Average chump in 'bank' phone scam is STUNG for £10,000 - study

UK consumers have lost more than £21m to "social engineering" scams where fraudsters impersonated bank employees and tech support since the beginning of the year, according to GetSafeOnline. A range of tactics including phishing emails, fraudulent phone calls asking for personal or financial information or phone calls from …

COMMENTS

This topic is closed for new posts.
  1. JimmyPage Silver badge
    Flame

    It would help an awful ****ing lot

    if the banks themselves put their house in order.

    I still get phone calls - genuine - from banks who expect me to cough up personal details before they will tell me what I am calling about.

    To be fair it's not just banks. All sorts of organisations do it.

    The single biggest thing that could tackle these frauds is an industry agreement (mandated by legislation if needs be) that a calling agent never asks for security details.

    1. Ben Tasker

      Re: It would help an awful ****ing lot

      Never thought I'd use this sentence - I'll give HSBC their dues on this one.

      They phoned me recently and authenticated themselves rather than asking me to do the same.

      There are still far too many bad practices that leave us exposed though. If Verified by Visa increases the likelihood that I'll be liable for a loss, they should damn well let me use special characters in my password *grumble*

      1. Anonymous Coward

        Re: It would help an awful ****ing lot

        Never been a fan of that. Especially if you wind up getting sent over various departments. One call they asked me to confirm security details 3 times for 3 different departments (I'd called them)

        On the one hand I can understand why they need to do it, but on the other it just feels like they're conditioning us to give away our details when asked (DAMN YOU PAVLOV!)

      2. Rich 30

        Re: It would help an awful ****ing lot

        Re Special Characters?

        Would having special characters in your Verified By Visa password help THAT much?

        You can't brute force the Verified By Visa password system - after a few incorrect attempts your account is locked - so you just need to make a password that can't be guessed easily. If you replaced every special character you wanted to use, with the letter A, in this case it's just as secure.

    2. Anonymous John

      Re: It would help an awful ****ing lot

      I had one from my bank a while back asking for my mother's maiden name before telling me the reason for the call. I refused, assuming it was a scam. Found out a few days later that it was genuine.

      1. Roger Greenwood

        Re: It would help an awful ****ing lot

        "mother's maiden name"

        Standard reply:- "Smith" then see what happens.

      2. Stevie

        Re: It would help an awful ****ing lot

        I can't authenticate using my mother's maiden name because around ten years ago someone managed to get it changed from what I told the bank when I established the account. Apparently whoever it was providing the help couldn't be more helpful to the would-be ID thief because that was the extent of the damage. Thank Azathoth for multi-tier customer support, I suppose.

        I'd change it back but the process involves me and the wife appearing in person at our branch, and why would I bother since the would-be thief already broke that code once?

    3. tfewster
      Happy

      Re: It would help an awful ****ing lot

      Last time HSBC bank called me, they authenticated themselves by giving part of the information and asking me to confirm the rest.

      e.g. "Our records state you were born on the Nth day of the month; Please confirm which month it was"

      and "How much was your last payment to XXX Building Society"?

      Maybe they have a flag on my record that says "paranoid" :-)

      1. P. Lee

        Re: It would help an awful ****ing lot

        > "Our records state you were born on the Nth day of the month; Please confirm which month it was"

        Not paranoid enough with 1 in 12 random answers being correct and that not being very well protected data. We had personal data copied from a dentist's surgery used in a scam letter sent through the post. We know it was from there because there was an identical mis-spelling in our surname. I presume the rest of the data including DoB was taken too. In the above example, there's a good chance many people will blurt out the correct month and also provide the last payment to XXX Building Society too.

        The correct procedure is: "We'd like to talk to you about X. Please call the freephone number listed on all our paper correspondence and our website and quote the following reference: abc."

        Don't trust any unsolicited calls which request information. There are a million and one websites which ask for mother's maiden name as a backup authentication system. Any one of those sites could be compromised and the info is then out in the wild.

        Adding poorly kept secrets to a secure system doesn't add to security, it reduces it by providing work-arounds.

  2. Anonymous Coward

    Authentication works both ways...

    Would help if the banks, when they called out of the blue, authenticated themselves rather than starting the conversation with "For security reasons, could you confirm to me your date of birth, and the amount of the last payment to leave your account?"

    Um. Shouldn't -you- be telling -me- that?

  3. Richard Hewitt

    Phishing calls in my house now have a good chance of being answered by my two year old grandson. Comedy usually ensues when a conversation goes like the following: Phisher: "Hello", Grandson: "'ello." Phisher: "Hello", Grandson: "'ello." Repeat until phisher gets fed up.

    1. Lamont Cranston

      Nice!

