89

My bank called me the other day and the person who spoke to me failed to give me a single piece of evidence that he was calling from my bank.

  • The bank's number is hidden, just like those of many other companies, maybe because they use VOIP to make calls or they don't want you to ring them back on the number they call you from.

  • The person I spoke to refused my proposal of mutual verification of our identities when I asked him to tell me my account number, since all the information he revealed he knew about me was my name and phone number, which are available to the public.

Ulkoma
  • 1
    Comments are not for extended discussion; this conversation has been [moved to chat](http://chat.stackexchange.com/rooms/24904/discussion-on-question-by-ulkoma-how-to-distinguish-between-a-scam-and-a-genuine). – Rory Alsop Jun 17 '15 at 09:10
  • @Ulkoma : Remember phone calls behave essentially as unencrypted HTTP connections. – user2284570 Jun 18 '15 at 10:02

9 Answers

119

If you're worried about the authenticity of a cold-call, don't try over-the-phone authentication in either direction. Simply ask for some basic information you can use to refer to the issue in follow-up:

  1. Name of the company/service the account is for.
  2. What is the nature of the issue/offer the caller wants to discuss?
  3. Is there a reference ID (e.g.: ticket #) for the call?
  4. Name and/or agent ID of the caller.

Important: Throughout this process, you should not ever give the caller any more of your information. The main point here is to assume that someone calling you like this is an attacker, for the entire duration of the initial call.

Question #1 should be answered by the caller before you even have to ask. Be especially wary if it's not. My wife once argued for a good couple of minutes with someone calling from the "Account Services Department", before she finally handed the phone to me. When I interrupted the caller to ask "Account Services Department for whom?" the caller suddenly hung up.

After you've gotten all you can from the caller, hang up. Then, obtain legitimate contact information for the company from a reliable source (do not use any contact info given by the caller, without verifying it first).

Once you've got known-good contact information, call the company yourself and ask about your account's status. Use information obtained from the caller as needed, to reference the incident.

Iszi
  • 90
    Worth adding a warning that you should avoid dialling anyone on the same land line you just received the call on – some scammers keep the line open and emulate a dial tone and then pretend to be your bank. For safety, any double-checking you do needs to be much later, or on a completely different line. – Bill Michell Jun 15 '15 at 18:33
  • Comments are not for extended discussion; this conversation has been [moved to chat](http://chat.stackexchange.com/rooms/24984/discussion-on-answer-by-iszi-how-to-distinguish-between-a-scam-and-a-genuine-cal). – Rory Alsop Jun 19 '15 at 10:22
  • 3
    "Name of the company/service the account is for."  — I periodically get calls where the caller says "I'm calling from your credit card company."  They don't identify the company, and — even in the case of a message left on an answering machine (or voicemail) — they don't even mention my name (e.g., "Hello, Mr. Scott, ...").  Naturally, I don't even give those calls the time of day. – Scott - Слава Україні Jun 19 '15 at 13:37
  • @BillMichell, or call your line from your mobile and check that your line rings. (Some banks cost £0.20 per minute from my mobile!) – Ian Ringrose Jun 19 '15 at 14:27
  • @BillMichell Does your warning apply to cell phones as well? – Kevin Jun 19 '15 at 17:07
  • @Kevin not as far as I know, but this is obviously dependent on your phone and provider. As far as I know, all cell phones will clearly show you when the line is still open, and pressing the red button will always disconnect you, but there may of course be exceptions. A land line won't make it obvious and where I come from at least, the receiver of the call can't usually force the line to disconnect. – Bill Michell Jun 22 '15 at 10:03
30

Ask for their extension, then call the bank back with a number you trust. Most office phone systems allow you to get directly to any employee if you know that employee's extension, so hanging up and calling the bank back will not take more than a few seconds. If you have been called on an old style landline you should phone back on a different phone line or mobile phone as the caller could have kept the phone line open, and give out a fake dial tone or use a different person/voice. This will ensure that you have in fact reached the bank, and once you've reached the employee, you should be able to tell in a couple of seconds if it's the same person.

