It all sounds plausible except what were they going to do with the magic link email?
If you try to log into the app from a new device I thought it asked for your PIN? Or would that have been their next question from the scammers?
Probably their next question
Appears that the scam works - https://twitter.com/amylouisestone/status/1262848639644418048
That said, can confirm that a new device requires the card PIN. So they must have asked for that.
Yeah, that’ll be the next part of their script. There may be some obfuscating waffle after they’ve gained access through the forwarded magic link (in case people twig), but then there will be a part where “To aid in our checks, could you confirm your card PIN?”, or they’ll ask for two digits of the PIN, hang up “while checking”, then call back later and “so we can check we’re speaking to the right person, can you confirm [other two digits of PIN]?”
tl;dr, they will have ways of getting the PIN
Surely Monzo knowing your mother’s maiden name would ring alarm bells
Always blows my mind that people fall for these scams. Why would Monzo want you to forward an email they’ve sent, why would they want you to transfer to a safe account, why are they asking for your PIN, why do they need to ask for access to your account?
However, I do understand a bit of pressure and urgency can destroy people’s common sense and let their guard down.
It’s a psychology thing.
Scams like this are hugely reliant on two things:
- Making people panic
- Pressuring them into decisions
They’re taking advantage of the fact that people who are panicking (oh my god! my money is at risk?!) are less likely to make rational decisions.
That’s why my advice to friends and family is to always, automatically, hang up and don’t engage. Call back on a known number, or visit a physical branch if you want to be sure. But never engage with the initial call even if you think it’s legit - especially if, even. The chance of being wrong and the risks of making a mistake are too high.
Not banks, but a real example recently where I was upset by the family member’s reaction.
“There’s a message on the answerphone from Amazon about a Prime account, do you have a Prime account?”
[Conversation, ending with asserting that it’s likely a scam call.]
“Well, I didn’t answer it/call back because I knew I didn’t have a Prime account.”
Can you spot the mistake?
It’s the part where they very strongly indicated that if they did have an Amazon account, they would’ve called back or answered. I repeatedly made the point that ‘it doesn’t matter if you have an account or not’ when it comes to dealing with such calls, but they didn’t really get it.
And again, that’s part of what the scammers are relying on. That they can get this little window of opportunity where you are even entertaining the thought the call might be credible, and then they exploit the heck out of it.
(Above written before you edited that last line in to your reply)
People panic when money is involved. From reading it, they know a lot about you already, the number basically matches what’s on your card. I do agree that the forwarding the email bit seems a bit sketchy and then I’d be really dubious about handing over my PIN, but people do.
If you’re struggling with money, especially with how things are at the moment and someone is telling you that your last £100 could go, your attention will move to that rather than “How does this person on the phone know all about me?”
Yeah, I’d like to double down on that.
There is absolutely zero mechanism in the Monzo admin tooling that staff use that would ever have access to that information about a customer. It’s not information that Monzo staff would ever have, or would ask for, or get recorded anywhere.
So if anyone ever has that info - they’ve got it from somewhere else and they are NOT from Monzo.
I wonder if banks should start doing their own versions of this with the intent to detect customers vulnerable to scamming and educate them and the results would be used to influence fraud protections (a customer that constantly fails the checks would be met with more scrutiny when a new login attempt is detected than one that passes the checks).
The trouble is, it’s such a common security question and they know it.
If Monzo asked me for that, even if I’d phoned you guys, I wouldn’t think “Hang on, did I give that to you 2 years ago when I created an account?”
But are they even verifying?
“Please can you confirm your mother’s maiden name?”
They don’t know, they just want that info, which, now that I’m still typing, I realise is exactly what they are doing.
I think building a prompt into the app, which pops up when you run the app saying “we won’t ask for this ever, here is some extra info”, that could be triggered by Monzo when they see an uptick in login scams would be a nice solution. That way, when they hit a trigger of say X% of requests being these types of scam, the prompt fires and everyone gets a reminder on screen the next time they run the app, and/or a push notification to say “watch out for scams” which also shows the info screen.
2FA wouldn’t solve this problem. The whole point of this scam is they’re cunningly working around 2FA by getting you to create the authentication and supply it to them - cf asking for the magic link email.
Sorry if this sounds mean but I don’t understand why people would ever believe someone ringing them is the bank?
Yes I get it’s the pressure and concern about your money but how many years have banks been telling us that they’ll never ring you?
I thought that but a colleague was rung by Ulster Bank a few weeks ago to ask if she wanted to take a 3 month holiday on her loan and mortgage.
So they’ll never ring you, unless they do
(And no it wasn’t a scam. And they didn’t ask for personal information)
To be fair a couple of years back NatWest did ring me from the fraud department as they blocked my account due to an unusual spending pattern. I told them I’d ring them back off another phone to the number on the back of the card, which they were fine with.
I got through to them after ringing them back and it was a legit call they wanted to check I’d made the various payments out of my account before they released the funds.
Because sometimes they DO. That is part of the problem.
Because banks do ring people for legitimate reasons.
As someone that has been scammed (fortunately I didn’t lose any money) there can be a lot of pressure for someone like me who is not confident talking to people on the phone. Nowadays I simply say “I have no idea who you are and advise I will call back” but if you’re expecting a call (a higher likelihood during the current Covid19 crisis) there needs to be a better system.
I always cite Metro Bank as an example. They require 3 digits from your password on the website and only 2 for phone banking so I asked them why is that not the 1st thing you see on their website?
Why not have a huge banner that says “WE WILL NEVER ASK YOU FOR 3 DIGITS WHEN YOU CALL US OR WE CALL YOU”
Their answer was “thanks for the feedback, we’re always looking to improve our service”.
I had a call about my HSBC credit card. They asked for a couple of personal details, phone password, but I got nervous the call wasn’t legit, asked to call back in, to which they said it was fine. Called in and asked to be transferred to the fraud dept. They did so and told me the call was legit.
Someone got a hold of my credit card details and tried to use it at a shop called American Golf. HSBC declined it, they just wanted to verify it was me or not.
To be fair, in Barclays branches we were calling customers to check whether they needed any help and we were guiding them on how they can find help without, obviously, asking for account details. But it’s good to see people questioning whether these calls are genuine, cause you never know.