      I let my kids do this, too. All cold-callers read from scripts, so are virtually indistinguishable from pre-recorded auto-diallers, and thus don't get to say very much before being told to "shut up, stupid robot!" and being disconnected. Quite satisfying, really.

      1. Richard Plinston

        Re: Nice!

        > All cold-callers read from scripts, so are virtually indistinguishable from pre-recorded auto-diallers,

        Many years ago (decades) there was an infamous carpet cleaning business in this country that had one of the early auto dial-response systems that made a call then listened for a response, such as may occur if someone actually wanted their services. Whenever they called I put the phone on top of the radio so that it filled up their tape.

        I do believe in free speech. Callers are allowed to say what they want for as long as they wish, but I am equally free to not listen to it. They can talk to my desk as long as they are paying for the call. It stops them annoying someone else for a few minutes.

      2. Anonymous Coward

        Re: Nice!

        > All cold-callers read from scripts, so are virtually indistinguishable from pre-recorded auto-diallers

        Not true. I made one cry once. The trick is to get them off-script. I felt slightly bad about that one.

        Scammers from "Windows Support" are my favourite. I had one hooked on the line for around 40 minutes and managed to wind him up so much that he ended up threatening to have forceful sex with my children.

        Tsk tsk, customer support ain't what it used to be!

    2. jcitron

      I love doing that! :-)

      I have my parrot Barney answer the phone for me. HELLLLOOO!!!! he screams followed by an ear wax moving whistle.

      Another time I got one of those "Your system is infected and Microsoft has been notified" calls. I put the phone inside my grand piano and played an octave etude. The caller hung up promptly!

  4. Khaptain Silver badge
    Holmes

    That's a lot of chumps

    So there have been 2000 people, this year alone, that have over 10 grand on average in the bank that have stumped up all their details over the phone and then got ripped off for the 10K.

    People with over 10k in the bank are usually not in the "*chump" crowd.... I am a little bit dubious about what the bank are claiming to be scams.

    Now if the bank manager needs a new car / GPS for his yacht or house repair and is a little short then I can easily see how it might get taken care of....

    Needs a little bit of this guy in order to verify the validity of the claims ------->>>>>>

    1. JimmyPage Silver badge
      Stop

      People with over 10k in the bank are usually not in the "*chump" crowd.

      Wanna bet ? Here's a story from .... oh, yesterday, about chumps losing money ....

      From the article:

      Hundreds bought plots of land near the World Cup destination of Fortaleza, for which they typically paid £10,000. But at the end of last year, they learned that Pantheon had been wound up by the Insolvency Service after failing to file accounts.

      Although I have very little sympathy. These people are venal and greedy, and got stung by their own appetite, and parsimony (since they skimped on using a proper financial adviser).

      Was it P.T. Barnum that said "There's one born every minute" ?. As true now, as then, as the lads from Lagos know only too well.

  5. Nick Kew
    Facepalm

    Highest in Europe?

    Could this be the natural consequence of an expectation that the bank will always compensate you for your stupidity? Take a gamble ... heads I win, tails the bank loses.

    Whether they will actually compensate you is immaterial (and looks like a grey area). It's the expectation that counts.

  6. g7rpo

    Always refuse calls from anyone who asks for any kind of information

    If your bank want to speak to you then they need to get away from this calling and then asking you to prove your identity,

    if they ask for this, they get a polite "No, I'm sorry, I can't give that info out"

  7. Anonymous Coward

    What I don't understand

    - and I say this with a complete lack of knowledge of how technically feasible this is - is why we aren't offered the ability to create a whitelist of 'phone numbers from which we are willing to accept calls. Any number not on your whitelist or from the emergency services gets automatically barred (and for preference, still charged for the call, if possible). Whilst I don't suppose that'd solve the problem in one, it'd surely go a long way to reducing it, wouldn't it? Or is there some technical reason that whitelists can't be created for phone calls?

    1. Anonymous Coward

      Re: What I don't understand

      BT sells phones that block some numbers of your choice apparently (but not international ones for some reason) but you have to remember that BT makes money from phone calls so they're not going to make it easy for the average subscriber to screw up their revenue stream.

      1. Anonymous Coward

        Re: What I don't understand

        Simply blocking a few numbers is no good. They need to block ALL numbers except for those specifically allowed. And charge those that cold-call anyway for trying to get through to a number that won't accept (so cold-callers pay twice - once at the sending end, and once at the receiving end, whilst still leaving the intended target undisturbed). BT doesn't lose out that way - in fact, if it's true that almost all cold-calling originates outside the UK, BT would actually gain from such a setup, until the cold-callers give it up as a bad job.

