On 6 November, Tesco Bank was forced to block some customers' credit card activity after "suspicious activity" on thousands of accounts was discovered by its fraud prevention systems – with outraged customers quickly taking to social media to complain about losing money.
The bank issued a statement in an attempt to soothe the mounting concerns. It claimed the blockages were a "precautionary measure" and told media the number of people impacted was "in the thousands, but less than 10,000". Less than 24 hours later, this number increased significantly.
The day after news of the incident broke, it was revealed by Tesco Bank chief executive Benny Higgins that roughly 40,000 accounts had suspicious transactions and that money was raided from 20,000 customer accounts. On 7 November, the bank froze all online activity.
Have I been hacked?
If you are a Tesco Bank current account holder, there are a number of steps you should take right now to ensure your money is safe. The first is to stay calm, log in to your account and monitor your transaction history for any suggestion of malicious activity – no matter how small. According to the bank's officials, all customers who have been impacted will be notified via call or text. So if you are affected by the fraudulent attacks, Tesco Bank is likely to also contact you directly.
Can I still use my Tesco Bank account?
Yes. In a statement posted online, Higgins said that current account customers will still be able to use their cards for cash withdrawals at ATMs and for chip and pin payments. Additionally, all existing bill payments and direct debits will continue as normal, he said. However, unfortunately for those who rely on online banking, the bank has not said when the ability to do online transactions will be restored.
Call Tesco and keep an eye on social media channels
Tesco Bank's immediate advice was to call a representative for more information or to voice complaints. This – as expected – resulted in a flood of calls that only angered customers more. If you want to talk to a real person, you should definitely call the service (though be prepared for a bit of a wait). However, it may be more effective to keep an eye on the bank's social media channels or the website's support page, both of which will be updated with the latest official statements.
Be aware of phishing scams
On the back of every major hack, cyberattack or fraud case will come the inevitable scammers. So, be extra suspicious of any email or phone calls claiming to represent Tesco Bank and never transfer your account details, passwords or personal information in response to an email – no matter how official it appears to be. Some of these email or phone attacks – known as 'phishing' – will appear legitimate, but banks should never demand this information from you over an insecure connection.
Change your passwords
Despite Tesco Bank failing to relay any information about how the incident took place, as a precautionary measure you should change your account credentials now. Ensure your new password is unique to the website, long and complex – with a strong mixture of letters, numbers and symbols. If you have used your previous Tesco Bank password on another service, it's probably best to change that too.
Is Tesco working on a fix?
The CEO of Tesco Bank has said that he is now working with the "authorities and regulators" to address the fraud cases. Furthermore, you can be well assured that any financial losses will be reimbursed by the bank. Higgins, in his statement, said: "We can reassure customers that any financial loss as a result of this activity will be resolved fully by Tesco Bank, and we are working to refund accounts that have been subject to fraud as soon as possible."
Was this a major cyberattack?
Tesco Bank has admitted that customers have had money stolen from their accounts but has sidestepped calling the incident a hack or cyberattack. It has issued no clarification as to how the customer accounts were infiltrated or how criminals bypassed the security measures in place. The bank has said the event was a result of "online criminal activity" but little more at the time of writing.
According to Action Fraud, the UK's major fraud watchdog, most banks will not approach their customers and ask for personal banking details directly. On its website, it says: "If you are concerned about the source of a call, ask the caller to give you a main switchboard number for you to be routed back to them."
The advice continues: "If you receive an unsolicited email or phone call from what appears to be your bank or building society asking for your security details, never reveal your full password, login details or account numbers. Check your statements carefully and report anything suspicious."
Have you been affected by the issues? Get in contact: firstname.lastname@example.org or via @Jason_A_Murdock