About 5-6 months ago, Ayşe (not her real name) purchased home internet service from a large company called X. Shortly after her subscription started, her phone rang from an unknown number. The person on the other end of the line said that she was calling on behalf of Company X.
Ayşe had made a non-committal agreement with Company X. She was not very happy with the internet service either. The person on the phone said that Company X provided internet infrastructure service to Company Y, one of the largest telecommunications companies in Turkey, and that if she wished, she could start a subscription with Company Y and receive a committed, more affordable, and faster internet service.
Ayşe was called from a corporate number, and the person on the end of the line convinced her with his confident speech. She accepted, requested the cancellation of her contract with Company X, and became a subscriber of Company Y. Company Y came, brought the necessary equipment, and installed the internet in her home. Thus, her subscription began.
Ayşe, whose bills were on automatic payment instructions, was unaware that she had been paying money to both companies for months. She was still making payments to Company X, whose subscription she had terminated. She realized the situation too late, called Company X to find out the reason, and got the shock of her life: She had been deceived by Company Y using Company X’s name.
How Does?
One of the dealers of Company Y had somehow obtained Ayşe’s personal information and called her. He pretended to be calling from Company X, added various lies and managed to convince the young woman. Ayşe, who thought she was talking to Company X, thought her subscription had been cancelled, but she was wrong, she was paying two bills at the same time without realizing it.
So how did Y, one of Turkey’s most established and well-known companies, gain customers through such a method? If this wasn’t fraud, what was it? How did it know which company Ayşe was a customer of and what right did it have to speak as if it were an official of that company and make false statements?
This is a real event. Those who heard about this event gave a common reaction: The same or similar event had happened to them, or someone in their circle had fallen into this trap. So how is it that they can reach our phone numbers without any means, call us and lie so much? Isn’t our data safe? Are the companies we thought were the most reliable now also trying to find ways to trap us in illegal ways?
Dear Prof. Dr. Ali Murat Kırık, Head of the Visual Communication Design Department at Marmara University Faculty of Communication and Information Technologies Specialist We talked to…
– How do these companies access our personal information such as our numbers and subscriptions?
Personal data has a very serious importance in our age, we need to underline this. There are serious problems that arise as a result of personal data being shared or sold without permission. There are a few different possibilities for how they obtain customer information, the first of which is data sales. Some companies can generate income by selling customer information to third parties. This information may include which internet service the customer uses and their contact information, i.e. phone number and address. The second possibility is that an internet service provider’s database may have been hacked. In this case, attackers can access customer information and use it for fraudulent or malicious purposes. There may also be a different method called social engineering. Sometimes scammers can try to collect information to reach customers. In other words, they call you and say that you have a subscription. You can actually think of this as a phishing activity. They bait you and say, “You are a member here…” Maybe you are not. But they can scam those who do. This is what we come across. One of the issues that we frequently encounter is that some companies can share customer information with their business partners or dealership networks. In this case, a company can access your information and offer its own services by calling you. This poses a serious risk.
– Can we say that our personal data is under threat?
– Yes, we have to say that frankly.Because now personal information can fall into the hands of fraudsters. In addition, your contact and address information can be accessed. These are the visible part of the iceberg, there is also the invisible part. After all, when we perform subscription transactions, we provide all our identity information. It is not just our Turkish ID number, name and surname. There is a lot of information there. Sometimes we provide a photocopy of our ID. It is a serious threat and risk for these to be passed on to third parties. They can also perform different transactions on our behalf. Fraudulent activities can be carried out. They can charge us. Or they can subscribe us to different services. This situation is a serious threat for the future and for the user. One of the main factors underlying the increase in fraud cases in recent times is data breaches. Due to these data breaches, companies are not able to store data properly, which creates serious security risks. There are also claims that employees in some companies can obtain and leak this data. We need to emphasize both the existence of an external threat and the possibility of information being leaked from the inside.
– I can more or less understand why unknown companies resort to this method, but what do you think about the fact that Turkey’s largest and most corporate companies are now also collecting customers using the same method?
– Unknown companies resort to such methods for fraudulent purposes, but it is very worrying that a well-known, reputable company, especially one that has worked in the telecommunications sector for many years and has become a brand, is engaging in similar actions and is an issue that we absolutely must focus on in terms of data breaches. We should also not ignore the following, we should not always attribute this incident to well-known companies. Sometimes internal breaches can occur. Some individuals working in these companies can abuse their authority and sell customer information illegally. Sometimes this can be an individual abuse that is independent of the general policies of the company. Of course, this does not mean that we cannot just say, “Our employee did it” and move on. After all, it is the company itself that hires the employee and must ensure data security. We may also encounter weak security measures. The security measures of well-known and well-known companies may sometimes not be sufficient. Since such companies do not update the necessary security policies to protect customer data, fraudsters can use these gaps. Another common incident is that business partners and subcontractors can also be involved. Large companies usually work with business partners or subcontractors. This means that third parties can inevitably access customer information and take malicious actions. This may also be due to the fact that the company has not sufficiently inspected the data security practices of its business partners and subcontractors. In addition, some large companies may not be very careful about transparency and data privacy. They may share customer information without permission or not fully disclose their data collection policies to their customers. There is also the use of the company image. Fraudsters can use the names and logos of well-known companies to establish trust. Or the company pays a commission fee. For example, I am a large business, I give a franchise, and I tell this franchise, “When you sign this person up for my company, you get a 10 percent bonus…”
– We have been reporting similar news for years. Do you think the reason why these fraudulent activities have not ended is the inadequacy of sanctions?
– Of course. In fact, the existence of such news sadly shows that the current sanctions and legal regulations are inadequate. The fact that sanctions are not sufficiently deterrent makes it easier for companies and individuals to risk data breaches and fraud. The fact that penalties are not severe helps companies and individuals not to refrain from such actions. For example, with a fine, the business is closed. But what happens if the data is leaked? The fact that regulatory bodies and laws are not strict enough regarding data privacy also causes violations to occur much more frequently. Therefore, we need to emphasize that increasing inspections and tightening regulations are very important.
– How will we protect ourselves?
– I think awareness training is extremely important. It is extremely important to explain and convey this process at a younger age. It is extremely important for companies to protect this data much more strictly and create specific protocols with their employees. It is extremely important to eliminate gaps and deficiencies in contracts in order to protect the end user. It is always important that the end user, that is, the consumer, carries out these transactions face to face, by checking the details in the contract that he/she will sign, rather than approving such transactions over the phone. During such subscription transitions or cancellations, we should never assume that the event is over without confirmation.