Terence Eden

The scammer is on the phone to you.
Their accomplice is on the phone to your bank, pretending to be you.
Your bank sends you the notification.
You accept, and scammers proceed to drain your account.

Someone has just lost £18,000 because of this.
reddit.com/r/UKPersonalFinance

2/3

Terence Eden

It *is* a genuine notification. But it isn't confirming the bank is calling you.

Should the bank word that differently?

In a rush, would you read it thoroughly?

Most likely, in a panic about the fraud, you'd confirm it was a genuine notification (it is!) and accept it.

3/3

Simon Wood

@Edent I think I’d be taken in by that. My thought was: why do they need to check they’re on the phone to me if *they* called *me*? But on balance I’d decided it was just poor wording or an ill thought through system (both of which I still think, in fact!) so I wouldn’t have challenged it.

Sbectol :twt:

@simonwood I tend to be suspicious. The only time my bank ever called me was from the security dept and I refused to believe it was them and called back on the main number and asked to be transferred.

That’s not to say that I wouldn’t be taken in by a different fraud, of course

@Edent

flabberghaster

@simonwood @Edent one might assume even if they believed the bank was calling them, that they still need to confirm they got you and not someone else.

Simon Wood

@flabberghaster @Edent I have had my actual bank call me, and then ask me (via security questions) to verify that I am actually me. I feel that was *training* customers to divulge information insecurely, as I had no way of knowing that they were who they were, and they wouldn’t have provided it if I’d gone along with their request.

flabberghaster

@simonwood @Edent yeah, same. I had told my bank I intended to travel internationally and then when I got there my card stopped working and they called me saying there was suspected fraud on my card. I knew it was legit because I called back on the number on my card, but I think it's bad practice to initiate calls.

GunChleoc

@flabberghaster @simonwood @Edent Yes, always call back on a phone number that you know to be legit when your "bank" calls.

Ľuboš Moščovič

@flabberghaster @simonwood @Edent

Indeed. They should probably do it the way the good banks send mail: a plaintext notification, no link at all, just the information that there is an important message in your Internet banking inbox, go there and fetch it.

So even the call may be initiated in a way like: hello, this is your bank, we need to talk to you immediately because of "reason without details" (e.g. there was a suspicious transaction we want to cross-check with you), please contact our telebanking number to proceed.

AlisonW ♿🏳️‍🌈

@simonwood @Edent
I regularly have a little dance with people who phone me asking me to prove who I am before they will continue. I try to get them to confirm something that only the true caller would know but sometimes just have to give up and end the call.

Captain Janegay 🫖

@simonwood @Edent The bank do need to confirm that: they only know that they called your number, but they can't be sure that you picked up - maybe someone else has access to your phone, or it's been lost or stolen, or you changed your number and forgot to tell them.

Unfortunately this only makes this attack more persuasive.

Telling them you'll hang up and call back on the main number is a good option, and the bank employee should always be happy for you to do so.

Buuut this is Chase...

Simon Wood

@CaptainJanegay @Edent Maybe someone else has access to your phone, so they’re going to send a push notification to your phone to verify it's really you? 🤔

Captain Janegay 🫖

@simonwood @Edent Well, it asks for your password as well, which would significantly increase their confidence - although ofc this notification is not actually used to verify your identity in that situation.

But my point is that it's entirely believable that the bank would need *some* kind of verification when they call you, and a lot of people won't pick up on inconsistencies like this, especially when they've just been told someone has fraudulently taken £300 out of their account

Simon Wood

@CaptainJanegay @Edent Very true.

Asking for verification is ok, but it amazes me they don’t work on customer expectations - what you will be asked for when the bank calls - and also customers’ fraud literacy - how we can and should verify them!

Sbectol :twt:

@Edent yikes. This could easily impact my elderly parents. They’re so scared of internet fraud that they only ever talk to the bank in the branch now

Philip Mallegol-Hansen

@Edent There’s probably lots of good reasons not to, but I wonder if they could change the notification to show which number they *think* you’re calling from. Presumably their system knows, it’s just a question of whether it could be hooked into the notification sending infra.

Chris Adams

@philip @Edent I would bet a lot of people would see a different number and just assume their IT department messed up, since there’s rarely a shortage of prior support for that. That goes double if the scammer successfully gets the person into a panic state first.

Philip Mallegol-Hansen

@acdha @Edent Fair, there’ll never be perfect technical solutions to these human problems, just trying to imagine what we might do better.

Could the banking app use the phone’s phone API to check whether the call is being made on that device, and then at least show something like “You are talking to us on THIS PHONE” vs “You are talking to us ON A DIFFERENT PHONE THAN THIS ONE”?

Again, not perfect, but maybe that would help some number fewer people get scammed.

Mister Moo 🐮

@philip @acdha @Edent They could add a box with details about the call. "We are talking to you on the number (XXX)XXX-XXXX. You placed the call to us at X:XX. If any of this is incorrect, please tap 'No, it's not me.'" In this case "No" should change to something like "I have concerns"

Mister Moo 🐮

@notsoloud @philip @acdha @Edent That's why I suggested including whether the call was in- or out-bound. The point is to give someone a clue so they can have an a-ha moment and go 'wait, something's wrong.'

lp0 on fire :unverified:

@MisterMoo, assuming that each X represents exactly one digit, I'd find that phone no. extremely suspicious as it's too short; and the only 3-digit area code which I can think of is 020.

Darren Moffat

@lp0_on_fire @MisterMoo that is a US format phone number which can never start with 1 or 0. 020 in the UK is a London number.

Mister Moo 🐮

@darrenmoffat @lp0_on_fire It was just an example. Presumably it can be modified for telephone numbers across the world.

Chris Adams

@philip @Edent yes - it’s a brutally hard problem because banks have to assume some customers will have lost phones/ID, be confused, etc. and the fraud industry is large enough to have decent IT, training, etc.

I think expecting the phone companies to do more is the future. I’d bet a lot of people would use an international/VoIP block and they could setup a system where you can’t reset passwords, transfer, change your address, etc. except by starting the call in their app.

Derick Rethans

@Edent How and what is faked there then?

Terence Eden

@derickr nothing is faked in app. It is a genuine notification from your bank.

Alex@rtnVFRmedia Suffolk UK

@Edent @derickr the level of knowledge of this incident suggests the target has already been stalked and their finances already monitored (it's way too much resources/effort to put into attempting to scam someone who is skint and only has a few quid in the bank. Really wouldn't put it past insiders in the bank/call centres being involved)

funbaker #AssangeIsNotGuilty

@Edent there used to be a time where they told customers at every possibility: our employees will never ask for your password etc.
I think they still do.
Wtf happened.

Terence Eden

@funbaker they haven't asked for your password.
You haven't given the person on the phone any details.

the cake is offline

@Edent That is when I ask for a case number, and then call the bank back on the number on the back of my credit card.

LonM

@Edent I feel like the notification would be better used for warning you about the purpose of the call. "are you on the phone with us right now RE your requested money transfer" would be more accurate.

Also, I'm not sure how it works with this bank, but with mine I need to approve transactions to new recipients with a physical card reader that asks for a ref no and the transfer amount. That would nix this scam.

Keith Ivey

@LonM @Edent In the US we can't even handle having a PIN for our credit cards. Can't let security get in the way of convenience.

Jennifer

@Edent I always wonder what would happen if these scammers used their skills for good

Chris Johnson

@Edent I think it’s just not possible for the average person (or maybe anyone) to evaluate these situations correctly. It’d be better for people to have a blanket rule *never* to trust any incoming call from a business under any circumstances. Hang up the phone, find the number of the business through some trusted channel, and call them back. Don’t try to suss out whether the call is legitimate.

It’s surprising to me that businesses that ought to know better are training people to do exactly the wrong thing. I got a text message from Citibank recently about suspected fraud, asking me to call a phone number they provided. I ignored that number and called the number I found in their app. After working my way through the phone tree, I eventually made my way to the fraud department, where they proceeded to ask me a bunch of questions about sensitive information. It turns out the text message was legitimate, and Citibank expected me to call them at a number that arrived at my phone unsolicited and hand over a bunch of sensitive information.

Citibank’s own fraud protection page warns you of this exact scenario: “Named for SMS (Short Message Service), the technology used for cell phone text messaging, SMiShing messages appear to be from a legitimate company and typically contain a link that takes you to a spoof website or asks you to call a phone number.”

mort

@Edent If I was lucky, I would've noticed that it's kinda strange that the person on the phone said they'd show a notification to prove it's them, while the notification is asking me to prove it's me.

But the person on the phone could just phrase it differently, something like "for security reasons, we have to verify that we have reached the right person, you will receive a notification to confirm" and then I'd have no chance at all, I *am* on the phone with "Chase" after all

lp0 on fire :unverified:

@mort, exactly: in this case, the notification needs to include text meaning “you called Chase”.

Maddad The Friendly Ghost 👻

@Edent

Hey, thanks for this. Too many have been scammed the last few years, especially seniors.

I just stay safe and will ignore these as I do online banking or in person banking.
The bank website also says at the top..'We will never call you unless you ask us to.'

Franz Graf

@Edent ahhh that's really nasty. Thanks for sharing

NatalyaD

@Edent

Well if it was my bank calling I'd be suing them for disability discrimination for phoning me (deaf). I've already tried the Financial Ombudsman on NatWest over deafness and phone issues.

I've told my mum that even if she thinks the bank caller to her is legit. Hang up. Wait 10 mins. Look up the bank's number on a statement she has and use a different phoneline to initiate her own call.

Thanks for sharing how this scam works. I hadn't thought of the dual prong approach. Evil scammers

Chris Martin

@Edent The premise is confusing, why would I receive a call on my phone

Dan McDonald

@Edent

Wow a man-in-the-middle attack with a real life person actually in the middle! 😮

Tristan Slominski

@Edent "If someone called you and you did not call the bank, hang up and report fraud" at the beginning would help.

Directionality is important in this protocol and needs to be of prime importance.
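To make concrete what the thread's suggestions change (LonM's "state the purpose of the call", Mister Moo's call details, Tristan's directionality), here is an added example that is not code from any post in the thread: it contrasts the generic "are you on the phone with us?" prompt and an unscoped approval with a prompt and approval bound to the call leg and the exact action. The key, data structures, phone number and amounts are constructed for illustration.

```python
import hmac
import hashlib
import json
from dataclasses import dataclass, asdict

# Constructed demo key; a real deployment would keep this in an HSM or KMS.
SECRET = b"constructed-demo-key-not-for-production"


@dataclass(frozen=True)
class CallContext:
    direction: str        # "inbound": customer rang the bank; "outbound": bank rang the customer
    customer_number: str  # number the bank's telephony saw on that call leg
    started_at: str       # local time the call leg started


@dataclass(frozen=True)
class Action:
    kind: str             # what the agent is about to do, e.g. "transfer"
    amount_gbp: int
    payee: str


def legacy_prompt(ctx: CallContext) -> str:
    """The weak wording from the thread: identical whatever the call's direction or purpose."""
    return "Are you on the phone with us right now?"


def bound_prompt(ctx: CallContext, action: Action) -> str:
    """Hardened wording: says who called whom, on which number, when, and the exact action."""
    who = "You called us" if ctx.direction == "inbound" else "We called you"
    return (f"{who} at {ctx.started_at} on {ctx.customer_number}. "
            f"Approve {action.kind} of £{action.amount_gbp:,} to {action.payee}? "
            "If you did not place this call, tap 'I have concerns'.")


def legacy_approval(customer_id: str) -> str:
    """Unscoped approval: proves only that the customer tapped Yes, so any later action can reuse it."""
    return hmac.new(SECRET, customer_id.encode(), hashlib.sha256).hexdigest()


def authorise_legacy(customer_id: str, action: Action, approval: str) -> bool:
    """Legacy back-office check: the action is never compared with what the customer approved."""
    return hmac.compare_digest(legacy_approval(customer_id), approval)


def bound_approval(ctx: CallContext, action: Action) -> str:
    """Scoped approval: MAC over the call context and the action, useless for any other action."""
    payload = json.dumps({"ctx": asdict(ctx), "action": asdict(action)}, sort_keys=True)
    return hmac.new(SECRET, payload.encode(), hashlib.sha256).hexdigest()


def authorise(ctx: CallContext, action: Action, approval: str) -> bool:
    """Hardened back-office check: the approval must match this call leg and this exact action."""
    return hmac.compare_digest(bound_approval(ctx, action), approval)


# Constructed scenario from the thread: the accomplice's leg is an inbound call to the bank,
# while the victim only ever received a call, so "You called us" is the cue that something is off.
ACCOMPLICE_LEG = CallContext("inbound", "+44 7700 900123", "14:02")
DRAIN = Action("transfer", 18000, "new payee")
```

The bound prompt is what a panicked customer reads, and the bound approval is what stops an agent from spending a generic "yes, it's me" on a transfer the customer never saw described.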

Pass the Dutchie

@Edent I got a call saying it was my bank. Almost got me. But I decided to call my bank and hung up. The bank said they will never call me. The same scammer called me several more times trying the same tactic.

Tilo

@Edent someone really really fucked up their „Security protocols 101“

MarkS

@Edent

Somewhere on that page it should say that the bank will never call you and ask you to accept this.

Nicolas SAPA

@Edent This is difficult because the caller ID is spoofable.

If it wasn't, the notification could have been: "We received a call from PSTN_NUMBER, is it you?"
Then "You should have been provided by the agent with the following number XXX. If not, please hang up"

Bindestrich

@Edent yeah definitely I'd fall for that if my bank had such a system.

Shannon Skinner (she/her)

@Edent
The remedy is to hang up and call the bank directly, right?

Jay

@shansterable @Edent Which is why if you say that, the real bank will go “sure, give us a call” and the scammer will try to stop you.

Either way, you hang up.

Lex

@Edent I love this scam. The banks need to repeat the standard advice of never passing information to a caller about your account, ever. Their security advice is you must call back on their standard number.

It's definitely the bank's failure to not make this explicit on the app notification. I hope they are rushing to fix it :blobsweats:

"We will never call you and ask for information"

Ciggy Bringer of Smoke

@Edent

For a moment, can we just appreciate this archaic and literal 'man in the middle' attack is viable today? An oldie but baddie? No?

Well I think it's neato, even if absolutely fucked.

Okay, I'll go.

DELETED

@Edent thinking about this and wondering "how could one prevent this?" and originally a thought I had was "play a sound over the phone that has to be interpreted, like a piano / animal / etc." but it could be even easier thanks to the sole system behind calls. Add an additional prompt asking if you got called or are calling, I couldn't think of a way to task you in calling a scammer number like that and I can't see the bank accidentally calling a scammer pretending to be you with this.

Greengordon

@Edent

I wonder how long it would take for banks to put in security measures to prevent this if they had to pay for the losses, instead of passing them on to their customers?

"The scammer is on the phone to you.
Their accomplice is on the phone to your bank, pretending to be you.
Your bank sends you the notification.
You accept, and scammers proceed to drain your account.

"Someone has just lost £18,000 because of this."

BrianKrebs

@Edent This is a great scam, and probably effective a good percentage of the time.

It reminds me of a story I wrote about a tech expert who got scammed b/c he refused to hang up when the scammers called. Instead, he put the scammers on hold and called his bank and asked them if they were in a support call with him already, and they checked and said yes. Feeling better, he went back to the original caller and proceeded to give them what they needed to take over the account.

What he didn't count on was that the scammers were also on the phone with his bank at the same time --- pretending to be him! So the bank was answering truthfully, from their perspective.

This wrinkle just seems to add some app magic into it, which is brilliant.

krebsonsecurity.com/2020/04/wh

Gary McMeekin

@Edent The timing is amazing. The fraudsters are good at what they do. The whole reddit thread is worth a read.

Mre. Dartigen [maker mode]

@Edent Some of the issue seems to be the app allowing login and active use from two different devices simultaneously.

(Though a determined attacker might find a way around that... But a lot of people aren't going to be worth that level of effort, especially when this already seems to be an extra level of effort above what the usual banking scams use.)

Geraint

@Edent Ouch! Rule #1 with banks: if they phone you, decline to engage or prove who you are and tell them to send you a letter.

PhDog 🇮🇪

@Edent
A two-men-in-the-middle attack. Old-skool but clever.

Scribe

@Edent I work at a call center and one of my coworkers recently had a similar exchange with a scammer like this targeting someone in the US. They were speaking with someone who was giving noticeably delayed responses to questions, and got suspicious since there was a history of this customer being a victim of fraud.

Turns out it was this exact scenario - one scammer in a pair on the phone with the customer, the other on the phone with us. My coworker thought something was up, so he put the caller on hold and did an outbound call of his own on his second line to the phone number we have on file. Sure enough, someone else - the customer's son - answers the phone, and confirms that the customer is on the phone with someone claiming to be us.
