Terence EdenMay 2, 2024

You receive a call on your phone.
The caller says they're from your bank and they're calling about a suspected fraud.

"Oh yeah," you think. Obvious scam, right?

The caller says "I'll send you an in-app notification to prove I'm calling from your bank."

Your phone buzzes. You tap the notification This is what you see.

Still think it is a scam?
1/3

Show threadTerence EdenMay 2, 2024

The scammer is on the phone to you.
Their accomplice is on the phone to your bank, pretending to be you.
Your bank send you the notification.
You accept, and scammers proceed to drain your account.

Someone has just lost £18,000 because of this.
https://www.reddit.com/r/UKPersonalFinance/comments/1cih3kd/been_scammed_over_18000_through_my_chase_account/

2/3

Show threadTerence EdenMay 2, 2024

It *is* a genuine notification. But it isn't confirming the bank is calling you.

Should the bank word that differently?

In a rush, would you read it thoroughly?

Most likely, in a panic about the fraud, you'd confirm it was a genuine notification (it is!) and accept it.

3/3

Show threadPaul Richards
@Edent what baffles me the most is how a large bank with presumably tens to hundreds of security experts can put out a feature like this. They either spotted it (it’s quite a simple MITM attack that a security professional should pick up easily) and put it out anyway. Or they didn’t spot it at all. Either case is baffling.
May 2, 2024 at 8:42pmWeb