Email or username:

Password:

Forgot your password?
Terence Eden

You receive a call on your phone.
The caller says they're from your bank and they're calling about a suspected fraud.

"Oh yeah," you think. Obvious scam, right?

The caller says "I'll send you an in-app notification to prove I'm calling from your bank."

Your phone buzzes. You tap the notification This is what you see.

Still think it is a scam?
1/3

In app popup. "Are you on the phone with Chase? We need to check it's you on the phone to us. Let us know it's you and enter your passcode on the next screen. @ Not you? Your details are safe. Just tap 'No, it's not me' and we'll end the call."
359 comments
SpaceLifeForm

@Edent

Of course it is a scam. They will not call you in the first place.

Peter

@Edent thats a pretty interesting scam pattern.
Spitballing, the banks need to send a message saying “there is suspected…. Please call the number on the back of your card to talk to a rep”
Pretty cost efficient secure solution, anyone able to poke a hole in it?

Bambarbian

@Edent this is wrong and bank must be responsible for any losses. they clearly failed to identify customer The app can say: if it’s you, call us again number+3 digits from app+3 digits from the call. Bank Identity is established by a well-known number, the additional digits demonstrate that the same person is using the app and talking on the phone. May still be problematic if the attacker managed to login to the app. Better idea: just verify ID through a video call in the app.

Planarian

@Edent I always assume scam. If I look up their number myself and call them, and get the same info, then I believe it.

Alexis Bushnell

@Edent makes me glad that I just don't answer phone calls.

fmobus

@Edent the scam would probably not work if the messaging on the phone app was better

"did you initate a call with us from number +1 555 123123 five minutes ago", for instance, would work much better

Wyre

@Edent@mastodon.social if someone calls me in any "official" capacity I automatically assume it's a scam.

Rick Mycroft
@Edent Obvious scam. I don't have any banking apps on my phone.
Frederic Barthelemy

@Edent @timbray Users have no way to verify an incoming call.

It should say “Did you call Chase? Chase will never call you except to tell you to call us back.”

DELETED

@Edent At this point, I think all unsolicited/unexpected communications are fraudulent. The only reasons I even have a phone nowadays are because my day job requires MFA and because you could walk 10,000 miles in any direction and not find a pay phone.

Juice

@Edent @briankrebs Damn, that’s a slick one.
I never answer calls from unknown numbers personally. I’d rather go through the hassle of missing the call and then trying to get ahold of whoever called me. That being said, my banks are smaller and I usually just go into a building when I get a letter or bill that looks weird.

George Liquor :verified:

@Edent I wouldn't fall for this, but pretty much everyone I know would.

A rule for living in 2024: if someone calls you claiming to be from your bank, credit card company, or PayPal, tell them to make a note on your account so you can hang up and call the official number that appears on your card or official correspondence you have on file.

Programmer 832-529 🍅

@Edent
They're getting clever. Like the one where "the bank" rings you and asks about a transaction of $x for Y. You look and see that transaction in your account; only the bank can see this, right?

Except it was the scammers that did that transaction knowing it would fail, but they obviously know the amount and details.

Oggie

@Edent Well this is fucking horrifying.

Troy

@Edent definitely should be re-worded at best. Perhaps "Did you call us?" not are you talking to us? - how would that verify anything?

Wonder if they could do some kinda back and forth button pressing to check but latency might make that difficult. Interesting problem to solve for!

mypalmike

@Edent Years ago, someone claiming to be Sprint fraud protection called me on my new Sprint phone wanting to verify some things. They asked for the first 5 digits of my SSN. They said they would disconnect my phone if I didn't verify the info. Suspicious, I asked I could call them back via their publicly listed phone number to handle the verification, and they said no.

I told them I thought they were scammers. It was obvious. They failed every test.

My phone was then disconnected.

Nick Phillips

@Edent Terrible wording. They need to ask "did you just call us".

Nick Phillips

@Edent And have a "no, you called me" option as well as "not me".

Ed Hurtley

@Edent The scammiest such call I ever got, I asked for their name and extension.

Then I hung up and called the number on the back of my card.

It was legit.

Like for real, I've had legit calls that sound scammier than any scammer; so I assume they're ALL scams now.

I don't trust them unless I'm the one that initiated the call.

If the call comes in to me: I give zero information, I confirm zero information. I get enough information from THEM, then hang up and call in to confirm.

(And yes, I've had an absolutely convincing call that thankfully I was already on my "treat all as scams" or else I would have absolutely believed it and given them info.)

@Edent The scammiest such call I ever got, I asked for their name and extension.

Then I hung up and called the number on the back of my card.

It was legit.

