An unprecedented wave of online bank fraud is hitting Britain (reuters.com)
252 points by rustoo on Oct 14, 2021 | 216 comments



I had a long argument with HSBC UK Security a few years ago where I was completely unable to get them to understand they were putting their customers at risk.

In the event that something looked strange on your account the 'HSBC Fraud Department' would text you and ask you to call them on a phone number.

A phone number that didn't appear anywhere on their website. "We don't want it public."

OK, well at least put it on a non-linked page so that if you SEARCH for the number on the website search tool, it returns a page with the number on it. "Well, I suppose that's an idea I could pass on."

Even when I said to them "You are training your customers to accept potentially fraudulent text messages" they didn't get it.

Infuriating.


US credit card companies aren't any better. I recently had a similar "fraud alert." The company ditched travel notices in 2016 claiming their AI was good enough to replace it. A few weeks after traveling I had a very small purchase flagged (under $20 at a place like Target). When I called the number they asked me for my complete credit card number, social security number, they didn't know my phone number or email and had to clarify which was my first and last name. They then asked me to photograph my drivers license and text it to them.

When I told them I wasn't comfortable doing this, they reiterated that this was the only way my credit card would be restored immediately and once I hung up the phone I would no longer have this option. They did give me another way to verify, they would send me an email to a web portal I could upload the photos to. After uploading I would have to wait 7-10 business days for them to review and restore my card.

Thankfully, I had another credit card I could use. I did submit via the web form after doing my best to make sure it was legit. Weeks later my credit card wasn't restored. When I later called them, it was immediately restored after a few simple questions. I sent an email to their security department describing how weird and sketchy this process was and I never got a response.


Not all US credit card companies are like this. I specifically remember a few years ago that my Mom got a call from AMEX about some fraud on her card, to which she responded “I never get calls from you, how do I know this is real?”. They said no problem, just hang up and call the number on the back of your card.

I believe some banks even skip the call entirely, and just prompt you to call the number on the card.


On traditional landline phones that older folk tend to use (although I guess that's dwindling every year) a common tactic for scammers is to ask the victim to call the number on the back of the card.

However the scammers don't hang up, they just play a fake dial tone so the victim dials the number thinking they're contacting their bank, but they're actually just speaking to the scammers again.


How did that work?

In the Netherlands, in the 80s-00s at least, hanging up cleared your line, so picking it up again would get you a fresh dialtone even if the other side didn't hang up (and the other side would get a modified "busy" signal if you hung up on them).


Different telephone switches (the big ones in the central offices) have different behavior for clearing the line when one party hangs up. I've heard that some switches wouldn't clear the line for tens of seconds when a called party hung up, and that those switches were common in the UK.

I personally recall people occasionally being able to hang up one phone before picking up a different phone if they wanted to take the call in a different location in the house. Although I don't remember it ever being very effective, and over time (in my corner of the US) it became never effective, so you'd just leave the first phone off the hook and have to hang it up later.


This was (is?) a "feature" that let you answer a call in, say, the front hall, then hang up and continue the call in your office as long as the originating caller did not hang up the handset. The scam relies on actually playing a dial tone and ringing after the victim "hangs up", which is how some people noticed it "sounded weird" and then called their bank on another line or cell phone.


Because when you hear the other side (pretend to) hang up, you need to not be fooled and also hang up on your side. If you don't hang up on your side, then on older phones you actually have no way of telling the call is still going.

On your smartphone, it's easier to not fall in this trap, as the screen is making it harder to type a phone number while the call is still going.


No, this isn't just confusion, this is a real behaviour difference between smartphones and (some) landlines. If someone calls you on a landline, depending on the exchange, hanging up your phone might not be enough to end the call; when you pick up again, you may still be connected to the caller.

It used to be the case that the party who made the call - being the party who is paying for it - was solely responsible for terminating it; then timeouts were introduced; and on many landline exchanges there is still a timeout before the call is actually terminated if the callee hangs up but the caller does not - although these days it is just a few seconds, that may still be long enough that you stay connected to the original caller if you hang up then immediately try to place a call.

Google "called party clear" for gory details.
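The called-party-clear behaviour described above, as a toy simulation added here to show why "hang up and call the number on your card" can fail on a landline. This is not code from any poster; the switch model, the hold-timer values and the telephone number strings are assumptions for illustration, not a description of any real exchange.

```python
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed identifiers for the scenario (not real numbers).
SCAMMER = "scammer"
VICTIM = "victim"
BANK_NUMBER = "0800-000-000"
DIRECTORY = {BANK_NUMBER: "bank"}   # what the switch connects you to when you dial


@dataclass
class Call:
    caller: str
    callee: str
    callee_on_hook_since: Optional[float] = None   # set when the callee hangs up
    cleared: bool = False


class Exchange:
    """Toy central-office switch.

    hold_seconds is the called-party-clear timer: how long the callee's line
    stays attached to the caller after the callee goes on-hook. 0 models an
    exchange where the callee's hang-up clears the call at once."""

    def __init__(self, hold_seconds: float):
        self.hold_seconds = hold_seconds
        self.calls: Dict[str, Call] = {}   # line -> call it is attached to

    def place_call(self, caller: str, callee: str) -> Call:
        call = Call(caller, callee)
        self.calls[caller] = call
        self.calls[callee] = call
        return call

    def _clear(self, call: Call) -> None:
        call.cleared = True
        self.calls.pop(call.caller, None)
        self.calls.pop(call.callee, None)

    def hang_up(self, line: str, now: float) -> None:
        call = self.calls.get(line)
        if call is None or call.cleared:
            return
        if line == call.caller:
            self._clear(call)                 # the paying party clears immediately
        else:
            call.callee_on_hook_since = now   # callee only starts the hold timer

    def lift_handset(self, line: str, now: float) -> Optional[Call]:
        """Return the call the line is still attached to, or None for a fresh dial tone."""
        call = self.calls.get(line)
        if call is None or call.cleared:
            return None
        if line == call.callee and call.callee_on_hook_since is not None:
            if now - call.callee_on_hook_since >= self.hold_seconds:
                self._clear(call)             # timer expired: line really is free
                return None
            call.callee_on_hook_since = None  # re-joined the old call unnoticed
        return call

    def dial(self, line: str, number: str, now: float) -> str:
        """Who the line ends up talking to after lifting the handset and dialling."""
        stuck = self.lift_handset(line, now)
        if stuck is not None:
            # The digits go down the still-open line as tones; the switch never
            # sees them, and the far end can play whatever dial tone it likes.
            return stuck.caller if line == stuck.callee else stuck.callee
        callee = DIRECTORY[number]
        self.place_call(line, callee)
        return callee


def who_answers(hold_seconds: float, wait_seconds: float) -> str:
    """Scammer rings the victim; victim hangs up, waits, then dials the bank."""
    ex = Exchange(hold_seconds)
    ex.place_call(SCAMMER, VICTIM)        # t=0: inbound call from the scammer
    ex.hang_up(VICTIM, now=60.0)          # t=60: victim "hangs up" as instructed
    return ex.dial(VICTIM, BANK_NUMBER, now=60.0 + wait_seconds)


if __name__ == "__main__":
    print(who_answers(hold_seconds=30, wait_seconds=2))    # scammer
    print(who_answers(hold_seconds=0, wait_seconds=2))     # bank
    print(who_answers(hold_seconds=30, wait_seconds=45))   # bank
```

The only defence the simulation offers the victim is time (wait out the hold timer) or a different line (a mobile), which is exactly what the posters above describe; the caller's own hang-up clears the call immediately in this model, so it is the scammer staying off-hook that keeps the victim attached.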


A weird one that happened to me a few years ago was when I ordered about $100 worth of products from banggood, my phone rang within seconds of the purchase going through. The display on my phone showed it to be a bank I never heard of. When I did a search, it turned out to be a small bank with about a dozen branches in a state hundreds of miles away. The voicemail however was from my bank's fraud department informing me they were locking my card due to unusual activity. When I called my bank using the number on my card, they verified that the original call was from them and they were able to unlock my card. They had no idea why the name of a different bank showed up on my phone. Best I can determine is that my cell provider was the one who added the name information and something in their database was incorrect.


I've definitely noticed that some small regional banks make extra money by offering services to other small banks and credit unions. For example, cashier's checks issued by my (fairly large actually) credit union are actually drawn on a midwestern regional bank that they seem to use as a service provider. So it's possible that bank is somehow involved in your bank's card issuance.

I also wonder if it's a contract call center or fraud prevention company and the caller ID value was just bad... at some point their phone number may have gotten put on a listing for one of the banks that uses them and now it's stuck in the Google Caller ID database or whatever. Google's caller ID is frequently pretty out of date and it's unclear how you would get it fixed (e.g. my husband has had his phone number for years and Android phones still show someone else's name when he calls).


Most banks don't do their own everything. A few seemingly little banks (often in the middle of nowhere) take on different tasks. It could well be that when you called "your bank" the other bank was originating the call and the person at your bank didn't know how the backend was really wired.


That's my experience; they specifically ask you to call the number on the back of your physical card.


My US cards send me texts and I reply Y.


Same here for my UK cards. Good system.


Agreed. I personally carry a Citi card (double cash) because it has the best (for me) rewards, but I also carry an AMEX blue cash preferred for which I pay an annual fee. The customer service I get from amex is DRAMATICALLY better than from Citi.

With Citi:

* It's non-native-English support. No judgement of course, but I don't appreciate the language barrier when the entire job of customer support is communication.

* Support generally seems to be very low-context and low-power. The person you talk to generally can't actually do anything, only escalate.

* Support seems very disjointed and prone to missing details.

I was burned by Citi support in a pretty big way:

1. I was moving cross-state, and we were selling (under contract) our old house and not yet closed on the new one. In between, we were living with my parents.

2. Literally the first day we were at my parents, some fraudy charges showed up on my citi card. I called, they cancelled the card, etc. I told them I was not currently at my address on file, I was at my parents, is this OK, etc. They said yes, that's fine, they'll send replacement cards to the new address. I very specifically verified with them that they were sending them to the right place, and the person even got a little tired of me being so tight about it. Ok, I figured, I feel like I've gone above and beyond on my end to make sure this works right.

3. 2 days later, I see on my security camera that the old cards have been delivered to the front door of the old house, 300 miles away.

4. I call back, and they tell me they don't see any record of me having requested a different address. Sigh. I ask if they can cancel those cards and re-send them to the right address this time. They say yes, we go through the loop again, etc.

5. I wait a day or two and no cards show up at either location. I call back again. I get told there's no record I asked to cancel these cards or re-send them. This rep finally tells me they can't re-issue the cards again so soon, and need to wait 5 more days. In the meantime, these active cards are just sitting on my porch in a big envelope that says "CITI - URGENT - PLEASE STEAL ME" written all over it.

And, you know, I really needed to use this card since I was trying to buy appliances for the new house.

I ended up resolving this by just making an extra trip back to the old house anyway just to finish cleaning it up and to grab the cards since I needed to go one more time anyway. I called back to make sure they weren't going to cancel these cards, and of course there was no record I'd ever asked to cancel them, etc.

Compare this to AMEX support. Native english speakers, they seem to have the power to actually just fix things for me, etc.

So, while I still use my citi card just to keep the credit line open, my Amex card is my pinch hitter and cornerstone.


When dealing with banks that I know have lousy customer service over the phone I keep recordings. "Recordings may be taken for training and customer service purposes" says the message. Thanks, I'll take your advice.

In the UK the tax-free savings account allowance is per tax year. I paid the money into a not-so-great bank offering excellent rates a few days before the deadline one year and called to create a savings account. Weeks later they've got no record of the savings account, and when I call they explain I'm too late now for "last year's" allowance. I point out that I made the transaction before the deadline and they explain that oops, sadly they don't have that call recorded, and so there's no evidence I actually authorised account creation back then. So I play back my recording, and what do you know, suddenly the bank has a new explanation for what went wrong and wants to pay me compensation for their mistake in not making the account.

A better bank would have eaten the cost of this mistake up front of course, but I already knew this was a lousy bank, that's why they're offering by far the best rates. To attract customers despite the reputation.


> In the meantime, these active cards are just sitting on my porch in a big envelope that says "CITI - URGENT - PLEASE STEAL ME" written all over it.

I have more than a few credit cards, and I've never encountered a card issuer in the US that mails active cards. All of them require some sort of activation process before they can be used. That way, it doesn't matter if they're stolen.


Incidentally, for those with a VPN installed on their phone: do not use your banking app while the VPN is running.

The current "We don't need you to tell us where you're going, we can figure it out" leads to me getting locked out 100% of the time I use the banking app on my phone with the VPN on and then try to use the card at a nearby store. Obviously there are two different sources of my location incoming and that causes issues.

I guess it's an edge case to have a VPN on your phone but it's very very frustrating.


Depends on your bank.

One large bank I do business with doesn't care, or recognizes that pre-'rona I used to do a lot of international travel.

Another large bank I do business with locks me out if I'm on VPN.

I also suspect it has to do with bank balances. The more money I have in my accounts, the better customer service I get, even to the point of them answering the phone more quickly.

It also seems to help to have a business account with a bank, too. I get all kinds of free perks on my personal accounts with the bank I do my business banking with.


Lucky for me it just crashes/hangs on login if my VPN is on so I don't have to worry about the app reporting me (Ally Bank, app otherwise relatively good)


>Thankfully, I had another credit card I could use.

You pretty much have to these days, preferably with the second one being from a different bank and potentially different payment processor. Between random fraud triggers and cards being frozen because of fraudulent charges or attempts, you really need a backup.

I've never had trouble dealing with the problem by phone but I'm still out the credit card in a foreign city for a few days and I may not even be at a location where I can easily have something sent to me.


Chase?


Amex?


I guarantee that experience wasn't with American Express. My experience has been that Chase has invested heavily in automated fraud management /and/ that it works reasonably well, but they have no real paths outside their strict processes for going around it. American Express is much more personable, at least for high value accounts, and still allows you to insert travel advisories which have date ranges.


My experience as a new Amex customer has been horrid along these same lines. Everyone talks up Amex, but I'm not seeing it so far.


I had my Amex card cancelled for "non-payment," even though I paid.

Then a month later, Amex mailed me a check for the money I paid because it had no account to credit it to, because it cancelled the account.


American Express


I had a similar experience from HSBC. They called me about a potential fraudulent claim. They asked for my DOB, card number, sort code, you know, to verify "that I am who I say"... all the stuff they SHOULDN'T ask, and stupidly I gave it all up.

To be fair, I did because my card had been rejected literally 30 seconds before while trying to make a purchase. But it was only after the phone call ended that I realised what I had done. I phoned them back on a number listed on their website, asked them to confirm that I had indeed spoken with HSBC fraud detection, and they confirmed. I then lambasted them for asking me all the questions they tell their customers never to answer.

They're just training their customers to give out information, and even alert customers like myself can sometimes have a moment of panic and comply.


I hope your admonitions to the call center drone who picked up your call were emotionally satisfying to you, because that's as far as they went. If you want to influence company policy on something like that your best bet is a highly visible social media conversation. The poor call center drone who was the subject of your wrath literally just sighed and stared at the wall for a second after your call then opened up the line to the next person who was going to yell at them.


>I hope your admonitions to the call center drone who picked up your call were emotionally satisfying to you, because that's as far as they went.

I've supported a call center. We had specific escalation routes where problems could be sent to higher levels. The most obvious is the "I want to talk to your manager" escalation, but the agents, managers, and QC agents could push buttons that flagged additional review.

My advice for getting attention: don't be rude (EVERYONE is rude, this won't get anyone's attention), be CLEAR about the problem AND solution, evoke emotion in the listener (remember, the listener is a QC person who reviews the call days later).

Try something like: I'm on vacation and my daughter was REALLY looking to see a musical. Do you have kids? Mine LOVE Beauty and the Beast - she has her backpack and t shirt, she is adorable. Every time we try to buy a ticket, it gets rejected. I think I forgot to notify you that I'm traveling. I'm so sorry - it just slipped my mind!


In fairness HSBC calls from known numbers (granted, you may not recognise it the first time, but you can look it up then save it) and publishes numbers where you can call them [1]

[1] https://www.hsbc.co.uk/help/security-centre/report-a-problem...


This doesn't help when it's so common to spoof caller-id. The telco industry has blown any trust we can put in this information.

[I just learned that the FCC is considering not allowing calls made outside the US to be spoofed as numbers originating inside the US. I thought that was the whole point behind STIR/SHAKEN, silly me].


It does help because you can call back if you recognise the number (which defeats spoofed caller ID) or call the number published.

There's not really any alternative to calling a trusted number.


If I don't care that you can redial the displayed number and get me this doesn't matter when I spoof my outgoing number though...


Bank phone numbers should be written on the back of credit/debit cards (and in a lot of countries, they are).

"A fraudulent transaction has been detected on your credit card no. *1234, please call the number written on the back of your card", and you're done.


Unless the fraudulent transaction is due to the fact you just lost your credit card.


The important part is that you are able to look up/personally verify that you are contacting the correct people. If I lose my card I can still look up the right number on my bank's website. Because you cannot confidently identify a caller, it is better for the customer to reach out using more easily verified information.


Well yeah.. but again, the number could also be in the footer of the bank's website.

People usually get scammed when they have the card with them... when they lose the card, they're the one actively looking for a phone number, and not presented with one from a scammer.


- "Sir, I'm calling you because I found your card, I called your bank, and they gave me your number. They told me you should report the card as lost in case it's been used fraudulently with the phone number that is written at the back of the card"

- "Can you send me back the card?"

- "I'm in a train, I won't be able to do that for a while. You should really call"

- "But I don't have the number"

- "I can read it to you"

Pwn


Red flag number 1 - my bank wouldn't give someone random my telephone number. That would be illegal.


Good thing there are no data leaks or compromises! /s

That my bank insists on using essentially public information now to verify (and refuses to use anything else, even after being repeatedly asked!) is also infuriating. Last 4 of SSN and DOB? Really?


Well, the point isn't that my bank wouldn't "leak" my details - I certainly don't trust them that far. So it's absolutely possible for a random person to get my phone number from the bank. But if a random person were to phone me and tell me that my bank gave them my phone number to be helpful, I'd be calling that out as a lie.


If someone spoofs the banks number on caller ID (trivial), knows all your security question answers, the bank you bank with, and your number - very few people are NOT going to fall for some kind of attack there correct?


How could they figure out the internal account number without hacking into the bank in the first place? I’m fairly certain there’s no way to derive the account number from a debit card number or any of the info you mentioned.


Via the data leak issue I mentioned? [https://www.bankinfosecurity.com/capital-one-warns-more-data...] which are becoming more and more common?


You have confirmation that internal account numbers were leaked in the capital one breach?


It says so right in the linked article.

Additionally, bank account ‘internal’ account numbers are pasted on every check that goes out and any ACH transfers also include that information, so it’s not like they are hard to cross reference with any of the other major breaches.

SSN, dob, which banks people use (and other financial institutions), which loans they have with whom, etc. also got leaked for pretty much every US adult with the equifax hack.


But for this, you must lose a card, not realize you lost it, a scammer must find your card, and he must somehow get your phone number to scam you.


If my bank has blocked fraudulent transactions for a card I've lost, I'm not in much hurry to respond. They've already blocked it, and I don't have the card to use anyway.


That number should also be on every single billing statement you've ever received from them, so you know, check that paper or pdf.


And don't get me started on banks sending out emails chock full of "Click this link!" It's like they're setting people up to get phished.


I have three bank accounts and none of them send emails with links. If they send any email to start with, they just say go read your messaging/documents on your bank account.


For most banks it is fine. They say "Click this link" I click it, then click "Login" and everything is fine.

Other banks purposely break my password manager so I have a high chance of pasting my password into a phishing site because I am in a habit of pasting my password for that bank.


In the US, we had a medical provider who, when they would call you to give you test results, would attempt to get you to verify your identity by telling them part of your social security number. Haha, you called me! How do I know you're who you say you are?


Hopefully this trial 159 scheme takes off: one simple number to call regardless of bank.

https://www.moneysavingexpert.com/news/2021/09/stop--hang-up...

I mentioned it to a few older family members and they were all for a simple number to call.


Reminds me of the “now there are 14 standards” xkcd.


>Even when I said to them "You are training your customers to accept potentially fraudulent text messages" they didn't get it.

You were talking to a call centre worker making close to minimum wage and whose job is to get shouted at by customers all day. Even if they wanted to help you, their opinion would count for nothing.

No wonder they didn't give a shit.


Natwest seems to have taken to sending me text messages listing three recent transactions (where one is suspicious to them), and asking did you make these? Reply y or n.

I can't verify that the text is from Natwest, but it seems relatively safe, as I'm not providing any personal information in return, so this seems a reasonable first line security mechanism. Of course someone could clone my SIM, in which case there's no protection, but it does raise the bar for using a stolen card, and I think that's the intent.

If my bank ever does call me, they have to leave voicemail because I don't answer calls from unknown numbers. And then I call back using the number on the back of the card.
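The contrast between the HSBC texts described at the top of the thread (call this unpublished number) and the Natwest texts described just above (reply Y or N, disclose nothing) can be reduced to a few mechanical checks. The triage function below is an added example, not code from any poster or bank; the allowlisted number, the bank domain and all sample messages are constructed for illustration, and the patterns are heuristics a reader can extend, not a product.

```python
import re
from urllib.parse import urlparse

# Constructed allowlists: the numbers the bank publishes on its website and
# cards, and the domains it owns. Not real HSBC or Natwest data.
PUBLISHED_NUMBERS = {"03001112222"}
BANK_DOMAINS = {"examplebank.co.uk"}

# A legitimate alert never needs a secret back; asking for one is the phish tell.
SECRET_REQUEST = re.compile(
    r"\b(pin|password|passcode|one[- ]time (?:code|passcode)|otp|cvv|"
    r"security code|(?:full )?card number|date of birth)\b", re.I)
URGENCY = re.compile(r"\b(immediately|within 24 hours|suspended|locked|urgent)\b", re.I)
# UK-style numbers: leading 0 or +44, 10-11 digits, optional single separators.
PHONE = re.compile(r"(?:\+44\s?\d|0\d)(?:[\s-]?\d){8,9}")
URL = re.compile(r"https?://\S+")


def normalise_number(raw: str) -> str:
    """Strip separators and fold +44 to the domestic 0 prefix for comparison."""
    digits = re.sub(r"\D", "", raw)
    return "0" + digits[2:] if digits.startswith("44") else digits


def domain_is_trusted(host: str, bank_domains) -> bool:
    return any(host == d or host.endswith("." + d) for d in bank_domains)


def triage(text: str, published_numbers=PUBLISHED_NUMBERS, bank_domains=BANK_DOMAINS):
    """Return the list of red flags found in one SMS, in a fixed order."""
    signals = []
    if SECRET_REQUEST.search(text):
        signals.append("requests_secret")
    # The thread's HSBC case: a callback number that cannot be verified
    # against anything the customer can look up independently.
    if any(normalise_number(n) not in published_numbers for n in PHONE.findall(text)):
        signals.append("callback_number_not_published")
    for url in URL.findall(text):
        host = (urlparse(url.rstrip(".,)")).hostname or "").lower()
        if not domain_is_trusted(host, bank_domains):
            signals.append("link_to_unrecognised_domain")
            break
    if URGENCY.search(text):
        signals.append("urgency_pressure")
    return signals


# Constructed sample messages modelled on the styles discussed in the thread.
SAMPLES = {
    "reply_y_or_n": ("ExampleBank: Did you make these payments? 1. TESCO GBP 23.40 "
                     "2. AMAZON GBP 15.99 3. XYZ LTD GBP 450.00. Reply Y or N to confirm."),
    "unpublished_callback": ("ExampleBank: unusual activity on your account. "
                             "Please call our fraud team on 0300 000 0000."),
    "published_callback": ("ExampleBank: unusual activity on your account. "
                           "Please call us on 0300 111 2222."),
    "call_number_on_card": ("Suspected fraud on card ending 1234. "
                            "Call the number on the back of your card."),
    "phish": ("Your card is suspended. Confirm your PIN and full card number at "
              "http://examplebank-secure.example/verify"),
}

if __name__ == "__main__":
    for name, sms in SAMPLES.items():
        print(f"{name:22s} {triage(sms) or 'no red flags'}")
```

The "unpublished_callback" sample is the point the first poster was making: once the bank itself sends texts that fail this check, customers have no signal left to distinguish the bank's genuine alerts from a scammer's, whereas the Y/N style and "call the number on your card" both pass because they ask for nothing the customer cannot verify on their own.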


I have also had that with HSBC - if you call the main online banking number they will put you through, but it involves being shunted around on hold. The thing I found most annoying was the attitude of the HSBC representatives when I said (very politely) that I wanted to call back.


> The thing I found most annoying was the attitude of the HSBC representatives when I said (very politely) that I wanted to call back

Because the poor person on the phone gets dinged for not completing the transaction. You doing the right thing causes them to look bad in the computer-tallied automated productivity tracking tool.

Call center employee metrics are absolutely brutal.


In theory, you would first call your bank consultant to verify the number is legitimate. (Supposing the existence of a process which is not completely broken.)


If I was talking to employees of the "Mexican drug cartel money laundering corporation", I too would be disappointed they don't give a shit.


Britain being where the victims are, not the criminals.

Some reasons why Brits might be so so vulnerable:

* Major: English speaking so common to be targeted from less affluent ex-commonwealth countries.

* Major: Ageing population have most of the wealth.

* Major: Lots of vulnerable victims online and relatively high social media engagement.

* Major: Little fear of retaliation (other than Jim Browning). The UK is having less of an engagement in global policing (due to Brexit) and has less reach as a consequence.

* Minor: Degrading international relations. Less empathy shown towards Brits due to somewhat inward looking foreign policies over the past decades.

* Minor: Growing economic disparity causing a glut of "get rich quick" victims.

Honestly I think Jim Browning is showing how this problem is solved and is probably having a 100x impact over the average bank worker. The Banks should be funding him and others like him.

For those that don't know who Jim is, he does awesome work in identifying scammers and working with the local / relevant authorities on shutting their services down.


From TFA:

> While security experts and senior bankers said many fraud attacks could be traced overseas - including from India and West Africa - Britain is also increasingly exporting attacks.

> ...

> "It's popular to say the fraud threat is imported into the UK, and I don't think that bears analysis," said NECC's Reed. "There is a significant UK nexus to a lot of fraud, our operational experience is showing that."


From personal experience working on this problem I would strongly agree with idea that a lot of bank fraud is home grown.

The police in the UK have a very poor track record of actually dealing with bank fraud. The nature of the crime, and the way UK policing works, means there's a significant number of disincentives to actually investigating bank fraud. Two of the biggest showstoppers are location/jurisdiction and training: which police force should investigate? The one where the victim lives, or the one where the criminal lives? Police training focuses almost entirely on crimes with a physical element; if someone robbed your store, then the police know how to help. If they rob your bank account, they haven't the foggiest where to start that kind of investigation.

Additionally, each individual case of fraud tends to be for small amounts (thousands to tens of thousands), so they are frequently ignored. It's only in aggregate that the sums become meaningful to police, but they rarely consider fraud on anything other than a case-by-case basis. The result: as a bank we can tell the police exactly who committed a crime, where they live, what they look like, where they eat breakfast, what their social media handles are, etc., and nothing will happen. The report and all the data vanish into the black hole known as the NCA.


This reminds me of how I used to get fake passports.

There was a period when almost every day I had Royal Mail drop through my letterbox envelopes containing various fake documents (passports, driving licences, National Insurance letters, ID cards from various EU countries). Someone was mailing those from a nearby post office and putting my address on the back of the envelopes as the sender. A fraction could not be delivered and got returned to the "sender", some having travelled to, and returned from, other countries.

I reported this several times, both to Action Fraud and to the police. At some point I spent an entire Friday evening sitting at a local police station, thinking that, if I brought the documents to them in person, the police would be less inclined to think I was some crackpot making the whole thing up. I also thought that the fact the documents were being mailed from a post office across the road from the police station might pique their interest (the letters had tracking numbers and so I could look up their journeys on the Royal Mail web site).

In the end this turned out to be a waste of time. The front-office police person was clearly pretty unhappy with having to deal with this, but escalated to someone who "knew more about these things". The latter applied the investigative method of typing "Portuguese driving licence" into Google Image Search and comparing the results with one of the licences I gave them. After a further escalation to an even more specialised officer, the conclusion was that the documents were indeed fake.

I got a crime reference number and a clear indication that I would never hear from them again, which I indeed haven't.

Still have all the docs (the police didn't want to keep them). They stopped coming after a while.


Another factor is cost - the police do not have enough resources to investigate.

A few weeks ago my car was hit and the driver just drove off without stopping to give details (hit and run). The incident was caught on my dashcam, including the car reg plate and faces.

After informing the police on 101, they said sorry, they do not investigate hit and run any more unless a serious injury has occurred - no resources available.


Why would Brexit impact police interactions with other Commonwealth countries? Or even global policing?


Because we lost access to many EU police databases and data sharing agreements. We negotiated continued access to some stuff, but there are still some significant gaps.

https://www.bbc.co.uk/news/uk-politics-56529359


How are these databases used to police/punish the stereotypical Nigerian scammer?


I don't think that's a reasonable question, not all scammers are Nigerian. Some are based in the UK, others in Europe. Also the EU had data sharing agreements and collaboration outreach with police forces all over the world that we also lost access to.

That's one of the complications with our data sharing with the EU; they have agreements to share data with non-EU countries on the basis that their data is only shared within the EU, which we are now not. Therefore the EU can't grant us access to databases containing that data until we/they have permission from these other countries. We will, and are sorting it out but it's going to take time. Brexit was always going to come with some costs, that should be obvious even if you think on balance it was the right choice, and this is one of them.


The poster forgot the bunny quotes ("so-to-say") in «stereotypical "Nigerian scammer"», but added the term 'stereotypical' to lead you there, and the content was clear: certainly the poster did not express or suggest that «scammers are Nigerian». "Scotch tape" is from Minnesota, and the Scots are probably not that disturbed from the underlying idea of "Careful with that glue, Eugene! "Be a Scot", don't waste it". The Nigerian princes happened, terminology spawned, Nigeria has presumably not yet demanded that those scams should be called with Greek letters. Because we are not fools and we know losing one's head is not decapitation, and losing one's mind is not misplacing it on the wrong table. You know what's Eugene even if no-one's called Eugene, and if you don't you can get it's a cultural reference.


The intended interpretation is (Nigerian scam)mer, not (Nigerian) scammer; the scammers aren't Nigerian, the scam is. It refers to one of the earliest well-known forms of a type of e-mail scam: "Hello, I'm a Nigerian prince with lots of funds but I can't access it, please send me $amount so I can get access and I will return it ten-fold".


> I don't think that's a reasonable question, not all scammers are Nigerian.

Then a non-sequitur, why would it matter? Superbugs that originate in hospitals can escape and cause harm beyond a hospice; and if certain locales, Nigeria being the famous example, are harder to touch, then those places will be selected for by scammers.

Consider that certain places are harder to police than others (which is basically the whole premise of this thread in the first place - that the EU is better policed than the UK); or that criminal operations could operate somewhere other than their place-of-origin.

> Some are based in the UK, others in Europe.

And if the European ones are more likely to get caught, there will be fewer of them, and a lot of those that remain won't operate locally.

> Also the EU had data sharing agreements and collaboration outreach

I don't doubt data-sharing is more difficult, I question if it makes any (long term) difference to remote (i.e. over the phone, or email) scams.

The question is how does that data relate to catching scammers who trivially outsource from elsewhere? Does the EU have any data on which EU companies run scams out of Nigeria[0]? Even if the EU has a data-sharing agreement with Nigeria, I doubt the government even keeps tabs on the scammers. Plus, you can always move to wherever there isn't such a data-sharing agreement e.g. somewhere semi-hostile/antagonistic to Europe.

[0] SIDENOTE: I would mention somewhere other than Nigeria, so as not to seem to "pick on" the place, except - 1) Nigeria is established as famous for scams already, 2) that would only make me more susceptible to downvotes from people triggered by me mentioning their somewhere-they-hold-dear in a negative light.


> not all scammers are Nigerian

Of course not; but "stereotypical" ones are definitely Nigerian.


Commonwealth should be unaffected, but if the perpetrator is in the EU, I guess it could be because British police can no longer access the Schengen Information System (SIS) database, or issue European Arrest Warrants (EAW).


That's a big if - why would a scammer risk the liability of operating in the EU if they can trivially outsource to somewhere untouchable?


Because criminals operate in every country and the EU has a large and often English speaking population. It’s the same with the US/UK where plenty of scammers operate in each country while targeting the other. Email doesn’t care about national borders, it does care about language.


> because criminals operate in every country

Sure, they do, but what does that matter; or what does "operate" mean in this sense? You can outsource to elsewhere i.e. you can operate anywhere.

> the EU has a large and often English speaking population

So do many places, the EU is by no means unique in this respect. But there's a reason "cost centres" are being outsourced to India or the Philippines, more often than the EU. And in the context of criminal operations, "language-speakers" is by far the least important/riskiest factor relative to those that would get you arrested.

> It’s the same with the US/UK

Is it? Do you have (statistical) examples?

> Email doesn’t care about national borders

Wrt liability, (i.e. Arrest Warrants, the context of this thread) email, or at least the senders of, do care; more so than language. Unless you are implying criminals care more about maximising profit than getting caught?


AFAIK Europol has been a significant factor in fighting online fraud because much of it is international and the same group targets many EU countries at once.


It's also because the British banking system decided that, on the safety / usability balance, they would choose usability.

Banking in the British banking system is way easier than anywhere else. I remember when I was a student, they sent a bus to the university, so we could just hop in, arrive at the bank, and open an account as an immigrant in 15 minutes.

Try to do that in France, you would get your card, what, next month at best?

It was only a matter of time before the criminals realized the door was unlocked and feasted on them.

In fact, I'm expecting Australia to be next, for the very same reasons.

Have you tried to do any paperwork in Australia? It's. So. Simple. Seriously, for a French person, it's a video game on easy mode, and you never leave the tutorial.

But there is trust everywhere.

They are either going down, or making the system harder to work with.


Just an FYI, for at least the last 6 years it has been very difficult for any kind of migrant to open an account.


> Britain being where the victims are, not the criminals.

Britons could be the criminals too. It's easier to spearphish high value targets when using a familiar "trustworthy" accent and associated mannerisms and cultural knowledge.


Also worth noting:

* UK infrastructure makes number spoofing very easy.

* UK banking legislation (and court rulings) put banks in a difficult position: they MUST accept a client's instruction to transfer money and do so rapidly (unless doing so would be a crime).


> they MUST accept a client's instruction to transfer money and do so rapidly (unless doing so would be a crime).

Not quite true. Banks are required to accept and process instructions quickly, the general idea being that a bank should never prevent an individual from accessing their own money. But protecting a client from fraud is a legitimate reason for slowing down a transaction, you just can't delay it indefinitely. There are plenty of UK banks that will delay outbound bank payments by up to 24 hours if they think there's a good chance someone is being defrauded.


I would be interested in knowing which court rulings those are.


Some of the more recent judgements are outlined here:

https://www.mondaq.com/uk/financial-services/1056304/uk-high...

But it goes all the way back to common law. Basically the bank is a customer's agent and must obey instructions to the best of its ability. It must exercise reasonable skill etc. in obeying those instructions. But unless it suspects fraud it cannot disobey. To quote: a bank is not required to act as an amateur detective.

There is very little room for them to decline a customer instruction once given. It needs to be pretty blatant fraud or otherwise illegal. Sending money to another account is neither on the face of it.


Nothing so complicated. With open borders the UK was a popular destination - and the training ground, and work environment. Now lockdowns have forced people to double down. Some below mentioned the infamous Nigerians; it's usually the Albanian region.


Yeah, Jim Browning definitely needs to go teach law enforcement how to do their job, preferably in exchange for the biggest consulting cheque the world has ever seen.

The problem, as always, is that they don't actually want to do that. They'd rather stay incompetent because it lets them let criminals off more easily. We have the same problem where I live but with illegal work for often far below minimum wage. The cops and tax inspectors keep saying they're understaffed, underfunded and undertrained to do anything about the problem, yet two journalism students have been able to catch and report more cases of illegal working conditions than the inspectors do in one year.

I used to wonder why, until I saw one of the main white collar cops in the city having a beer with the dude that I know for a fact regularly pays people minimum wage then has them give him half of it back in cash or they're fired. I asked around and it turns out they're childhood friends so he lets him do whatever. And we're not even close to the higher half of the corruption index! I can't imagine how things work in a country that's worse off...


Did you report the wage theft crime that you suspected?


I didn't have any proof, only the word of a few people that were still working for him and couldn't afford to lose their jobs.

I do however know that he was reported and investigated at least once by a former employee, but the investigation unsurprisingly found no proof ("agreements" were all verbal and everything was done in cash). The cops said that with just one testimony a conviction was unlikely and nothing really came of it.

In general, these things rarely get resolved because the worker can't risk snitching because they'd lose their only source of income and once they leave and get a better job, they're just happy it's behind them and don't pursue it further.


[flagged]


Explain yourself. What is infantile in what you read.


"The solution's easy, I could solve it immediately if only people would listen to me" - Person With Absolutely Zero Experience In The Field.


What I get out of that post is "The solution is they have to want to fix the problem."

Which is simple but is very different from calling it easy.


What is the evidence that they don't want to fix the problem? The evidence from TFA would suggest they are trying and struggling, mainly due to resources.


How is the world going to balance instant low friction commerce with the need to prevent instant low friction fraud...

I don't think anyone has answers, it's a problem that will affect crypto payments as well as fiat payments.. I hoped Confirmation of Payee would help, but the massive increase in APP fraud in the last 12 months seems to dispel that notion..

Maybe the answer is money that doesn't settle instantly.. Kind of like how your paypal payments are "on hold" whenever you get them to give the sender time to realise they've been scammed. Maybe all payments take 2 weeks to settle, and everyone lives on free credit up to the unsettled amount..

edit: I worked at Monzo for 5 years, and was in the original Confirmation of Payee meetings as Monzo's rep to Open Banking


> Maybe the answer is money that doesn't settle instantly.. Kind of like how your paypal payments are "on hold" whenever you get them to give the sender time to realise they've been scammed. Maybe all payments take 2 weeks to settle, and everyone lives on free credit up to the unsettled amount..

Well, all credit card payments are basically exactly this (which you’d know, given your previous job). The crypto crowd always yell “no chargebacks!” when trying to attract people to their platforms, but chargebacks are actually a feature, not a bug — for the very reason you just described.

I don’t like it, though. It seems totally inefficient, and there are better ways to do this.

Edit: I want to add, because of chargebacks, any credit card processor that doesn’t hold your money for, like, 6 months or whatever, is accepting the credit risk associated with what would happen if all of your transactions were charged back and you weren’t good for the money. Hence why their risk management is a nightmare, and why anyone who enters that space ends up looking like a bad guy who arbitrarily freezes people’s money (unless they choose to use humans rather than AI, but that doesn’t “scale,” right?).


My father was scammed out of $1200 USD. He had a pop-up on his browser that said his computer was broken. It's the most cheesy scam on the web but this 80 year old man didn't know better. He thought he was getting a great deal - $1200 for lifetime support of his computer.

Anyway, he told us the same day and we immediately called his bank. It was under 24 hours and they shut down the payment. He didn't lose a penny.

So, yeah, I totally agree with you. The slowness of payments and chargebacks are a feature, not a bug. Same way that we have checkpoints before we deploy code to prod. Not having this assumes that everyone is making decisions in their best interest all the time. In reality, we do bone-headed things quite often and need a fair redo.


> Maybe all payments take 2 weeks to settle

I'm not sure how that would help with regards to APP fraud. APP fraud is possible because scammers are successfully able to social-engineer people into sending their money away despite the various warnings (including on the payments UI in bank apps, or - in the US where this scam uses gift cards - to not tell the cashier or the bank what you're buying the gift cards for). I would expect the same social-engineering to be able to convince the user to not raise the alarm during the 2 week cooldown period.

I think the problem with APP fraud is a lack of user education (and maybe consequences - users expect the bank to always make them whole and so don't take security seriously) as well as insufficient enforcement on the other side - not enough is being done to prevent scammers from operating (why is it still possible for them to robocall and spoof UK numbers? why is there no AML/KYC equivalent before being able to place calls?) and getting away with it.


> I would expect the same social-engineering to be able to convince the user to not raise the alarm during the 2 week cooldown period.

It would be interesting to test this. Having read through a number of APP fraud cases, including victim statements, one persistent theme is that the pressure cooker environment that scammers create to get victims to send money is very effective at getting them to ignore warning signs. But after they've sent the money, and the immediate pressure is off, they quickly realise they've been scammed.

I strongly suspect that introducing even short delays of a few hours would be very effective. Especially if the victim is immediately made aware that a delay has been introduced. This gives the victim a little time to cool off and realise that they've been scammed, and then hopefully alert the bank.


Haha I wonder if you've read my case. I was scammed out of 100k this year.

The scammer had control of my solicitor's email and timed the attack perfectly so I was absolutely convinced I was sending money to the right place.

Didn't realize until a few days later when the solicitor called me wondering where the money was. The two week thing might have helped us but the scammer would probably just time their attack differently. Although it would increase the time they have to keep the fish on a hook.


Not sure if you managed to get your money back. But if you didn't, go research the contingent reimbursement model (CRM). Pretty much every major bank has signed up to it, and the CRM requires banks to reimburse victims, if the scam is sophisticated and the victim took reasonable steps to avoid the scam.

A basic house deposit payment redirection scam should be covered, assuming you have evidence that the emails were sent from your solicitor's email address.


Yep I did. Thanks.


> I think the problem with APP fraud is a lack of user education (and maybe consequences - users expect the bank to always make them whole and so don't take security seriously) as well as insufficient enforcement on the other side

We know that banks don't want to discourage people from spending money or using their services, but even as a consumer I hate dealing with chargebacks.

My significant other doesn't watch their credit card statement and signed up for some LinkedIn service that was never used for like 6 months. LinkedIn isn't going to refund money that far back and chargebacks won't go back that far, either. I don't think any lesson was learned.

Maybe I'm more sympathetic to merchants and avoid chargebacks? If I don't recognize a charge, I usually assume I don't recognize the merchant and investigate and reach out to them first. I feel like half the time I do have to issue chargebacks the bank invalidates my card (even though I know it was not lost or stolen). I feel like they're penalizing me.


> Maybe the answer is money that doesn't settle instantly.. Kind of like how your paypal payments are "on hold" whenever you get them to give the sender time to realise they've been scammed. Maybe all payments take 2 weeks to settle, and everyone lives on free credit up to the unsettled amount..

This would be extremely annoying. I hope it would be opt-out.


2 weeks to settle would be very annoying for people who are getting used to same-day shipping. It works when all of the goods are virtual/revocable but once you need to ship an actual product you want to be sure that you actually have the money (within some margin of error).


What's always missing from stories like this is how the crooks get the money out. Considering that all Western governments have achieved total surveillance on our banking and made it impossible to have anonymous bank accounts, I'd like to see a detailed analysis about why they can't follow the money and see who gets it.

Every scenario I can think of seems like it should be either traceable or actionable.

Scenario 1: The crooks cashed out the victim's $270,000 at ATMs. That means they set up 270 fraudulent bank accounts, each tied to a separate ATM card, and each with a withdrawal limit of $1000. There should be a cornucopia of leads to follow. It's a major hassle to set up a bank account. You need an address at which to receive each one of those 270 ATM cards. Did the bank(s) send 270 cards to one single mailing address? Were these online accounts or did the crooks visit each bank with fake IDs? What did the surveillance cameras at the ATMs show? If they hired duped people to cash out at the ATMs, can't the police catch at least one of those persons and continue following the money?

Scenario 2: The crooks create one master British bank account into which the stolen money is funneled (say $1,000,000) and then they transfer the money overseas to Third World Bank. Why doesn't the British bank (or the British government) demand that the $1,000,000 be returned by Third World Bank? It's now the Third World country's job to track down the crooks if they want to. If they won't return the funds, they get blacklisted by the British banking system.

Perhaps there are very good answers about why and how the crooks can get away with it but it seems so implausible when money has been so traceable for the last 20 or 30 years (except for certain cryptocurrencies but that's recent).


Go and look up the concept of money mules. Fraudsters don't need to set up bank accounts, they either buy bank accounts off people for £50, or convince people to move the money on their behalf by claiming they're doing an "accounting" job that involves large money movements, and the mule will get paid a percentage.

Most people don't realise what these accounts are used for, or just don't care because they're paid enough to look the other way. Then stolen funds are quickly moved across dozens of banks, with the money being split and re-combined with potentially legitimate money. Eventually the administrative overhead of tracking the money gets so great that no one bank can be bothered to do anything about it, and the police aren't interested in actually investigating. The end result is that once the stolen money is a dozen or so bank accounts away from the victim, it's extremely unlikely that anyone is actually going to trace the money to that account, effectively making the money clean.


You see ads on instagram offering to buy or borrow your bank account for £50... and when they're used for muling guess who it is that gets their account banned and then a CIFAS marker ensuring they can't bank anywhere else? The desperate kid who needed the money, not the actual criminals behind it.


Yet another reason for regulating advertising. Why are these platforms not held liable as accomplices? I can't think of any legitimate reason for an ad to buy/rent someone's bank account.


At least in my experience these aren’t official ads. It’s random sketchy people posting about “business opportunities” with stacks of cash or whatever.


Acting as a mule for money laundering is a crime. They are criminals. They might be young, but the majority of them know they are doing something wrong.


I'm not suggesting they aren't criminals. But there is a spectrum of criminality and I am suggesting they are considerably less so than the leaders of the fraud ring.

These ads are deliberately designed to prey on the desperate, unfortunate or the technically illiterate.

Some of them probably know exactly what they're doing and I have no sympathy, but some of them probably fall into the same category as people falling for Authorised Push Payment fraud.


Isn’t that true for all types of crime?

In the worst cases the accepted practice can be as severe as locking them up and throwing the key away, even if it was totally unintentional.

Like a drunk driver plowing into a group of school children, or a ship captain that sinks a cruise ship while distracted.

Having extra scrutiny imposed on future banking activity is a minor punishment for a minor crime.


> What's always missing from stories like this is how the crooks get the money out.

It is in the article:

The fraudsters had told her to shift her "at risk" cash to an account on a cryptocurrency platform that they emptied - while isolating her from family by stressing secrecy and coaching her on how to respond to sceptical bank officials. "They knew the name of my financial adviser, they were utterly convincing as FCA staff," she said. "And they told me I could not tell anyone about the investigation as it would damage their efforts to catch the crooks."


Granted that in this case it was a cryptocurrency account, but I've seen dozens of articles like this over the years in which cryptocurrency was not mentioned or didn't even exist yet.


> What's always missing from stories like this is how the crooks get the money out. Considering that all Western governments have achieved total surveillance on our banking and made it impossible to have anonymous bank accounts, I'd like to see a detailed analysis about why they can't follow the money and see who gets it.

It's not really like this. Banks (and Western governments) are extremely meticulous about recording financial transactions, but have relatively few systems for actually retrieving that information for proactive law enforcement. There are large historical and technical barriers that prevent meaningful advances in the government's ability to surveil bank accounts in real time.

As just one example: interbank settlement over ACH is measured in days, not seconds or even hours. During settlement, anything can happen: the ODFI might try to claw the transaction back, either institution can go bankrupt, the destination account might close, etc. A human frequently intervenes to handle these cases. Banking is eventually consistent, but the fraudster is frequently long gone by that point.

Edit: it's also worth noting that "anonymous" (read: numbered) banking is also really only good for Doing Crime (and Having Crime Done to You). But plenty of countries, including the US, allow you to open bank accounts (and do debit transactions) without an official government ID.


Scenario 3: Unsuspecting people are recruited to get "Bitcoin management operator" jobs, where they receive funds on their account, buy bitcoin with said funds and send the coins over.

In the past, the same mules were sending Western money transfers or similar, but nowadays cryptos are so handy most criminals have migrated to it.

After a few months the cops usually come knocking, and depending on the jurisdiction, the poor mule is hit with a fine/jail time and/or the debt.


Or what about Nigeria and India based scam artists ripping off thousands and thousands of elderly Americans on a daily basis? I think in India it’s turned into an entire industry by now. Is there really nothing American law enforcement can do about it or are they just asleep at the wheel?


US authorities pass leads to Indian/Nigerian authorities which are paid off to do nothing.


It's well documented that a lot of this money goes out of the country by transferring it to a 'mule' with a bank account in the UK, who think they are doing something innocuous. They transfer it to the scammers either via cryptocurrency (basically untraceable) or previously, via an international money transfer service such as Western Union. The latter is also pretty much untraceable. You can pick up money anywhere in the world from these services with some ID. They don't need your address or to really check you are who you say you are, they just want to make sure you have the same name as the one the sender referenced.

Unless the destination country, the destination Western Union office and the person who picked up the money are all willing and able to co-operate, law enforcement in the source country is pretty much stuck.


> doing something innocuous. They transfer it to the scammers either via cryptocurrency

Whoah. Do you mean there are people that think cryptocurrency is "inoccuous"? I mean, I know there are inoccuous uses; but if someone "official" tells you to use a cryptocurrency account, that is very definitely occuous.


Sorry for replying to self.

TIL: I have been spelling "innocuous" wrong since forever. It's apparently the negating prefix "in-", and the Latin word "nocere" (to harm).

So I should have quipped "that is very definitely nocuous". Or not quipped at all.


I know in the USA it is possible to open accounts online only, and when you are online only well it's not a far hop to give a digitally manipulated ID photo, if they ask for one at all. Plus all the info needed to open bank accounts has been breached and released 100 times over at this point.


>Considering that all Western governments have achieved total surveillance on our banking

You're so far away from the truth. Basically, they have a flashlight and they are in a dark forest. You can theoretically find what you want, but it's fairly unlikely and very time consuming.


> Considering that all Western governments have achieved total surveillance on our banking

> and made it impossible to have anonymous bank accounts,

These are not the same things, as anyone who works in logging and tracking will tell you. Just because there is some tracking of you, or an ability to track you does not mean that all activity could be noted or flagged. If I purchase from a new online vendor, how would my bank know if it was me or not?


There are organizations creating thousands of bank accounts to cash out transactions like this for a percentage. They use fake IDs, there’s no way to stop them.

Catching the people opening the accounts leads you to nowhere, they rarely even know their bosses.


There is a way to catch fake IDs besides ML and MRZ parsing, but this would require govt to allow banks to use their ID database.


Never gonna happen internationally. We barely managed to push through cryptographically signed passports after 9/11, and even those aren’t very well adopted (you will never face issues if your passport has a “faulty” chip)


> The NECC's Reed said another problem was that just 1% of policing resources were dedicated to fighting fraud, despite it making up over a third of all crime in England and Wales.

Is at least one major cause of the problem. The police and government's response has been pathetic. This is not a new thing either, it's been going on for years.


The other problem is that this statistic is nearly meaningless. If I run a bank scam, I might have 500k victims, but it won't take as many police to investigate as 500k rapes or murders or kidnappings would. This is comparing apples with oranges.


Practically what happens if you're defrauded is your local police force will direct you to Action Fraud (https://www.actionfraud.police.uk/) run by the City of London, who will note it down for "intelligence" but otherwise appear to do nothing whatsoever. Which is not too surprising - according to Wikipedia they have 80 staff.

Edit: The reviews of Action Fraud speak for themselves: https://uk.trustpilot.com/review/www.actionfraud.police.uk


Yeah, I'm somewhat familiar. I worked at a (fairly technological) UK bank, where we did investigations into scams like this. There's really not much that can be done about most of these scams, other than taking your multivitamins to prevent cognitive decline.


> really not much that can be done about most of these scams

I'm surprised that in the surveillance state it's that easy to disappear with the money.


It's not just one surveillance state ;)

Most of these scammers are outside the UK, in India or Africa somewhere. Those countries do put a lot of resources into capturing 'Yahoo boys' and the like, but it's sometimes like looking for a needle in a haystack. I think the more realistic solution is to educate people so they don't fall for some of these preposterously blatant scams.


The term is "anarcho-tyranny".


Is it really the case that not much can be done, or just that the resources aren't there to do it? Your average scammer isn't a criminal genius. You'd think a bit of good old fashioned police work would suffice in a lot of cases – if there were actually some police officers available to do that.


We worked a fair bit with the police, and I never got the impression we were frustrated with their inaction. They devoted a lot of resources to it, but it's part of the nature of the beast that there just don't need to be as many officer hours per victim as there would be for a rape or murder.


Trustpilot - oh the irony!


This isn't really a problem the police can solve: criminals are all abroad.

This is a question of who is allowed non-in-person banking. And a few technology tweaks (getting rid of number spoofing). And education but that's a bit of a lost cause.


Ooh we're still the capital of something.

Personally I think this comes down to ineffective education in many cases. Yes, some of these scams are getting quite impressively advanced, and they tend to target older people who are declining in cognitive ability, but so often the victims are absolutely unwilling to admit they were a bit stupid. It's always someone else's fault, like the bank, or the police, or Facebook, and not theirs for doing a direct bank transfer to some random person who told them it was an emergency. It is frustratingly hard to protect old people from this though - my nan got scammed for a new mattress by a door-to-door salesman when she was in a care home, which dropped the ball by letting him in at all. Another OAP I know would be a fairly easy target too, as she seems like she'd trust a "nice young man" more than her own family at this point (unwarranted, I should add).

Our tech education in particular was fucking woeful when I was at school and I have to assume it's little better now. To me, avoiding scams seems fairly straightforward:

1) If it's too good to be true, it's not true.

2) Never fill out a form from a link in an email.

3) Don't provide any details to anyone who phones or emails you, always look up their official phone number and phone them back. I use multiple devices to do this and multiple sources to avoid compromised sites like one of the examples. Call up the directory service on the phone and compare that too, if needed.

Perhaps there's also a cultural aspect to why the British are so easy to scam? Maybe our curious mix of laziness, stupidity, superiority complex, and greed combine to make us the perfect targets.


> Perhaps there's also a cultural aspect to why the British are so easy to scam?

Ongoing transition from "high trust" to "low trust" society. People don't yet expect to be scammed, but trust in institutions and the rest of the public is falling.


It's not just old people. Plenty of young tech savvy people fall for these scams as well.

The scammers are extremely well practiced, and are extremely good at using misdirection and pressure cooker situations to make it extremely difficult for people to recognise the scam in the moment. Some of the scariest aspects of these scams is that they frequently use the banks own fraud protections and alerts against victims, creating transactions they know will be declined, or inducing the bank to send legitimate login warnings, to create evidence that a victim needs to act soon to protect their money.

Scammers will also falsify phone numbers, calling from numbers that are either identical, or almost identical to the bank's official number, and then ask the victim to compare the caller ID to the number on the back of the bank card to build trust. Finally there's frequently a significant delay between the initial scam email/SMS and the final scam. A victim will accidentally enter their card details into a fake package website, but nothing happens. Then three weeks later when they've forgotten about the fake website, the fraudsters will ring, using the data to "prove" they're from the bank, then ask the victim if they recently put their data into any dodgy websites (which of course they did). Once they've created the strong impression they're calling from the bank, and reminded the victim of the earlier fake website, the victim is then perfectly primed to believe someone is trying to steal their money, and the person on the phone is going to help prevent that.

TL;DR, these scams are extremely sophisticated, and perpetrated by intelligent individuals whose full-time job is figuring out how to socially engineer people into handing over their cash. Don't assume you're somehow "better" or more "immune" to these scams, or that victims aren't educated and intelligent. That grossly underestimates how capable these criminals are, and induces people to ignore the issues and victim blame instead.


It's tempting fate to say it, but I've not fallen for a scam, or a phishing attempt, and I've been subjected to many. Natural distrust and cynicism perhaps. I don't answer the phone to unknown numbers, I don't click links in emails, I don't do business at the door or over the phone, and I don't believe anything other people tell me (can report that my girlfriend hates this aspect of my personality).

The head of accounts in my previous company fell for a bank transfer scam (urgent payment request forwarded "from the CEO"), so I have seen it happen to young people, but I wouldn't say that person was "tech savvy". Being able to use a computer doesn't make you tech savvy, and I would say the number of tech savvy people is probably close to identical between younger and older age groups. Being intelligent in one aspect doesn't make you smart at everything else (which is why I avoid doing plumbing). What is missing is critical thinking and cynicism. I highly doubt most people check the full email source of anything they receive that looks important, but they should. People rely too heavily on technology to tell them when something is wrong, and they shouldn't.

The scam example you describe is easily avoided: don't enter your details in the fake package website in the first place. Don't answer the phone to the unknown number. Don't believe them when they say they're from the bank. Don't do anything anyone tells you to. And if they try to rush you, that should make you stop and think why.

I don't doubt the scams are getting pretty clever, but that doesn't mean the victims can't also be a bit stupid. Yes it's sad that they have fallen for it, but to shift all the blame elsewhere is unfair - we are ultimately responsible for our own actions.


Jim Browning (the renowned anti-scammer) recently fell for one of his own, where someone tricked him into disabling his YouTube account.

So if the situation is right, almost anyone can fall for it (Gorilla on basketball court experiment)


It's not a British thing, people get scammed in the US by the simplest and dumbest scams every day.

The news is always warning people not to transfer money to the IRS etc if they call


I think the British and Americans have a lot in common which likely makes us equally susceptible, but perhaps some of the reasons are slightly different. To overly generalise two entire countries:

British: tend to defer to authority, tend to be overly polite.

Americans: tend to question authority, tend to have strong self-belief.

As a theoretical scammer I'd likely be looking at different approaches in the two countries, but with probably the same underlying scam. I imagine this is true for most countries, and I'd be curious to see how much of the approach has to change for different places.

Edit: I should add, I think the American fear of the IRS and the UK fear of HMRC are effectively equal. Everyone's scared of the tax man :D


'Maybe our curious mix of laziness, stupidity, superiority complex, and greed combine to make us the perfect targets.'

Or, maybe, our good manners?


Hah yes I was trying to think of a way of describing that - our inability to be rude to people, or speak up about something that seems wrong. That should certainly be added to the list.


> our inability to be rude to people

I don't seem to find that hard at all. And I meet many strangers that are rude (not all of them foreigners).

It's true that Brits hate complaining in restaurants. I don't think I've ever complained in a restaurant, despite my innate rudeness. But I find it very hard to keep my cool, when I've just listened to 30 minutes of hold music, and the person that picks up is an unhelpful numpty.


The 3rd step above would have protected me but I'm not sure everyone would be so cautious as that.

In my case, the attacker had control of my solicitor's email.

A few days before he sent me a letter instructing me to deposit money to the correct account, the attacker sent an email from the solicitor's email server (DKIM verified by Gmail), with a different account.

This was in the context of a thread about the conveyancing on a house purchase so I was expecting to have to transfer money somewhere.

I admit my own failure in the process but I think there's room for improvement in the whole process of buying a house too (like why don't solicitors get buyers to enter the correct account info proactively at the beginning of the process)


In a twist of irony, my 76 year old mother took in an immigrant who attended her church and was in a difficult situation. He'd come to the US on a lottery visa, was working and going to college while renting a room from her. After some years, it was time for his family to join him in the US. He flew to his home country of Cameroon to retrieve them, but the bribes he had to pay to get them out exceeded his cash on hand, and my mom needed to send him more money.

You can imagine the conversation at the bank as they repeatedly refused to entertain her explanation, let alone wire the money.


What happened later? Did they manage to get out?


Yes, happily. She was finally able to get the transfer done at a different bank.

Mom passed last year, and the heartfelt words from the entire family were the greatest tribute we could have asked for.


It utterly infuriates me that banks won't let you use their mobile apps -- which are inevitably their websites packaged in a bundle, with added tracking -- on a rooted (or jailbroken) phone, even though I am sure that the overwhelming majority of users on android who have a rooted device are likely to be the most technically sophisticated, with (in my case) the presence of mind to install updates to their four-year-old but perfectly usable device that would otherwise be considered EOL by its manufacturer. Meanwhile, the banks are expanding the contactless limit to £300 -- despite academics showing that covert antennas can do "wallet sniping" easily -- and have a horrendous attitude to security. 2FA is entirely based around random numbers and "Private Number" caller-ID barred phone numbers -- meaning that if someone was spoofing your account details, you'd never know. Their fraud detection algorithms tend to be quite good, but only if "your" criminal has stereotypical tastes -- I've been called up after I bought a computer at the apple store, for example, which is in keeping with me, but not when my card was cloned and someone bought lots of drinks at a Wetherspoons.


> expanding the contactless limit ... wallet sniping

I am quite interested in the security details of NFC.

Where is the best information you found? Unfortunately my searches found too little.

BTW: apparently someone managed to use a fault in the protocol to steal well more than the limit. And by the way, if any product proposer mentions a "limit", in order not to be brainless they must also mention a "rate" (e.g. 10€ per hour), and I have never seen anyone do it.


Here are a few articles -- admittedly several are quite old, but I am sure I have seen more than this elsewhere. They either discuss attacks, or attack mitigations.

-- "Contactless payment data can be picked up at a distance" (2013) https://www.bbc.com/news/technology-24743920

-- "Mobile device prevention of contactless card attacks", US patent, 2014; https://patents.google.com/patent/US9379841B2/en

-- "Proximity verification for contactless card control and authentication systems", Proc. Annual Computer Security Applications Conference, 2015; https://dl.acm.org/doi/abs/10.1145/2818000.2818004

-- Finally, a fairly good review article: "Internet of Smart Cards: a pocket attacks scenario"; Intl. J. Critical Infrastructure Protection; 2019; https://www.sciencedirect.com/science/article/pii/S187454821...


Fraudsters, for better or worse, will also be in that technical category of people who would use rooted phones too. It's easier to just click the configuration option and materially reduce fraud cost for little work than to do the banking equivalent of porting your game to linux.

Similarly with NFC wallet sniping. In practice it doesn't happen, and because it's a merchant credit card transaction, it's significantly easier to roll back in time once customers start filing charge backs for them, which is a major reason probably why it doesn't happen much in the first place. Physical wallet sniping is also too much work compared to other schemes available.


Ultimately you can't really stop people from falling for con men, but I do feel part of the blame lies with banks and other institutions for normalising out-of-the-blue phone calls.

How would you know a call from the bank about fraudulent transactions was fake? They do that! I've even had legitimate calls from them where they refuse to pass my security questions because of data protection. Pure madness.


Yeah NatWest are majorly guilty of this. They used to phone me with a script that was like:

NW: "Hello, am I speaking to <robotmay>?"

Me: "Who's asking?"

NW: "I'm calling from the NatWest fraud team, we'd like to verify your transactions. First we need to ask some security questions: what is your account number?"

Me: :|

Online-only banks like Monzo/Starling are better at this aspect - they never seem to phone anyone, which at this point I'd consider a security feature.


I had the same experience with them, and when I told them that I'm not going to give them any information over the phone because I have no way to verify anything I was told is true, so give me a phone number I can contact them on to verify the transaction, then I was told that I'm overly cautious and stupid, phrased in a nice and British way. And the transaction they flagged was a £30 payment in a city restaurant. I'm no longer with them.


Monzo has some app integration with their phone staff too. They can send push notifications to open the app to a certain point etc.


I think this is a regulatory failure. Banks should be stopped, by regulation, from doing things that harm public expectations in this way.


A recent new scam is delivery text (SMS) messages [1]. You are expecting a parcel delivery and receive a text message saying you have missed a delivery. The text asks you to rearrange delivery by paying for the cost of re-delivery. The link takes you to a scam website asking for payment, into which you enter card details.

I have had these scam delivery text messages. On one occasion, I almost fell for it because the scam text message coincided with an expected parcel delivery. The text messages randomly target people without knowing whether people are expecting parcels, but it undoubtedly succeeds in tricking some people who are genuinely expecting a parcel.

[1] Delivery text scams: the nasty new fraud wave sweeping the UK: https://www.theguardian.com/money/2021/may/18/delivery-text-...


yup, now with EU/Brexit import duties and VAT on everything, the carriers (DHL/UPS/FedEx) have been made responsible for collecting the fees on the govts. behalf, but they also don't want to slow down delivery, stop it at customs, send a letter to you, wait 3 days for you to pay, etc - so they send a text with a link to a really shady payment gateway where they tell you there's a fee to pay. Mind you, this is what the legitimate carriers do.

After that, it was easy for fraudsters to just spam links to everyone to similar looking pages. I often have 5-6 pending orders now, since COVID I buy literally everything online, and I can't keep track of everything that's inbound. I'm sure a lot of people are in a similar situation, which makes this scam very effective.


This only makes sense if the courier has your digital contact info. Some of them don't even hold your parcel now, they just send it anyway, alongside an invoice with the duties due.


This is presumably easier because via SMS use of a URL shortener would be the norm.


Part of the problem is too many databases have been compromised. If a scammer calls up and knows all the victim's details, the scammer is much more convincing and the victim is much more likely to be fooled.

As for why the UK is a hot spot, I could guess it's to do with the phone system? I get loads of spam calls, but I have no way to find out what company or person the caller phone numbers are used by.


Yeah spam calls are a nuisance in this country. Oddly I've gotten far fewer recently. My technique for answering unknown numbers seems to get me removed from a lot of lists:

Pick up the phone, but stay silent. If it's an auto-dialler, it usually disconnects automatically after 4 seconds, and seemingly gets you removed from the list (as either a dead line or a machine I guess). Sometimes this catches legitimate call centres, but I probably didn't want to talk to them either.


You do not use caller number review websites?

In some cultures, most callers (private individuals) would not start speaking themselves before hearing a sign of presence from the other side: you filter out auto-diallers, but also contacts you did not have in your address book.


In the US the criminals forge the ANI so it looks like a legit number, e.g a local business. We just never answer the phone. Real people can leave voice-mail.


I'm familiar with this custom. Unfortunately, I've adopted the habit of not leaving voicemail (if I'm determined, I talk gibberish until the callee picks up).

And I haven't listened to recorded VMs for years. Way back when, I actually bought a machine for answering phone-calls. I have no idea what I was thinking :-)


Voicemail transcription is the only reason the "ignore it and if it matters they'll leave a voicemail" strategy works for me. I never, ever checked voicemails back when I had to actually listen to them. Now I can skim ten of them in a few seconds to see if any were legit. Most scammers/spammers don't leave a message anyway, so the volume's pretty low.


They seem to use such varied numbers that phone number databases are no longer useful.


I think the UK is a hot spot because its population speaks English, which means the same scammers that target the US can easily broaden their target market.


I moved to Britain a couple of years ago, and I was surprised at how many legitimate transactions are done in an insecure way.

For example, I have had to read my credit card number out loud on a telephone call to put a deposit on a flat and to renew some subscriptions.

At the same time, most high street banks have terrible security infrastructure: HSBC regularly calls me and asks me to give sensitive information and sends me PIN codes via snail mail and text message.

These things tend to work in a first-world high-trust society like the UK, but I'm not surprised that people fall for these scams. I'm lucky that most of them seem to target older and more gullible people than I; otherwise they could be impossible to separate from legitimate actions.


The US isn't much better. It's still common to hand your credit card to the waiter in a restaurant where they walk off to some terminal in the back with it and do whatever they want.


> The fraudsters had told her to shift her "at risk" cash to an account on a cryptocurrency platform that they emptied - while isolating her from family by stressing secrecy and coaching her on how to respond to sceptical bank officials. "They knew the name of my financial adviser, they were utterly convincing as FCA staff," she said. "And they told me I could not tell anyone about the investigation as it would damage their efforts to catch the crooks."


I think it can be easy to read things like this and see them as obvious scams but the fraudsters only need to trick a few people as the payout is large, and they are strongly incentivised to come up with the most optimised flow for scamming people.


This is an underrated observation - you could target 1000 people for £100 each, or you could put your time and effort into targeting and tricking the whale for £100k, a payout worth putting the homework into.


For too long, the onus has been on us, the bank customer to prove our identity using a series of "security" questions. However, we can't actually prove that _they_ really are our bank: AFAIK there's no mechanism in place.

So how about a facility for setting up a passphrase on your account that _you_ could ask the bank for?

"I'm your bank".. "What's the passphrase?" "errrrr...." "goodbye scammer".



When I make a mortgage payment at usbank, I am redirected through two additional third party domains that have no obvious connection to either usbank or banking in general.

They are training their users to get phished.


Oh, Mastercard and Visa do this systematically. You get redirected to a site whose name I can't remember, that has no apparent relationship with either Visa or Mastercard, that asks you to input some piece of personal info.

I've sometimes aborted purchase transactions with significant value on being confronted by that challenge.

It's a bit like handing your card to a teller, inputting your pin, and then the teller passing you on to some rando asking personal questions.


Why can a 78-year old widow's life savings be managed through an online bank system?

Bring back local branch offices where people have to manage their high-risk accounts in-person.


That's pretty interesting, because the US is often stereotyped for being aggressively cost-cutting in pursuit of margin. And yet in the middle of nowhere in the US local bank branches are still very common. I can easily get someone from my bank on the phone any time I need to. And if anyone attempts to move a large sum of money out of my account, the bank will promptly call me and freeze the action unless I allow it. Best of all the account is entirely free of fees with no minimum balance.

That's still considered normal customer service by a local bank here in the US. I assume it degrades if you bank with one of the giants like Bank of America.


The US has weird banking regulations dating back to the depression that led to this situation. I'm sure banks in the US would love to close everything and consolidate into 2-3 megabanks like in the UK.


> consolidate into 2-3 megabanks like in the UK

The UK has greater industry competition in the form of challenger banks than the US


Because in person banking services are really really expensive and no one will pay for them.

Because you're not allowed to ban old people from your services.

Because at least some old people use these things successfully and at least some young people get defrauded.

Because UK banks are closed more than they are open (my local NatWest.

People should be able to opt out. But that won't really help as the core issue here is the customers themselves...


You know the answer - because branchless operations are cheaper. If you want to mandate in-person transactions, who would you have pay the extra costs?


Banks make no money from retail customers as it is, they certainly aren't going to be reopening branches any time soon.


That's where effective legislation and regulation can play a role. It's not as if other parts of the same bank aren't making money hand over fist.


Is it better to spend money subsidising bank branches? Or generally improving security and beefing up the police? I would say the latter - it benefits everyone and reduces crime.

The actual actions of the government have been to do neither.


Unless governments subsidize this, all this does is hurt small banks.


You can't even talk to a live support person on the phone anymore. Just moved to the UK (from Czech Republic) and was shocked how everything is IVR here. We are all just numbers in the database here.


For most of us avoiding telephone queues is a blessing.

I have 3 "proper" bank accounts (different banks), a couple of "challenger"/app bank accounts, and 3 credit cards and haven't set foot in a branch to open or deal with any of them in 20 years. I've had to get on the telephone with a couple of them maybe a couple of times.

I couldn't be happier with this arrangement, as long as someone is reachable when shit really does hit the fan.


Sounds like a business model, you can try it and see what happens.


It is a huge problem if we cannot have vital services because they disappear. No banks given the trends, no cars given the trends, no documents given the trends... (In the terms of, many would not use a computer at all if the only option were UntrustedOS.) You can raise the issue of "more profits the other way", but it does not fully work ("dirt served at the restaurant, cheap and profitable") and an amount of people will remain serviceless.


There's a challenger bank (aka startup) doing exactly that: https://www.thisismoney.co.uk/money/markets/article-8595205/...


Sure; and bring back bank charges for in-credit accounts.


> "The UK is the hotbed of activity for fraudsters. Currently the UK accounts for about 80% of our global personal fraud losses," it said.

> The NECC's Reed said another problem was that just 1% of policing resources were dedicated to fighting fraud, despite it making up over a third of all crime in England and Wales.

Astonishing, but in some ways not surprising given the Met's ability to cover for colossal failings like the Sarah Everard murder and the "spycops" fiasco.

The political system is .. not in a position to improve this, despite it affecting a lot of the supposedly critical marginal elderly voters.


All the major banks offer Confirmation of Payee nowadays. Why are people still falling victim to APP?


I had an APP scam attempt where I intentionally played their game (by providing fake details) to see how it would go. They were claiming I owed taxes and a legal case was underway that I could resolve by paying said taxes but I'd need to pay the money to the court-appointed lawyer/public defender (whose name & account details they provided me) and not HMRC.


They also repeatedly say in bold "don't send money to people you don't know" and "We will NEVER ask you to transfer cash" and "Once sent money cannot be retrieved" etc.

A lot of very dumb people have 5 or 6 figure cash piles.


I imagine this is weirdly easy to socially engineer your way around, as a scammer. "Oh you can ignore that, we're a subsidiary department of the bank so it shows up differently" etc


Two days ago, I purchased a subscription online and my bank app thought it was a security incident, blocked the transaction and discarded the online virtual card I was using, informed me about the whole process and asked me to create another virtual card to replace all my other 6 subscriptions that were linked to the now defunct card.

I'm discovering Revolut.


Are you saying this is a good feature of Revolut, or that you'll be switching to Revolut because of this incident? Personally I'd be happy with this level of fraud protection, as a previous victim of fraud.


This is a good feature. I'm enjoying it actually.


> The country is the global epicentre for such attacks

Oh dear. So the country is the location several km underground, that is the centre of the attacks?

Why has every centre turned into an epicentre? Is "epicentre" easier to understand than "centre"?


Because: 'The country is the global centre for such attacks' just sounds false, or at least unsubstantiated.

Whereas 'country is the epicentre' is more obviously intended as hyperbole.


I once made a fruitless suggestion that financial emergencies should be treated the same as all others, i.e. dial 911/999. When the operator would answer you'd say I've got a financial emergency and you'd be redirected appropriately. Further, I suggested that one's account should be deemed protected from the moment one dialled 911. That way, no matter how plausible the scammer sounded, everyone would know that a simple foolproof course of action was available, dial 911.


I just got a fraudulent email from someone impersonating my bank about small changes to the terms of service, but all of the links appear legitimate. No phone numbers either. I guess this is some sort of long-con to get me to trust the email address? It ended in the legitimate domain name of the bank.


> The country's super-fast payments infrastructure

This is honestly one of those things that I never expected to read in a negative context...but it makes complete sense.


Unpopular opinion time: I'm not convinced people should be reimbursed for this so long as the bank have warned them in writing and in the app.

No one should keep big chunks of cash just in accounts.

Everyone should be well aware by now of the scams.


the amount of phishing texts I’ve been getting is crazy, and I’m very careful about sharing my number.

