Don't be fooled by cunning con artists

peterbaker

agrinnall wrote: »

You really have a very low opinion of people on this forum don't you?

You might think that. I couldn't possibly comment.

Many of us either work in banking or have done so in the past, often in highly skilled and responsible positions. But that doesn't mean other people aren't just as capable of understanding the type of things that you seem to think are the domain of a select few, and those of us who have regularly responded on this board for many years understand that perfectly well.

Doesn't it? You might think that. Having worked in banking and finding myself overskilled on technical and compliance but underskilled on blind adherance to top down sales and unfair customer service imperatives, perhaps I couldn't possibly comment on that, either. I tried it once at CEO level, suffice to say I didn't last very long. :rotfl:

Sapphire

Terry_Towelling wrote: »

Is there also a need for financial institutions to be made aware of vulnerable customers who are still managing their own finances? That could be a very sensitive issue with all sorts of ramifications.

Yes, I totally agree with that. Such problems are very difficult to resolve, and the issue has many ramifications.

I think it would help if potentially vulnerable customers did not, in fact, have to deal with their finances online, but could do so in the traditional simple, 'slow' way, by going to a local bank and speaking to staff in person and so on. My relative could never have coped with dealing with financial matters online, particularly since the systems appear to be getting more complex (too complex?) and time consuming to deal with.

agrinnall

Cornucopia wrote: »

Things that might be controlled:-

- Large value transfers and withdrawals.
- Setting up new recipients for Bill Payments and Standing Orders.
- Requesting new Cards, PINs and Cheque Books.
- Changes of personal details such as eMail addresses, Phone numbers and Addresses.

Most, if not all, of these things are controlled by the banks that I use, although in different ways by different banks (card reader, text codes, etc.).



However, 99% of people don't want any more obstacles put in their way to performing standard banking functions, so if banks try to implement more levels of security there will be more complaints, and possibly switching to less secure institutions.



The banks really can't win, either they put in so much security that it becomes difficult for customers to actually perform the banking functions that they need so they leave in frustration, or they implement security at a level that is acceptable to customers who then have to accept a slightly greater risk of fraud.

Cornucopia

agrinnall wrote: »

Most, if not all, of these things are controlled by the banks that I use, although in different ways by different banks (card reader, text codes, etc.).

I probably wasn't clear enough on what I meant. What I mean is this: additional controls (probably more than one type) that individual customers and their carers can opt in and out of. When I log in to Online Banking (with the banks I use), I am presented with a variety of options some of which have very little risk of fraud/misuse (like transfers between my accounts with the same Bank), and some of which are very risky (like setting up a new Bill Payment authority using details that are part of an attempted fraud). Similarly a payment of £75 for the Utility Bill is not suspicious, but a payment of £7500 to a brand new Bill destination is.

So, what I'm suggesting is that the Banks get some consistent options about (a) the relative risk levels of different transaction types/values, (b) the security options that will be mandatory to authorise them, and (c) what other controls it can/could provide on these very rarely conducted instructions to improve customer confidence.

However, 99% of people don't want any more obstacles put in their way to performing standard banking functions, so if banks try to implement more levels of security there will be more complaints, and possibly switching to less secure institutions.

I'm talking about additional controls that would probably be optional.

The banks really can't win, either they put in so much security that it becomes difficult for customers to actually perform the banking functions that they need so they leave in frustration, or they implement security at a level that is acceptable to customers who then have to accept a slightly greater risk of fraud.

I don't accept that - I don't think it is, nor can be a grey scale of the acceptability of fraud. I think that the Banks should be wise to more of the issues, and more proactive in dealing with them.

As someone who has acted as a Carer, I have found the vulnerable person's bank (ironically Barclays) to be positively obstructive. In particular, it seems to be relying heavily on the prospect of a PoA (which may never come) before being willing to take practical steps to help.

peterbaker

agrinnall wrote: »

Cornuopia wrote:

Things that might be controlled:-

- Large value transfers and withdrawals.
- Setting up new recipients for Bill Payments and Standing Orders.
- Requesting new Cards, PINs and Cheque Books.
- Changes of personal details such as eMail addresses, Phone numbers and Addresses.

Most, if not all, of these things are controlled by the banks that I use, although in different ways by different banks (card reader, text codes, etc.).

