29

I often get telephone calls from my personal bank, mortgage provider or utility companies.

In most cases they start by asking me to verify my identity through the usual name/address/date of birth or in the case of the bank, security questions I've agreed with them previously. The bank will ask for two digits of my four-digit PIN and a memorable word.

My concern is that I do all this without any way of checking their identity. I could be giving these details and any subsequent discussion of my account to an anonymous third party.

I understand that Caller-ID is not a reliable way of doing this and in any case these companies often use a withheld number.

I could ask for details of a recent transaction, but I can imagine that data protection would prevent them from sharing that with an unverified third party.

Should I refuse to give even partial answers to my security questions in this situation?

What is a sensible alternative?

James Bradbury

4 Answers

42

I would refuse to give out any personal details to anyone that called me as you can't verify who they are.
If they need to talk to you then say you can call back. You can then call through on the direct number, which if it is a large bank will be well known and on their website. You could then ask for an extension number to direct your call once you know you are through to your bank.

ChrisM
  • Apparently there's a quite famous scam "Hi sir we are your bank if you want call us" where you hang up and call but they don't put the phone down and pretend like it's indeed the real bank picking up. – Иво Недев Sep 14 '18 at 11:55
  • That is a good point. Someone else has answered saying to call from another phone, which is one idea; another option would be to call someone else first so you know the line is free. Although I think this would only be an issue with landlines, as you can put it down and pick it up without disconnecting the call. If you hang up on a mobile then you do hang up. – ChrisM Sep 14 '18 at 11:59
  • @ИвоНедев If I hang up my end of the line, it does not matter if the other end does not hang up; the conversation will end. Is that something that used to happen with landlines? – Seth Flowers Sep 14 '18 at 12:47
  • @sethflowers Discussed in detail - as applied to the UK - here: https://security.stackexchange.com/questions/100268/does-hanging-up-on-a-uk-landline-call-not-terminate-the-connection – bertieb Sep 14 '18 at 12:50
  • @bertieb - Thanks for that info. That sounds horrible. – Seth Flowers Sep 14 '18 at 13:01
  • My university cold calls me all the time for fund raising, and somehow thinks I'll give them my credit card over the phone. I tell them that is stupid every time, and they should stop doing it because it is impossible for me to verify their identity. Never give out personal info to a cold caller. – BlackThorn Sep 14 '18 at 15:20
16

Should I refuse to give even partial answers to my security questions in this situation?

You should. Mutual authentication on the telephone really isn't trivial, but it is important. One of the more common ways is always having the same person call you. A lot of banks will assign you a specific accountant who is responsible for you as a customer. Having talked to them in person beforehand makes it reasonably secure to talk to them on the phone, either by recognizing their voice or by arranging a keyword or something similar beforehand.

A simpler approach: call your bank and tell them about your concerns. Ask them for a solution; you might not be the first customer thinking about those problems.

Ben
  • Then again, you _might_ be the first customer to think about this! – FreeMan Sep 14 '18 at 13:18
  • +1 for asking your bank how you're supposed to deal with it, as it is the bank that's calling you. Unless they're able to offer a solution that you're happy with, ask them to stop calling you. – Thomas Sep 14 '18 at 13:22
  • FreeMan: „Sad but true.“ - James Hetfield – Ben Sep 14 '18 at 14:39
8

Call the provider back on their publicly-listed phone number from another line

My concern is that I do all this without any way of checking their identity. I could be giving these details and any subsequent discussion of my account to an anonymous third party.

Both ends deciding the other is who they claim to be is not a trivial problem. As you say, caller ID can be spoofed; in any case not everyone has caller ID.

Should I refuse to give even partial answers to my security questions in this situation?

I have refused to give any details or discuss anything without first verifying the source of the call. If the information being asked for can be used to verify you, it could be used by a malicious third party to impersonate you if they obtain it.

What is a sensible alternative?

Ask for the name of the person making the call and the broad purpose, stating that you want to call them back about it.

If you have your provider's phone number, call them on that; don't call a number back that is supplied to you during the call without verifying it elsewhere using a source you trust (phone book, provider's own website) first.

I have also heard reports¹ of phishing/scam attempts which say words to the effect "This is your bank calling, please call us back on our number to discuss an important matter <click>". Ostensibly they have hung up, but the line is still active.

This is discussed further on another QA here.

If you try to dial back at that point you are still talking to the phisher. This is a problem with landlines as opposed to cell phones; an ongoing call on a cellular device will be indicated. If you were called on a land line, it is worthwhile to call back on a different line.

So, in short:

  1. Ask the person who they are or who to ask for to discuss this
  2. Thank them and end the call
  3. Look up the provider's number via a trusted source
  4. Call that number using a different line if on a landline
  5. Go through your normal authentication process

¹ For example, an article on The Register from 2009 claiming this is the case:

Scammers posing as representatives of phone service providers, such as BT, are calling up UK subscribers in an attempt to trick prospective marks into handing over credit card or bank details under threat of disconnection.

Plausibility is added to the scam by a trick designed to fool people into thinking that their line has been temporarily cut off, ostensibly under the control of the person calling them.

This happens after fraudsters are challenged to establish their identity as a representative of a telecoms carrier. In response, con men tell their prospective victims to hang up a phone and attempt to try phoning someone, claiming the line will be disconnected to prevent this. This supposedly establishes that conmen are calling on official business.

In reality, the fraudster stays on the line with the mute button on. Because the person who initiates a call is the one to terminate it, a prospective mark is left unable to make a phone call, or even obtain a dial tone.

This is based on a "BT and Ofcom warn(ing)" but I haven't found that yet.

The Money Advice Service also mentions it:

Known as the ‘no hang-up scam’, this is where the fraudster keeps the line open, spoofs a dial tone and the fraudster’s accomplice answers and impersonates whoever the victim thinks they are trying to call.

bertieb
0

I could ask for details of a recent transaction, but I can imagine that data protection would prevent them from sharing that with an unverified third party.

This is exactly what you should do and what I normally do. The bank will normally tell me the amounts of common recurring payments etc. Since these are just monetary figures and not personal data, I don't see a data protection issue. If they can tell you the last few credits/debits to the account and how much your mortgage/salary is you can be fairly sure they are genuine.

  • Just because they have other information on you doesn't make them genuine. If you bought something online and gave your details to the company then they have your details plus a recent transaction. The answer does reduce the risk but doesn't remove it completely. – ChrisM Sep 14 '18 at 12:05
  • I think the general idea is to ask for something that (1) you and the bank know, (2) only you and the bank know and (3) that's not a particular secret that nobody is allowed to know. That's quite tricky, though. An example - though troublesome to verify - is the last two digits of the amount of each of the last five transactions. – Thomas Sep 14 '18 at 13:17
  • @Thomas I wouldn't know my last 5 transactions unless I had just received a statement and hadn't spent since. Or you could log on to your online banking and check, I guess. Not the easiest either way. – ChrisM Sep 14 '18 at 15:25
  • @Thomas plus if it was a company other than a bank you couldn't do that. – ChrisM Sep 14 '18 at 15:26