Unexpected message from us? Here's how to tell if it's real

We want to make sure all our customers know what we’ll do if we ever need to contact you and, most importantly, the information we’ll never ask you to provide.

13 Likes

All useful stuff. Though I think PAN might need some explanation (long card number or full card number).

I remember the PIN change email coming from a weird email domain. It would be much better if they always came from monzo.com IMO.

Edit - as Rat au Van points out, PAN is explained earlier in the post. My mistake.

Your full PAN (16 digit number on your card)

Isn’t that explained well enough?

1 Like

Yes indeed. And CVC. I thought it was odd these weren’t explained. That’s what happens when you’re trying to take a call at the same time as reading a blog post and probably not giving either your full attention.

Just a quick comment:

How does Monzo verify that they are indeed Monzo to the person they are calling? If there is a spate of people spoofing Monzo’s number, and I am expecting a call, surely the scammer could do this too.

Sure, hang up and call back, fine - but I still believe Monzo to Customer verification should be a thing too.

10 Likes

I’m not sure if it’s a good idea to say online what the security questions might be.

Can I also add that the most scammy thing I’ve felt about Monzo is this:

And if we need to email you it’ll be from a @monzomail.com, @monzoemail.com, or @monzo.com address.

Three separate emails? Whenever I have had an email from Monzo, it just sets my alarm bells ringing when I see the first two on this list. (Plus monzo.intercom-mail.com which is also used).

I see someone else has mentioned this, but this is one of a couple of weird behaviours in the Monzo ecosystem that don’t jibe well with security.

Edit: Otherwise good post. Sorry to nit-pick…!

12 Likes

Although I do think there is a legitimate question about the intended audience for the post and whether it’s appropriate or necessary to use industry jargon such as PAN and CVC. “Full 16 digit card number” (subsequently “full card number”) and “3 digit card security code on the signature strip” (subsequently “[card] security code”) would surely suffice for an audience who aren’t for the most part financial geeks? (Thoughts partly prompted by reading industry research on Confirmation of Payee service today which mentioned the fact that many people don’t understand the difference between payer and payee.) Possibly a discussion for elsewhere but thought I’d ramble on while it was fresh in my mind.

Edit for punctuation

1 Like

I can’t see any harm in using the jargon if it’s explained properly. Financial education is also part of what Monzo do.

1 Like

I agree with this, it would be a major red flag for a lot of people.

Also no DMARC set up by the looks of things.

2 Likes

Fair enough, but PAN = full card number and CVC = 3 digit security code makes little sense when you only have the abbreviations and not the words. I’m all for financial education by the way but to me (even taking into account the explanation I missed on my first reading) that doesn’t do it. Again, in my opinion.

Go through security questions with you before discussing your account, so we know we’re talking to the account holder.

Isn’t this the wrong way around? If you’re calling me, how do I know you’re the bank? Shouldn’t there be security questions that verify I’m talking to Monzo/the staff member the call was arranged with?

4 Likes

I would never answer any security questions if someone rang me. Could easily be a phishing attempt. Generally, as a rule, I would always ring back myself on a number I sourced myself.

3 Likes

Even when they’ve arranged the time to call and there isn’t a number you can call?

You cannot guarantee anyone who calls you. You can (to a degree) if you call them. Coincidences happen and so do man in the middle phishing attempts. Monzo are far from punctual these days and there is nothing Monzo couldn’t tell me that couldn’t wait for me to call them back. In the days of cheap unlimited free minutes, why risk it?

4 Likes

I think the only reason Monzo would call is in relation to a blocked or closed account so it’s rare they need to call

I’ve had a call back after calling Monzo and getting the busy message.

1 Like

You call me? I put YOU through security.

3 Likes

Thanks for the help!

I wonder if Monzo shouldn’t push a number or phrase through to the app if they’re going to call and then tell you that number or phrase when they phone.

It’s a fairly effective way of ensuring the person on the end of the phone is who they say they are.

5 Likes