@Edent did they send that via text or in the actual chase app? If it's via text it's still a pretty sophisticated scam!

@Edent People still answer..."phone calls"?

@Edent Your bank wouldn't do this.

@Edent
I recently had friends get this kind of call. They are educated and very smart people and fell for it, it was so convincing. Then something made them reconsider and they spent the rest of the night into the next morning making phone calls to their bank officers and succeeded in not being robbed. The new phone scams are very polished.

@Edent I would assume it was a scam. That is partly because I deliberately don't give my bank my phone number (so that I can spot scams) but also because both notifications seem to be initiated by the caller. When my bank has emailed about suspected fraud I've not rung the numbers in the email either but rung the bank on a number I know separately and then told them off for doing what they say they won't do.

@Edent I had to look up what Chase is. As sophisticatingly horrifying as this is, I guess those of us who aren't with Chase are not vulnerable to this?

Yes, that was a legit question

@Edent i tell the scammer I think it is a scam and I hang up and call directly to my bank. I don't fall for bullcrap. I don't trust any notifications on my phone. I am the biggest skeptic now.

@Edent I never trust anybody calling me.

@Edent Chase should reword this notification to say "Did you just call Chase bank, or did someone claiming to be calling from Chase contact you?" and then change the buttons to read "I called Chase" or "Someone called me"

@Edent
Nothing in that image to prove it's actually your bank app .

@Edent Doesn't matter. I'll end the communication and contact them separately through a number I already have for them.

@Edent Yea, I definitely think it's a scam.

@Edent Very scary it can come from the actual app. But I don’t use a password to open my app. I use biometrics. So I think I would find that wording suspicious if it’s how it was presented to me

@Edent

i'd do what i've done for years with bank fraud calls. i'd delete/ignore any notifications, hang up from any phone call, then call the known good number i have for my bank and ask for the fraud department.

this kind of crap is why i also don't use a phone app for banking...

@Edent Could be scam, no?

Method:
1. Scammer calls you and Chase at same time
2. Chase is unsure of scammers identity, so sends them in-app 2FA dialog
3. You hit yes, and Chase thinks scammer is you

@Edent@mastodon.social Yes, I still think it is a scam. A live person is not going to call you about your account. If something was flagged, you'd get a text without any clickable link or asking you to verify anything. If your bank or creditor is dumb enough to require you to do any of those, you should not be using them in the 1st place, and it is time to switch banks or creditors. -- The only time you may get something like this is if YOU called them and not them calling you.

@Edent
I'm suspicious of any contact I didn't initiate. I'll call my bank directly and go through the phone tree.

The only way to verify that the caller is who they say they are is to go to the official website, find their number on there, verify they can be reached at that number, and then call them back at that number.

@Edent Pretty slick... pretty good. I'd be taken in for a minute.

But, while my goto financial security measure is simply 2 be broke, my next best defense to any call regarding my ID, money or account that involves either is "tell me what extension or sequence of menu options to call you back at your 1-800#. u know the one on the back of my card".

now, when the call scammers can replicate my bank's labrynth of automated call menus at a perfectly spoofed 1-800 # then Im in trouble.

@Edent That happened to me once and I immediately hung up when the person asked for an OTP. A minute later my card was locked and when I called the bank directly the same person picked up the phone.

I told them they were stupid.

@Edent Luckily, my bank has such a long phone queue that it would be extremely difficult to synschronize this 😄

@Edent@mastodon.social Probably.

@Edent The number of people in this thread insisting they wouldn't fall for this fake screen even though it's *real* suggests that yes, most people would and will fall for it.

@Edent This is an easy cut-off. I never do banking over the phone for calls I don't initiate and I rarely (a handful of times/year) even do those.

@Edent This is why TOTP should be the only acceptable form of second factor for MFA.

@Edent Oh DAMN that's a clever tactic. How do you protect yourself from that?!

@Edent Yes. It's always a scam

@Edent Wow. Thank you for this. I like to consider myself relatively aware and I had no idea this was a thing. Thanks!

@Edent I'd call the number on my bank card from a different phone. And stay with them.
In the *unlikely* case that both calls are genuine, I can "sneakernet" case numbers between calls.

@Edent you're making a leap by assuming i answer phone calls

@Edent That is so clever, but so obvious when the scam is laid out in front of you. Ingenious.

@Edent The notification would freak me the living fuck out I'd hang up, immediately transfer everything in that account to one of my other accounts and then ask the bank questions later.

That's provided I actually answered my phone in the first place.

@Edent Always, always, always confirm out of band, via a number or other means of contact that you find independently, and initiate the contact.

@Edent would have hung up long before that. Have a strict call bank myself only and from a different phone.

@Edent to me it would be an obvious scam bc I don't have banking apps on my phone.

@Edent I once transferred a large amount of money from my phone. Immediately I got call from a unknown number. Due to my past experience with unknown numbers, I decided to hang it up.
Later becoming curious, I checked the number on TrueCaller and found that it was from my bank.
May be they called to confirm that it was actually me who transferred the amount or something bad happened?
I immediately checked all the transactions and found nothing suspicious.