Admittedly, this does not protect against the possibility of an insider threat at the bank. But if the bank has an insider gone rogue, you (and the bank) have bigger problems.

The Spooniest
  • 1
    +1 especially for "If you have been called on an old style landline you should phone back on a different phone line or mobile phone as the caller could have kept the phone line open, and give out a fake dial tone or use a different person/voice" - a really common scam here in the UK. I usually ask for a reference number, then call back later on, using the number I find on the company's own website – user56reinstatemonica8 Jul 09 '15 at 11:12
8

I worked at a call center that handled services for several banks. The person calling was likely following procedure when they didn't tell you your account number. Since phishing scams are common against banks, it was a fireable offense to give any account number without the customer verifying who they were, and even though they called you, they are still not allowed to assume the person that answers is the one they are trying to reach. Usually, and ironically, one of the verification questions we asked the customer was for them to verify their account number.

The best way to verify them is to get some kind of claim, order or support number to reference back. Get the phone number from your bank's website and call them back with the details they provided; if they have no such reference number available, they likely have a note tied to your account. You could also call or visit a local bank branch and see if they know anything about the issue, but it was common they would not and request you call the support line anyways.

ChrisM
Bacon Brad
  • 1
    +1 for mentioning that they can't give out the account number. It would be horrifying if they did. – jpmc26 Jun 18 '15 at 01:23
  • 2
    What's the issue with account number? They're printed on every cheque you used to write :) Is it so no-one can set up a direct debit? – Rob Grant Jun 18 '15 at 10:14
  • 1
    Once they verified who they were and had an account number they get FULL control of the account. This includes transferring funds, raising card limits, approving questionable purchases, even wiping out the account. But they would be isolated from accessing the other accounts (savings, trusts, etc) tied to that customer unless they had the account numbers for those too. The smartest thing you can do is NEVER have your checks linked to your primary account and keep the majority of funds in others. So if you do get compromised via your checks they still cannot access the bulk of your wealth. – Bacon Brad Jun 18 '15 at 15:43
7

This does sound like a scam. Given the amount of big data breaches of late, scammers have huge datasets they can parse through and create a targeted attack.

That being said, mutual authentication is a good action to perform as they will always have the data in their system. In addition I have never experienced a large organization VoIP system that does not route to real phone numbers.

In general it is best practice to always initiate the contact between you and your financial institution.

Karmic
6

First of all, never give them any information that isn't available to the public until you are sure that they are real. In fact, if they called you, I would probably never give them any information, since they shouldn't be calling to collect that kind of information. Most legitimate banks will send you a letter and then ask you to come into the branch to update your information.

If you absolutely need to update the information over the phone, what you can do is find out what they want to know, and then tell them you will call them back. Then call them back using the phone number that you find on their website, and give them the information that they need.

No bank will ever ask you for your bank account number or something like that. However, if they say something like "I want to make sure this is really you. Could you tell me your birth date?" Give them the wrong answer and see what they say. If they keep asking different things, keep giving them wrong answers. If they never mention that it is wrong, you know they are lying. Before you believe them though, make sure you give them a wrong answer to something only you and the bank would know, and they tell you it's wrong. Birthday, Address, SIN/SSN, etc. can all be looked up; what the date of your last transaction or how many transactions you have made in the last month are much harder to find. NOTE: this is an imperfect system. Someone could still have potentially stolen that kind of information, however, if they have they probably already know everything about you that they need to...

tl;dr: Don't answer any questions from cold calls, either call them back or go in to see them face to face.