    2. Gavin King

      Re: What I don't understand

      Ignoring the technical feasibility, I'm not sure that it would be practical. An example of this could be you have a blocked drain, and call up the plumber's office. They send someone around to arrive at a given time, but there's (say) mechanical problems and the plumber in the van is held up, so calls to let you know from his mobile phone. If you don't know the number, he can't get through and you're left fuming at the useless sod for not showing up.

      I wonder though if it couldn't be set up to have a whitelist that can directly call, and other numbers get an answerphone which can be looked at "off-line". That'd solve my above problem, and still avoid having to deal with the so-and-sos.

      1. HelpfulJohn

        Re: What I don't understand

        If someone wants my number, I tend to offer a personal number from www.yac.com, these cost about 50p /$.80 per minute plus 20% VAT when called from standard telephones.

        I don't get many cold calls.

      2. Nigel Whitfield.

        Re: What I don't understand

        "I wonder though if it couldn't be set up to have a whitelist that can directly call, and other numbers get an answerphone which can be looked at "off-line". That'd solve my above problem, and still avoid having to deal with the so-and-sos."

        That's more or less what I have set up with various rules on my phones (which are all VoIP now, and fed into 3CX; even the line that carries the DSL is bridged into that, via a FritzBox).

        Office number, all calls come through, unless explicitly blacklisted, which are dropped, and withheld/unavailable, which go straight to voicemail.

        On the number in the phone book, all calls unless blacklisted get an announcement reminding them I'll be very rude if it's a sales or survey call, and they can press a button to speak to me, or another to leave a message.

        On the ex directory number, whitelisted numbers get through directly (typically older/more bewildered/best loved members of the family), blacklisted ones get dropped, and the rest again get the choice of message or reaching me.

        Net result is no cold callers that actually bother me, with a few exceptions on the business line, and tradesmen etc can still reach me, as long as they listen to the instructions and press the right number.

        There are a few who call and start with "Can I speak to Mr Nigel Whitfield?" to which my usual response is "Who are you and what do you want?" If they don't give a good account of themselves, they get told to go away pretty sharpish.

        If the bank calls (First Direct), I won't answer security questions on a call that I receive. I ask for their extension number and department, and call them back.

        1. P. Lee

          Re: What I don't understand

          We just don't plug our landline in - give out mobile numbers only.

          Personal friends have plans with cheap minutes, but it raises the bar for commercial callers.

    3. Graham 32

      Re: What I don't understand

      I don't know of any devices that can do this for landlines but on a mobile there's loads of apps for it. I use Call Blocker on Android and have it configured to bump anyone not in my contacts straight to voicemail. If it's important they'll leave a message.

  8. Stevie

    Bah!

    Who has 10 grand in the bank these days? All the amounts I have on that scale are caught up in long-term "investments*" which cannot be liquidated easily.

    You see I have three whopping cash-sucks: A wife, A kid and a house, who get to all the "spare" dosh faster than a phisher can put finger to autodialer and then some.

    * A banking term for a place where money can be left for years safe in the knowledge that it will not increase in value to any appreciable amount.

    1. HelpfulJohn

      Re: Bah!

      "Who has 10 grand in the bank these days? "

      Well, *I* do. I just happen to because I can't yet decide which of several expensive follies to waste it on to piss off the relatives who are eagerly awaiting my dissolution.

      A 77-inch TV is not in the running.

  9. Herby

    A fool and his money...

    ...are soon parted.

    It has been that way for a LONG time. The convenience of computers just makes it easier to find the fools. While (say) 50 years ago, scammers wanted the "big score", the more recent model is to find LOTS of fools and suck what little they have out of their "wallets".

    Life goes on. As mentioned in previous posts, there needs to be a "standard" method of authenticating the "bank" on the other end of the phone. If all banks agreed (like calling you by name and something else) it would go a long way.

    Will it happen? Probably not.

    1. HelpfulJohn

      Re: A fool and his money...

      My standard method is: "Sorry, I don't recognise your voice, could I take your number and extension and call you right back?"

      Then I check the number is something vaguely similar to what their literature says it should be. You should find your bank's number, for example, on your statements.

      If it's a strange number from a strange place and it doesn't resemble the publicised numbers, I'll search-engine it. If I can be bothered. If not, I just ignore them.

  10. Maty

    Voice calls? sooo 20th century

    Recently I saw a presentation for a new phone (I forget which) in which the ability to make and receive voice calls was not even mentioned.

    And a good idea too. I don't like strangers walking up to me in the street and selling me stuff. Why the hell should I let them do it in my living room? With IM and email, you can filter out the spammers and crooks much more easily. With friends and family you have a clear record of who said what, and you have time to think it over when you need to pick your words carefully.

    Particularly with strangers, voice conversations should be like face-to-face meetings. Something you set up beforehand.

  11. Darren Barratt

    My method

    Always ask them to call back and google the number they call from. More often than not, it'll bring up whether they're legit or not.
