You don't need to be an 'investor' to invest in Singletrack: 6 days left: 95% of target - Find out more
I always consider myself to be pretty savvy when it comes to spotting scams.
Got a phone call last night claiming to be from my internet bank.
They knew my name, postcode and at least the last 4 digits of my bank card. They sounded very professional and articulate.
They asked me to check some payments made to Groupon from my account. I told them I hadn't made them and then they refunded them, then and there.
There was another payment, several thousand pounds, that I hadn't approved and had failed to go through.
They claimed it was a "scheduled" payment and I needed to approve it and then they would be able to refund it if I didn't, the payment would go through at 8pm.
I politely declined.
He kept me on the phone for nearly 30 minutes and I must admit I did think he could be from the bank. Luckily for me I dug my heels in.
Looking back with hindsight there were a few red flags and I should of realised it was a scam much sooner.
I feel like a bit of a mug this morning even though I didn't approve it, but did consider it for a moment.
No wonder a lot of people fall for these people!
I have now found the feature on the app that tells you if the person who is calling you is from the bank.
I think that any*incoming* call has to be treated with extreme caution.
If you aren't sure it's a scam, just say you wish to be careful and you'll call the bank back. Hang up, Google the number you need, then call them yourself.
They phoned my wife's mobile and asked for me.
She had recently signed to a new supplier's website but had used my card for payment but the account had her mobile phone registered. I suspect they had hacked the website.
They only mentioned the last 4 digits of the card number which is what is shown on a transaction. Although I don't know how they made the smaller payments?
Although he was convincing and patient. I think he had previous call centre experience.
I should of just asked him to tell me my account number and sort code and confirm some other transactions on my account.
So had they already made the Groupon payments from your account and refunded them to convince you? Blimey, that’s a clever/nasty trick.
That's what nearly got me.
When I challenged him, he explained that if he wasn't from the bank how could he of refunded those payments? I guess with Groupon, you can make a purchase and cancel shortly afterwards and you get a refund.
If in doubt, ask the person at the other end to confirm the amount and date of last two payments into your account and the two direct debit commitments.
If they don't have current access, they won't know all of it.
I assume you've now cancelled your cards?
If in doubt, ask the person at the other end to confirm the amount and date of last two payments into your account and the two direct debit commitments.
If they don’t have current access, they won’t know all of it.
Most banks will not ring you directly or email you, so that's an immediate red flag. They might text and ask you to get in touch with the fraud prevention team, but then you ring back the main customer service number.
So it's best to not engage with someone who rings you out of the blue claiming to be from your bank. Just tell them you'll ring the bank back. If they object to this, they are 100% a scammer.
Always, always hang up and call the bank (or whatever) back. And do it on a different phone, and don't use the number they have given you, or that shows up on your phone. Check it elsewhere first.
I go on the assumption that someone phoning me about money is most probably a scam.
Most banks will not ring you directly or email you, so that’s an immediate red flag.
Bloody Barclays Business do!
I repeatedly refused to talk to them. It turned out it was legit and I was about a dormant account that was £20 overdrawn and they closed it. It was a pain in the arse as I needed to some info from it for closing a company down.
They had wrote to me about it as well but as I signed up for paperless banking, just assumed anything from them was trying to sell me a credit card etc.
I also immediately block any spam numbers.
They can be quite sophisticated, I had my card skimmed in a petrol station. Fraudulent transactions picked up by my bank and all sorted but the real sneaky bit was the scammers rang me two weeks later pretending to be from my bank... of course they had details of the previous dodgy transactions and they obviously knew I had just received a new card etc. nearly fell for it
I did have a fun conversation with one building society call centre where they rang me up and then immediately tried to 'take me through some security questions'. The idea that they probably knew who I was, because they'd rung me, but I had no clue who they were, didn't seem to compute.
Looking at the groupon site, I guess they just set up a vendors account to control the transactions.
Bank of Scotland text you from a number saying they're going to send you a message. Last few came from a mobile number.
The person in the fraud team seemed surprised that given their anti fraud / fraud awareness messages I wouldn't trust an unsolicited text from a random number.
I had a very similar call a couple of months back from someone claiming to be from my bank with the same detilas of mine. Sounds like yours was a bit better ran than mine.
