Unexpected message from us? Here's how to tell if it's real

“Hello, this is Monzo. The security word is sausages”

2 Likes

Whatever it may be, done right, it would be difficult to fake and obvious that the call was genuine.

2 Likes

Just wait until it’s that person’s safe word, we’ll see a post by someone convinced Monzo has been spying on them.

But in all seriousness, usually the message says Hi, my name is xyz, then when they call they say their name so it’s kind of implemented already.

I still don’t think that’s enough. Even if I have arranged a call, there’s a slim chance I’m going to give away my PII over the phone.

Any scenario that is:

“Hi, it’s John Smith from Definitely Your Bank. Can you please tell me the first line of your address, DOB, and mother’s maiden name to pass security”

Is going to scream Scam. Even if I have arranged it, I’m probably not going to give you that info cold, over the phone. Call me a cynic.

What I’d rather see is:

“Hi, it’s John from Monzo. You should see the verification code “123 456” in the verification section of the app, can you press “OK” to continue the call”

Boom, Monzo verifies themselves to the user.

14 Likes

Just quickly on the jargon thing - I don’t understand most of the acronyms on here so end up looking them up on the interweb. A bit of a pain having to leave the discussion for a moment and it has been known for me to look up the same phrase more than once - but that’s an age thing.

I also agree [another diversion] that the security should be two way - there are so many attempts to get our data these days and I do feel at risk in these situations.

R-

3 Likes

I recently had a few calls from BUPA, who always seek to start by asking security questions to verify who I am.

The first time around, I told them they should be proving to me who they were, so asked for the reference number of my case, as well as my month of birth - and in exchange, I provided the day and year.

After that, I recognised the number from which they were calling, but that’s fairly unreliable since it can be spoofed. It’s always a tricky balance.

2 Likes

That’s good - I like that idea. R-

This detail seems to have been lost in the thread, but Monzo is the only bank I’ve checked that don’t have a DMARC record.

(HSBC/FD are sitting on the fence a bit and have it set up to report data, but not block emails. The rest have a reject policy.)

4 Likes
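
The three DMARC states mentioned in the post above (no record, report-only, reject), shown as an added example that is not part of any post in this thread: a small Python classifier for the TXT records published at `_dmarc.<domain>`. The domains and records are constructed placeholders, not real lookups, and the verdict labels are this example's own.

```python
import re

# Constructed sample data: TXT answers for _dmarc.<domain>, keyed by placeholder domains.
SAMPLE_TXT = {
    "no-dmarc.example": ["v=spf1 include:_spf.example.net ~all"],
    "report-only.example": ["v=DMARC1; p=none; rua=mailto:dmarc@report-only.example"],
    "partial.example": ["v=DMARC1; p=reject; pct=25"],
    "enforcing.example": ["v=DMARC1;p=reject;sp=reject;rua=mailto:agg@enforcing.example"],
}

def parse_dmarc(txt_records):
    """Return the tag dict of the single DMARC record, or None if absent or ambiguous."""
    found = [r for r in txt_records if re.match(r"\s*v\s*=\s*DMARC1\s*(;|$)", r)]
    if len(found) != 1:  # RFC 7489: zero or several DMARC records means no policy applies
        return None
    tags = {}
    for part in found[0].split(";"):
        if "=" in part:
            name, value = part.split("=", 1)
            tags[name.strip().lower()] = value.strip()
    return tags

def classify(txt_records):
    """Map a domain's _dmarc TXT answers to a verdict string."""
    tags = parse_dmarc(txt_records)
    if tags is None:
        return "missing"
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        return "invalid"
    if policy == "none":
        return "report-only"  # receivers send reports but do not block spoofed mail
    pct = tags.get("pct", "100")
    if pct.isdigit() and int(pct) < 100:
        return f"{policy} (partial, pct={pct})"  # policy applied to a sample of mail only
    return policy

def audit(records_by_domain):
    return {domain: classify(txt) for domain, txt in records_by_domain.items()}

if __name__ == "__main__":
    for domain, verdict in audit(SAMPLE_TXT).items():
        print(f"{domain:22} {verdict}")
```

To check a real domain, feed `classify` the strings returned by a TXT query for `_dmarc.<domain>`.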

I’m slightly late to this, and others have made similar points, but two important thoughts from me:

If we need to call you we’ll always:

  • Go through security questions with you before discussing your account, so we know we’re talking to the account holder.

Please reconsider this. If I call a bank, I expect to go through security. If a bank calls me, I will never answer any security questions. By asking people to do this you are normalising a phishing attack vector. This might seem low risk (especially if you’ve agreed a time to call) but you’re actually reinforcing the feeling that this is normal and expected. And will raise risk overall. Please don’t do it.

Instead, there have been some great ideas on here - why not turn the Community into a virtue and run something like a citizens’ assembly (users’ assembly?) online to figure out a better solution. Then open it up for other banks and utilities to use. Then lobby government to adopt it as a regulated standard.

And if we need to email you it’ll be from a @monzomail.com, @monzoemail.com, or @monzo.com address.

Others have said this, too, but having (at least) three domains just looks sloppy. Worse, none of them seem to be DMARC enabled. This is a quick fix and, for a tech company, almost inexcusable. We need you at the front of the pack, not the rear, Monzo!

(4/10 must do better).

19 Likes

Why oh why do people fall for things like this? I’m totally NOT criticising the victim(s) but if I ever got a call like this I’d try not to panic and verify the caller’s identity using the Monzo advice. My advice would always be to take a breath and VERIFY VERIFY VERIFY!!!
So sorry for anyone who’s fallen victim.

Hi there,

Unfortunately I became a victim yesterday. I fell for all this and all my funds are now gone! Whoever called me was very convincing and I naively gave into everything even after I questioned them a bit. I feel sick and so stupid. I’m in contact with Monzo now to try and resolve it but I have a feeling that I won’t be able to get the money back. Can anyone shed any light on this?

What did they tell you to do, transfer money or forward them your log in email?

Sorry to hear you’ve become a victim of fraud :confounded: I hope you get your funds back soon :crossed_fingers:

They told me to forward them my log in email and the email they told me to forward to was support@monzo-team.uk

As the victim you can also report the domain to the registrar

https://www.namecheap.com/support/knowledgebase/article.aspx/9196/5/how-and-where-can-i-file-abuse-complaints

1 Like

Panic is exactly it.

You get someone who sounds professional on the phone, they know all about you and they are trying to help and protect you!

“OMG! I can’t lose my money”
“We can help you sir”
“I’ve got kids to feed and I won’t be able to pay my bills”
“We’ve stopped the issue before it happened”

And then you’re so grateful about it, you’ll do what the kind soul on the phone asks.

Emails/texts etc, you have a bit longer to process. Don’t click the link, go direct yourself. But on the phone there’s a pressure to do it now.

1 Like

Good point well made!

Just happened to do a google search and found a website where you can force send spam emails en masse. That’s an interesting thing I’m mentioning for no reason.

What’s the site, for educational purposes of course.

I’d hate to tell anyone, in case they used it to bait people’s inboxes with e-mail. I don’t think that info ought get out.

3 Likes