of fraud and has had no coaching on the methods used in the experiment.

About Marcus Dempsey
Marcus Dempsey is a Certified Ethical Hacker and has been a Microsoft certified professional since 1999. Having initially started his IT career as a computer programmer, he gradually moved on to supporting and managing corporate infrastructure. As the Internet gained momentum, his interest in IT security was awakened, and he continues to learn and help protect other companies. He’s a father of two and lives in Newcastle.

About us
Santander UK is a financial services provider in the UK that offers a wide range of personal and commercial financial products and services. It has brought real competition to the UK, through its innovative products for retail customers and relationship banking model for UK SMEs. At 31 March 2018, the bank has c19,500 employees. It serves around 14 million active customers, via a nationwide branch network, telephone, mobile and online banking; and 64 regional Corporate Business Centres. Santander UK is subject to the full supervision of the Financial Conduct Authority (FCA) and the Prudential Regulation Authority (PRA) in the UK. Santander UK plc customers are protected by the Financial Services Compensation Scheme (FSCS) in the UK.

About Us 
Banco Santander (SAN SM, STD US, BNC LN) is a leading retail and commercial bank, founded in 1857 and headquartered in Spain. It has a meaningful market share in 10 core countries in Europe and the Americas, and is the largest bank in the euro zone by market capitalization. At the end of 2017, Banco Santander had EUR 986 billion in customer funds (deposits and mutual funds), 133 million customers, 13,700 branches and 200,000 employees. Banco Santander made attributable profit of EUR 6,619 million in 2017, an increase of 7% compared to the previous year.

Media Enquiries
Miranda Seymour, T: 020 7756 4189, M: 07860 857 999
Cecilia Cran, T: 020 7756 4209, M: 07789 651947
The press office operates from 8.00am to 6.00pm. Outside of these hours please call 0800 5877708.