Episode 1 Rip Off Britain

We asked you to tell us what's left you feeling ripped off,

and you contacted us in your thousands.

You've told us about the companies you think get it wrong,

and the customer service that is simply not up to scratch.

They should be looking after their customers, and they don't.

Loyalty to the customers is a very low priority.

You've asked us to track down the scammers who stole your money,

and investigate the extra charges you say are unfair.

Big companies, big corporations, are more into the money and the numbers

than they are about the people.

And when you've lost out, but no-one else is to blame,

you've come to us to stop others falling into the same trap.

It genuinely feels like I'm getting ripped off.

So, whether it's a blatant rip-off or a genuine mistake,

we're here to find out why you're out of pocket,

and what you can do about it.

Your stories, your money. This is Rip-Off Britain.

Hello and welcome to Rip-Off Britain, where it's our job to make sure

your money stays very firmly where it belongs, in your pocket,

and that it doesn't become easy pickings for unscrupulous crooks.

But it's not always just your cash that the fraudsters are after.

So, today, we're on the trail of the people

determined to steal something just as valuable - your identity.

And, as we'll see, they don't always have to go to great lengths

to actually do it.

But if all of that sounds a bit terrifying,

don't worry too much, because we've been seeking out the best tips

and advice to make sure that your personal details,

not to mention your savings, can be kept safe.

Coming up - phantom postboxes mysteriously stuck to your home

with a sinister purpose.

They were hanging around in the area,

waiting for the post to be delivered,

and were then going to remove the box with the stolen mail inside it.

And what to do if scammers hold your computer to ransom.

I decided that I wasn't going to give in to these cyber-terrorists,

these people bullying.

They're not going to get my money.

Now, it seems that the days when cash was king

are well and truly over.

At the start of 2016, one in every ten card payments

was made with one of these - a contactless payment card.

Just six months later, that had shot up

to one in every six payments,

and they're getting more popular every day.

But while for many people,

going contactless is both simple and convenient,

there are still those who remain rather sceptical,

and I'm one of them, and after what I found out making this next film,

I can't imagine changing my mind any time soon.

They're quick, easy, and more people now shop with them than ever before.

But quite a few people still have doubts about using them.

Can I ask you if you ever use a contactless credit card

-when you're...?

-No.

-You don't?

-Why don't you use them?

-I don't trust them.

-Why don't you trust them?

-Because I'm of a certain age.

-They're dangerous.

-Why are they dangerous?

Because if you lose it, which I have on occasion,

somebody else can pick it up and just tap, tap, tap, tap. £30 a time.

They can just steal it, and then they can use my card,

and I can't have that.

A recent survey claimed that one in five people

won't use a contactless card

because of worries that they're not completely safe.

Press reports have been quick to add fuel to that particular fire,

suggesting the simplicity of the cards can make it easy

for crooks to take advantage of them.

And if you think that sounds far-fetched,

well, I'm about to discover exactly how such a scam could work,

indeed, how straightforward the process can be.

I've been asked to come to this cafe here in East London,

and my director has given me his contactless payment card.

I'm not quite sure what I'm supposed to do with it,

because I don't use these things

but, I tell you what, now I've got it,

this is going to buy me a very large slice of cake.

Little did I know then that I was walking into a trap -

one that would see the details from that contactless card

in my pocket spirited away without the card so much as moving.

The team told me they were just getting ready

for us to start filming,

and introduced me to a fraud expert called Gary Fenton,

who I'd be interviewing later, but while I chatted to Gary,

I was the target of a not entirely successful sting,

as Gary brushed his phone against the pocket

where I was keeping the contactless card.

Now, it takes more than a few hidden cameras

and an unusually prompt camera crew to fool me,

because straightaway, I guessed that something fishy was going on.

But not yet entirely sure of what it all meant,

I didn't let on that I'd spotted anything.

Instead, I went off to buy a drink with the director's card,

leaving Gary mysteriously fiddling with his laptop.

OK, so I've been using this contactless payment card.

Tell me how they work.

The card will talk to a scanner, and it just reads the information

off the card without necessarily physically touching the card.

But what are the drawbacks?

You see, I won't have one of these,

because I think... I think they're open to all kinds of abuse.

Right, you're not wrong.

The information can be read, and it can actually be read freely

by a mobile app that anyone could actually download.

