My legacy bank (Lloyds) recently sent me quite a good leaflet on spotting scams which got me thinking, how good are the big banks at spotting fraud (social engineering based) and is the reason there is so much lately because they’ve worked out it’s cheaper to pay back the customer rather than solve the actual issue?
It’s just another number on a spreadsheet for them and another cost to pass onto their loyal customers.
My experience is not about social engineering scams but banks’ general culture of writing it all off rather than investigating.
A year or two ago my other half had fraud on every account due to a colleague taking pictures of all her cards and using them online (can that even be called ‘cloning’ when it is so simple?). They got about 3-4 thousand pounds in goods and services before the 3 day delay in transactions started appearing and it continued to show up after cancelling them all.
She had to make a lot of phone calls and was anxious that banks might question or investigate whether it was her or a fraudster, and she was expecting a police investigation.
Not a single raised eyebrow on the banks’ customer service end. All quite helpful as if they deal with it every hour of the day. They just take down all the fraudulent transactions you are claiming, put in a reason on the system and revert all the charges, but they state their fraud team will now investigate and they may revert it back if they find it isn’t fraud. At the point of putting the phone down the whole thing feels gone with the wind as you suspect this fraud team are busy elsewhere.
If the bank had taken it more seriously it may have stopped the fraudster but o/h found out months later that more people at her work had been done afterwards in the same way and the suspect had left the company, prob to do fraud elsewhere.
It’s strange because if you called an insurance company to say someone has stolen my diamond rings, they wouldn’t just transfer £3000 to you. They would demand crime numbers and send their investigators round to quiz you and then still try to find a technical reason to not pay out. Banks just write it off along with all the other billions of pounds of LIBOR rigging and PPI scamming charges they are passing on to their loyal customers.
A job I was at had a major fraud via telephone banking (which the company never used, and had never set up). The bank simply asked security questions that were easy to answer by looking at the company registration, and the fraudster managed to transfer the entire balance to another bank without a single fraud flag being raised (a number that had commas in it, so should have at least raised an eyebrow).
The bank was apologetic, and refunded the money. They also insisted it be investigated internally and the police not be contacted. To them the risk to their reputation was worth eating the cost.
My impression of legacy bank fraud prevention from both personal experience and various stories told to me is (a) it has a massive false positive rate, and (b) it has a massive false negative rate.
They’re trying to use AI to do something that if they gave the customer enough information fast enough, wouldn’t be anywhere near as much of a problem (it’d be hard to get multiple fraudulent transactions through a Monzo card as the owner would be notified immediately and freeze the card).
I think I actually had a bank employee ask me if data was correct, i.e. read my postcode to me and ask me if that was right, read my DOB to me etc. for authentication.
I had major problems with Virgin Media. They were trying to upsell me and needed to confirm if I’m the account owner. They asked me for postcode/address, and I asked them to identify first. Lady went on that it’s just verification to inform me about “best deals” and I said that I can only tell BN1 part of my postcode and if she can provide the rest, I can give my full address (street name and house number). We couldn’t agree, she said that she can’t reveal the rest of the postcode because of DPA, and I didn’t want to give my full postcode on a call with an unknown person (and a call I didn’t request in the first place). I hung up.
I highly recommend this approach for less desired marketing, it really baffles salespeople when something is not in the script. I also noticed I don’t receive them anymore.
Have just had a fraud on my legacy bank again. Third time in three months. No satisfactory answer from the bank as to how, who, or why and the somehow veiled accusation “it’s your fault”. And in addition my account is clearly being watched and several legitimate transactions have been blocked with subsequent apologies. The aggravating thing is the “security” make calls leaving no ID other than Freephone number. Well, I never answer unsolicited calls and I don’t use answerphone, in fact I gave O2 explicit instructions not to activate the service. I have just moved all my funds as a precaution and told the legacy bank I want a full explanation for how they authorised this DD.