As with yours I was kept on the phone for about 20-30 minutes until I started to think that something wasn't right. I can't remember what it was but there was somehting he kept saying which I found odd but not enough to hang up. In the end my suspicions were up and he started askign about balances on accounts etc and when I aksed him if he could tell me what they were I relaised there was something massively wrong so hung up. He then actually called me back and I told him to **** off.
When I called the bank they were very helpful and said it's a common scma now, the caller spins you the story then eventually tells you that you'll receive a message from them and they need the code. The code in question is the OTP code they give you for purchases.
I can easily see how people can fall for this, especially the older and less tech-savvy.
I did have a fun conversation with one building society call centre where they rang me up and then immediately tried to ‘take me through some security questions’. The idea that they probably knew who I was, because they’d rung me, but I had no clue who they were, didn’t seem to compute.
😁
I had a very similar call with Santander a few years ago and reached the same impasse. The lady was insistent that she was from the bank and I must answer the security questions, even after I'd pointed out that we receive regular emails and letters asking us not to give out security details to cold callers. I rang them back, she was from the bank.
The fact they did what they could to keep you on the line is a sure sign of a scammer. Any company, if you said to them you were unsure of who it was you were talking to would immediately ask you to call the company directly.
Anyone calling you is effectively just an operator, has no power and just conveying a message, so by trying to keep you there they are trying to force you to do something there and then.
There is a sense of immediacy in preventing scams/or illegal transactions on your account, but not to the point that it needs done in minutes and not at night beyond normal working hours as problems in reality would take days to sort out.
not at night beyond normal working hours
Another red flag that just never occurred to me!
Most banks will not ring you directly or email you, so that’s an immediate red flag.
That's not true. I've had calls directly from my bank's fraud department.
I did have a fun conversation with one building society call centre where they rang me up and then immediately tried to ‘take me through some security questions’.
Of course, if it's a scam, they now have the answers to your security questions.
I always end the call and ring the bank back when I get a call claiming to be them.
On this, be aware: if it's a landline call, the originating end has to terminate the call. So if you hang up and pick the phone up again, they're still there.
9 months or so ago I did fall for a scam, but then through dumb luck escaped it before there was any harm done.
I was doing the school run and a guy in a van in a bit of a rush tried to nip into a gap that wasn't quite there and the metal cage bit ofnhis van gauged a fair chunk out of the side of my beautiful car. I got out, took pictures, exchanged details, dropped my daughter at school drove home then quickly tried to call my insurance Co to get the ball rolling on that before starting work.
My insurance Co took details, passed me to their claims handling firm, had me send in further details, pictures, statements, and set up a 'password' that only they would know so I wouldn't talk to anyone who didn't know the password as they could be scammers.
They offered me a hire car to use while my car was being repaired, and went out to the other driver to ask him to agree he was at fault as he had done at the scene. He had a change of heart in the hour or 2 after hitting me and was now saying it was my fault, this then meant the claim handling people passed me to a different team. This was the first thing that felt odd.
I also didn't like the term 'hire car' when I was sure it was usually a courtesy car, so I asked about how this was paid and the person on the phone answered but was obviously sort of nervous in answering, enough that it made me worry. Luckily we have 2 cars in the family and could manage with 1 if needed so I told the claims mgmt Co that I didn't want a hire car, please just fix my car. They called me back later to push the hire car again and I again refused, at which point they told me they couldn't help me and I would have to go back to my insurer.
I called my insurer to complain about how their claims firm / dept had wasted my time for a week etc, and they had no record of ever having spoken to me about the incident. The scam is the claims mgmt firm have google return their phone number when you search for 'direct line claims' or similar, then as you call them in a semi panic under the guise of verifying who you are they collect all your info, then they get a recording of you agreeing to use the claim mgmt firm which you are being told is a good idea by who you think are direct line. The password they set up means if your real insurance Co phone you you'll think they are the scammers as they don't know it. Then the money grab is the expensive hire car they have you agree to which if you lose your insurance claim you are then personally liable for.
In the end ingot a courtesy car, my car fixed, and the other driver found at fault eventually after they ignored all correspondence for 6 months so it worked out in the end, but I was hook line and sinker for a week or so
They knew my name, postcode and at least the last 4 digits of my bank card.
