There’s definitely more banks could be doing to help prevent these types of scams. I also believe there is an effort to secure caller ID from spoofing attacks, which would go some way to preventing them from appearing so legitimate.
Looking at the other fintechs, Starling auto generate a customer service PIN in the app, though I’ve no idea how this is used by them. I’d hope it isn’t just used to identify the customer when calling but also to identify Starling when they call the customer.
Barclays also have a fairly novel feature for premium customers to verify a legitimate call in the app. This should really be rolled out to standard customers as well. Extending this to a push notification advising they will be calling soon would also help.
That said, until verification of the caller is normalised by the bank, scammers will always be able to socially engineer vulnerable customers out of their funds.
There should be a way to verify the new email by authorising the change from the old email. If you don’t have access to your old email, then further checks should be made. Change email and add new payee within minutes should be a red flag.
Is this not the case? I’ve not changed my email with Monzo, but with other companies I’ve often received an email to the old address advising to click a link if I didn’t make the change.
Interesting - I don’t use Starling enough to have ever seen this - but I’ve been saying for a while this type of implementation would be good within Monzo.
It’s similar in approach to how Apple verify support tickets, I believe - ‘enter the PIN shown on your [iDevice] to continue’ style.
Isn’t the issue how do you stop people giving out the PIN over the phone? Even when people get a text saying don’t give this out to anyone, they still do.
I don’t know how they use it to be honest as I’ve never called them or been called by them, but there’s a rotating Customer Service PIN at the bottom of the Help page.
Someone on the other end of the phone knows your name, dob, address etc. They sound professional and they are calling to help you, they are calling to try and stop your money disappearing. Money that you need to live and eat.
It’s very easy to say afterwards “But you should…” and “You shouldn’t have done…” but this isn’t being sold magic beans on your doorstep, this is sophisticated and well planned out.
I sorta kinda have stopped answering phone calls from numbers I haven’t saved in my contacts these days. Any stranger with anything really important to say to me can leave a voicemail message or send a text.
I get it, so there should be more automated security checks as I said. Like if you change your email and then add a new payee immediately. That should be an instant red flag.
Yes, 100% agree that we shouldn’t be providing the details at all costs, but when you are in that situation and there might be any panic happening, you don’t think straight…
A huge lesson learned for me, and I hope for everyone reading this post!
This is one I got alerted to recently in May via HaveIBeenPwned. If a CRM database was breached, I can potentially see how such details are obtained - it doesn’t take too much to come across as having a credible amount of knowledge about you.
The only thing I would add to this is to call back via a different phone, as it is possible for it to look like you have hung up but when you call back you’ll be reconnected to them rather than your bank, i.e. if they are spoofing the number.
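The automated check suggested in the thread (an email change followed by a new payee within minutes, with extra scrutiny when the change was not authorised from the old address) can be written as a simple correlation rule. This is an added example, not part of any post above and not any bank's actual system; the event fields, the 30-minute window and the severity labels are assumptions.

```python
from datetime import datetime, timedelta

# Assumed threshold: the thread only says "within minutes".
WINDOW = timedelta(minutes=30)

# Constructed sample audit events; all field names are hypothetical.
EVENTS = [
    {"account": "acc-1", "ts": "2024-05-01T10:00:00", "type": "email_changed",
     "old_email_confirmed": False},
    {"account": "acc-1", "ts": "2024-05-01T10:04:00", "type": "payee_added", "payee": "P-100"},
    {"account": "acc-2", "ts": "2024-05-01T09:00:00", "type": "email_changed",
     "old_email_confirmed": True},
    {"account": "acc-2", "ts": "2024-05-01T09:10:00", "type": "payee_added", "payee": "P-200"},
    {"account": "acc-3", "ts": "2024-05-01T08:00:00", "type": "email_changed",
     "old_email_confirmed": False},
    {"account": "acc-3", "ts": "2024-05-01T12:00:00", "type": "payee_added", "payee": "P-300"},
    {"account": "acc-4", "ts": "2024-05-01T11:00:00", "type": "payee_added", "payee": "P-400"},
]


def flag_risky_payees(events, window=WINDOW):
    """Return an alert for each payee added within `window` of an email change."""
    last_change = {}  # account -> (time of latest email change, confirmed from old address?)
    alerts = []
    for ev in sorted(events, key=lambda e: datetime.fromisoformat(e["ts"])):
        ts = datetime.fromisoformat(ev["ts"])
        acct = ev["account"]
        if ev["type"] == "email_changed":
            last_change[acct] = (ts, ev.get("old_email_confirmed", False))
        elif ev["type"] == "payee_added" and acct in last_change:
            changed_at, confirmed = last_change[acct]
            gap = ts - changed_at
            if gap <= window:
                alerts.append({
                    "account": acct,
                    "payee": ev["payee"],
                    "gap_seconds": int(gap.total_seconds()),
                    # A change never authorised from the old address is the riskier case.
                    "severity": "medium" if confirmed else "high",
                })
    return alerts


if __name__ == "__main__":
    for alert in flag_risky_payees(EVENTS):
        print(alert)
```

In practice an alert like this would hold the first payment to the new payee for review rather than block the account outright.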