Scotland

Inside the toxic world of online fraudsters

Media playback is unsupported on your device
Media captionKaspersky Lab tries to identify criminal gangs online

We Britons spend £500m a week on the internet but just how safe is our money and what is being done to protect us from the global rise of cybercrime?

In my documentary, Gangsters.com, I investigate the toxic world of online gangsters.

As part of my hunt for those who buy and sell our data to make billions, my journey took me from the footsoldiers of fraud operating in the back streets of Britain, to the organised crime gangs in Moscow's gritty suburbs.

I wanted to understand how criminals are managing to get hold of our previous personal data and use it to make millions.

To do this, I needed to speak with those at the heart of this trade - one of the criminals who buys our stolen data from hackers and then uses it to defraud us.

I spoke to a series of contacts. People were reluctant to talk but, after much negotiation, I had a lead. One of the footsoldiers in this criminal trade agreed to meet me, if I didn't reveal his identity.

Former drug dealer 'Dave' told me he turned to online fraud for an easier, more lucrative life. His job was to buy victim's data - called profiles - from the hackers and then to defraud those victims.

Samantha Poling with 'Dave'
Image caption 'Dave' said he turned to online fraud for a more lucrative life and could earn up to £35,000 a week

He said: "I can earn more in a day than I could earn in a month selling drugs. On a good week you can be talking up to £35,000.

"From buying data, having somebody's date of birth, post code, and all that information, it's just so valuable. People don't realise. Half the country or even more wouldn't realise what people can do with this information."

Dave said that once he had bought the stolen data from the hackers, he would use it to take out loans or store cards in his victim's names, buy cars or high-end luxury goods. There were many like him, he told me, he was simply at the bottom of a massive organised criminal network.

"It's like an army, " he said. "You've got your generals, you've got your majors, and you've got your soldiers.

"There are days when you are sitting looking at the money you have earned and you're thinking, 'I can't believe I have got this'."

Media playback is unsupported on your device
Media captionGavin Holt and Duncan Atkin discuss online security risks as well as their own career prospects

The most he has earned in one day, he told me, is £20,000. Despite efforts by banks and big business to protect customer data, Dave says there are as many stolen profiles available to buy on the black market as there ever was.

"There are sites dedicated just to that," he said.

"I could go and see my friend today and I could literally buy 10 profiles off him. Money is definitely not safe online.

"Me personally, I don't even have any money in any banks. If I went out and earned say £25,000 today, I would never go to a bank and put my money in the bank."

"Because of people like you?" I asked.

"Of course", he said. "Because of people like me."

'Fresh victims'

I realised through my conversations with Dave that people like him could only operate if there was a much more structured and organised criminal network behind them.

I had heard of a man called Tony Sales. He started out as a traditional fraudster, cloning credit cards and taking out store cards in other people's names.

But the rise of the internet was a game-changer. Internet forums began selling people's stolen data and that was when Tony realised the real cash was in people's personal information.

He told me: "Data is an amazing thing and it's taken us until now for people to start talking about data. Does anyone really realise what data is and what criminals do with it?

Media playback is unsupported on your device
Media captionTony Sales advises businesses on how to protect themselves

"It's the new currency. You can steal someone's house from them. You can steal it from underneath them and there's nothing they can do about it."

Tony said the information he was able to buy from the hackers would often come "graded", with more money being paid for stolen data of "fresh victims".

"If you have a grade one for instance, the likelihood is that the information has not been sold to anyone else and you would pay more for that information. It's a fresh victim. Whereas if you get a grade three, the likelihood is that it has been sold to 10 or 15 people. Which means the person has been stung," he said.

Tony was eventually caught and jailed, but since leaving prison he has put his criminal know-how to positive use.

Many British businesses and big banks have been turning to him for advice on how protect themselves from other cybercriminals and fraudsters. He is often employed by them to test their defences and highlight their vulnerabilities.

Media playback is unsupported on your device
Media captionJames Lyne gives advice on how internet users can be safer online

He said: "I'm given a week to go into a big corporate company, a big retailer, big bank and at the end of that week I go into a board room with a CEO or the head of loss prevention, and we show them what we've found throughout our week's work.

"Now whether that may be a hacking scam, a cracking scam, a refund scam, a stealing scam, a new shoplifting scam, whatever it may be, we will show them.

"Normally by the end of the presentation, they're breathless and with their jaw dropped on the table, saying 'wow, we never saw that'."

Tony said that many companies he assesses take action if the effect on profit is significant. But if the weakness he points out is simply a data breach, then many companies call it "acceptable loss" and write it off.

He told me: "I have a thing with acceptable loss where I say, what loss is acceptable? I don't feel that if someone steals all my information, blacklists me, they ruin my life, and yet a bank or a retailer or an insurance company or whoever it may be can write that off as an acceptable loss. I don't think it's acceptable."

Some companies, Tony told me, fail to act even after he has pointed out weaknesses in their security.

'Infect everyone'

"I am stunned when they don't do anything, they shake my hands, say thanks and six months later nothing has changed, it's exactly the same as how it was," he said.

Tony finished the interview with a warning. In today's fast-moving cyber world, he told me, it's not just our computers we need to worry about protecting from malware attacks and infiltrations by cybercriminals.

"Your life is in your phone so I can now take over your life," he said.

"I can see your life, I can talk to people on Facebook as you, I can talk to people on LinkedIn as you, I can tweet as you, I can send tweets out with malware in them as you that will then infect everyone that you know.

"I can send videos out on Facebook with malware in them that will infect all your friends. People will share your videos and they will move on and on and on, and so by just getting one person's phone, you can actually destroy millions of lives just by malware."

BBC Scotland Investigates: Gangsters.com will be broadcast on Wednesday 11 June, at 22:35 on BBC One Scotland, and for a week afterwards on the BBC iPlayer.

More on this story

Around the BBC