Cyber security, savings accounts and banks

JSmith321

I had a query about an ISA with a UK BS which I posted via secure message. I received a call from them and they wanted me to prove who I was by revealing personal information and password details. Although I'm fairly confident the call is genuine is there no UK standard for banks and BS to prove who they are when they call? It seems to be an open invitation for fraudsters. A simple password or the secure message ref number only known to the customer and the bank might help. Any views?

Eyeful

So call them on a number you know is theirs, go through security and ask your question and get an answer.
The scammers already find ways around passwords, so I think they would find a way around your method.

eskbanker

I don't believe there's a standard for such verbal ID verification but would agree that it's less than ideal to make outbound calls when secure messaging was used to initiate contact - which BS are you referring to and exactly what did they ask for?

born_again

JSmith321 said:

I had a query about an ISA with a UK BS which I posted via secure message. I received a call from them and they wanted me to prove who I was by revealing personal information and password details. Although I'm fairly confident the call is genuine is there no UK standard for banks and BS to prove who they are when they call? It seems to be an open invitation for fraudsters. A simple password or the secure message ref number only known to the customer and the bank might help. Any views?

Actually a standard would be less secure. As fraudsters would know exactly what is required.

Best way to deal with this is to simply say. I will call back. Then use a known number. If on a landline. Then make sure that there is a dialling tone before calling. Or you could end up with fraudster still on the line.

eskbanker

born_again said:
If on a landline. Then make sure that there is a dialling tone before calling. Or you could end up with fraudster still on the line.

I thought the basis of such scams was the fraudsters playing a recording of a dialling tone in order to trick the punter into believing that they'd terminated the previous call, so merely hearing a dialling tone isn't sufficient to be sure of not succumbing to the scam....

mon3ysav3r

Using a different phone is the only real way to be sure you are making a genuine new call. 

I had this when a credit card company phoned me due to actual fraud (a restaurant copied my credit card, the old we can't get a signal here and moved out of view to clone it). The credit card company refused to tell me what it was about unless I gave them personal information and I refused because they wouldn't provide anything to prove that they were genuine. I ended up phoning back on their main number, they then proceeded to ask had I been withdrawing cash using my credit card in India, I was phoning from a UK land line!

Eco_Miser

Eyeful said:

The scammers already find ways around passwords, so I think they would find a way around your method.

Since their method involves the bank quoting a reference number generated when the customer contacted them, there's no way a scammer could know that number. A hacker, possibly, but in that case they could just clear out the account by themselves.

haze23

I do think this is a valid concern for customers and companies could and should do better.

On the one hand, everyone is warned about scams, safeguard your details, jump through hoops to contact them etc. On the other hand they expect you to give out those same details to an unscheduled call from an unknown number simply by saying they are from company X. They put all the risk on you; even if they somehow end up paying as a result of a future scam the impact on the individual is likely far greater, and it feels avoidable.

Whilst advice to call back on their public number is a sensible option, unfortunately it doesn't always work. Some enquiries may have been passed on to other teams, or even a single person and it can be very difficult to get in touch with them directly. Or the front line guardians have no idea about who was calling. At best all you achieve is a response they'll call back at some unspecified point. Back to the original problem. And yes, I've have people call and refuse to give a reference number first 'for data protection' but expect to be given security details.

So, with the OP on this one.

dunstonh

I had a query about an ISA with a UK BS which I posted via secure message. I received a call from them and they wanted me to prove who I was by revealing personal information and password details.

Banks never want you to reveal password details.  Although some banks will operate a secondary password purely for internal ID purposes (such as phone banking) and may ask for certain letters in that password.

DjangoUnchained

Had a strange experience last year with barclays. My wife got a phone call one evening claiming to be from barclays fraud team, blah blah and was aking her to confirm things. I overheard and told her to not say anything, i said we would call barclays , on another phone . The caller got quite irate, saying they needed to sort it out quickly. Alarm bells told me it was a scam and to hang up.  we did call barclays, different phone, looked up number. Turned out the fraud call was genuine and there was some nonsence going on with her account. We both complained that the guy who called us acted like a scammer, and we believed we were doing everything correct as regards to how we should treat these calls. The person agreed with us and said it would be looked into ( some chance). Basically we are warned and prepared for scam calls, then a genuine bank acts in a scammy manor . 

eskbanker

DjangoUnchained said:

We both complained that the guy who called us acted like a scammer, and we believed we were doing everything correct as regards to how we should treat these calls. The person agreed with us and said it would be looked into ( some chance).

Was this a proper formal complaint, i.e. logged with a reference number, etc, or just a passing comment?