  • 2
    "Most legitimate banks will send you a letter and then ask you to come into the branch to update your information." That's not typical of the UK. I for one would be very annoyed if my bank summoned me to their physical building for some triviality such as updating account details. – David Richerby Jun 16 '15 at 07:57
  • 10
    Also, your suggested tactic of deliberately answering security questions wrongly seems very dubious. Even if the call is genuine, banks don't necessarily announce that your answer was wrong, because that would be giving information about you to somebody whose identity they have not confirmed: they just move onto the next question. And deliberately getting the questions wrong is likely to make your bank believe they have the wrong contact details for you, which may make them feel they have to talk to you face-to-face with ID, to establish correct details. – David Richerby Jun 16 '15 at 08:02
  • 1
    @DavidRicherby 1. That may be true in the UK, I don't know about how the UK works, but here in Canada, banks do not typically call you to update that type of information; they wait until you either come in or until you contact them to update anything. If neither of those occur, they assume everything is fine. 2. I don't think that is a bad thing. If they take your wrong answers and just hang up, then no harm done. If they make you come in face-to-face to update stuff, even better; that is what they should have done in the first place! – Peter Maidens Jun 17 '15 at 03:13
  • 1
    @DavidRicherby Also, I have used the answer wrong method in the past and it has worked. They don't tell you the right answer. They just say something like "That doesn't match what I have on file. Have you moved recently?" or they take a longer amount of time to respond, or something like that. I have always found it easy to tell the difference in their reaction when you give them a right answer and a wrong answer. – Peter Maidens Jun 17 '15 at 03:18
  • 1
    @DavidRicherby Depends on the bank, maybe. I've had a couple of times that a bank or whoever has called me and I've given information that didn't match their files because I'd moved or whatever, and they've said, "That doesn't match our files. Have you moved?" or some such. I suppose saying that the birthday you gave isn't what they have on file would give some information to a scammer, but telling him it's not 1 day out of 365 is not MUCH information. Unless they let him keep trying and on the 40th try he gets it right and then they say, "Oh, okay, it must be you then." – Jay Jun 17 '15 at 14:01
5

As above, the best methods of verification include reference numbers/account information. However, I think it would be highly unlikely in most cases that your bank would ever directly ring you, perhaps only in the event of card fraud. In such an event I would end the call and dial the bank from another number or at least verify the call had indeed been terminated.

A common scam in the UK is to dial a person using a landline telephone and inform them to call their bank as their account is compromised/card fraud. As the person hangs up and dials their bank the fraudster never terminates the call and plays a fake dial tone to the victim to make them believe their outgoing call is genuine. The victim is then subjected to social engineering and unknowingly gives their bank account information to the fraudster posing as their bank.

Robert
  • 1
    Interesting. I suppose this relies on the victim accidentally not hanging up properly? Surely if the victim hangs up properly, the fraudsters connection is automatically terminated as well? – S.L. Barth Jun 17 '15 at 11:10
  • @S.L.Barth on mobile phones the connection can be terminated in this way but on landlines it can be possible to keep the connection open even if the person on the other end of the line tries to terminate it from their phone (not sure how it works but I have experienced it myself when receiving cold calls). – Robert Jun 17 '15 at 11:30
  • 1
    Highly unlikely that the bank would ever ring you? I get lots of calls from my bank, credit card company, etc. My mortgage company once called to say I'd missed a payment. My credit card company called to say there was a possibly fraudulent charge on my card. My bank has called to sell me other services they offer. I know all these calls were legitimate because I've checked my account on their website or visited the bank to discuss further, etc. I'm certainly not saying there aren't scam callers, but there are plenty of legitimate ones. – Jay Jun 17 '15 at 14:05
4

When I get a call from my bank (presumably) and they say there is some problem and they need to verify my identity first before proceeding in the call, I tell them I don't feel comfortable providing this information because I don't know their identity. They say they understand and I should call the number on the back of my credit card and hang up. There is no haggling about the identity of either party, it's simple and effective.

Cano64
3

Ditto lots of what others have said.

I've been stupid in the past and given out information to people who called me claiming to be from the bank or a charity or whatever. No more.

