You receive a call on your phone.
The caller says they're from your bank and they're calling about a suspected fraud.
"Oh yeah," you think. Obvious scam, right?
The caller says "I'll send you an in-app notification to prove I'm calling from your bank."
Your phone buzzes. You tap the notification This is what you see.
Still think it is a scam?
1/3
The scammer is on the phone to you.
Their accomplice is on the phone to your bank, pretending to be you.
Your bank send you the notification.
You accept, and scammers proceed to drain your account.
Someone has just lost £18,000 because of this.
https://www.reddit.com/r/UKPersonalFinance/comments/1cih3kd/been_scammed_over_18000_through_my_chase_account/
2/3
It *is* a genuine notification. But it isn't confirming the bank is calling you.
Should the bank word that differently?
In a rush, would you read it thoroughly?
Most likely, in a panic about the fraud, you'd confirm it was a genuine notification (it is!) and accept it.
3/3
@Edent most banks are absolutely terrible at wording their SMS confirmation messages.
I've had genuine incoming "give us your details first to pass security" calls recently and it's frustrating. They follow it up with a generic code via SMS, which is the same one they use if you call them so the whole process is totally vulnerable to a MITM attack.
If I didn't have a need to make timely progress with something I'd start taking their "NEVER SHARE YOUR VERIFICATION CODE" message literally.
Terence Eden
Simon