Mastodon

This is your bank, please verify your details – No, you verify YOUR details!

The phone rings from a concealed number and you pick up:

Hello?

Silence.

More silence.

Eventually a foreign voice enters:

Hi, this is your bank, we need you to verify some details.

This is the point where you should be disclosing absolutely nothing, at least nothing that is not known already which is probably just your phone number and perhaps your name if they’ve greeted you with it. No, I’m not revealing my address or my account numbers or my password because frankly, I don’t trust you. Don’t get me wrong – it’s not because of your foreign accent – but it’s because it’s part of a larger tapestry of suspicious attributes of the call.

This is precisely what happened to me this week and it’s worth explaining why this is worrying, how you should respond and what the bank did wrong. Yes, the bank, the call was actually legit.

Reluctance to verify

Going back to earlier conversation, it proceeded like this after they asked for my personal info.

I’m sorry, I need to verify YOUR identity before I provide that information.

This apparently took the operator by surprise.

But, but – this is your BANK!

As it turns out, simply emphasising a word isn’t really sufficient verification so I suggested a compromise.

Ok, how about I call you on the number on your website?

Now at this stage, I’m not sure if the operator is just being helpful or instead trying to snare me in their web of banking deceit:

Oh, I can give you a number to call.

Yes, that was really said. After telling them I wanted to independently verify their identity by contacting them on a number published to a verifiable channel such as their secure website, they instead wanted me to call them on an arbitrary number they would provide.

How can I trust you to give me the correct number for the bank?

Evidently, this was not in the handbook and the operator was left speechless.

Ok, based on the information you’ve requested from me and your inability to provide a satisfactory means of verification, I’m concluding that this call is a scam. Goodbye.

And that was that, at least until I called the bank back on their published information and established that it was actually legit – wow!

Understanding scam signals

The problem with this exchange was that it set off a heap of the typical scam signals. I’ve dealt with more than my share of them in the past so I have a bit of sense of how these things normally go down and those signals include:

  1. Call by an unlisted number: clearly scammers don’t want to be identified.
  2. Long delay on connect after picking up: typical of a cheap VOIP connection.
  3. Foreign accent, particularly from a developing nation: especially prevalent with scams run out of India and beyond most foreign governments’ reach.
  4. Establishing a sense of urgency: claiming to be your bank is always going to make people sit up and pay attention (is my money alright???)
  5. Requesting information before establishing identity: asking for address or other personal info.

Some of these may be unavoidable in a legitimate query, but a combination of multiple signals should immediately put you on high alert.

Lessons for customers

So this is actually very easy – verify your bank. Disclose nothing and advise that you need to verify them before disclosing personal information. Any well-trained bank operator is going to make this easy but the bad ones – or the scammers – well that’s a different story.

So how do you verify your bank? Clearly not by them giving you information such as a random phone number to call! It’s very easy, just turn your bank card over:

Back of a credit card containing contact information

See that? “For Customer Service…” – exactly, you just call the bank on a number you can have a high degree of confidence in. If it’s not on the back of your card then grab a number from the website. This particular bank wasn’t too keen on that which made the whole thing reek of scam even more, but others are great with this. For example, I’ve had several incidents where American Express has wanted to verify a transaction. As soon as I ask if I can call them back they suggest pulling out the card and using the number there. How easy is that?!

Oh – and the picture of the card above? Go and check out @NeedADebitCard on Twitter and marvel at the things people will share on the web…

Lessons for banks

Look, I get that you want to outsource local jobs to cheap labour markets and of course us customers want you to do it too regardless of how much we jump up and down about the ethics of it because ultimately we want those lower fees and mortgage interest rates. People are going to have foreign accents and cheap VOIP lines there are going to be noticeable delays. It’s the “now you have to pay to choose your airline seat” of the banking industry – we get it.

But identity verification can be easy. Defaulting to a position which requires your customers to entrust an unknown caller with personal information is counterintuitive to everything you try to distil about banking fraud. You have to earn trust in these calls and not doing so is to your detriment because that’s precisely not what you want happening when your valuable customers are being scammed!

Next steps

In my view (and I dare say in the view of most of my readers here), this behaviour by a bank is totally not on. I’ve lodged a complaint with them which, ironically, is just the same as the complaint I lodged with them a year ago when this happened because the same annual fee on an account I never touch caused it to be overdrawn at the same time of year. Like last year, I expect they’ll apologise profusely and agree how poor the practice is because there’s really no other rational response available to them! As for whether or not we repeat this in 2015, time will tell.

Scam Banks
Tweet Post Update Email RSS

Hi, I'm Troy Hunt, I write this blog, create courses for Pluralsight and am a Microsoft Regional Director and MVP who travels the world speaking at events and training technology professionals