this is a very good example of how con tricks work because the individual stages are credible and build your confidence with the caller at each step.
TLDR;
Phone call from 'bank'
Goes through an id verification process that involves a real text from your bank.
Read your actual transactions out to you to confirm they're not fraudulent.
Final step: ask for PIN so they can 'block' your card.
explanation:
they have your phone number and bank account details - the text is from them doing an online account access reset (the text from the bank is genuine and you read the reset number out to the people doing the reset).
when they ask for the PIN they already have full online access to your account and are trying to transfer all of the money out.
(I'm not clear if they are using one of those card devices where you have to slide your card in and enter your PIN but if they can clone a card it wouldn't surprise me)
https://twitter.com/DigitalLawyer/status/1181348689756864513?s=20
Why would anyone tell anyone, including the bank, their PIN?
That's pretty clever.
My simple rule is do not give any bank details / ID details to anyone who cold calls.
Why would anyone tell anyone, including the bank, their PIN?
because people are a bit daft.
It's a con trick - that's how con tricks work - they gain your confidence. They tell you lots of info that 'only your bank' could know, they're sympathetic, speak good English, even send you a real text from the bank. And the kicker is the request for the PIN, casually, 'Oh, could you just confirm your PIN for me?'
I can see a lot of people being drawn in by it.
Pedantry I know, but that's not strictly 2FA.
That is 2 different instances of single-factor auth... (Reset code THEN password)
The attempt was actually blocked later on by correct application of 2FA (Password AND PIN)
My simple rule is do not give any bank details / ID details to anyone who cold calls.
Very much this, unexpected call from bank = what's it about? & call back to known bank number.
call back to known bank number.
That's not good enough either on a landline. On a landline a call is only disconnected when the caller hangs up. If the recipient hangs up, then picks up the receiver again, the call is still connected.
So, a scammer could call you, you go "I don't believe you, I'm ringing the bank." You hang up, pick up the phone again, the scammer plays a dialtone down the line, you dial the number on your bank card, the scammer goes "hi, we're totally Barclay's Bank, how can we help today?"
I've actually had a call from my bank asking me to confirm my identity. And from the anti-fraud team, too.
Needless to say, I hung up and called back. There are scams however where they keep the line open (land lines only I imagine) and you think you've called back but haven't.
When I call the bank, they ask me ID questions. When they call me, I ask them for the answers to my ID questions. They don't need to identify me, they know they just phoned me.
When I call the bank, they ask me ID questions. When they call me, I ask them for the answers to my ID questions. They don’t need to identify me, they know they just phoned me.
Absolutely.
You don't know who is calling you these days...
Simple rule really - don’t give out personal info to anyone who rings you up. Look up their number yourself and ring them back.
SMishing or vishing. It's what all the cool kids are doing these days.
Moral of the story, use MFA where you can and never give out PIN or passwords to anyone. A bank will _never_ ask you for your full password or a PIN.
this. Plus, the banks run TV adverts explicitly telling you never to disclose your PIN to ANYONE, even them.
When I call the bank, they ask me ID questions. When they call me, I ask them for the answers to my ID questions. They don't need to identify me, they know they just phoned me.
So, slightly clever, but not really! If you are aware of & follow basic security advice you'll be ok 😃 I guess if you're worried about any relatives then make them a poster to stick by the phone saying "DO NOT GIVE OUT YOUR PIN TO ANYONE EVEN THE BANK" is probably a good idea!!
On a landline a call is only disconnected when the caller hangs up.
That certainly used to be the case when lines could be open for a number of minutes but now it's just a few seconds.
How does the scammer know your transactions to read out to you?
they’re sympathetic, speak good English
That would rule out the possibility of it genuinely being my bank.
Soooo... It turns out my dad was targeted yesterday. Luckily he wrote down their bank details wrong so the £17k he was trying to transfer didn't go through..
They had my mum on her mobile at the same time...
**** a brick!
Soooo… It turns out my dad was targeted yesterday. Luckily he wrote down their bank details wrong so the £17k he was trying to transfer didn’t go through..
They had my mum on her mobile at the same time…
**** a brick!
The only way to solve the problem is to make it the bank's liability when this sort of thing occurs. Until then, they'll happily transfer money about in quick succession through multiple dodgy accounts to hide/dilute it.
How does the scammer know your transactions to read out to you?
Because they initiate a password reset via the bank's website when they start the call with you - the password reset is then completed when you read the auth code the bank sent out via the text to them and they have access to your account online, then they just need your PIN to transfer the balance of your account elsewhere.
It's good. It wouldn't get me because I would never give out my pin but lots would. I would also never call back on the same device, I always change to another phone or use Skype but I'm paranoid. Our main rule at work now is to always authenticate using a different route. Not foolproof but helps.
My mum rang the local branch on her mobile. The woman they normally deal with was out and she was told she'd call back in 10 (all true). (However) 2 mins later someone calls claiming to be from the bank (phone number ID was correct) and tells her that they need to transfer the money.
My dad must have given them her mobile number as he doesn't have one, and they could overhear my parents' conversation about calling the branch.
molgrips
How does the scammer know your transactions to read out to you?
Read the twitter feed in the first post.
tl;dr, they use the bank's reset system which sends you a text for 2fa, get you to give them the answer from your phone, then using the code you give them reset it to whatever they like.
they’re sympathetic, speak good English
That would rule out the possibility of it genuinely being my bank.
very good!
The only way to solve the problem is to make it the bank’s liability when this sort of thing occurs. Until then, they’ll happily transfer money about in quick succession through multiple dodgy accounts to hide/dilute it.
This.
Currently the banks don't care and aren't doing anything about it.
Am I being a bit thick? - how did they know what bank it was, and hence how to initiate the password reset?
Which banks only require a pin to setup a new transfer?
The ones I've used require unique codes linked to new payee account details.
Which banks only require a pin to setup a new transfer?
The ones I’ve used require unique codes linked to new payee account details.
Yes but they know that as the new account is their account. They just need the user's pin to calc the authorisation code.
You shouldn't be able to calc the Auth code. It uses a unique device to generate the code.
how did they know what bank it was, and hence how to initiate the password reset?
They get hold of your name (and maybe your email), sort code and account number - not hard to find, it's written on all your cheques, for example. From the sort code they know the bank. They go to the bank website and try to log in as you, since they don't know your password they click the reset password link. The bank send you a text, with a code to be typed into the website by you to confirm that it's you resetting the password. They phone you at the same time, pretend to be the bank and ask for the code, so they can then reset your password.
Then they need your PIN, apparently, to set up a transfer. I don't think either of my accounts need a PIN and nothing else, but some must. One requires me to put my visa card into a card reader, then enter my PIN, and the other requires a code from time-synced gadget, which requires my PIN.
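The reset-and-transfer chain described in the post above (and earlier in the thread, in the reply that starts "Because they initiate a password reset") can be replayed against two bank-side policies to see which step actually stops it. This is an added example written for this page, not code from the forum or from any bank: the class names, the 24-hour cooling-off period, the £500 card-reader threshold and the £20,000 balance are constructed for illustration (the £17k figure is the one quoted in the thread).

```python
"""Simulate the account-takeover chain from the thread against a bank policy.

Chain: the caller already holds name, sort code and account number; they start
a password reset on the bank's site; the bank texts the customer a one-time
code; the caller talks the customer into reading it out; the caller completes
the reset and then tries to pay a new payee. Everything below is constructed.
"""
from dataclasses import dataclass, field
from typing import Optional, Set
import secrets


@dataclass
class Policy:
    # Seconds after a credential reset during which payments to a payee the
    # customer has never paid are refused. 0 models "no cooling-off period"
    # (the weak case the thread complains about). Assumed value, not a bank's.
    cooling_off_seconds: int = 0
    # Payments above this amount need a code from the customer's card reader
    # (the "unique device" mentioned in the thread). None models no limit.
    token_limit_pence: Optional[int] = None


@dataclass
class Account:
    balance_pence: int
    password: str
    policy: Policy
    payees: Set[str] = field(default_factory=set)
    pending_reset_code: Optional[str] = None
    last_reset_at: Optional[int] = None

    # --- credential reset flow (the part the caller abuses) -----------------
    def request_reset(self) -> str:
        """Bank generates a one-time code and texts it to the customer.
        The return value stands in for the SMS: the caller only learns it if
        the customer reads it out."""
        self.pending_reset_code = f"{secrets.randbelow(10**6):06d}"
        return self.pending_reset_code

    def complete_reset(self, code: str, new_password: str, now: int) -> bool:
        """Accept the texted code and set a new password (the weak step)."""
        if self.pending_reset_code is None:
            return False
        if not secrets.compare_digest(code, self.pending_reset_code):
            return False
        self.password = new_password
        self.pending_reset_code = None
        self.last_reset_at = now
        return True

    # --- payment flow -----------------------------------------------------
    def transfer(self, password: str, payee: str, amount_pence: int, now: int,
                 token_code_ok: bool = False) -> str:
        """Return 'ok' or a reason string explaining why the bank refused."""
        if password != self.password:
            return "refused: bad password"
        recently_reset = (self.last_reset_at is not None
                          and now - self.last_reset_at < self.policy.cooling_off_seconds)
        if recently_reset and payee not in self.payees:
            return "refused: new payee inside post-reset cooling-off period"
        limit = self.policy.token_limit_pence
        if limit is not None and amount_pence > limit and not token_code_ok:
            return "refused: amount above limit needs card-reader code"
        if amount_pence > self.balance_pence:
            return "refused: insufficient funds"
        self.balance_pence -= amount_pence
        self.payees.add(payee)
        return "ok"


def run_scam(policy: Policy) -> str:
    """Replay the thread's event chain against a bank that enforces `policy`.
    Constructed values: £20,000 balance, £17,000 transfer, times in seconds."""
    acct = Account(balance_pence=20_000_00, password="victim-pw", policy=policy)
    t = 1_000
    code = acct.request_reset()        # caller clicks "reset"; bank texts the customer
    read_out_over_phone = code         # customer tells the caller the code
    assert acct.complete_reset(read_out_over_phone, "attacker-pw", now=t + 60)
    # Minutes later the caller logs in with the new password and tries to move
    # the balance to an account the customer has never paid before.
    return acct.transfer("attacker-pw", "payee-never-seen-before", 17_000_00,
                         now=t + 300)


if __name__ == "__main__":
    print("no controls:  ", run_scam(Policy()))
    print("limit only:   ", run_scam(Policy(token_limit_pence=500_00)))
    print("cooling-off:  ", run_scam(Policy(cooling_off_seconds=24 * 3600,
                                            token_limit_pence=500_00)))
```

The point the simulation makes is the one several posters reach independently: the texted code is a possession factor that a phone call can relay, so a policy that lets a fresh reset immediately pay a brand-new payee is beaten by the call alone, while a cooling-off period after any credential reset (as one poster says their bank has) or a card-reader requirement above a limit turns the same sequence of events into a refusal the caller cannot talk their way past.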
2 things. You set a limit of maximum daily transfer amount with your bank. Or you set a limit of single transaction from your bank acc without 2fa authorisation.
Stop adding my name, address and account details to every single piece of paper you send me.. Lloyd's... The letter advising me of fraud and ID theft is generic. It does not need all my details on it, it adds another chance that some of the bad people will have the details, means I have to shred more, and you have used more ink.
OK so the ink thing is meh but the rest. Ironing. A
They get hold of your name (and maybe your email), sort code and account number – not hard to find, it’s written on all your cheques,
Aah ok.
And if you do get random calls from your bank telling you to move all your money to a secure account, or give your pin and /or password go along with it
Make it last as long as you can, oh the postman's banging on the door, just a min etc.
Wasting 20 mins of their time might save 2 or 3 calls to less savvy people and frustrate the scammers in the process
They need the pin so they can request a new card once they're logged in as you and change the delivery address.
Any texts from my bank explicitly say don't give the code to anyone.
But you can't even get into my online accounts without a password & security number and to reset anything there is a cooling off period & a load more information required. What crap banks do you guys bank with?
It’s a shame there isn’t a place or building on the high street in most towns and villages where you could pop in and talk to your bank manager. Oh.
If you got a random password from your bank (that you hadn't asked for) at the same time as someone phoned and asked for your pin would you not be suspicious? Every single time I log in I get a message telling me not to disclose my pin to anyone, not once, not once in a while - every single time.
Both Lloyds and Halifax have a system where you have a password and they ask for three characters/digits which are different every time, it’s not like a conventional PIN.
And if I get a call from my bank, it’s almost always from an unidentified number, but as soon as I hear the voice I know exactly who it’s from, because I’ve had the same personal account manager for years, and her voice is instantly recognisable, which is probably as secure as it gets.
I just hope she stays in the job for as long as possible!
How do you know she’s your account manager? Maybe she’s just a crim in deep cover ! 😂
Any texts from my bank explicitly say dont give the code to anyone
Same here, I often get them to confirm online transactions and every single one makes it very clear the code shouldn't be revealed.
That's from
Don't most online accounts need a username/customer number? How do they get that?