Do you have a shredder? They could have got all that from going through bins, even easier these days now that paper recycling is a commonly a separate thing. Receipts routinely show your card details as "* * **** 1234" which is useless in itself but handy for 'proof' of legitimacy. The discarded receipt from a pint of Large at the Flying Swan and a copy of your missus' phone bill and they're away.
I just refuse to do online banking beyond paypal. If there is one thing in the equation that is needed for any of these scams to work, it is that you need to be connected directly to your bank over the internet.
Its not that its far easier in a world with less high street branches, its that i dont trust banks to pay you back should someone scam you. They may do it currently, but if they were to refuse, it would be excused along the lines of it was your fault for not taking enough precautions, or you dont have up to date security software or such Banks are greedy feeckers, and cannot be trusted.
Do you have a shredder? They could have got all that from going through bins, even easier these days now that paper recycling is a commonly a separate thing. Receipts routinely show your card details as “* * **** 1234” which is useless in itself but handy for ‘proof’ of legitimacy. The discarded receipt from a pint of Large at the Flying Swan and a copy of your missus’ phone bill and they’re away.
Definitely from a suppliers website.
There are too many coincidences.
It happened just after she registered with them.
She used my business card and name to pay but put her phone number on the account. She also used our business email address which isn't actually registered on the bank account. My personal one is.
They called on her number but asked for me.
They also sent an email to the business email with fake bank log in link.
We will speak to them on Monday, just to warn them. They have been hacked or have a rogue member of staff.
I just refuse to do online banking beyond paypal.
We couldn't survive without internet banking. Paying suppliers etc.
They may do it currently, but if they were to refuse,
I have had a card hacked twice.
Both times the unrecognised payments were refunded immediately.
No wonder a lot of people fall for these people!
Yeah. Once of a time I would have argued "how could you fall for this, you're an idiot." But we have to understand, these people are criminal gangs. They are organised, they do it for a living, they are good at it.
The crap attempts, the ones that start "dear costumer" or what have you, I'm reasonably confident are intentionally crap because if you're dim enough to fall for a blatantly obvious hook then you're less likely to get cold feet further down the line and waste their time.
Report the company which leaked details to the Information Commissioner and Action Fraud while you’re at it. If they’re not actually complicit in the scam they’re at least negligent. You might save others from getting scammed.
We will speak to them on Monday, just to warn them. They have been hacked or have a rogue member of staff.
There is regulatory compliance here, called PCI-DSS. It is a mandatory requirement for anyone taking card payments.
If it is an inside job or they otherwise have been negligent in handling your data then there are big fines to had. They could also lose their right to act as a merchant. You'll have a fine old time actually proving anything I expect, but the suggestion that they might be about to get investigated by ICO and potentially spanked hard might motivate them to take your complaint seriously.
I assume any number not in my phone is a scam and let it ring out. I then Google the number, it usually comes up as a business I'm not interested in or dodgy and I block it. The complete unknowns that might not be a scam I ignore calls but leave the number unblocked so they can send an SMS. If they do send and SMS it's usually accompanied by a "possibly spam " alert from my telecom provider.
Revolut have a handy facility where you can generate a one time use card for online payments.
No wonder a lot of people fall for these people!
My Mum phoned the other day saying she'd had some calls on WhatsApp along these lines, she'd thankfully hung up on them and blocked the numbers. So I once again had a chat with her about fraud, never give out details, neither me or my sister will ever message going "Hi Mum, it's me, this is my new number...." and so on and she was really quite dismissive.
Yes yes I know all this, I won't fall for any scams. 🤔
And that's how they get you, because you think you're too smart to fall for any scams.
I very nearly got done on an old laptop - Facebook said my account had been hacked and I needed to verify some account info and then it got to the point where it asked me for card details. I was actually half way through inputting the card number when I realised that FB will never ask for payment so I shut everything down and gave it to the IT Manager at work who cleared it of the (really quite nasty) virus it had. Turned out the bloody virus had come from a memory stick belonging to...that's right, my Mum. She had a habit of saving loads of pics onto a flash drive and taking it to friends; that drive must have been in and out of a dozen computers so of course it was spreading virus like a wildfire.
I once again had a chat with her about fraud, never give out details, neither me or my sister will ever message going “Hi Mum, it’s me, this is my new number….” and so on and she was really quite dismissive.
