
Comment by rcxdude

4 months ago

Banks are pretty good at doing an impression of phishing scams, unfortunately. Almost every red flag for a scammer has also been done by a bank, legitimately.

There was a comment on Hacker News, which alas I can no longer locate, where a guy said he'd been called by his bank and the bank wanted him to answer various security questions. He said he was happy to do so, but firstly needed the bank to verify who they were, or to call the bank back on a telephone number on their website. The bank refused, so he refused to give them any details. The bank then blocked his bank account, meaning he couldn't pay his university tuition on time, meaning his student visa was no longer valid as he was no longer "studying", meaning he had to leave the country.

  • That doesn't add up; you're free to call the bank at the telephone number on their website whether the representative who just called you wants you to do that or not.

  • A bank blocked an account because they called someone and that person didn't provide them with personal data? That sounds unlikely.

    • I've definitely experienced the first half of the story: banks really will do dumb things like this and then be surprised when someone is upset by it (anti-fraud protection tends to be the worst: a text message from a random unaffiliated number with another unaffiliated number to call, where you must then provide account details in order to get your card unblocked, and trying to call the official number and go through the phone tree does in fact, eventually, tell you that it was legitimate, but only after hours of being batted between departments).


    • Banks do have obligations under AML and KYC laws to get information from their customers. I mean I know a single phone call sounds extreme, but I could believe it.

      My bank (in the EU) wrote to me a while back (post, no copy to email, no sms, no phone call, etc.) saying if I didn't provide info on certain recent transactions (my salary) they'd block my account in two weeks. Thankfully I wasn't on vacation and saw the letter and answered and it was all OK.


    • I am not surprised. I know of a bank that disabled a credit card following a single missed payment for the crime of failing to answer a phone call.


This.

Also healthcare providers, though they seem to have finally wised up. They would call me from poorly configured phone systems (so unrecognizable caller id) and the first thing they would ask is to confirm full name and date of birth.

Patterns like this do a great deal of damage in desensitizing folks and making them accept dangerous patterns that get exploited by scams.

  • Even if you recognized it, the number shown by Caller ID is easy for the caller to spoof -- or at least it was a few years ago (the last time I paid attention).

    • I remember when I used Ting, I could specify what would appear as caller id. If I had wanted to abuse this, I could easily have had it display whatever number I wanted instead of my name. Since a number of phones would display the caller id instead of the number when caller id was available, nobody would know that the number was not real. I am not sure if this has changed at all.

I have had my telephone company ask me to give them a code sent to my device. It is presumably to prove to the company that the representative is talking to me so that bad actors low in the company cannot start randomly messing with people’s accounts. It is the equivalent of the bad click here. The only real defense is to know the difference between a mechanism meant to authorize someone at the company and a mechanism to authorize you. Confuse the latter for the former like the victim did here and bad things will happen.

Banks maybe, but Google? Google only has "AI" support and that doesn't call us yet. So it's safe to assume that any call from Google is fake.

  • Yeah Google will never call you about your free gmail account, just as Microsoft will never call you about a virus on your home computer.

I called a bank to increase my ATM limit. The agent sent me an SMS code to verify my identity and wanted me to read it back to him. The message said not to give the code to any human. Sigh.