You receive a call on your phone.
The caller says they're from your bank and they're calling about a suspected fraud.

"Oh yeah," you think. Obvious scam, right?

The caller says "I'll send you an in-app notification to prove I'm calling from your bank."

Your phone buzzes. You tap the notification. This is what you see.

Still think it is a scam?
1/3

The scammer is on the phone to you.
Their accomplice is on the phone to your bank, pretending to be you.
Your bank sends you the notification.
You accept, and scammers proceed to drain your account.

Someone has just lost £18,000 because of this.
https://www.reddit.com/r/UKPersonalFinance/comments/1cih3kd/been_scammed_over_18000_through_my_chase_account/

2/3

It *is* a genuine notification. But it isn't confirming the bank is calling you.

Should the bank word that differently?

In a rush, would you read it thoroughly?

Most likely, in a panic about the fraud, you'd confirm it was a genuine notification (it is!) and accept it.

3/3

@Edent I think I’d be taken in by that. My thought was: why do they need to check they’re on the phone to me if *they* called *me*? But on balance I’d decided it was just poor wording or an ill thought through system (both of which I still think, in fact!) so I wouldn’t have challenged it.
@simonwood @Edent one might assume even if they believed the bank was calling them, that they still need to confirm they got you and not someone else.
@flabberghaster @Edent I have had my actual bank call me, and then ask me (via security questions) to verify that I am actually me. I feel that was *training* customers to divulge information insecurely, as I had no way of knowing that they were who they were, and they wouldn’t have provided it if I’d gone along with their request.
@simonwood @Edent yeah, same. I had told my bank I intended to travel internationally and then when I got there my card stopped working and they called me saying there was suspected fraud on my card. I knew it was legit because I called back on the number on my card, but I think it's bad practice to initiate calls.
@flabberghaster @simonwood @Edent Yes, always call back on a phone number that you know to be legit when your "bank" calls.

@gunchleoc @flabberghaster @simonwood @Edent been there; done that. "no. you rang me out of the blue. i have no idea who you are, so before i provide any of my information to you, why don't you provide me some information about me?" "we can't do that sir."

fine. bloop. just hang up immediately. they never ring back.

@flabberghaster @simonwood @Edent

Indeed. They should, probably, do it like the good banks send mails: plaintext notification, no link at all, just an info - there is an important message in your Internet banking inbox, go there and fetch it.

So even the call may be initiated in a way - hello, this is your bank, we need to talk to you immediately because of "reason without details" (e.g. there was a suspicious transaction we want to xcheck with you), please contact our telebanking number to proceed.

@simonwood @flabberghaster @Edent What security questions do we have to verify that the bank calling is... the bank?
@dolmen @flabberghaster @Edent I left it to them to prove who they were. Surprisingly it took the guy a while to come up with the answer - it obviously wasn’t a procedure he was familiar with! But it was simple enough - we switched over to secure messaging via the online bank.
@dolmen my bank puts an indicator in the app only when they’re calling me.
@simonwood @flabberghaster @Edent my bank has an indicator in the app when they are calling me. I’m trying to think of a way scammers could call me and make that indicator activate and I’m drawing a blank. That’s how I know it’s really them before handing over sensitive data in the call.
@simonwood @Edent
I regularly have a little dance with people who phone me asking me to prove who I am before they will continue. I try to get them to confirm something that only the true caller would know but sometimes just have to give up and end the call.

@simonwood @Edent

Wow! What’s your number, again?

@simonwood @Edent All good points. I likely would be tricked too.
@simonwood @Edent at 81 my mom fell for a Norton refund scam (they send you an email receipt, thanking you for your $600 automatic renewal. Call the number to request a refund and it's all very confusing, so they have you go to their site and permit screen sharing. You get the idea.) She has had multiple incidents since where she calls one of us to check in because it all seemed legit.
@simonwood @Edent most Bank alerts say "we will never call you for this information" which seems like essential phrasing. We're confirming that YOU called US.
@Edent There’s probably lots of good reasons not to, but I wonder if they could change the notification to show which number they *think* you’re calling from. Presumably their system knows, it’s just a question of whether it could be hooked into the notification sending infra.

@philip @Edent It could add the number and the question "DID YOU CALL US?"

Edit: it just occurred to me that they could also spoof your own number to the bank, no? So that might not be helpful at all and may be misleading.

And other than that, do not assume any incoming call asking for any info is legit. Other than your significant other asking whether you fed the cat.

@philip @Edent caller ID spoofing could overcome that mitigation.
@Edent How and what is faked there then?
@derickr nothing is faked in app. It is a genuine notification from your bank.
@Edent @derickr the level of knowledge of this incident suggests the target has already been stalked and their finances already monitored (its way too much resources/effort to put into attempting to scam someone who is skint and only has a few quid in the bank. really wouldn't put it past insiders in the bank/call centres being involved)
@vfrmedia @Edent @derickr my mom got a call from "her bank" inquiring about possibly fraudulent charges. They wanted her account number to review the charges. She banks with a small credit union, so they only knew what bank based on a previous scam

@amanda @Edent @derickr

A few years back the boss of the local credit union in my town got nicked and sent to prison for fraud/stealing customer data and funds, he was only caught because the main bank they use for the electronic transactions noticed suspicious activity and went over his head to cops. The credit union has since been taken over by the local Council.

@vfrmedia @Edent @derickr previously, she twigged to the scam in time to call her bank and raise a red flag. It was super inconvenient to change out her account numbers and logins, but nothing was stolen.

We were all mystified when, months later, a scammer pretending to be from her actual bank (again: a tiny credit union, not Chase) almost got to her. I'm realizing now that they knew which bank to mimic from that earlier scam.

The title of the family group chat is now "urgency+money=fraud"

@amanda @Edent @derickr there's a common fraud in Britain where someone claims to be the teenage or adult offspring of a middle aged person who needs money urgently - yet in spite of being 52 (which is old enough to be a grandparent these days) but unmarried and childless I've *never* had one of these messages, which suggests the scammers are now at least picking those who *do* have families, having gained this info from other sources (maybe commercial social media?)
@vfrmedia @Edent @derickr
Consider, scammers aren't picking & choosing. They spam from their call centres so they may hit loads of cuts but when they hit grandma Doris with her husband's major life insurance payout in her accounts, it balances out for them.
@Edent no because i never answer my phone

@Edent I feel like the notification would be better used for warning you about the purpose of the call. "are you on the phone with us right now RE your requested money transfer" would be more accurate.

Also, I'm not sure how it works with this bank, but with mine I need to approve transactions to new recipients with a physical card reader that asks for a ref no and the transfer amount. That would nix this scam.
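A worked example, added here and not code from the thread or from any bank, of the approval LonM describes (a card reader that asks for the ref no and the transfer amount) combined with the direction-and-purpose wording asked for earlier in the thread. The approval code is an HMAC over exactly the details the customer sees, so a code produced for one recipient and amount is useless for any other; a generic "is this you? yes" confirmation is shown beside it for contrast. The device key, reference numbers and account strings are constructed placeholders, and the MAC construction is a generic one, not any real bank's scheme.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass, replace

# Constructed placeholder: a real scheme provisions a per-device key into the
# card reader or banking app at enrolment. This value is not a real secret.
DEVICE_KEY = b"example-device-key-not-a-real-secret"


@dataclass(frozen=True)
class TransferRequest:
    reference: str      # the "ref no" the card reader asks for
    recipient: str      # sort code / account the money would go to
    amount_pence: int   # minor units, so no floating-point rounding
    initiated_by: str   # "CUSTOMER" if the customer contacted the bank, else "BANK"


def canonical(req: TransferRequest) -> bytes:
    """Deterministic encoding of exactly what the customer is shown."""
    return json.dumps(
        {"ref": req.reference, "to": req.recipient,
         "amount": req.amount_pence, "initiated_by": req.initiated_by},
        sort_keys=True, separators=(",", ":"),
    ).encode()


def display(req: TransferRequest) -> str:
    """Prompt text: states the action, the amount, the payee and who started the call."""
    pounds = req.amount_pence / 100
    if req.initiated_by == "CUSTOMER":
        who = "You contacted us about this transfer"
    else:
        who = ("WE contacted YOU. If you did not call the bank, hang up "
               "and call the number on your card")
    return f"Ref {req.reference}: pay £{pounds:,.2f} to {req.recipient}. {who}."


def customer_approves(req: TransferRequest, key: bytes = DEVICE_KEY) -> str:
    """Customer side: the approval code is a MAC over the displayed details,
    so it only ever authorises *this* payee and *this* amount."""
    return hmac.new(key, canonical(req), hashlib.sha256).hexdigest()


def bank_verifies(req: TransferRequest, code: str, key: bytes = DEVICE_KEY) -> bool:
    """Bank side: recompute the MAC over the transfer it is about to execute."""
    expected = hmac.new(key, canonical(req), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, code)


def tampered(req: TransferRequest, **changes) -> TransferRequest:
    """Helper: the same request with one or more fields altered."""
    return replace(req, **changes)


# Contrast: the generic notification from the thread. The "yes" is bound to
# nothing, so it approves whatever the accomplice asked the bank to do.
def generic_yes_confirmation() -> str:
    return "YES"


def generic_bank_accepts(code: str) -> bool:
    return code == "YES"


if __name__ == "__main__":
    # Constructed values: what the accomplice actually asked the bank for.
    scam = TransferRequest("REF-7731", "12-34-56 87654321", 1_800_000, "BANK")
    print(display(scam))                       # the customer sees payee, amount, direction
    code = customer_approves(scam)             # suppose they still approve it...
    print(bank_verifies(scam, code))           # True: but only for that exact transfer
    moved = tampered(scam, recipient="99-99-99 00000000")
    print(bank_verifies(moved, code))          # False: the code does not carry over
    print(generic_bank_accepts(generic_yes_confirmation()))  # True for anything
```

The point the thread makes is visible in `display`: the direction of the call is part of the prompt, and the approval is cryptographically tied to the payee and amount the customer read, which is what a reader asking for "ref no and amount" achieves and a bare "is this you?" does not.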

@LonM @Edent In the US we can't even handle having a PIN for our credit cards. Can't let security get in the way of convenience.
@Edent I always wonder what would happen if these scammers used their skills for good

@Edent I think it’s just not possible for the average person (or maybe anyone) to evaluate these situations correctly. It’d be better for people to have a blanket rule *never* to trust any incoming call from a business under any circumstances. Hang up the phone, find the number of the business through some trusted channel, and call them back. Don’t try to suss out whether the call is legitimate.

It’s surprising to me that businesses that ought to know better are training people to do exactly the wrong thing. I got a text message from Citibank recently about suspected fraud, asking me to call a phone number they provided. I ignored that number and called the number I found in their app. After working my way through the phone tree, I eventually made my way to the fraud department, where they proceeded to ask me a bunch of questions about sensitive information. It turns out the text message was legitimate, and Citibank expected me to call them at a number that arrived at my phone unsolicited and hand over a bunch of sensitive information.

Citibank’s own fraud protection page warns you of this exact scenario: “Named for SMS (Short Message Service), the technology used for cell phone text messaging, SMiShing messages appear to be from a legitimate company and typically contain a link that takes you to a spoof website or asks you to call a phone number.”

@Edent If I was lucky, I would've noticed that it's kinda strange that the person on the phone said they'd show a notification to prove it's them, while the notification is asking me to prove it's me.

But the person on the phone could just phrase it differently, something like "for security reasons, we have to verify that we have reached the right person, you will receive a notification to confirm" and then I'd have no chance at all, I *am* on the phone with "Chase" after all

@mort, exactly: in this case, the notification needs to include text meaning “you called Chase”.

@Edent

Well if it was my bank calling I'd be suing them for disability discrimination for phoning me (deaf). I've already tried the Financial Ombudsman on NatWest over deafness and phone issues.

I've told my mum that even if she thinks the bank caller is legit: hang up, wait 10 mins, look up the bank's number on a statement she has, and use a different phone line to initiate her own call.

Thanks for sharing how this scam works. I hadn't thought of the dual prong approach. Evil scammers

@Edent The premise is confusing, why would I receive a call on my phone

@Edent

Wow a man-in-the-middle attack with a real life person actually in the middle! 😮

@Edent

In cryptography, it's called "man-in-the-middle attack":
https://en.m.wikipedia.org/wiki/Man-in-the-middle_attack


@Edent "If someone called you and you did not call the bank, hang up and report fraud" at the beginning would help.

Directionality is important in this protocol and needs to be of prime importance.

@Edent I got a call saying it was my bank. Almost got me. But I decided to call my bank and hung up. The bank said they will never call me. The same scammer called me several more times trying the same tactic.
@kcanales02 @Edent

That's when I hit the block/spam button in my dialer app.
@ferricoxide @Edent @kcanales02 Only slightly annoying if they're spoofing your actual bank number.
@ariaflame @Edent @kcanales02

Fortunately, that only blocks inbounds and results in calls going to a spam folder rather than ringing your phone.
@Edent someone really really fucked up their „Security protocols 101“

@Edent

Somewhere on that page it should say that the bank will never call you and ask you to accept this.

@Edent yeah definitely I'd fall for that if my bank had such a system.
@Edent
Definitely a scam. Always hang up, call your bank.

@Edent

Not even in a drunken stupor. I’d hang up, block & call my bank.

@Edent so Scam-2 is on the phone with the bank and gets the bank to send the notification before Scam-1 or 2 have any of your card details. how the hell did S2 convince the bank to do that? sure, the notification came in legit, but what convinced the bank S2 was you at that stage to send the notification? did the bank just test a phone number? it sounds... improbable.

after that it's all sorts of dumb. 12 digits... nah. CVV and 12 digits... you kidding?

i still can't get to why the notification was sent. okay, a phone number not hard, people have those everywhere. but a bank would never simply use that as authentication. first pet name, anyone?

honestly the whole thing sounds like BS, or the guy in question was d-u-m-b dumb. perhaps both. why did the bank send the original notification? was this guy's whole life available online? xfer money instead of lock the account? sounds like he was scammed and has made up a "they were so good" story to save face.

@Edent oh, and the multiple transfers would have flagged both AML and Fraud systems and locked the account down automatically. this can happen with one really odd transaction, let alone a stream of them. even SWIFT would flag up "ya think???".
@pavsmith @Edent I don't see why it would be so hard? All you need to do is initiate the bank's "forgot password" sequence for their phone banking service. You may need (say) the user's card number, their email address and their mobile number - but all you need to get those is a data breach at a website you've ordered something from, ever.
@Edent I'd think that knowing this, the message should say "Did you call Chase?" (maybe with a note that if it appears that Chase called *you*, you should hang up and dial their number). That might not stop everyone from pressing Yes anyway and confirming, but it might stop some of the scams from succeeding.
@Edent
There's also the problem that, even if I suspected it was a scam, I really struggle to do the sensible thing and call my bank, because all my experience with calling large institutions on the phone is long annoying call queues and difficulty getting any help.
My bank is probably better, but I've just been trained to avoid calling any businesses because so many are so bad.
@Edent what baffles me the most is how a large bank with presumably tens to hundreds of security experts can put out a feature like this. They either spotted it (it’s quite a simple MITM attack that a security professional should pick up easily) and put it out anyway. Or they didn’t spot it at all. Either case is baffling.
@Edent My response is always. Okay, let me call you back and we can start this process. A scammer will insist they handle it for you. A bank may say they can handle it but will usually let you hang up and call back. Fraud departments don’t make commissions so there’s no reason for them to hold you on the line.

@Edent

I think this is another reason why I bank at a small local credit union. I get text notifications and phone calls occasionally that warn me that my Chase or other big bank account may have been breached, and I get to know 100% it's a scam, because I don't have an account at a major bank. I think the perpetrators of this particular scam would be hard pressed to spoof my bank.

@Edent I'm hearing "if the bank calls to tell you they've found fraud" the correct answer is always "Let me call you back" hang up, dial number on back of card?

@Edent I think we need to become really stupid and stubborn, because smart is not going to help. They’ve thought it through.

1. If they call you, hang up, find the number yourself, call back. Even for probably genuine calls. Make it a habit.
2. The only thing that might be happening now, in real time, in a rush, is a scam. There is never a rush.

I wonder whether this advice will continue to hold.

@Edent Good attack. Only by knowing that the bank will use this only to validate that YOU are calling THEM, not vice-versa, would I be able to confidently spot it. I hope Chase and others have already taken mitigating action.