Bank scammers get smart(er)

Scammers still love the telephone. It’s the best way to scam people because you have got them there, in the palm of your hand, so to speak. Banks are slowly getting to grips with this and warning customers not to give personal details over the phone to anyone claiming they’re from a bank. Check the number, they warn, and ensure it’s one that is recognisably the bank’s.

Of course, scammers can get around that by changing the displayed number, but there’s another way too. Smart customers would usually google the number the call is coming from before accepting it. These might be listed on websites like Truecaller, which are basically vast databases of users’ phone numbers, a sort of global phone directory.

Some are dedicated to identifying fake or scammy phone numbers to warn others. (In fact, this is one of Truecaller’s main selling points.)

Scammers are taking the next obvious step: adding their fake numbers to these services so the alert user who uses them to check whether it’s really their bank calling them might be hoodwinked into thinking the phone number is legit.

This is nearly what happened to me today. The phone number on display showed up in three different databases as an HSBC credit card call center, and it took me about 30 minutes on the phone to the real bank to confirm that it was in fact fraudulent.

I’m not quite sure what banks should do about this. They have gotten better about warning customers not to hand out personal details over the phone, but there are still too many legitimate calls and emails that could have been faked, or contain links that direct to a site other than their main banking site (usually promotional tracker URLs.)

I think banks probably need to add an extra layer of security by allowing users to demand a key word be included on the bank’s part that is known only to the bank and the customer, so that the absence of such a key word should provide a warning to the customer to hang up. I also think that banks need to have better one stop shops to work with their customer — too many times I get a response of ‘oh this is about a credit card, that’s a different department.’

It inconveniences the customer but, more importantly, gives the impression that the customer should expect communications from different departments. If it’s one bank, it should be a single communicator. One point of failure, as it were, rather than several.

Of course, using phones when we could be using more secure channels is pretty absurd in 2018. But then banks look pretty anachronistic anyway, and so don’t get me started on that.

Update June 1 2018: I have since discovered that in fact the number was a legitimate bank number, despite staff there telling me it wasn’t. It kinda confirms my point about the need for a one stop shop in a bank. So I was crediting the scammers with being smarter than they are.

Nevertheless, something worked which I didn’t expect to: the bank caller was responding to a request I had made via secure email to contact me by phone, and I had asked that they use a specific word to confirm their identity. (I must confess I had forgotten about this, so I probably should have realised the call was about this.)

So that bit worked. And it might be a good idea in future to adopt this practice: if companies, especially banks, insist on calling you back, then you should leave them a specific code word they must use to authenticate themselves. They’ll ask you to authenticate yourself, but short of hanging up and calling back a number on their website or on the back of your credit card, there’s not much you can do.

I’m An Airline, Fly Me

This is an email from a bona fide airline:

Dear Sir/Madam,

Please be informed that your transaction with [international carrier] has been confirmed. Due to fraud prevention procedure against Credit Card transaction, we would like to validate your recent transaction with [international carrier] by filling information below :

Passenger(s) name :
Route :
Date of Travel :
Cardholder name :
Address :

Also, we need to confirm and validate your name and last four digit of your card number. Please kindly provide scanned/image of your front side credit card that used to buy the ticket. You may cover the rest information on the card. Please reply in 8 hours after received this email or we will cancel the reservation.

Thank you for your cooperation.

Best Regards,
Verification Data Management

Ripe for Disruption: Bank Authentication

One thing that still drives me crazy, and doesn’t seem to have changed with banks, is the way they handle fraud detection with the customer. Their sophisticated algorithms detect fraudulent activity, they flag it, suspend the card, and give you a call, leaving a message identifying themselves as your bank and asking you to call back a number — which is not on the back of the credit card you have.

So, if you’re like me, you call back the number given in the voice message and have this conversation:

Hello, this is Bank A’s fraud detection team, how can I help you today?
Hi, quoting reference 12345.
Thank you, I need some verification details first. Do you have your credit card details to hand?
I do, but this number I was asked to call was not on the back of my card, so I need some evidence from you that you are who you say you are first.
Unfortunately, I don’t have anything that would help there.

So then you have to call the number on the card, and then get passed from pillar to post until you reach the right person.

How is this still the case in 2016, and why have no thoughtful disruptive folk thought up an alternative? Could this be done on the blockchain (only half sarcastic here)? I’d love to see banks, or anyone, doing this better.

A simple one would be for them to have a safe word for each client, I should think, which confirms to me that they are who they say they are. It seems silly that they can’t give some information — it doesn’t even have to be private information — that would show who they are, but only a customer would know.
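The safe word idea proposed here, and the callback code word described in the bank scammers post above, as an added worked example that is not code from the post or any bank: the customer registers the word through an already-authenticated channel, the bank's agent script can only fetch it for a live request belonging to the customer being called, and the word is single-use and expires. The one-time and expiry refinements, and all names and the in-memory store, are assumptions of this example.

```python
import hmac
import secrets
import time

# Toy in-memory store of outstanding callback requests (assumed here):
# reference -> {customer, word, expires, used}. In a real bank this would be
# a database row creatable only via an authenticated channel (app, secure
# message centre), never over an inbound phone call.
CALLBACKS = {}

def request_callback(customer_id, code_word, ttl_seconds=3 * 24 * 3600, now=None):
    """Customer asks to be phoned and sets the word the caller must say.
    Returns the reference the bank will quote when it calls."""
    now = time.time() if now is None else now
    ref = secrets.token_hex(4)
    CALLBACKS[ref] = {"customer": customer_id, "word": code_word.strip().lower(),
                      "expires": now + ttl_seconds, "used": False}
    return ref

def word_for_agent(ref, customer_id, now=None):
    """Bank side: the agent's script gets the word only for an unused,
    unexpired request that belongs to the customer being dialled, and the
    request is burned so the same word is never spoken on a second call."""
    now = time.time() if now is None else now
    rec = CALLBACKS.get(ref)
    if rec is None or rec["customer"] != customer_id:
        return None
    if rec["used"] or now > rec["expires"]:
        return None
    rec["used"] = True
    return rec["word"]

def customer_accepts_call(spoken, expected):
    """Customer side: accept the call only if the caller says the word the
    customer set (case-insensitive, constant-time comparison); otherwise
    hang up and ring the number on the back of the card."""
    if spoken is None or expected is None:
        return False
    return hmac.compare_digest(spoken.strip().lower().encode(),
                               expected.strip().lower().encode())

def demo():
    """Flow from the post: customer requests a call, the agent calls with the
    word, a second call reusing the same reference gets nothing to say."""
    ref = request_callback("cust-001", "Marmalade", now=1000.0)
    first = word_for_agent(ref, "cust-001", now=2000.0)   # "marmalade"
    second = word_for_agent(ref, "cust-001", now=2100.0)  # None: already used
    return (first, second,
            customer_accepts_call(first, "marmalade"),
            customer_accepts_call(second, "marmalade"))
```

The customer still authenticates to the bank as usual once the word has been spoken; the code word only settles the direction the post complains about, the bank proving itself to the customer.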

LinkedIn scam comes full circle, by pretending to be LinkedIn

LinkedIn don’t seem to be taking seriously the extensive use of their network by scammers, as I went on about here. Maybe this will make them change their mind: use of their own company in a scam profile (might not be up long, see screenshot.)

The Jeffrey Westwood in question is a stock photo from Thinkstock used in a number of places, such as this website focused on building sales leaders, and this insurance website.

I’m going to reach out to see whether LinkedIn are taking this kind of thing more seriously, given that not only could a simple algorithm catch these kinds of profiles, but that by using LinkedIn as his company the scammer should have set off other alarm bells somewhere in a LinkedIn cubicle (“Does anyone know this Jeffery Westwood fella?” “Nope. Must be new.”)

[Update: LinkedIn appear to have removed the profile in response to my query, but not answered my questions. Will try again.]