In relation to digital initiated large transfers there should be live voice interaction between bank staff and the customer to fully verify before the transaction proceeds.

Previous pattern of banking is already used to some extent to interrupt transactions - why not extend it further to question unusual transactions using much cleverer algorithms based on risk of individual customers being tricked, and not just based on risk of tricking bank systems (since currently we are more and more being told by those that should know best that banks claim the ownership of these two risk problems as separate)?

All the other functions Cornucopia lists should indeed involve non-digital interaction to verify (that means immediate human to human voice instigated calls - SMS is no good - automated voice is no good). If the processes used to permit customer required amendments to account profiles or to trigger new items in the post are successful without any human interaction, then they make account takeover fraud far too easy.

However, 99% of people don't want any more obstacles put in their way to performing standard banking functions,...

In my experience, what 99% of people don't want any more of is the disgraceful 'as bad as the post office' or 'A&E on a Friday night' type queueing in branches which usually ends up with half a job or worse being done at the desk anyway. Banks simply do not wish to fund really robust customer service because they just want volume. They don't actually wish to know their customers beyond tick box KYC.

For ten years they have had juniors patrolling queues of branch customers waiting to speak with humans and having them direct customers to machines in the wall. A machine never offers "Hello how are you today?" or "anything else I can help you with?" with any real feeling, does it?

The banks really can't win, either they put in so much security that it becomes difficult for customers to actually perform the banking functions that they need so they leave in frustration, or they implement security at a level that is acceptable to customers who then have to accept a slightly greater risk of fraud.

The banks aren't entitled to "win". They are entitled to reasonable business and reasonable profit if they offer reasonable customer service and provide good security for customer's accounts. You need to spend time in a branch to see how much frustration arises mostly through inadequate staff skilling, knowledge and fluency of anything other than the simplest bank functions.

Banks created the mess in branches that cause the frustration. We need branches, but we need much better service in them.

Cornucopia

peterbaker wrote: »

All the other functions Cornucopia lists should indeed involve non-digital interaction to verify (that means immediate human to human voice instigated calls - SMS is no good - automated voice is no good). If the processes used to permit customer required amendments to account profiles or to trigger new items in the post are successful without any human interaction, then they make account takeover fraud far too easy.

In my mind, I am thinking of both minimum regulated standards for access to certain very sensitive banking functions AND a series of optional additional security functions that could be initiated by a vulnerable customer and/or their carer.

The issue being that Banks seem to want to treat all customers the same, and I'm not convinced that that is sensible, or in the interests of some vulnerable customers.

In the case of optional additional security, I think there could be a simple pick-list of additional options like this:-

- Transaction barred through this channel (online/mobile/automated phone) and can only be conducted in-branch.

- Transaction requires authorisation using a physical security device.

- Transaction causes warning message to carer.

- Where a carer has a joint account with the vulnerable customer, transaction requires authority from both parties.

peterbaker

May I clarify that when I mentioned the risk of items too easily triggered in the post or address and email changes being too easy, I wasn't thinking of problems with carers and family though I accept they can exist. Every vulnerable customer is unique, and the word care and carer is key in banking even before a person becomes so vulnerable that they really need a "carer".

We may have got to the crux of it. We are actually talking about whether banks "care". eskbanker has tried to drive some point about whether in questioning the lack of affirmed social purpose of banks I really meant to drop in the phrase "social care" as if I couldn't make up my mind which was the right phrase. He offered that banks might have a "social conscience" which is a typical kind of commercial high-minded non-committal sop type phrase in my mind and dilutes any affirmation of purpose.

There is clear confusion by bank staff when thinking about what is right and fair and kind to customers about how far the bank should go. I saw it when I worked in banking. Caring for customers gets in the way of sales and profit even at the lowest levels in the banking hall. Better that people who care more about such are left to deal with customers who need care.

Is that the same in all business?

How far should the milkman go? What's his business? How does he make his profit? Does he treat customer vulnerability as not his problem? Does he insist every vulnerable customer orders and cancels bottles and pays him in the same way? Or is he prepared to spend time with a customer who has got his or her little notes and receipts confused, and in looking out? I think customers are prepared to pay a premium for caring service, but what we see currently is the exact opposite - banks are prepared to pay stupid premiums for customers to anonymously switch all the time.

