Gregory's Server@Edent I think I’d be taken in by that. My thought was: why do they need to check they’re on the phone to me if *they* called *me*? But on balance I’d decided it was just poor wording or an ill thought through system (both of which I still think, in fact!) so I wouldn’t have challenged it.
|
20 comments
@simonwood @Edent one might assume even if they believed the bank was calling them, that they still need to confirm they got you and not someone else.  @flabberghaster @Edent I have had my actual bank call me, and then ask me (via security questions) to verify that I am actually me. I feel that was *training* customers to divulge information insecurely, as I had no way of knowing that they were who they were, and they wouldn’t have provided it if I’d gone along with their request. @simonwood @Edent yeah, same. I had told my bank I intended to travel internationally and then when I got there my card stopped working and they called me saying there was suspected fraud on my card. I knew it was legit because I called back on the number on my card, but I think it's bad practice to initiate calls.  @flabberghaster @simonwood @Edent Yes, always call back on a phone number that you know to be legit when your "bank" calls. @flabberghaster @simonwood @Edent Indeed. They should, probably, do it like the good banks send mails: plaintext notification, no link at all, just an info - there is an important message in your Internet banking inbox, go there and fetch it. So even the call may be initiated in a way - hello, this is your bank, we need to talk to you immediately because of "reason without details" (e.g. there was a suspicious transaction we want to xcheck with you), please contact our telebanking number to proceed.  @herrman_sk @flabberghaster @simonwood @Edent Since I never answer the phone, that's what my bank does. Simple message requires me to initiate the proceeding.  @simonwood @Edent @simonwood @Edent The bank do need to confirm that: they only know that they called your number, but they can't be sure that you picked up - maybe someone else has access to your phone, or it's been lost or stolen, or you changed your number and forgot to tell them. Unfortunately this only makes this attack more persuasive. Telling them you'll hang up and call back on the main number is a good option, and the bank employee should always be happy for you to do so. Buuut this is Chase... @CaptainJanegay @Edent Maybe someone else has access to your phone, so they’re going to send a push notification to your phone to verify it's really you? 🤔 @simonwood @Edent Well, it asks for your password as well, which would significantly increase their confidence - although ofc this notification is not actually used to verify your identity in that situation. But my point is that it's entirely believable that the bank would need *some* kind of verification when they call you, and a lot of people won't pick up on inconsistencies like this, especially when they've just been told someone has fraudulently taken £300 out of their account @CaptainJanegay @Edent Very true. Asking for verification is ok, but it amazes me they don’t work on customer expectations - what you will be asked for when the bank calls - and also customers’ fraud literacy - how we can and should verify them!  @CaptainJanegay @simonwood @Edent We get landline calls in the UK from “your bank’s security department”. Recent ones have spoofed the local area code.  @CaptainJanegay @simonwood @Edent It is being used to verify your identity though. The scammer has presented it to you as if it's verifying their identity to you, but it's actually verifying your identity to the bank. The notification could be improved with something like "if you have just called the bank, enter your passcode to continue. If instead someone claiming to be from the bank has called you, they are trying to defraud you and you should immediately hang up and call the bank." @CaptainJanegay @simonwood @Edent They could I guess also have an option to push out a notification to go with their outbound calls, "The bank is calling you. You seeing notification confirms that the caller really is from the bank. Please enter your passcode to confirm to the caller from the bank that you really are you." @dragonfrog @simonwood @Edent Yes, you're right - I mean that in the fake scenario the scammer is presenting you, where the bank has called you, the bank does not use this notification to verify you. They only use it if you call the bank. But there's really very little opportunity for most customers to figure that out. |
@simonwood I tend to be suspicious. The only time my bank ever called me was from the security dept and I refused to believe it was them and called back on the main number and asked to be transferred.
That’s not to say that I wouldn’t be taken in by a different fraud, of course
@Edent