Like for real, I've had legit calls that sound scammier than any scammer; so I assume they're ALL scams now.

I don't trust them unless I'm the one that initiated the call.

Woodswalked

@Edent
That would be the point that I knew it was a scam.
Before that, I might think they are legit and would be telling me to call their 800 number.

Dr Colin Jacobs

@Edent The bank could probably know what I sound like. They record all the calls. It would be feasible for a computer to check whether the current call and the archived snippet were the same person. I wonder if that would help.

Kasey Strube

@Edent The only safe thing to do is to always hang up on an unsolicited call and then call back on the bank’s publicly posted number. Problem is that the scammers will likely call back or call your spouse or family member and hound you trying to keep the scam going in the meantime

Stephen Gentle

@Edent If scammers can successfully make that work, then the bank should be 100% liable for reimbursing the customer for anything the scammers take. This isn’t like these scams where they convince the customer themselves to make transfers to other people, this is the bank’s security practices not being sufficient so the bank allowing scammers to take money!

Terence Eden

@LetsRoc
How would a video call prove anything to you?
You don't know what the bank's staff look like. They don't have photos of you.

Earthlingz ✌️🍉#سلام #HetBoñhe

@Edent I know their uniforms & typical environment. They have a copy of my passport.

Terence Eden

@LetsRoc
Like, you don't think a scammer can but a corporate T-shirt on eBay?
I did for a fancy dress party. Ex employees often sell their uniforms.

Earthlingz ✌️🍉#سلام #HetBoñhe

@Edent yeah, I'd like to an imposter inside a branch dressed as them making calls.

FirefighterGeek :masto:

@Edent

At this point I wouldn't even trust their app. It looks legit, but...

The safest response is to ask for a reference code you can use when you call in using the number on the back of the card. Do not accept an alternate number.

Then make your own call to them.

carbon offsets are BS ☕️🥬

@Edent

the answer to the question in the push alert is “I’m not sure, I haven’t been able to verify this yet.”

If the alert is meant to inform and verify to me that I’m on the phone with Chase, it wouldn’t me asking me a question and wouldn’t need my input.

That said, I understand how this would fool people.

Stephen

@Edent Anyone saying they’d immediately identify this as a scam is delusional or a perfect mark in the future...

Terence Eden

@CliffClavin
Yup. So many people think they have perfect OpSec.

Briala

@Edent This is similar to how Paypal scammers are abusing how Paypal's lost password mechanism works (it sends a code a little like this).

KnittingMittens

@Edent I would always hang up and call the bank/credit card company number on my card. The real bank has no problem with that, but scammers would be upset.

Jim Vernon

@Edent Another reason to ignore calls from people who aren't in my contact list.

Jim Vernon

@Edent I think the only businesses in my contacts are medical providers and some restaurants, so I'd be fine there too.

QuarterSwede

@Edent I had the security company of my business call me and I refused to talk to them. Called them back, it was legit but it may not have been. Never trust anyone calling you about personal business. Always call them back using a known number.

QuarterSwede

@Edent The other piece is my bank has never and will never call as apart of their security (they say this a lot). They communicate in other ways and ask for the customer to call them.

Alfredo Octavio

@Edent I'd tell them I'd call back. But my ex bank did this to me for real...

Neal Onions

@Edent what surprises me is so many people here who know what they are talking about rely on calling their bank. But if I’m getting the zeitgeist all these calls are set soon to be answered by LLM’s. People on the banks end of customer calls will not be a thing. How will that change the playbook?

DELETED

@Edent Bank needs to establish that You arent a scammer who could hypothetically be carrying out the man in the middle attack against the trust between Your bank and You, using your stolen phone, or your phone number which leaked out somewhere.

Pepijn Schmitz

@Edent I wouldn't fall for it, since it's asking for a passcode, which the bank would not do to confirm that it's *them* calling *me*.

But I can see that this would be extremely convincing. The bank could definitely word it better. Just a simple "did you call us?" would be an improvement.

Rob

@Edent Whenever my bank calls me, I hang up and call them back myself at their normal customer service number.

Inbound calls from a bank? Never. Not on my watch.

Androcat

@Edent Man-in-the-middle, I would wager.

I.e. the con is calling you up, then initializing a password restore interaction with your bank, timed so that you accept the verification, giving him access.

I only ever accept that sort of verification on calls that I have initialized myself.

Григорий Клюшников

You receive a call on your phone. The caller says they're from your bank. You hang up and call back to the bank yourself. End of story. If the caller objects to you doing that, that by itself is an enormous red flag. You never, EVER take incoming calls from "your bank" seriously.

I myself have an additional rule that I always reject calls from unknown numbers, unless I expect one (delivery, taxi, etc).

Go Up