If you think this is a likely occurrence - and it shouldn't be, no-one needs a "new number" unless they're avoiding a stalker - then agree a password that all your family know. "Hi mum, this is my new number" - "OK love, what's the third and fifth letters in our password?"
Most banks will not ring you directly or email you, so that’s an immediate red flag
As Cougar said, some bank fraud departments will call you. I had that for a payment to Wise that I was using for a foreign money transfer as that is often a way scammers route money to stop it being reversed (as I understand).
My incident was a dropped card. Someone used it a few minutes before I made a phone payment miles away.
HSBC card generates an online number which is not your card number. It seems to work that I put in card number and ghost number appears on the transaction.
I still feel pretty shit about this.
Dreamt about it last night!
Still can't believe how close I came to pressing the button. Absolute mug!
Look at it this way.
You didn't. And as I wrote above, these sorts of scams are getting increasingly sophisticated. As it turned out, you had a learning experience and you got to relay a warning to others who might otherwise have fallen for it.
I'm with HSBC and they have phoned me about fraudulent payments before but they never asked for any passwords or to approve anything. I think they just went through a few recent transactions to see if they were genuine.
Revolut have a handy facility where you can generate a one time use card for online payments.
AFAIK all Applepay payments use a one time code.
I know but it's still bugging me.
God knows how I would be feeling if I had lost a few thousand! PTSD I reckon!
“I always end the call and ring the bank back when I get a call claiming to be them.”
On this, be aware: if it’s a landline call, the originating end has to terminate the call. So if you hang up and pick the phone up again, they’re still there.
This! My sister (who is a bright lady, medical consultant etc) got done a few years ago. Got call on landline saying problem with her card being cloned. Straight away they said put phone down and call bank on their official number. She did, dialling tone when she picked up phone, it rang, the bank answered it and that was that. Hook, line and sinker. Not only did she give them her pin, an ‘official courier’ came round to her house and took possession of her card to securely destroy it! And promptly took it to the nearest cash point! Her biggest worry was that she’d told ‘the bank’ that she was off abroad on holiday and that they now knew her house would be empty. I told her that these types of scammers don’t tend to go in for breaking and entering, which indeed proved to be the case.
Suspect that the decrease in landline use makes this less likely.
I had an incident in London where a cashpoint ate my card. I was trying to cancel the transaction when this guy rocked up, well dressed and polite, asked what the problem was, said he’d seen this before and what I needed to do was hold down three buttons with my left hand whilst inputting my pin with my right. I realised this meant that either he, or the camera in the fake cashpoint that they’d put over the top of the real one, would know my pin. I left it, cancelled card immediately and that was that. But I nearly did what he said, which would have given them direct access to my account.
I have however been done by guys flogging high quality speakers that were accidentally loaded onto their van - though in fairness they were really good speakers - and similar with guys selling leather jackets (that turned out to be fake). I was a lot younger though!
"Always, always hang up and call the bank (or whatever) back. And do it on a different phone, and don’t use the number they have given you, or that shows up on your phone. Check it elsewhere first."
Is this only a problem on the older 12V phone system?
More to the point, is this a problem on the new DV (ie via your smarthub and over the internet)?
And that’s how they get you, because you think you’re too smart to fall for any scams.
I think a lot of successful scams also rely on coincidence. I nearly fell for a HBOS Business Banking scam a while ago, the coincidence was that I was at that time being set up as a second signatory for HBOS Business account for a charity. The scammers didn't know this, but I was expecting communication from HBOS. Pretty sure it was a complete coincidence. Its enough for you to just relax your guard.
This is why you see so many Royal Mail missed delivery scams around Christmas, as everyone is expecting Royal Mail deliveries.
I think a lot of successful scams also rely on coincidence.
You're right.
In my case I had had a few annoying niggles with this new bank account. The support was poor and frustrating.
I was starting to think I had made a poor choice and was considering closing it and going somewhere else.
When the call came in, I was just starting to think that their system was poor and basically flawed.
I even said so to the caller.