The same technology that's built into contactless bank cards

and card terminals is also built into many mobile phones.

It's called Near Field Communication, or NFC for short.

It allows card details to be read over short distances,

which, when you're buying a coffee and a slice of cake,

can make things relatively easy.

But it also means that anyone with the right technology

can make their phones act like a contactless card reader.

When I met you, you made a point of bumping into me

-when you had your telephone in your hand.

-I did.

You're very observant.

And I do have your card information on my mobile phone,

and I can check with you - are the last four digits 6008?

Yes, they are. Let me have a look at the rest of it, though.

I'm not going to read it out cos this is somebody else's card,

but you're absolutely right.

OK, you've got the app, I've got the card. Show me how you do it.

OK, if you put the card onto the table...

Phone just needs to hover itself above the card, and that's it.

-As quick as that?!

-Even quicker. It took less than half a second.

Gary's phone has picked up the card number and expiry date

from my director's card. It didn't take his name

or the three-digit security code from the back of the card.

And without that last figure, in particular,

you'd be forgiven for thinking that no-one could do very much

with stolen details, but you'd be wrong,

because after he'd swiped them from the card in my pocket,

20 minutes earlier, Gary had gone shopping.

I actually went online and made a purchase using your card,

and I bought something from Amazon.

-For how much?

-It was just under £30.

-And they accepted that?

-They did.

It went through straightaway, and it said to wait for delivery now.

Gary had used a fake Amazon account,

a fake name, and the stolen details on the card to buy me a gift,

which was due to be delivered to our offices the following day.

And he'd done it without being asked

for the three-digit security code on the back of the card.

Why does a company like Amazon,

which must do millions of transactions,

not ask for that security number? That's why it's there.

That's an important question,

and I'm afraid you'll just have to ask Amazon,

because I have no idea why they're not doing these security checks.

So, we did just that, and Amazon assured us

that it has sophisticated and rigorous measures in place

to prevent and detect fraud,

which provide layers of protection

beyond the use of those three-digit security codes.

But for what it called "obvious reasons,"

it wouldn't comment on the specifics of what they are.

So, I suppose the 64,000 question is

how safe are these things, then, for people to be using?

-And they're being used all over the place.

-They are.

They can be safe if they're used properly. If these are unprotected,

then the card information can be scanned without people realising.

So what sort of precautions can people take

to make sure that their card stays safe?

You could keep your card in a protective wallet or a shield

to protect it from being scanned.

So, for example...

here's a shield here,

and you would put your card into this,

and it would be protected.

It would be impossible to scan the card

-if it's in one of these little wallets.

-Right.

Now, nobody can read that now with any kind of app?

No, it's completely protected.

If you wanted to make a genuine purchase, you would take it

out of here and use it, put it back in here, and it can't be scanned.

Prove to me that that really protects it. There we go.

-Let's put it down.

-OK.

-Have another go.

We just put the phone over it, and as you can see...

-Nothing is happening.

-Nothing at all.

Gary's organisation, Online Watch Link,

sells one version of this protective cover for £1,

either online or from your local Neighbourhood Watch group.

And there are plenty of similar products widely available.

We spoke to the UK Cards Association

about the potential risks contactless card users face.

It stressed that...

..adding that...

It went on to say that there has never been an actual case

of card details being obtained and used to make an online purchase

in the way that we demonstrated in our test.

And it was keen to reassure anyone with a contactless card

that, even if someone did scan it in this way,

only information from the front of the card could be obtained,

and not the more sensitive details, like the security code

on the back, which it pointed out IS required

to make a purchase from the vast majority of retailers.

And where it's not, as of course happened in our test,

were a genuine fraud to take place, then the retailer would be liable.

And if none of that reassures you,

remember you don't HAVE to have a contactless card.

You're perfectly entitled to ask your bank for an alternative

that doesn't have that technology built in.

If you remember, back in the cafe, Gary ordered something online

with the details that he'd swiped from that card

that was in my pocket. Well, here it is.

He said it was a gift for me, so shall we see what it is?

What is it? Oh!

SHE LAUGHS

Now, there's clever!

Ooh, blimey, it weighs a ton! Ah, there you go.

It's an electronic safe!