These days, if someone calls claiming to be from a charity and asks to put a donation on my credit card, I say no, send me something in the mail. Then I can verify that any address given really is the address of the charity. Etc.

If someone calls claiming to be from the bank or a credit card company or whatever, I make sure they are giving me some information that a scammer is unlikely to know. If they don't, I say that I will call them back, then I look up the phone number on the bank's web site. Companies won't normally tell you your account number for verification, but at a minimum they should tell you the name of the company, and not just "the bank" or "VISA". If there's a problem with a particular transaction, they should know all about that transaction, like when it was made and the amount.

In my experience, most scammers don't go to a lot of work to research your life. They call and say "this is the bank" because they don't know what bank you patronize, etc.

Most scammers are pretty lame. I get lots of scam emails that I know are scams because they are filled with spelling and grammar errors. I could believe that Microsoft would send an email with a grammar error. But Microsoft is not going to send me an email with 20 grammar errors. That's a scam. Etc.

I'm sure some scammers take the time to do some research on you. There are plenty of ways today they could find out your birthday. They could steal your mail to find out the name of your bank and your account number. Etc. To the best of my knowledge, I've never run into a scammer who did that much work. Probably I'm not rich enough to be worth special effort. It's easier for the scammer to just dial through a bunch of numbers or send out a bulk email and try to dupe the most gullible people. Or people who are usually smart but just have a moment of carelessness.

But my point is, if they can tell you one or two things about yourself, they are PROBABLY legitimate. I wouldn't beat verification to death. But get SOME verification.

S.L. Barth
Jay
  • "...send me something in the mail." I'm not sure that's a very good way to authenticate someone. – Nathan Osman Jun 18 '15 at 04:54
  • @NathanOsman If you get something in the mail, then you can check it out before you give them money. Verify that the address or phone on the mailing is really the organization, or if it's not an organization you know, you can check them out. – Jay Jun 18 '15 at 05:54
  • 1
    But anyone could obtain the address and phone number and create a letter claiming to be from that organization. – Nathan Osman Jun 18 '15 at 16:19
  • @NathanOsman Well, sure. But if I then send a contribution to the real address, or call the real phone number to make a contribution by credit card, how does that help the scammer? – Jay Jun 18 '15 at 19:41
  • 1
    Then why do they need to send you something? That seems like a pointless step then. – Nathan Osman Jun 19 '15 at 03:12
  • @NathanOsman Okay, I suppose if someone called and said, "Will you make a pledge to the Save the Unicorns Fund?", I could just say, "Not over the phone, but that's a worthy cause, I'll look up your address and send a contribution." And then hang up. Maybe that would be more efficient. But they're trying to get a pledge out of me. So I say "yes, I'll make a pledge. But I won't give you my credit card over the phone because I can't be sure you're really from the Save the Unicorns Fund and not a scammer. So go ahead and record my pledge, then send me a letter and I'll pay by mail." ... – Jay Jun 19 '15 at 05:40
  • ... I've gotten a couple lately where they send a letter with some code number, and if you go to the organization's web site there's a place to key in that code so they can link your contribution back to the pledge. The only difference it makes, I guess, is that the charity gets the warm fuzzy that you made a pledge, and not just a vague assurance that you'll send a contribution sometime soon. – Jay Jun 19 '15 at 05:42
1

I would refuse to give out any personal details to anyone that called me as you can't verify who they are.
If they need to talk to you then say you can call back. You can then call through on the direct number, which if it is a large bank will be well known and on their website. You could then ask for an extension number to direct your call once you know you are through to your bank.

ChrisM
  • 1
    It might be worth adding that since I asked the question my bank has changed their policy. No calls from VOIP numbers and they have a number checker on their website so you can tell for sure that the person who is speaking to you is from the bank. Unless of course the phone number has been spoofed. – Ulkoma Sep 18 '18 at 15:15