You receive a call on your phone. The caller says they're from your bank. You hang up and call back to the bank yourself. End of story. If the caller objects to you doing that, that by itself is an enormous red flag. You never, EVER take incoming calls from "your bank" seriously.
I myself have an additional rule that I always reject calls from unknown numbers, unless I expect one (delivery, taxi, etc).
The other day I got a call from my bank, thought it was probably a scam. I hung up and tried calling back but it was a labyrinth of menu options, I gave up. Turned out that the first call was legit and I spent another day playing phone tag to get back to him.
My bank's app has a built in messaging system, but they seem to hate using it themselves. When they want to contact me they always call, or they send me paper letters. If I contact them through the app, they don't reply there but call me about it. It's bizarre.
Something like HTTPS but for phone calls could be great, so when you receive a call, your phone could show that this is actually from whoever is claiming it's from.
I have no idea about phone systems so this might be out of touch
This is what STIR/SHAKEN is supposed to do. Your phone and carrier in the US probably support it, but it’s not obvious. On iPhones there will be a little check mark under the number for inbound calls on your recent call list. This doesn’t carry over to things like voicemail however - where the check isn’t shown.
This model also doesn’t work for businesses that route all outgoing calls through one number, as that is essentially caller ID spoofing.
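As an added illustration of what the STIR/SHAKEN check mark actually verifies (this is example code written for this thread, not from the commenter or from any carrier's implementation): the originating carrier signs a PASSporT, a compact JWS carrying the calling number, the called number, a timestamp and an attestation level, and the terminating carrier verifies it against the carrier's public key before displaying anything. The `x5u` URL and the `origid` value are placeholders. The attestation level is where the shared-outgoing-number business case lands: the carrier can vouch for the customer ("B") but not that the customer owns the displayed number ("A").

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// PASSporT payload (RFC 8225) with the SHAKEN "attest" claim (RFC 8588):
// "A" = carrier verified the customer AND that they own the number,
// "B" = customer verified but not the number (one-number-for-all businesses),
// "C" = gateway only.
type passportClaims struct {
	Attest string              `json:"attest"`
	Dest   map[string][]string `json:"dest"`
	Iat    int64               `json:"iat"`
	Orig   map[string]string   `json:"orig"`
	OrigID string              `json:"origid"`
}

var b64 = base64.RawURLEncoding

// newSigningKey: the originating carrier's ES256 (P-256) key pair.
func newSigningKey() *ecdsa.PrivateKey {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return key
}

// signPassport (originating carrier): bind caller, callee and time into a JWS
// that travels in the SIP Identity header.
func signPassport(key *ecdsa.PrivateKey, from, to, attest string, iat int64) (string, error) {
	header, _ := json.Marshal(map[string]string{"alg": "ES256", "ppt": "shaken", "typ": "passport",
		"x5u": "https://cert.example.net/sp.crt"}) // x5u is an assumed placeholder URL
	payload, err := json.Marshal(passportClaims{Attest: attest, Dest: map[string][]string{"tn": {to}},
		Iat: iat, Orig: map[string]string{"tn": from}, OrigID: "4a2b9c1e-origid-example"})
	if err != nil {
		return "", err
	}
	signingInput := b64.EncodeToString(header) + "." + b64.EncodeToString(payload)
	digest := sha256.Sum256([]byte(signingInput))
	r, s, err := ecdsa.Sign(rand.Reader, key, digest[:])
	if err != nil {
		return "", err
	}
	sig := make([]byte, 64) // JWS ES256 signature is r||s, each padded to 32 bytes
	r.FillBytes(sig[:32])
	s.FillBytes(sig[32:])
	return signingInput + "." + b64.EncodeToString(sig), nil
}

// verifyPassport (terminating carrier): returns the attestation level only if the
// token is for exactly this call; anything else is treated as unsigned.
func verifyPassport(pub *ecdsa.PublicKey, token, from, to string, now int64) (string, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return "", errors.New("malformed PASSporT")
	}
	var hdr map[string]string
	if h, err := b64.DecodeString(parts[0]); err != nil || json.Unmarshal(h, &hdr) != nil ||
		hdr["alg"] != "ES256" || hdr["ppt"] != "shaken" {
		return "", errors.New("unexpected header (alg/ppt)")
	}
	sig, err := b64.DecodeString(parts[2])
	if err != nil || len(sig) != 64 {
		return "", errors.New("bad signature encoding")
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if !ecdsa.Verify(pub, digest[:], new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])) {
		return "", errors.New("signature does not verify")
	}
	var c passportClaims
	if p, err := b64.DecodeString(parts[1]); err != nil || json.Unmarshal(p, &c) != nil {
		return "", errors.New("bad payload")
	}
	// A good signature is not enough: the claims must match THIS call.
	if c.Orig["tn"] != from {
		return "", errors.New("caller ID does not match signed orig")
	}
	if len(c.Dest["tn"]) != 1 || c.Dest["tn"][0] != to {
		return "", errors.New("called number does not match signed dest")
	}
	if now-c.Iat > 60 || c.Iat-now > 60 { // RFC 8224 freshness window
		return "", errors.New("PASSporT stale or from the future")
	}
	return c.Attest, nil
}

func main() {
	key := newSigningKey()
	now := time.Now().Unix()
	tok, _ := signPassport(key, "+12025550143", "+12025550199", "A", now)
	fmt.Println(verifyPassport(&key.PublicKey, tok, "+12025550143", "+12025550199", now))
	// The same token replayed behind a spoofed From number:
	fmt.Println(verifyPassport(&key.PublicKey, tok, "+12025550100", "+12025550199", now))
}
```

The binding checks are the point: a signature alone proves only that some carrier signed something. Checking `orig` and `dest` against the SIP headers and `iat` against the clock is what stops a captured PASSporT being replayed in front of a spoofed call. In practice the verifier also has to fetch and validate the `x5u` certificate chain, which this example skips.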
It probably needs to be transmitted in parallel, out of band, rather than trying to integrate it into the existing phone system. That's how Google's Verified Calls thing they were touting a few years ago worked to give you context about a call by having the company placing the call relay data through Google and to an Android device's phone app with additional info like the reason for the call.
Some years ago I had one of these calls and the guy told me to turn over my card and call the phone number printed on it, then ask for a specific extension number. I got back through to him in moments. This isn't that hard. However the caller didn't do this until I asked him to prove he was calling from the bank.
The banks (and utilities etc) are training the Boomers that they will call and claim to be from the bank.
I got a security awareness email from my bank yesterday saying they will never SMS or email with links to login or payment, as these are often spoofed by scammers. Directly next to this paragraph was a link to the login for the bank.
I got a letter from the county treasurer that their payment details have changed, and to send new property tax payments to a different PO box, in the major city 3h away. It mentioned a website with domain like foohost.net.
We use 2FA where we can see rotating numbers which we use to validate our login. That means on the server side they have the ability to get the number at any point of time which will match the number on my phone - if that is correct, then why can't the caller quote the number and if it matches, it is the bank since only they have the ability to get the number. Of course if your phone is compromised then it's game over anyway. And there is the added challenge of technically non-savvy people being able to do all this.
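The rotating numbers described above are TOTP (RFC 6238): both the phone and the bank hold the same secret and derive the same six digits from the current time. The following is an added example written for this thread, not code from the commenter or from any bank, of the "caller quotes the code" idea: the bank side computes the current code, and the customer side accepts it only if it matches what their own app shows, within one 30-second step of clock skew. The secret is the RFC 6238 test secret, used here as constructed input.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"encoding/binary"
	"fmt"
	"time"
)

const totpStep = 30 // seconds per code, as in RFC 6238

// hotp computes an RFC 4226 six-digit code for one counter value with HMAC-SHA1.
func hotp(secret []byte, counter uint64) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	h := mac.Sum(nil)
	off := h[len(h)-1] & 0x0f // dynamic truncation offset
	code := uint32(h[off]&0x7f)<<24 | uint32(h[off+1])<<16 | uint32(h[off+2])<<8 | uint32(h[off+3])
	return fmt.Sprintf("%06d", code%1000000)
}

// totp is the RFC 6238 code for a Unix timestamp: the value the customer's app
// shows, and the value the bank's server can compute from the shared secret.
func totp(secret []byte, unixTime int64) string {
	return hotp(secret, uint64(unixTime/totpStep))
}

// bankQuotesCode is the proposed protocol step: the party claiming to be the
// bank reads the current code out. Only a holder of the secret can produce it.
func bankQuotesCode(secret []byte, now int64) string {
	return totp(secret, now)
}

// customerAccepts compares the quoted code with the customer's own app value,
// tolerating one step of skew either way. The comparison is constant-time.
func customerAccepts(secret []byte, quoted string, now int64) bool {
	for _, delta := range []int64{-totpStep, 0, totpStep} {
		if hmac.Equal([]byte(totp(secret, now+delta)), []byte(quoted)) {
			return true
		}
	}
	return false
}

func main() {
	secret := []byte("12345678901234567890") // RFC 6238 test secret (constructed input)
	now := time.Now().Unix()
	quoted := bankQuotesCode(secret, now)
	fmt.Println("bank quotes", quoted, "-> customer accepts:", customerAccepts(secret, quoted, now))
	fmt.Println("scammer guesses 123456 -> customer accepts:", customerAccepts(secret, "123456", now))
}
```

Two caveats worth keeping in mind with this scheme: the code proves knowledge of the secret but not the direction of the call, so a scammer who first phones the customer and asks them to read their code aloud can immediately use it against the bank; and a quoted code is only as good as the customer's willingness to hang up when it does not match.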
Good point - I think one approach that may work is for banks to have the calling feature within the app - only they can initiate such calls. It bypasses all the issues with regular call spoofing etc but excludes customers who do not use the app (for them, just hang-up and call back, which has its own issues).
I received a call from Capital One recently. Dude was trying to tell me that I had charges made in Georgia, have I been to Georgia recently, they think it's fraud. The phone connection was terrible, his Indian accent was THICK, I could hear other people in the call center. I've dealt with CO fraud department before - they didn't sound at all like this. I asked him for the last four of the card number used because I have multiple cards with them. He gives me the first six numbers. I tell him that only tells me that it is a Visa/MC/Amex/Discover and what bank. Stop trying to scam me. He got upset and hung up. I called CO directly and they had no idea what I was talking about. Just another scammer.
You receive a call on your phone. You never answer your phone except for friends and family. It goes to voicemail. If you ever need to talk to the bank you call the number that you have in your contacts list.
And if the bank ever needs to call me, they a) call and get unanswered, b) leave a note in my bank account's message system which c) sends me an email telling me I have an unread note and to log in to read it.
The few times this has happened, the note is simply 'call the bank's 0800 number and quote your account number', their robo menu will then automatically forward me to whoever is trying to reach me as soon as I hit the 'speak your account number' menu point (and if for some reason that fails, it then goes to a human operator who will then forward me to whoever was trying to reach me).
I've never even had a whiff of them being annoyed by this chain of events the 3 or 4 times it's triggered (always due to steam triggering fraud protection)
We agree about official calls, I also call back (independently sourcing an official number) and advise my father (~90) to do the same.
> I myself have an additional rule that I always reject calls from unknown numbers
I'm highly skeptical of unknown numbers and they're almost always telemarketers or scam calls but ... my circle includes people who can lose phones, have batteries go flat, ask others to pass on a message, etc - fully whitelisting isn't always an option.
Be careful about this. Scammers have bought Google adverts to advertise fake phone numbers for banks, so "ask Google what my bank's phone number is" unfortunately isn't secure against scammers.
I mean, yes, you need to independently source the official number; just make sure that your father knows how to do that and doesn't try to do it in a way which may be compromised.
He has actual paper phone books, several address books, and spent some time as a naval signals officer ..
We're both of generations that have always been skeptical of information on computers ... I can't imagine life as someone who'd ask google what my bank's number is.
You can avoid 99% of all phone scams by never giving personal information out on an unsolicited call. Regardless of what the caller’s phone number appears as.
A legit caller won’t care if you call back yourself.
I have the rule to not provide my phone number and email address to certain institutions (e.g., banks, the government, insurers). If there's a phone call or email, I know for sure that it's not from them. They mostly don't need to or shouldn't contact me anyways. And if they really need to, they can send a letter.
> I have the rule to not provide my phone number and email address to certain institutions (e.g., banks, the government, insurers).
Where do you live that this is possible? I'm genuinely curious. In most places a phone number is required to open a bank account or use most/any government services.
I occasionally get calls from my bank. They are always from the security department saying there was some charge to my card. Was it me or not? I don't have much problem with those.
I only answer calls from immediate family. If I get called by a friend I'm immediately suspicious of foul play. Except during big events. My friends only use calls to shout at each other that they are lost in a crowd.
Older POTS maybe - and I’m old enough to have experienced that back in the 1980s, but I’m pretty sure that that’s no longer the case today - triply so with mobiles.
That's odd, I've never heard of this. On landlines I used, when the other side hangs up, you hear the busy tone, with no other choice than to hang up too.
Okay, so different countries had their phone systems work differently. In Russia, even back when we had electromechanical telephone exchanges, it's always been such that hanging up would instantly disconnect your line from the call, no matter the direction of the call. I just assumed it worked this way all over the world.
What riles me is when the Bank rings me and demands that I identify myself so they know it's me they are talking to.
What's your full name?
What's your date of birth?
Etc.
The Bank lady on the other end of the phone one day was most put out when I asked those same questions so that she should identify herself to me also.
I would hang up and verify the phone number and then call them back if it checks out, or more usually I ring the Bank using my own version of the Bank's phone number and ask to speak to 'Charlene' or whoever it was.
I said I was uncomfortable, could they verify who they are.
They said they can’t for security reasons for MY account.
I refused to give out info. They hung up.
Turns out, it WAS the bank. In 2023, I’d assume this should be figured out. Especially, since they send out like a 100 emails about “your bank will never call you and ask for your personal info”.
I recently used a website to do something that required 2FA. They texted me a code, and the text included some wording to the effect of "we will never ask for this information!" The website then asked me to enter that information which they said they would never ask for.
I knew enough to read between the lines, but on the surface it sure was confusing to be asked for something they said they would never ask for.
I dropped Chase literally this weekend because of this. Their security questions were useless, and in one case, wrong - they had an estimate of how much I owed on my mortgage, that didn't take into account additional principal payments, so made me go through a second three rounds (either that, or the cs rep screwed up one of the address questions).
About ten years ago (it was my top Google+ post, if that dates it for you) I emailed one of their emails to me to their fraud department, because it was so ridiculous, urgent calls to action, obfuscated links, no identifying information that only the bank would have known. Their fraud department thanked me for reporting this obviously fraudulent message, to which I replied that it wasn't fraudulent, to which they were flabbergasted.
One morning a few years ago as I was getting ready to get in the shower a spam call comes in to my landline. I don’t remember the exact bogosity but I think it was the ol’ your computer has a virus thing. When he asks for payment I say I will get my credit card but it is down in my car and will he wait? He agrees and damned if he wasn’t still waiting for me when I got out of the shower 20 minutes later.
My personal best was 2 hours and 10 minutes before it was me that got sick of playing them.
After that I put the "This Number Out of Service" tones (http://www.k3pgp.org/telezap.htm) on my answering message. That knocked out a lot of the spam diallers.
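For anyone who wants to try the same trick, here is an added example (written for this thread, not taken from the linked telezap page or from the commenter) that renders a Special Information Tone cadence to a WAV file you can drop at the front of an answering-machine greeting. The three frequencies and durations used are commonly published values for the intercept-style SIT; that choice is an assumption, not something the linked page was checked against, so adjust `sitIntercept` if your phone company documents a different variant.

```go
package main

import (
	"encoding/binary"
	"math"
	"os"
)

// One SIT segment: a pure tone held for a fixed number of milliseconds.
type sitSegment struct {
	hz float64
	ms int
}

// Three rising tones. Frequencies/durations are an assumption (commonly
// published intercept-SIT values), not taken from the telezap page.
var sitIntercept = []sitSegment{{913.8, 274}, {1370.6, 274}, {1776.7, 380}}

// sitSamples renders the cadence as 16-bit mono PCM at the given sample rate.
// Amplitude is held at half scale so the tone is not clipped on the phone line.
func sitSamples(rate int, segs []sitSegment) []int16 {
	const amp = 0.5 * math.MaxInt16
	var out []int16
	for _, s := range segs {
		n := rate * s.ms / 1000
		for i := 0; i < n; i++ {
			v := amp * math.Sin(2*math.Pi*s.hz*float64(i)/float64(rate))
			out = append(out, int16(v))
		}
	}
	return out
}

// wavBytes wraps PCM samples in a minimal 44-byte RIFF/WAVE header.
func wavBytes(samples []int16, rate int) []byte {
	dataLen := len(samples) * 2
	b := make([]byte, 44+dataLen)
	le := binary.LittleEndian
	copy(b[0:], "RIFF")
	le.PutUint32(b[4:], uint32(36+dataLen))
	copy(b[8:], "WAVEfmt ")
	le.PutUint32(b[16:], 16)             // fmt chunk size
	le.PutUint16(b[20:], 1)              // PCM
	le.PutUint16(b[22:], 1)              // mono
	le.PutUint32(b[24:], uint32(rate))   // sample rate
	le.PutUint32(b[28:], uint32(rate*2)) // byte rate
	le.PutUint16(b[32:], 2)              // block align
	le.PutUint16(b[34:], 16)             // bits per sample
	copy(b[36:], "data")
	le.PutUint32(b[40:], uint32(dataLen))
	for i, s := range samples {
		le.PutUint16(b[44+2*i:], uint16(s))
	}
	return b
}

func main() {
	const rate = 8000 // telephone-quality sample rate
	if err := os.WriteFile("sit.wav", wavBytes(sitSamples(rate, sitIntercept), rate), 0o644); err != nil {
		panic(err)
	}
}
```

Each tone starts at a zero crossing, so there is no click between segments. The output is plain 8 kHz PCM, which most answering machines and VoIP greeting uploaders will accept without transcoding.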
Usually I don't answer any number that's not on my contacts list, and let them go to voice-mail. If they really need me, they'll leave a message.
I do that too. I even got an app that does this automatically. I just get a silent notification afterwards, it's great. It's very rare that I'm expecting a call from someone I don't know already, so there's no problem.
Unfortunately, not everyone has this privilege -- people who work with sales, for instance.
You are a hero. We need a personal secretary app that would identify spam calls and keep them waiting forever, playing To Elise music in the background.
Some banks in Australia (probably globally) use credit-card fraud prevention services. So say I buy something from overseas, for a large-ish value, that service will call me to verify it was me. And request the same identification etc. But it's not even the bank that is calling.
This was such a massive headache for me while I was on the other side of the globe. I let my bank know in advance that I was going to travel to a specific country, and got a special gold credit card with all sorts of services.
Yet after one day abroad, they blocked my card and needed me to call them and have them call me a couple of times to validate my identity and purchases. _During their office hours, meaning in the middle of the night for me_.
I moved out of Australia and let my bank know that I would likely be using credit cards overseas for a while.
Sure enough, as I was trying to buy furniture for my new place, the same thing happened to me. They blocked the card and when I called them they scolded me for not letting them know that I was traveling. I told the agent that I did in fact let them know, and asked them to update the account to note that I lived overseas.
Some 5 years later I needed to use one of those accounts again. I diligently phoned the bank, let them know I lived overseas and that I was going to use the card. I used the card, the transaction was blocked, I called and was again scolded for not telling them that I went on holiday.
I swear the 'notes' they add to your account are just an eye-roll and then a call disconnect.
It's a pretty clever idea for the scammers to exploit the in-app notification to fool the end-user. I wouldn't blame them for being scammed in this manner. However, the post then goes on to say:
> Then he asked me to confirm the last 12 digits of my card number, cvv and expiry date.
That to me is a big red flag, and I hope that I would have spotted it if I was the one being scammed. If it was really someone from the bank, they would already have access to this information and wouldn't need an end-user to give it to them.
Although in this case, it may have been too late by that time to limit the damage. They may have been asking for this info as just the cherry on top. I'm assuming that responding to the in-app notification was probably the main thing they needed to extract the savings.
Yeah, the reddit post is worth a read. Yes, they did exploit the banks notification, but the rest of the scam seems pretty normal. Why would the bank need to move your funds? They could just block the account I would assume.
And the whole "tell me all of your credit card details except the first 4 numbers that only identifies your bank"-thing should immediately scream scam.
The dialog missed some important text: If this is not YOU calling US, it’s a scam. Hang up immediately. Or words to that effect.
I was called by my bank once. They wanted to know if I had spent two thousand euros in a fashion store in Rome. No, I said. They needed no sensitive information for what came next: They cancelled my card and sent me a new one. Later, I logged in at the bank, saw the fraudulent charge, and used their standard protocol for disputing the charge. It was soon reversed. End of story.
I see no reason why the bank would have to verify my identity for something like this, or why I would have to verify theirs.
Got the coinbase scam just a few days ago. Surprisingly well thought out. First I got a call which I picked up out of curiosity (I kind of enjoy seeing which kinds of schemes are out in the open, so I pick up unknown calls here and there). The call was an automated, pre-neural-ai phone voice that said
"This is Coinbase support, we've noticed a suspicious transaction originating from 'Salt Lake City, Utah'. If this was you, press 1. If not, press 2'".
I pressed 2 but it proceeded anyway with
"We see that you did not initiate this transfer, please expect a call from Coinbase within 3 minutes".
After about 10 minutes a man with an American accent (ironic given that Coinbase support routes you to an Indian call center) called claiming to say something about how Coinbase was compromised and I needed to change my passkey and move my funds to a custodial wallet. I logged into my Coinbase account and said "I don't see any transfers". He said "yes, we don't show them to you because they've been flagged, but they were in the amount of <off by an order of magnitude of what I have in Coinbase>". I asked him "how do I know you're Coinbase?", and he said "certainly I can send you a verification email", which he did. The domain name wasn't verified and gmail flagged it as spam. He stayed on the call then said, "next I'll send you a reset password link". Then I asked "how about you tell me how much I have in each currency". He said a number that was off by an order of magnitude. Then I hung up. He tried calling back but I didn't pick up. Later, I checked my email and saw there was indeed a "reset coinbase passkey" email in my spambox.
Well if I know your email, which they obviously did since they sent you unofficial mail, all I have to do is type the email in and push reset password.
Large banks like chase are motivated to make social engineering attacks like this more difficult. However, they need to do so while also considering the friction and potential frustration that additional security/verification measures might cause for their customers.
One idea that would mitigate against this, while also not imposing significant burden to the customer is to have the procedure be that the app simply instructs you to hang up your call, and then dials a randomly selected number from a large pool of numbers the bank controls, that has been wired up to (given your phone number) connect you back to the bank and directly to the agent that has called you. If your phone number dials any other number from the pool during this time (the attacker is trying to race you to call back the bank while spoofing your number), then the account is flagged as being potentially under attack.
Edit: Hmm, I'm getting a 404 on one of Google's development pages for it. I'm wondering if they killed it already in less than 4 years... It wouldn't surprise me, unfortunately.
Is there anything about that phone in particular, or is google just device-locking features to differentiate their devices? (or subsidizing something that runs on their server)
It's just a differentiator. It's actually tied to the Phone by Google app, but some features only work on Pixels (and maybe other phones that have it pre-installed as the default dialer, but I don't know which those are). https://play.google.com/store/apps/details?id=com.google.and...
It does work well though. I get a lot of spam calls and texts a month (the result of my political donations, which I didn't realize were public info and easily harvested by spammers, sigh... fucking NGP Van). The Pixel filters out the overwhelming majority of them, thankfully. The call screening works exceptionally well for spam calls, since most just hang up.
The Pixel is a perfectly generic phone, IMO, but the spam blocking is amazing. I switched to an iPhone for a few months, but the spam (even with several third party apps) made it unusable and I eventually got another Pixel instead. About the only thing it consistently does better.
Does any of you know how to force-enable this feature on a Pixel 4a, preferably without tripping SafetyNet? And does it support languages other than English?
This is actually one kind of fraud that could easily be solved if not for draconian app sandboxing rules.
If your banking app could easily see if you're in a call and who you are calling / who is calling you, this would be a lot easier.
Even without that info, banks could solve this by requiring all customers to initiate all calls from the app. In case a customer lost their mobile device, they'd let them proceed on the phone, but send a bunch of alerts to the device that it was just reported stolen and to immediately hang up if you were still the owner.
The banking app (or any other app) having access to see that you're in a call or who is calling you seems like another data mining point that I don't think they should have. Having a way to initiate the communications through the banking app seems like a good idea though.
You receive a call on your phone. The caller says they’re from your bank. You never notice because you ignore unexpected calls that aren’t from family and you don’t check your voicemail.
It should be irrelevant what details the scammers did/didn’t use and how convincing their spiel is. We should be educating everyone that the SECOND anyone asks for your card details, or asks you to pay for something (gift cards included) that it’s a scam. Doesn’t matter how “real” it seems.
The step people fail at isn’t ID’ing whether a caller is “real”, but by handing over their card details to anyone at all without personally contacting them via a known channel.
CBA (largest bank in Australia) is very good about this and has scam info on the front page of their website, and drills it into you that they’ll never ask for any information over the phone and to call them on the main number if you’re ever asked.
I’ve had a call from them before and when they first greeted me they made it clear they know my full name and details, and told me up front if I have any doubts before continuing I can call the main number and use the voice-assistant to ask for a specific department. I did, and was put through in under a minute.
My previous bank wouldn’t even do 2FA other than via SMS, and also would only let you do 8 character alphanumeric passwords. The contrast between banks is wild for this day and age.
Doesn't have to be a name. They can quote department x and a code y which doesn't identify the employee. Once you call back, you can quote both and they can translate y -> employee name internally without letting the customer know any identifiable information about the employee.
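The comment above and the earlier one about the app hanging up and dialling a random number from a bank-controlled pool describe the same mechanism: the outbound call creates a short-lived callback session, and the customer is routed to the waiting agent only by calling back with the right combination. The following is an added example written for this thread, not code from either commenter or from any bank, that models both: a random pool number and an opaque department code are issued per session, the session is one-shot and expires, a call from the customer's number to a different pool number flags the account as being raced, and the code maps to the agent internally without exposing the agent's name. Pool numbers, the 5-minute window and the 4-byte code length are assumptions.

```go
package main

import (
	"crypto/rand"
	"crypto/subtle"
	"encoding/hex"
	"errors"
	"fmt"
	"math/big"
)

type agent struct{ Name, Dept string }

// callbackSession is created when an agent dials out and lives until the
// customer calls back on the assigned pool number or the window closes.
type callbackSession struct {
	poolNum string // the one pool number this customer is told to dial
	code    string // opaque code the agent reads out ("department X, code Y")
	agent   agent
	expires int64
}

type callbackRouter struct {
	pool     []string                    // numbers the bank controls (assumed)
	sessions map[string]*callbackSession // keyed by the customer's registered number
	flagged  map[string]bool             // accounts seen being raced
}

func newCallbackRouter(pool []string) *callbackRouter {
	return &callbackRouter{pool: pool, sessions: map[string]*callbackSession{}, flagged: map[string]bool{}}
}

func (r *callbackRouter) isFlagged(customer string) bool { return r.flagged[customer] }

// open runs on the agent's desk: pick a random pool number and an unguessable
// code, and remember which agent is waiting for this customer.
func (r *callbackRouter) open(customer string, a agent, now int64) (poolNum, code string) {
	idx, err := rand.Int(rand.Reader, big.NewInt(int64(len(r.pool))))
	if err != nil {
		panic(err)
	}
	var raw [4]byte
	if _, err := rand.Read(raw[:]); err != nil {
		panic(err)
	}
	s := &callbackSession{poolNum: r.pool[idx.Int64()], code: hex.EncodeToString(raw[:]),
		agent: a, expires: now + 300} // assumed 5-minute callback window
	r.sessions[customer] = s
	return s.poolNum, s.code
}

// inbound runs in the IVR when a call lands on any pool number. from is the
// caller ID (which an attacker may be spoofing); dialed is the number that rang.
func (r *callbackRouter) inbound(from, dialed, quotedCode string, now int64) (agent, error) {
	s, ok := r.sessions[from]
	if !ok {
		return agent{}, errors.New("no callback pending for this number")
	}
	if dialed != s.poolNum {
		// This number reaching the WRONG pool number means someone who can
		// present the customer's caller ID is guessing at the callback route.
		r.flagged[from] = true
		delete(r.sessions, from)
		return agent{}, errors.New("wrong callback number: account flagged")
	}
	if now > s.expires {
		delete(r.sessions, from)
		return agent{}, errors.New("callback window expired")
	}
	if subtle.ConstantTimeCompare([]byte(quotedCode), []byte(s.code)) != 1 {
		return agent{}, errors.New("code does not match")
	}
	delete(r.sessions, from) // one-shot: a second caller cannot reuse the session
	return s.agent, nil
}

func main() {
	r := newCallbackRouter([]string{"+18005550101", "+18005550102", "+18005550103"}) // assumed pool
	num, code := r.open("+12025550143", agent{Name: "Charlene", Dept: "fraud"}, 1000)
	fmt.Println("customer is told to dial", num, "and quote department fraud, code", code)
	fmt.Println(r.inbound("+12025550143", num, code, 1010))
	fmt.Println(r.inbound("+12025550143", num, code, 1020)) // replay: session already consumed
}
```

Two design points a practitioner would want spelled out: the pool number is the thing the attacker cannot learn from the outbound call (so spoofing the customer's number alone does not help them), and the flag fires on the first wrong-number hit rather than after N attempts, which is deliberate because a legitimate customer is only ever told one number.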
I don't think this applies to calling back someone who just called you. Also people who have premium banking tend to use the same relationship manager every time without this suspicion.
This is a perk of coming from a non-English speaking country. I will get a call from my bank? Great I can switch to my original language. Too bad that scammer likely does not know how to speak it...
There were stories in local newspapers here in the Netherlands about similar scams. The victims mentioned that the scammers spoke perfect accentless Dutch.
The GP said "coming from", not "being in". And it sounds like they're still banking with some bank in their country of origination. So, you call me and say you're my bank? Great; let's switch to Swahili/Twampa/Tamil/whatever language is prominent in that country, I'm sure we'll both be more comfortable talking that way. Oh, you wouldn't because <lame excuse>? Yeah, you're probably not my bank then.
I always thought I wouldn't fall for this trick. Then one day a lady called about something I'd done on Coinbase. It's true, I had transferred money to Coinbase. She then said she wanted me to login to the app and get to a screen where I had to do something. I hung up.
Months later I got a call from the Income Tax Department saying I was in big trouble. I had done something very bad. I hung up.
But the third time was wild. Something was wrong with my credit card. They had to replace it. They were even able to trigger a 2FA code. I hung up and changed my password.
Turns out I was right. I don't fall for this trick.
1. The notification must have included the phone number.
2. The bank must have the registered number/s for customers and clear procedures on how to deal with calls from numbers unknown to bank.
3. Attackers clearly knew the above flaws of the banking system and processes.
4. Chase must take immediate actions for pp. 1 and roll out the update. But then I am not sure how it is nowadays, but 10 years ago it was pretty easy to spoof callerid.
Deaf people still make phone calls, through a relay service[1]. Scammers still call them. Worse, the deaf people can't hear any clues from the inflection of the scammer's voice.
[1] It works like this: Their "telephone" is an IP device with a camera that connects to their TV. When they make a phone call, they do sign language into the camera. This gets routed to a call center with a sign language interpreter, who makes a voice call to the person that the caller is trying to talk to. When the hearing person replies, the audio goes back to the call center, where the interpreter does sign language into a camera in their cubicle. That sign language displays on the deaf person's TV.
Scammers like this arrangement. At least one interpreting company (VRS) had to fight with the FCC about whether their interpreters could let the deaf person know that the call was a scam. The FCC's position was that this was supposed to be a faithful translation of the communication. But that was very hard on the interpreters, who were watching this person get scammed, helping this person get scammed, and couldn't do anything about it. Eventually the FCC relented, and now the interpreters can let the deaf person know it's a scam call.
It's See (2019) (https://www.imdb.com/title/tt7949218/) but different & opposite. Almost everyone is deaf and the society has adjusted. Rare few people are gifted with the ability to hear and are now better fighters because they can hear the others accidentally making loud noises.
It implies that - or that all deaf people will spawn non-scamming progeny simultaneously, coincidentally as the non-deaf get selected against by lethal scamming simultaneously (then all scam themselves).
1. Why "simultaneously"? You could have all the hearing die over 10 years, and the deaf can work on repopulation over the following decades (and arguably those time periods can overlap too).
2. The scenario is that the deaf will repopulate, not that they will specifically repopulate with "non-scamming progeny".