You know, we've been doing this programme long enough

for us to think that there weren't too many types of scam

we hadn't heard of before,

whether the fraudsters behind them were after your cash,

your personal details, or both.

But a few months ago, we came across something that is completely new,

and indeed, dare I say it, quite extraordinarily inventive.

The barefaced cheek of it, I think, is going to take your breath away.

But when the residents affected

first noticed something very odd happening,

establishing exactly what was going on

raised more questions than answers.

A quiet, leafy suburb in Chorlton in Greater Manchester.

But behind these peaceful surroundings lurks a crime spree.

I'm mystified that anyone would think they could attach a postbox

to someone's house, and get away with it.

No-one knows how many people have been affected or even how much money

may have been lost. In fact, one of the few things that is clear

about this most mysterious of scams is that whoever was behind it

had been watching the comings and goings

on these streets very carefully indeed

in order to use the residents' identities for their own ends.

-Hello.

-Good to meet you. Come in.

-Thank you.

Alan Dunn was the first to notice that something was amiss

when he happened to be at home one afternoon.

My daughter had been out for lunch,

and she came back after about an hour, and as she walked up the path,

there was somebody stood on the doorstep, and she said,

"Oh, can I help you?" And he said, "Oh, I'm sorry,

"I think I might be in the wrong place. Uh..."

And left quite quickly.

Alan's suspicions were aroused, and he popped outside to take a look,

and immediately noticed that a small black letterbox had been stuck

to the outside of his house.

Baffled as to where it had come from and why,

Alan prised the letterbox away from the wall and took it inside.

He soon discovered that the postman had dropped the family's mail

for the day inside the new box, rather than,

as usual, through the letterbox on the front door,

and amongst that mail was something very odd indeed.

What sort of letters were they?

It was a letter from the TSB saying

I'd opened a new account with them,

and I had negotiated an overdraft for £1,000.

Neither Alan nor his partner Linda banks with TSB,

and they knew for sure they hadn't opened a new account there.

Putting two and two together,

they deduced that Alan's identity had most likely been stolen,

and the crooks behind it had applied to borrow money in his name.

But of course, they couldn't activate the account

or spend the overdraft without the cards, paperwork and PIN number

that would all be sent through the post.

So they'd added their own postbox

to make sure they could get their hands on what they needed.

At that moment, we realised that the letterbox had been put up

to intercept the mail.

In that letterbox, we had a confirmation letter

and the online PIN number for internet banking,

and we imagine that the person that Bethan encountered on the doorstep

was probably in the process of retrieving the mail at that moment,

-so she spooked him.

-How did you feel when you realised

you'd come very close to being scammed?

Well, I was quite relieved, in a way, that we'd stopped it happening.

They obviously knew the delivery times for the postman on that day.

It was a little window of an hour where they stick it up,

and the postman was still in the street as they are retrieving it.

They're following him round, almost, retrieving the mail.

But Linda and Alan weren't the only people that the scammers

had in their sights, because guess what?

Another box appeared round the corner just a couple of days later.

Retired university professor Harold Somers lives one street away

from Alan and Linda, and he too had initially been confused to find one

of the strange and scruffily-numbered letterboxes

outside his house.

It was Saturday afternoon, and I was on my way out

to an important show that we were doing that evening with my band,

and as I went out the door, I noticed, stuck to the wall,

was this metal postbox that I'd never seen before,

and it had a crudely-painted house number on it,

so my first instinct was that perhaps it had been put there

by mistake, and the delivery people had installed it in the wrong house.

Hoping to find out who the box really belonged to,

Harold took to his local community's Facebook page, where he learned

the same thing had happened to Alan and Linda.

I was a bit worried that taking it down might damage the wall,

because I had assumed it was screwed onto the wall,

and I couldn't get inside it to unscrew it.

And they said, "Oh, just pull it off,

"get it off under any way possible."

And how do you feel about it now?

I'm mystified that...

anyone would think they could attach a postbox

to someone's house, and get away with it without anyone noticing,

except that, I suppose, and this is the scary bit,

what I suppose is that they were hanging around in the area,

waiting for the post to be delivered,

and were then going to remove the box, almost as quickly as they'd

attached it, with the stolen mail inside it.

And it seems that's exactly what happened,

because, after we filmed with him, it turned out that a fraudster

had opened up an account in Harold's name.

