It all sounds plausible except what were they going to do with the magic link email?
If you try to log into the app from a new device I thought it asked for your PIN? Or would that have been their next question from the scammers?
Probably their next question
Appears that the scam works - https://twitter.com/amylouisestone/status/1262848639644418048
That said, can confirm that a new device requires the card PIN. So they must have asked for that.
Yeah, that'll be the next part of their script. There may be some obfuscating waffle after they've gained access through the forwarded magic link (in case people twig), but then there will be a part where "To aid in our checks, could you confirm your card PIN?", or they'll ask for two digits of the PIN, hang up "while checking", then call back later and "so we can check we're speaking to the right person, can you confirm [other two digits of PIN]?"
tl;dr, they will have ways of getting the PIN
Surely Monzo knowing your mother's maiden name would ring alarm bells
Always blows my mind that people fall for these scams. Why would Monzo want you to forward an email they've sent, why would they want you to transfer to a safe account, why are they asking for your PIN, why do they need to ask for access to your account?
However, I do understand a bit of pressure and urgency can destroy people's common sense and let their guard down.
It's a psychology thing.
Scams like this are hugely reliant on two things:
- Making people panic
- Pressuring them into decisions
They're taking advantage of the fact that people who are panicking (oh my god! my money is at risk?!) are less likely to make rational decisions.
That's why my advice to friends and family is to always, automatically, hang up and don't engage. Call back on a known number, or visit a physical branch if you want to be sure. But never engage with the initial call even if you think it's legit - especially if, even. The chance of being wrong and the risks of making a mistake are too high.
Not banks, but a real example recently where I was upset by the family member's reaction.
"There's a message on the answerphone from Amazon about a Prime account, do you have a Prime account?"
[Conversation, ending with asserting that it's likely a scam call.]
"Well, I didn't answer it/call back because I knew I didn't have a Prime account."
Can you spot the mistake?
It's the part where they very strongly indicated that if they did have an Amazon account, they would've called back or answered. I repeatedly made the point that "it doesn't matter if you have an account or not" when it comes to dealing with such calls, but they didn't really get it
And again, that's part of what the scammers are relying on. That they can get this little window of opportunity where you are even entertaining the thought the call might be credible, and then they exploit the heck out of it.
(Above written before you edited that last line in to your reply)
People panic when money is involved. From reading it, they know a lot about you already, the number basically matches what's on your card. I do agree that the forwarding the email bit seems a bit sketchy and then I'd be really dubious about handing over my PIN, but people do.
If you're struggling with money, especially with how things are at the moment and someone is telling you that your last £100 could go, your attention will move to that rather than "How does this person on the phone know all about me?"
Yeah, I'd like to double down on that.
There is absolutely zero mechanism in the Monzo admin tooling that staff use that would ever have access to that information about a customer. It's not information that Monzo staff would ever have, or would ask for, or get recorded anywhere.
So if anyone ever has that info - they've got it from somewhere else and they are NOT from Monzo.
I wonder if banks should start doing their own versions of this with the intent to detect customers vulnerable to scamming and educate them and the results would be used to influence fraud protections (a customer that constantly fails the checks would be met with more scrutiny when a new login attempt is detected than one that passes the checks).
The trouble is, itâs such a common security question and they know it.
If Monzo asked me for that, even if I'd phoned you guys, I wouldn't think "Hang on, did I give that to you 2 years ago when I created an account?"
But are they even verifying?
"Please can you confirm your mother's maiden name?"
"Beyonce"
"That's correct"
They don't know, they just want that info, which now that I'm still typing I realise is exactly what they are doing.
I think building a prompt into the app where it pops up when you run the app saying "we won't ask for this ever, here is some extra info" that could be triggered by Monzo when they see an uptick in login scams would be a nice solution. That way they hit a trigger of say X% of requests are these types of scam, trigger the prompt and everyone gets a reminder on screen when they run the app the next time and/or a push notification to say "watch out for scams" which also shows the info screen would help.
2FA wouldn't solve this problem. The whole point of this scam is they're cunningly working around 2FA by getting you to create the authentication and supply it to them - cf asking for the magic link email.
Sorry if this sounds mean but I don't understand why people would ever believe someone ringing them is the bank?
Yes I get it's the pressure and concern about your money but how many years have banks been telling us that they'll never ring you?
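The post above is about the emailed magic link being relayed to the caller. What follows is an added illustration of one design that makes a forwarded link useless on its own; it is not Monzo's implementation or anything the thread describes Monzo doing, and all names, the token format and the 5-minute lifetime are assumptions for the example. The idea is to bind the link to the browser or device that requested it: a random nonce is kept as a cookie on that device and folded into the link's signature, so the emailed token only redeems when presented together with that cookie, which a scammer holding the forwarded email never had.

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional, Tuple

# Server-side signing key. Assumption for this example: generated per process;
# a real service would keep it in a KMS/HSM and rotate it.
SIGNING_KEY = secrets.token_bytes(32)
LINK_TTL_SECONDS = 300  # assumed lifetime of a magic link


def _sign(email: str, expires: int, browser_nonce: str) -> str:
    """HMAC over the login request, including the nonce that lives only in
    the requesting browser's cookie (the nonce is NOT put in the email)."""
    msg = f"{email}\n{expires}\n{browser_nonce}".encode()
    return hmac.new(SIGNING_KEY, msg, hashlib.sha256).hexdigest()


def issue_magic_link(email: str, now: Optional[float] = None) -> Tuple[str, str]:
    """Start a login. Returns (emailed_token, browser_nonce).

    The token goes in the email; the nonce is set as an HttpOnly cookie on the
    browser/device that asked to log in. Because the token's signature covers
    the nonce, it is only valid when redeemed by the browser holding that cookie.
    """
    now = time.time() if now is None else now
    expires = int(now) + LINK_TTL_SECONDS
    browser_nonce = secrets.token_urlsafe(16)
    token = f"{email}|{expires}|{_sign(email, expires, browser_nonce)}"
    return token, browser_nonce


def redeem_magic_link(token: str, presented_nonce: Optional[str],
                      now: Optional[float] = None) -> bool:
    """True only if the token is well-formed, unexpired, and the caller presents
    the nonce the link was issued against. A forwarded link fails here because
    the recipient never had that cookie; a tampered token fails the HMAC."""
    now = time.time() if now is None else now
    try:
        email, expires_str, sig = token.split("|")
        expires = int(expires_str)
    except ValueError:
        return False
    if presented_nonce is None or now > expires:
        return False
    expected = _sign(email, expires, presented_nonce)
    return hmac.compare_digest(expected, sig)


if __name__ == "__main__":
    # Constructed walk-through of the scam in the thread: the victim requests a
    # login on their own phone, then forwards the email to the caller.
    token, victim_cookie = issue_magic_link("victim@example.com")
    print("victim's own device:", redeem_magic_link(token, victim_cookie))
    print("scammer with forwarded link, no cookie:", redeem_magic_link(token, None))
    print("scammer guessing a cookie:",
          redeem_magic_link(token, secrets.token_urlsafe(16)))
```

This only removes the emailed link as a standalone credential; as the earlier replies point out, the script then moves on to the card PIN, which a login design cannot fix on its own.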
I thought that but a colleague was rung by ulster bank a few weeks ago to ask if she wanted to take a 3 month holiday on her loan and mortgage.
So they'll never ring you, unless they do
(And no it wasn't a scam. And they didn't ask for personal information)
To be fair a couple of years back NatWest did ring me from the fraud department as they blocked my account due to unusual spending pattern, I told them I'd ring them back off another phone to the number on the back of the card, which they were fine with.
I got through to them after ringing them back and it was a legit call they wanted to check I'd made the various payments out of my account before they released the funds.
Because sometimes they DO. That is part of the problem.
because Banks do ring people for legitimate reasons.
As someone that has been scammed (fortunately I didn't lose any money) there can be a lot of pressure for someone like me who is not confident talking to people on the phone. Nowadays I simply say "I have no idea who you are and advise I will call back" but if you're expecting a call (a higher likelihood during the current Covid19 crisis) there needs to be a better system.
I always cite Metro Bank as an example. They require 3 digits from your password on the website and only 2 for phone banking so I asked them why is that not the 1st thing you see on their website?
Why not have a huge banner that says "WE WILL NEVER ASK YOU FOR 3 DIGITS WHEN YOU CALL US OR WE CALL YOU"
Their answer was "thanks for the feedback, we're always looking to improve our service"
I had a call about my HSBC credit card. They asked for a couple of personal details, phone password, but I got nervous the call wasn't legit, asked to call back in to which they said it was fine. Called in and asked to be transferred to fraud dept. they did so and told me the call was legit.
Someone got a hold of my credit card details and tried to use it at a shop called American Golf. HSBC declined it, they just wanted to verify it was me or not.
To be fair in Barclays branches we were calling customers to check whether they need any help and we were guiding them how they can find help without obviously asking account details. But it's good to see people questioning whether these calls are genuine, cause you never know.