Training to be a victim

A couple of weeks ago, I received two essentially-identical letters in the post.  They claim to be from Capita Registrars. There’s a Capita logo, and a footer referencing contact details for Capita Registrars. So far so good, but does that mean they’re from Capita?  A competent fraudster might very well impersonate them to get my identity details and a foot in the door of my finances (whatever they may be).

The letters run:

IMPORTANT: Protecting your shareholding against fraud

Dear [me]

We have recently received an instruction to change details on your holding.
The following details have been changed:

– The way you receive your payments

If you did not ask for any changes, please contact us immediately by telephoning 020 8639 3312 or +44 8639 3312 if you are outside the United Kingdom.

This letter is sent in the interest of shareholder security so you can let us know if we have made any changes you did not ask for.

Yours sincerely

[scrawl]

For and on behalf of
Shareholder Security Team

I haven’t instructed them to make any changes, but I do have two new shareholdings with instructions to pay dividends direct to my bank account. If it’s genuine it’s good they’re taking care of security, but I can’t verify it.

• There is no reference to what shareholding they might be talking about.
• I can’t verify that phone number. Google finds it not on Capita’s pages, but in a list of 0208 numbers that have had complaints against them, which doesn’t exactly inspire me to ring it[1].

This is almost as bad as Verified by Visa.  Not quite as bad: the fraudster still has a way to go from convincing me to ‘phone their number to getting their hands on my assets.  But it’s the same principle: as soon as I respond to a letter, I’m doing exactly what a fraudster needs me to do to fall victim.  And of course, when I ‘phone the fraudster’s number, they will naturally need to ask a bunch of sensitive questions to verify I am really me: sufficient to identify me, and if they’re good at blagging they might get a whole lot more.

To follow this up, I started with Google and Capita, through which I established to my own satisfaction that the Capita Registrars website was genuine.  Searching it for contact information I could safely use, I found the choice of a couple of email addresses, or ‘phone numbers.  Or could I check it all myself online?

I tried signing up for Capita’s online shareholder services: if I can verify my shareholdings and associated payment details, I can see for myself whether the letters really need following up!  I’ve tried that before, but this time I carried it through.  I am indeed similarly signed up with other registrars: ComputerShare’s online service which works to a satisfactory level, and Equiniti’s which is amazingly bad but might at least have been sufficient to follow up these letters.

Signing up for this online service, I first gathered together all my Capita-issued share certificates.  Ten of them (seven distinct holdings; eight distinct stock codes).  Following the signup procedure, I entered the details for one of them and created an account.  From there I was able to verify that that shareholding was in order, but I was completely unable to access any other holding.

After trying every bloomin’ path in the system, I logged out, and tried logging back in using another share certificate.  It rejected the username/password I’d just created!  Seems the system requires me to create a separate account for every holding.  Indeed, not merely create it once, but log in eight separate times – each a complex process – any time I get a shareholder security letter in future.

Well, bugger this: surely I must be missing something????  OK, try emailing.  That got me an automated reply promising attention within 48 hours.  The following day a human reply, offering to ‘phone me and follow up on points I’d raised.  Great, I’m getting somewhere!

I took up the offer and they duly ‘phoned.  We were quickly able to trace the matter of the two letters to my new shareholdings, thus resolving the original issue.  I also raised my concerns about their system: letters indistinguishable from phishing, scarce information with which to follow up, and is their online system really as useless as it seems?

Encouragingly, the lady I spoke to sounded good: she wasn’t some call-centre drone reading from a script, and she sounded receptive to my points about phishing and unverifiable information.  She told me they were proud never to have suffered fraud, but that begs the question of how you count responsibility for a phishing victim who subsequently suffers identity theft but not loss of the specific shares.  I stressed that if it hasn’t happened yet, it can only be a matter of time.

On the question of their online services she confirmed yes, amazingly, they really are that bad!

Let’s see if anything changes following my call ….

[1] By posting here I’m creating another google result for anyone seeking to verify that number.  If you found it at random through a search, you probably don’t know me.  Am I who I seem, or part of the fraudster’s operation?