They'd gone on to successfully apply for a £1,000 overdraft,

which they'd spent.

And it was Harold who the bank contacted to pay up.

Luckily, it was accepted there'd been a fraud,

and he wasn't held responsible.

Tony Blake is a fraud prevention specialist who says that,

though the goings-on in Chorlton are relatively new,

they're certainly not isolated.

The fraudsters may target some particular area,

because they have customer information from somewhere.

They may target a particular area

because they feel it's more affluent than others.

The numbers that I'm aware of are very low for this type of crime,

but it's something we're definitely keeping an eye on.

There is a risk to doing it, but the rewards are potentially high.

You take out a loan for a few thousand pounds,

then the rewards are quite high,

so they see it that the risks are worth taking.

Back in Chorlton,

it seems the scammers have moved on to pastures new.

But if a strange new postbox appears outside your house,

watch out - it could mean someone's got their hands on your details too.

Now, you may remember in May this year, the NHS was the target

of a huge cyber-attack that saw its computers locked by a programme

demanding a ransom payment before they could be accessed again.

It was a story that completely dominated the news for days,

and yet the crime behind it

was one that we'd investigated on Rip-Off Britain before.

And that's because it isn't

something that just affects public services or industries,

although criminals do still use the same tactics against both.

It could be that your own computer suddenly is held to ransom.

And the online outlaws responsible will say that you won't be able to

open your precious files again until you come up with the cash.

Gillian Pucci from Manchester is in a race against time.

I just knew something was wrong.

In four days, she'll be permanently locked out of the files

on her own computer, thanks to cyber-criminals

who found a way to control access to what she stored there,

and are demanding a ransom to set it free.

But I know they're there...

..and that's what's heartbreaking.

It's a scam that could target you, as well - but even if she pays up,

Gillian can't be sure she will ever see her precious files again.

With any kidnapping, there's no guarantee

that, if you do pay the ransom, that you'd ever get them back.

Gillian uses her computer for everything,

from storing photos to running the accounts

for the family's restaurant.

She knows to avoid opening any suspicious e-mail,

until in June last year, one caught her out.

It was an e-mail addressed to me personally, and the heading said,

"We would appreciate prompt payment of the attached invoice."

Something inside me said, "Don't open it."

But then I was thinking,

"Well, have I ordered something, or has somebody cloned my card?

"Has something happened, and I'm being asked to pay for something

"that I haven't ordered?"

So I did, I opened it.

The attachment that Gillian clicked on was blank,

so she closed it again, and thought nothing of it.

But that one click would have disastrous consequences.

When I opened the computer the next morning, there was just writing,

information telling me that my computer had been infected

with this Cerber ransomware,

and that I would be unable to open any files or any documents.

That innocuous-looking e-mail she clicked on had contained

a software virus known as ransomware, which had encrypted

every single file, document and photograph on her computer,

converting them to a code that she simply couldn't unlock.

My heart sank. There's years and years of photographs of my children,

of my family, of my dogs.

Go! Yay!

It's devastating, it feels like you've been attacked.

I know they're only photographs,

but photographs contain memories, and they mean such a lot.

The cyber-criminals demanded that Gillian pay up

a ransom of about £600 within two weeks,

or she would lose everything.

She would need to pay using an internet currency called bitcoins,

and every week she delayed, the price would go up.

This, it's just a nightmare.

You lose something that you really love,

something that's really dear to you.

I say lose, it's not lost, it's there,

I just can't have it, can't open it.

And it's devastating.

But even with so much at stake, Gillian is refusing to pay.

I decided that I wasn't going to give in to these cyberterrorists,

these people bullying. They're not going to get my money.

Instead, she was determined to somehow find a way

to unlock the files before the ransom deadline.

I sat at my PC, day after day,

from the morning through to the night-time,

reading up, looking, uninstalling, installing,

for the past ten days.

It's just taken over my life.

But with the clock ticking, she came to us for help,

and we arranged for her to take her computer

to tech detective John Salt.

Well, the first thing, you've done the right thing not to pay,

because chances are, they won't repair your computer.

And the second thing is they tend to send a list out of people

who DO pay to other scammers, who will then send you scams.

-Right.

-So, you've done the right thing by bringing it in.

I think the first thing we need to do

is find out what type of ransomware it is that's on,

because there's quite a variety.