@Edent I try to teach my family to reply "let me call you back" and then calling the actual bank's number. Same with emails or texts: never click through links.

That said, I might still get scammed in the heat of the moment.

@Edent If I get a call, and I'm at my computer, I'll log into my account to see what's going on right at that moment.

@Edent

1. Who actually takes phone calls from numbers we don't know? Mine go to VM.

2. Banking apps? Not a good idea. Phones are too ripe an attack surface and banks too poor at IT.

@Edent @BobDevney Scam. You have no idea who they are, whatever fancy pants “authentication” they offer. Remember that all our private info has been sold and/or stolen too many times to count.

If you really think it’s legit, hang up anyway and call your bank directly at their actual phone number.

@Edent

In every case, I will call the number on the back of my related bank card or visit my bank's site by typing in the name directly on my search bar.

@Edent For me it is because I don't bank with Chase.

@Edent My bank called me once. Caller id: "private". Said they were my bank, started to ask me identifying questions.

I said no. He said "what?" Couldn't understand why I wasn't going to answer. I explained that I didn't *know* it was the bank, and could be giving out my info to a stranger to steal my identity.

I said I would hang up, call my bank myself, and then they could tell me what they needed to. He was still confused.

In the end, you know what it was? A sales call. I raised hell.

@Edent Lol. They have my number already. That proves nothing other than the chance that they’re especially crafty scammers. If it is your bank - they’ll send you a postal letter on letterhead with a name and number to call or an in-app message that you’ll see upon login. @lisamelton

@Edent I got this one right, but of course it's easy to be an "armchair warrior".

My thinking was that: sure, this might actually be a legit notification from the legit bank's legit app and legitimately about what it purports to be, but *how do I know it's about the call I AM ON?*

Nothing in the message ties the notification to the call *you're on*, so I can't be sure, so it's a reject.

@Edent This two-factor authentication is useless when both factors go to the same phone. One of my banks does this, and I can't figure out why they think it is secure.

@Edent I'm sitting here in 2024 wondering why we still don't have authenticated caller id.

@Edent My bank or any other entity I do business with (cable, doctor etc), I hang up and call them using a number in my phone.

@Edent YES! As at least in Germany a bank would never ever call you and ask for a password, PIN, TAN, whatever on the phone. They even have that on their own website as an advice that such behaviour is always scam and never a clerk of theirs.
If a bank wants to talk business, they will invite you into their office, not discuss on the phone.

@Edent well this just cements my hatred of answering the phone ever. I'll just continue to send unknown numbers to voicemail.

@Edent This scenario is one more piece of support for my firm policy of never answering calls from unknown numbers.

@Edent joke's on them, I never answer my phone. Social anxiety FTW!

Increasingly I think the best advice to avoid scams is: ignore everything and hope it goes away.

Just pretend you didn't hear your phone ring. Pretend that email went to your spam folder. Assume that whatever it is will work itself out on its own. Surely they don't actually need to talk to me.

Fooling me into thinking they're my bank doesn't help them if I ignore my bank, too!

@Edent Yes.

@Edent
My bank just went out of business. So I'm protected from this scam.
🔑🔒

@Edent Just handled a bunch of credit card fraud on my account but my bank called me to tell me to contact the fraud management line indicated on my card. Harder to insert a man in the middle if I am initiating to a known good number I guess.

@Edent Yes. Anytime there’s any chance of a scam, (random phone call asking for money or account details), always hang up and contact the person of company yourself from a reliable phone number or website.

@Edent This is why whenever I get a call from my bank or credit card fraud dept, I thank them, hang up, and go find the number to call or login to the website. There's just no reasonable way to authenticate a random inbound call like this.

@Edent I'd say it's a scam. I would try to confirm with another method. Contact the bank online or from another phone if it's possible.

@Edent
That's quite clever. However, I think the rule is to never agree to anything incoming unless you have initiated it. I think I'd hang up and call my bank so that I'm initiating the check.

@Edent I would thank them for "letting me know", hang up and call the bank back. I would not use any number the caller gives me, but would find the number from the bank's web page or the app.

@Edent I refuse to put any financial app on my phone whatsoever.

@Edent My bank usually just emails me, after blocking purchases I've made until I can confirm that yes, I did add much higher funds to my Steam account than usual.

It's annoying, but efficient.

@Edent I don't utilize banking apps nor do I typically do online banking. When they go digital, scammers will be even worse. If I got a text from someone saying they're from the bank, I wouldn't respond, hold onto the text and go directly to the bank and talk with the people directly who know me personally, and work with them on attempting to catch the perpetrators.

@Edent best thing to do would be to hang up and call the bank yourself.

@Edent

Thanks. I’m already paranoid to the extent of making the sign of the cross when I see anything Google. I’d use a rosary & sprinkle Holy Water if I had any.