Cornucopia

I think "care" is a good word for it.

FWIW, I've found individual members of bank staff to be very considerate. However, they are dealing with policies and systems that are inherently inflexible (and through inflexibility can come risk and lack of caring).

peterbaker

Yes. Care.

I was actually standing in when I went to support the elderly friend who was scammed two weeks ago. I have known her through friends of mine, her neighbours, for a long time. I was the backstop whilst her neighbours were away.

We have all eaten together many times before, and since. Last night I was humbled when given a special present and a very caring note of thanks. I was told yesterday "Peter, when you arrived at the door after I had called you in panic two weeks ago, I felt safe again". That's how it should be when any tricked customer reports to their bank.

This morning I have just received a text message from my friends back from holiday saying that when I can pop over, the victim, now relaxed with all her money back and getting back to normal is now asking which text messages can be deleted from her ancient Nokia as there are a rash of them since the fraud began. My friends son is a data scientist and I had consulted him a number of times soon after the fraud. He is now reformatting the quarantined PC's hard drive. The victim understands none of the texts including the ones I caused when I was hacking into the fraudulent email account and software accounts. She understood them loosely at the time I caused them, but only to the extent I told her to expect them and I needed the code to hack into what the fraudsters had been doing. She naturally understands that other texts where caused by what the fraudsters were doing because I have told her - she has no idea of the importance or otherwise of the texts in the fraud process and didn't even know they were there until I checked with her. I forgot to quarantine or religiously document the read status of the texts, but I am pretty certain they were all sitting in the Inbox unread until I went looking for them!

She trusts me. She trusts her neighbours and their son implicitly. She trusts her local bank staff branch in a personal sense, and they trust her and me too now because they see their customer and friend is calmed, and because I volunteered not only to accompany the victim but to discreetly positively identify myself with full photo and other ID, so that their fraud department could also see my photo ID when talking with me.

I wasn't asked for it, but I understood that the bank might wonder who I was - not family, and not anyone the victim had mentioned to her local staff ever before the fraud. So I handed it over saying "Here - photocopy my full ID for your file so you can say and fraud department can see exactly who I am".

I cared that the bank might be worried because I had gone much further in DIY investigation than most victims could. I knew if they worried it could cause more delay to the victim. I knew they could more easily care for their customer if I cared about obstacles my involvement might have created for them. I also knew from the outset that I would have to persuade the bank that the customer was not responsible for her own loss because the customer could not do it alone - she had no idea of the technical reasoning and leading required. It was a balance.

Care can be a two way street. Care is often a balance of conflicting interests. Care when done well creates real trust and it creates loyalty which banks just seem not to value anymore. They just exploit any almost inexplicably loyal untouched business that remains on their books completely with the awful returns they've given on many older customers life savings for example for a couple of decades, and not just in the last low BOE interest one.

And suddenly when the life savings gets triggered outbound suddenly all in one go, they (the bank in the biggest sense) don't really care why. They often don't KYC, let alone care, but they tick numerous boxes daily that say they do. My friend was luckier on two counts. She knew the local staff over many years - she used to be a colleague many years ago but that wasn't enough for them to be able to specially help her. They had to follow quite inflexible processes just as Cornucopia suggests.

Sapphire

peterbaker wrote: »

completely with the awful returns they've given on many older customers life savings for example for a couple of decades, and not just in the last low BOE interest one.

And suddenly when the life savings gets triggered outbound suddenly all in one go, they (the bank in the biggest sense) don't really care why. They don't KYC, let alone care, but they tick numerous boxes daily that say they do.

Yes, and they are trying to portray themselves in ads as somehow caring for the poor, the needy and the disadvantaged ad nauseam, in their increasingly bizarre ads, which even seem to be attempting to convey the impression that they are charities of some kind. Banks are not 'caring': they are now vast corporations that care only about profits, especially for the bonus-laden individuals at the top. (I would be more impressed by banks and more inclined to see them as 'caring' if they gave decent returns on savings for their customers.) There were times when some managers of local banks, who were involved in their communities and knew them, did help people out in times of need. But with globalisation those times have gone (perhaps something like them will one day return, for a variety of reasons).

By the way, well done for helping out the lady.