Bank scammers get smart(er)

Scammers still love the telephone. It’s the best way to scam people because you have got them there, in the palm of your hand, so to speak. Banks are slowly getting to grips with this and warning customers not to give personal details over the phone to anyone claiming they’re from a bank. Check the number, they warn, and ensure it’s one that is recognisably the bank’s.

Of course, scammers can get around that by changing the displayed number, but there’s another way too. Smart customers would usually google the number the call is coming from before accepting it. Such numbers might be listed on websites like Truecaller, which are basically vast databases of users’ phone numbers, a sort of global phone directory.

Some are dedicated to identifying fake or scammy phone numbers to warn others. (In fact, this is one of Truecaller’s main selling points.)

Scammers are taking the next obvious step: adding their fake numbers to these services so the alert user who uses them to check whether it’s really their bank calling them might be hoodwinked into thinking the phone number is legit.

This is nearly what happened to me today. The phone number on display showed up in three different databases as an HSBC credit card call center, and it took me about 30 minutes on the phone to the real bank to confirm that it was in fact fraudulent.

I’m not quite sure what banks should do about this. They have gotten better about warning customers not to hand out personal details over the phone, but there are still too many legitimate calls and emails that could have been faked, or contain links that direct to a site other than their main banking site (usually promotional tracker URLs).

I think banks probably need to add an extra layer of security by allowing users to demand a key word be included on the bank’s part that is known only to the bank and the customer, so that the absence of such a key word should provide a warning to the customer to hang up. I also think that banks need to have better one stop shops to work with their customer — too many times I get a response of ‘oh this is about a credit card, that’s a different department.’

It inconveniences the customer but, more important, gives the impression that the customer should expect communications from different departments. If it’s one bank, it should be a single communicator. One point of failure, as it were, rather than several.

Of course, using phones when we could be using more secure channels is pretty absurd in 2018. But then banks look pretty anachronistic anyway, and so don’t get me started on that.

Update June 1 2018: I have since discovered that in fact the number was a legitimate bank number, despite staff there telling me it wasn’t. It kinda confirms my point about the need for a one stop shop in a bank. So I was crediting the scammers with being smarter than they are.

Nevertheless, something worked which I didn’t expect to: the bank caller was responding to a request I had made via secure email to contact me by phone, and I had asked that they use a specific word to confirm their identity. (I must confess I had forgotten about this, so I probably should have realised the call was about this.)

So that bit worked. And it might be a good idea in future to adopt this practice: if companies, especially banks, insist on calling you back, then you should leave them a specific code word they must use to authenticate themselves. They’ll ask you to authenticate yourself, but short of hanging up and calling back a number on their website or on the back of your credit card, there’s not much you can do.