Monzo phone number spoofed (scam call)

I’ve just received a text from ‘Monzo’ and then a call from Monzo’s number as on the back of my card who was nothing to do with Monzo. No one is answering the Monzo chat. The level of security and service is pathetic.

2 Likes

Phone number spoofing

It’s an attempted scam, ignore it

If you notice any unusual transactions freeze your card immediately. In fact might be better to freeze it now until support get back to you

6 Likes

To add, it could happen with any bank (any phone number, really)

Nothing to do with how secure Monzo are

6 Likes

Also check to see if your email has been involved in any data breaches

https://haveibeenpwned.com/

1 Like

Monzo have not been compromised at all. Their number has been spoofed by the person calling you. They have no access to Monzo’s systems.

3 Likes

The latter point might be debatable (and it’s certainly not a good look if you can’t get a response when you’re worried about fraud) but as others have said, the text message and phone call that you have received could be “from” any bank.

It’s nothing that Monzo can manage - perhaps you’d like to write to your MP suggesting better regulation or funding for the police/regulator/telephony industry?

5 Likes

Fun fact. This industry already has the capability to put an end to this issue. They just don’t. Why? Profit.

It’ll always be a game of cat and mouse, but this is a very simple issue with a very simple, cheap, and easy to deploy solution.

There are some smart solutions banks could deploy to put a stop to these as well, particularly the app only banks. You have an app. Make use of it to verify a call.

ETA: just browsing through some Monzo FAQ pages, and it turns out Monzo already do use the app to verify a call is from them, by letting you know in app ahead of time that they’ll be calling you.

This is nice. Something to emphasise more I think given the current prevalence of scam calls.

5 Likes

Tell us more!

Intuitively it doesn’t seem like anything that would be technically impossible. I wonder why the government / regulators aren’t stepping in?

I don’t think it’d really help in this case though. The victim gets a call, nothing in the app. The fraudsters have a script that explains why that doesn’t happen. Doesn’t feel like much of a protection.

That said, I’d much rather it over the horrendous security practice of calling customers then insisting they give out security details. The person calling must be the one to identify themselves!

4 Likes

Are you looking for an insomnia cure?

Good news, Ofcom has a report that can help

Stir/Shaken is the possible solution

2 Likes

They’re getting James Bond on it?!

3 Likes

I’m just glad it’s not yet another stupid acronym that I will inevitably get jumbled up

1 Like

I’ll do my best! I should preface by saying this is not actually my field, although it’s very similar and I do have some experience with managing PSTN and VOIP, the latter becoming cheaper and more widely available allowing for the increase in spoofed calls.

The simplest method to mitigate these calls is to make use of whitelisting and blacklisting rules. Another method is for a service to screen incoming calls in order to try to validate if the call is genuine or not. Usually with spoofed calls, they’re automated and there isn’t actually a human on the end waiting for you to answer. Screening shuts those down.

You can also validate calls using the rest of the PSTN metadata to determine the origin of the line on which the call originated, which is much harder to spoof. Known bad origin points get blacklisted and so the calls don’t get through no matter the number they appear as.

My VOIP provider use a combination of these methods and provide additional options for me because false positives can still occur. Likewise some bad calls do get through but they’re very rare and can be fixed through basic crowdsourcing. I’ll fire off an email containing the metadata and recording and they take care of it.

Yep, there’s no easy solve for this besides perhaps making your policy clear, in big letters, somewhere that’s noticeable.

Monzo currently say they’ll send an in app message prior to calling, so if you get a call and haven’t had a message, then it’s not Monzo. They need to shout that somewhere!

The solution I was thinking of was something a bit more extravagant that involved push notifications and a whole UI flow. Where the app clearly lays out who the support agent is, why they’re calling, and something that can be used to verify that it’s genuine.

I think something along the lines of a shared rotating secret in the Monzo app that only you and a Monzo customer service agent looking at your account can see may help circumvent these calls too.

You answer the call, check the app for the shared secret, ask the agent for the secret, and when they can provide it you know it’s not Monzo.

Tried speaking in layman’s terms as much as possible, but here’s a glossary for the acronyms:
VOIP = voice over IP. Phone calls but they’re routed over the internet.
PSTN = Public switched telephone network. The thing that routes calls from one line to another.

3 Likes
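The shared rotating secret suggested in the post above, sketched as an added example (not from the thread and not Monzo's implementation). It assumes a TOTP-style derivation (as in RFC 6238, here with HMAC-SHA-256) from a per-account secret known to the app and the agent console; the function names, the 60-second step and the 6-digit length are all assumptions.

```python
import hashlib
import hmac
import struct

STEP_SECONDS = 60  # assumed rotation interval
DIGITS = 6         # assumed code length, short enough to read out on a call


def call_code(account_secret: bytes, now: float) -> str:
    """Code for the time window containing `now`.

    The app and the agent console both run this over the same per-account
    secret, so they display the same value without sending it over the call.
    """
    counter = int(now // STEP_SECONDS)
    mac = hmac.new(account_secret, struct.pack(">Q", counter),
                   hashlib.sha256).digest()
    # Dynamic truncation: the low nibble of the last byte selects 4 bytes.
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{value % 10 ** DIGITS:0{DIGITS}d}"


def verify_spoken_code(account_secret: bytes, spoken: str, now: float,
                       drift_windows: int = 1) -> bool:
    """Customer-side check of the code the caller reads out.

    Accepts the current window plus `drift_windows` either side, so a code
    read just before rotation still verifies. A caller who cannot see the
    account cannot produce a matching value.
    """
    cleaned = "".join(ch for ch in spoken if ch in "0123456789")
    for delta in range(-drift_windows, drift_windows + 1):
        expected = call_code(account_secret, now + delta * STEP_SECONDS)
        if hmac.compare_digest(expected, cleaned):
            return True
    return False


if __name__ == "__main__":
    secret = b"constructed-demo-secret"  # constructed sample, not a real key
    t = 1_700_000_000                    # constructed timestamp
    code = call_code(secret, t)
    print("agent reads out:", code)
    print("app accepts it:", verify_spoken_code(secret, code, t + 5))
```

The caller reads the code to the customer, never the reverse, which matches the thread's point that the person calling must be the one to identify themselves.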

I don’t mean to ruin your day, but it is an acronym! :blush:

2 Likes

All I’d need, I think, is a notification from the Monzo app saying that Jo(e) is about to call and for them to identify themselves as such when they call.

I’m still not, in any circumstances, going to give anyone who calls me personal info, though. That’s really playing into the hands of bad folk.

2 Likes

In spirit only. As they look like real words it’s easier :grin:

3 Likes

Ultimately the phone carriers somehow know to bill each other and for how much so there’s definitely an end-to-end audit trail for each call. It shouldn’t be hard to trace these calls all the way back to the source and stop it if there was an incentive to do so, but as it stands they actually get paid to route these calls so it’s more profitable to look the other way and let spam through.

1 Like

Note that the OP has yet to return to read any of this so, for the moment, I’d say this is a dead topic.

4 Likes

Banks calling people then demanding personal info from the people they’d called to ‘verify’ them used to be a massive problem. It’s been a while since I’ve been called by a bank though so I’d expect the practice has been stopped by now.

1 Like


The problem is that major corporate systems work by, you guessed it, spoofing the main corporate number. So you’ll have a call from say Joe Bloggs Corp main customer services number, but the call is actually originated from another number and the presentation number set to the main number of the company.

There is definitely work going on in the background to try and put a stop to some of these calls. However it’s like spam emails, some will always get through and there will be false positives, so people have to be vigilant and aware of things to look out for.

3 Likes