I work in IT, and consider myself pretty tech-savy. I work for an IT security company and I regularly receive training to specifically look out for these types of scams. Despite this I was almost caught out last year too - either I'm gullible, or the scammers are getting very good (no need to comment 😀 )
These are my notes from it in case it helps anyone, there are similarities to the OP's experience;
If you're interested, or in case it helps you in a similar situation, the full details are below;
- Mobile rang about 6:45pm, bloke says he's Derek Robins from Halifax Card Fraud team
- He asks if I'm <my full name>, I confirm that I am
- He tells me my Halifax card has been blocked as they've detected suspicious transactions
--- At this point I'm suspicious and almost say I'll call the bank directly, but he hasn't asked for any details yet so I let him carry on
- I then receive a text from 0345 944 4555 saying my Mastercard ending in wxyz has been temporarily blocked
--- There's then another text from that number confirming his name and giving me a case reference number
- He asks if I've made any large purchases from Scan Computers or Apple, or whether I've used my card in Southampton recently, I confirm that I haven't
--- I then get another text from 0345 confirming that all mentioned transactions have been marked as fraudulent
- I can't fully recall the next part, but I'm 99% certain I didn't give him any details that he didn't already have (although I prob confirmed bits he wasn't certain about)
- He told me I'd get another text letting me know that I'd need to confirm recent activity, I did but this one came from a different number that my phone auto-resolved to "Halifax", but I didn't have to do anything with it
- He said there'd be another text asking me to confirm (Yes or No) a purchase from Scan Computers, but I mustn't respond to it. This came from a 3rd number (07401 260953), I didn't respond, but there was a quick follow up text implying I had confirmed it. When I mentioned that he said it was normal (alarm bells were starting to tinkle)
- He then said I'd get another text with a 6 digit code (this also came through on the "Halifax" number), he needed me to give him that so he could block all further transactions. This made no sense, surely the bank can block whatever they want. This was the first point that he'd asked me to give him any info he didn't already have (alarm bells were ringing louder)
- I asked him to clarify why he needed that number, he gave some waffle that was reasonably convincing but at that point I said I was going to hang up and call the bank directly
- He was perfectly calm and professional about it (as he had been all the way through), he made a slight attempt to get me to give him the number but wasn't pushy.
- I was prob on the phone to him for 10mins in total
- I then rang Halifax banking, they confirmed the card wasn't blocked, and that there'd been a refused purchase from Scan Computers, but weren't able to help much further. The gave me the number for their fraud team.
- Rang fraud team, who were absolutely amazing. Properly professional, no time on hold, knew what they were talking about, dealt with everything with minimal fuss, didn't try to rush me off the phone, offered tips and advice for future. 10 out of 10!
- Told me;
--- The 0345 number is a genuine Halifax number, but not the fraud dept, so he was spoofing it in some way
--- They only give out their first names to avoid becoming targets themselves, so the surname is a red flag
--- The Private number would have been the scammers own, but the 07401 is a Halifax thing
--- Not quite sure what the 6 digit number was (presumably 2FA of some kind) but if I'd given him it would have opened a world of pain
- My card is now blocked, new one on its way
^That is very sophisticated.
It must take some time and effort to set that up.
I wonder if they have a way of selecting targets or is it just opportune and random?
I mean if you go through all that effort and you hack someone with £150 in their account, it's hardly worth it is it?
Also, if you had been scammed, then would it of been Halifax's fault, as their phone system had been compromised?
Also, if you had been scammed, then would it of been Halifax’s fault, as their phone system had been compromised?
It's not been compromised - the scammer isn't "in" their phone system, they're spoofing it.
https://www.ofcom.org.uk/phones-telecoms-and-internet/advice-for-consumers/scams/phone-spoof-scam
Not quite sure what the 6 digit number was (presumably 2FA of some kind)
Almost certainly
Yes, but it's not a 2FA that I have set up. Presumably it's something Halifax send to get confirmation that you're who you say you are, but how it's triggered isn't clear to me. I'm often asked to open my banking app to confirm a large purchase, I guess there may be an "I don't have my app available" option which sends a text instead.
I think a lot of successful scams also rely on coincidence.
Yeah, and it's particularly dangerous.
I got caught out by a phishing test at work. We'd had an internal email warning us to expect a login request from a third party for a new system. We then got a link emailed, I didn't really read it properly as I was talking with someone and so clicked through, onto a phishing landing page.