@Edent @offby1 it is so frustrating, seeing this q and immediately knowing what the scam is and how to fix it and never being anywhere near proximity to the actual decision makers who can prevent stuff like this. Like please point me at a bank executive and let me give them a security design and threat modeling training, for the love of god

@Edent they call me, they call bank, bank 2FAs me, I accept, they get in.

My bank has never called me, in all the years I've been with them. Not once. If they did, I would hang up.

@Edent definitely a scam

@Edent Chiming in to say I experienced this scam with Capital One, who uses in app notifications or text messages for verification. I only barely caught on to it in time to tell them I'd hang up and call them back.

Come to find out, Capital One does not cold call you for suspected fraud under any circumstances.

@Edent yes

@Edent@mastodon.social Definitely. My habit is to receive the fraud notice call, then hang up, and dial the number on the back of my bank card. If it's really fraud, they'll know about it and we continue. Otherwise, it was a scam and I dodged a bullet.

@Edent@mastodon.social Easy one: I'd judge by the dialect. My bank is located in a small western Norwegian town called Voss. Everyone who work there speak the Voss dialect. And people at Voss don't do frauds 😎

@Edent my bank call me and ask me security questions. No, bitch, you rang me, I should be asking you the security questions.

@Edent If you call Bank of America, they will verify you using a code sent by SMS that contains, “DO NOT share this Sign In code.”

I’ll confirm with the agent that they’re asking for the one that says under no circumstances am I to share with anyone, and they reply cheerfully, “yeah that’s the one.” 🤦‍♂️

#bank #security #SecurityFail #phishing

@Edent genuine question here…

in-app notifications can be ‘easily' spoofed? I hadn't considered it before. I guess they aren't so special but it *is surprising* to hear.

@Edent yes it's a scam. Person calling is trickling you into accepting a 2 step verification prompt.

@Edent I would never but I bet very many would fall for this.

@Edent Yes. My bank damn well KNOWS not to call me.

@Edent

I'm at the point where I assume everything is a scam. I got a call from someone claiming to be a postal cop. I told him to eff off, post office doesn't call people and hung up.

Later I learned that in fact he was telling the truth, but understood my skepticism. (It was related to the theft of a mail piece.)

But even still I think the right scam at the right time would fool me.

@Edent I once had a scam call from someone claiming they were from the FSA (UK financial regulator) saying they were processing a refund from.... somewhere or other. I started laughing, and asked if my mate Steve had set him up to this, then "go on then, do your script". I kept laughing, he started laughing, trying to get through his scam script.

I explained my wife worked for the regulator and that the FSA regulates companies, not customers.....

@Edent yes

@Edent
Yep. 😜 My banks only have my land-line. Ditto my cable/internet provider.

In theory, this device has a phone number, but I only have a data plan: it's just a pocket personal computer.

@Edent yes but only because I know that this should only be triggered if I call them. BUT. I can absolutely see and sympathize with someone dealing with this.

@Edent oof, that’s rough.

Reading the post, the first red flag was when they advised that because of fraud, they need to transfer their money to a different account. That’s a classic scam technique there.

But if you’re not aware of that, are maybe a bit tired/distracted/in a hurry AND get a legit notification from your bank app? That’s scary.

@Edent The banks seem to think they can "technology" their way out of social problems.

Social problems (e.g. social engineering), require social solutions.

Sorry shareholders, that means keeping bank branches open, for longer, so people can meet, in person.

@Edent and this is why I have taken what some may see as extreme lengths

If I am called about fraud, I hang up and call the 800 number my bank gave me that I know will get me to an automated system to verify transactions

This way, unless they're doing Sneakers (1992) style phone circuit interception, I'm safe

Whether this level of paranoia suits, I leave to the decision of each reader

@Edent
I hang up with them and call my bank login to website with a physical usb key and speak to the fraud dept and report what happened and verify authenticity period. :) If I know how things can be exploited I know criminals do as well.

@Edent I had my bank call me about suspected fraud and they had no way for me to confirm they were legit. I said I'd call them back and they didn't have an external number I could call. Their tone suggested nobody had ever checked. One of the biggest banks in Australia / NZ.

@Edent That's viciously effective. Makes me glad I don't use banking apps. (I use the website with 2fa.)

I did get a call from the power company who had all my details and was demanding an immediate payment. I checked on the website and nothing was due, so that was a scam. They are convincing. "Hang up and call back" is the only safe move.

@Edent That scam wouldn't work on me: no app. Why can't the bank send each party a GPG-signed and encrypted email with two codes. Each person reads one of them and the other verifies it. A third party shouldn't get the email and can't read it if they did get it.

@Edent you scammed me at Bank Cold Call

@Edent Always and without exception, hang up, and call the bank or whatever entity called and verify.

@Edent There's only two ways I'll accept a notification from a business. If I'm in the room with them, like at my wireless company, or if I'm on a website trying to make a purchase. No one in the middle. Most places won't call you. And if they do, take a message, go to their business or call them at a number you know os legit.

@Edent this day and age where you can tap into someone's phone, nah, I go straight to your bank and talk to someone in person

@Edent

SCAM - I don't install bank apps.