-That's great. Thank you.

-Yeah?

But I think, because time's of essence,

we'll put it straight on to the bench.

John's going to try and find a way to break the encryption

that's locked Gillian's files away.

Well, the first thing we need to do is we need to scan the system

to see where the encryption came from, how deeply it's encrypted.

And he soon discovers the cyber-criminals

have modified almost every file on the computer.

-They're little blank pages.

-Yes.

Now, that's because your computer doesn't know how to open them.

-Right.

-It doesn't know what programme they're going to use.

-Yeah.

-Whereas, if you look further up the list,

it knows it's a photograph...

-Yeah.

-..but, when you go into it,

-it then...

-"Windows can't open this file."

It can't open this file because it doesn't quite know how to open it.

Gillian is relieved that her computer is now in expert hands.

The question is, can John save her files

before the ransom runs out in four days' time?

I always thought that I was too clever and too savvy,

and I wouldn't open something like that, but that invoice,

that e-mail, got me.

I opened it, and...

..I unleashed the beast.

James Lyne is global head of security

for the internet security firm Sophos.

He says that while e-mails are one way the ransomware virus is spread,

criminals may also have hidden it in the background

of websites that we may not even begin to question.

So the other extremely common way

that cyber-criminals will infect people

is by putting malicious code into legitimate websites,

so that when you visit it,

it deploys it silently in the background.

So as soon as I browse to this web page here,

in the background the attacker starts loading the nasty code,

and a short while later, the browser will now crash.

Of course, you'd think nothing of it.

You'd just close it down, open it again, or go and make a cup of tea,

but in the background, we're now starting to see files encrypted.

And there's links to a series of payment pages

where you can hand over money to get the information back.

So, very quick and easy, just by browsing to a normal web page,

I'm now in a position where all of my information is inaccessible to me

throughout the computer.

Web browsers are regularly updated

to make sure they can stand up to dangerous viruses.

But it's also worth backing up your files to a drive

that's not permanently connected to your computer,

so it can't be infected with the same type of malware.

But really it's a question of when you'll run into ransomware, not if.

Assume you're going to get infected,

have a backup plan so that you can restore your data

back to where you were, and not have to pay the cyber-criminals money.

Back in Oldham, Gillian hadn't done that,

and now, 13 days since her computer was infected,

she has just 24 hours before the deadline

given to her by the ransomware cyber-criminals.

Today's the day we find out

if John's managed to retrieve anything off my computer for me.

I'm not holding out too much hope.

So it's crunch time for Gillian and her precious computer.

-Hello, Gillian. Nice to see you again.

-Hi, John.

-Well,

the important thing is I've been able to retrieve a lot of the data

-that you, that was important to you.

-I'm so happy, so grateful.

-Great.

-Thank you so much.

No, it's a pleasure, that's what we do.

Good old John - he was able to beat the ransomware

before the deadline expired

by unlocking the files with specialist software.

And while some files were lost for good,

he was able to save the majority

of Gillian's most precious documents, and her memories.

I'm absolutely thrilled and so grateful to John

for all his hard work that I've got the photographs back.

It means such a lot to me.

I never thought we'd be able to do it -

I thought they were lost forever.

And she'll be doubly careful in how she protects her photographs

in the future.

I'm going to learn from this mistake.

The first thing I'm going to do is keep a backup of them,

and secondly, I'm not going to open any more suspicious e-mails,

and basically just learn a lesson from it.

If you've got a story you would like us to investigate,

get in touch with us via our Facebook page...

Our website...

Or e-mail...

Or if you want to send us a letter, then our address is...

Now, I have to say I was astonished by that story on contactless cards.

After all those years of being told that they're perfectly secure,

it was quite a shock to see how easily those details

could be used by somebody else.

Well, I don't use one at all, but my husband does,

and I was really reassured to see

that there is a very simple solution.

So while it's clear this isn't something

that any of us need to panic about,

it probably is worth paying a couple of quid

to keep your card in one of those protective holders.

But don't forget, you'll find plenty more information

on how to keep your identity safe on our website.

But for now, that's all we've got time for today.

It has been great having you with us,

and I hope we'll see you again very soon.

-Until then, from all of us, bye-bye.

-Bye-bye.

-Goodbye.