Personally I think it was a dirty stunt to pull, it's essentially entrapment. But the mantra I tell everyone else is always "was I expecting this?" and in this case, yes, I was expecting something like it so that didn't work.
There are a couple of points to take away from it though. A moment's inattention on a real scam email that coincidentally ties into some other aspect of your life and, well, boom. I get them all the time for things like "your iTunes account has been suspended" - I don't have an iTunes account so it's clearly a scam, but a heck of a lot of people do and a percentage of them are likely to be having issues with their account at a given moment.
I get them all the time for things like “your iTunes account has been suspended” – I don’t have an iTunes account so it’s clearly a scam, but a heck of a lot of people do and a percentage of them are likely to be having issues with their account at a given moment.
Yep, I've had them for "your Santander account..." and a couple of others.
Older folk are particularly vulnerable to this sort of thing as everything has transitioned so quickly to apps and online.
I got caught out by a phishing test at work. We’d had an internal email warning us to expect a login request from a third party for a new system. We then got a link emailed, I didn’t really read it properly as I was talking with someone and so clicked through, onto a phishing landing page.
We had the Phishing test at work. Problem is I quite often open them just to see what URL comes up as the scam site never has the correct URL or has something close to it but generally has some small add-on to make it look close.
Anyway I opened the test email to check the sender email and then got the email saying I could have compromise us. I agree though, It's entrapment.
I was kind of scammed last year (a couple of years).
In my defence I'd taken call after about 4 hours sleep after just got back from holiday. I confirmed a few things, they asked if I had other accounts, and kind of left it at that. I started to get a bit concerned and cagey near the end, and ends the call. Called my bank, no it wasn't them and they gave me a ticking off ("everyone thinks they're savvy, SIR").
Nothing really came out of it which was a bit weird.
“everyone thinks they’re savvy, SIR”
Everyone is savvy right up until they aren't. Like I said on the previous page, these are professional scammers, not some 12-year old in his bedroom.
A moment’s inattention on a real scam email that coincidentally ties into some other aspect of your life and, well, boom. I get them all the time for things like “your iTunes account has been suspended” – I don’t have an iTunes account so it’s clearly a scam, but a heck of a lot of people do and a percentage of them are likely to be having issues with their account at a given moment.
And one of the big problems with this is banks and companies are still sending out official emails with links in to log into accounts, they are training their customers to respond to phishing emails.
Oh yeah. I've had legit calls from the bank, "can you confirm your identity?" You rang me, dickhead, I know who I am. Who the hell are you?
To be fair they were quick not to argue when I refused and asked me to call them back on the number on my card. Though that really rather should have been what they asked me to do in the first place.
I asked if there was some way they could put a note on my account with a password they could give to me as way of legitimising an unexpected call and got "computer says no."
I don't know but I rather suspect that if we knew what most banks' infrastructure looks like we'd very concerned. I was discussing this elsewhere on the Internet earlier today. "You must choose a password using characters from these groups" - why? You're artificially restricting my password entropy for reasons that shouldn't really have existed 20 years ago. I have lists of compromised passwords running to billions and whilst I (obviously!) haven't read them all I don't recall ever seeing the copyright symbol, letters with diacritics... Foreign language wordlists exist of course, but no hacker in their right mind is going to be using them to attack a .co.uk account.
And one of the big problems with this is banks and companies are still sending out official emails with links in to log into accounts, they are training their customers to respond to phishing emails.
I've some from network rail asking me to click a link to authenticate my log in. I'm a registered user on some of their software but it's an unsolicited email asking me click a link that otherwise screams phishing. It's a minefield.
Afternoon for older folks being left behind the rapid switch to digital is leaving many many more behind than just the old. A lot of the safety critical paperwork on the railway is now digital. Great for the office but for many on site it's a nightmare that they can't suscout. A lot of the guys are there because they can't hack 'office work' (I paraphrase).
I got caught out a couple of years ago, phone rang, 0800 number - I quickly googled it and saw my bank listed under that number. Of course I now know there are number-spoofing apps for that.
Asked a bunch of questions, knew some dets about me and my account. Questioning went on a while and then call came to an end, without getting anything out of me, maybe the scammer lost their bottle or was a trainee.
Only realised next time I spoke to my bank and I mentioned the call I had from their fraud department. Every call is on their system so the guy instantly knew it was attempted fraud