When banks call to verify your details how do you know the call is legitimate?

14 points by blurr 3 days ago

I got a call from my bank claiming that they're discontinuing physical credit card statements and asking for my email to send statements via email. Then they proceeded to also ask for my date of birth and home address to "verify details" after making the unsolicited call. It felt off but the call came from within the bank. When I said I don't want to give the information over this call, they implied that I'll be inconveniencing myself and will have to go to a physical branch to verify my details and be able to receive credit card statements via email.

If the bank is actually initiating this, they shouldn’t be asking for personal info like DoB or home address over unsolicited calls. To the person receiving the call, it sounds like a phishing or social engineering attempt.

My assumption is that the bank's process is flawed and this wasn't a phishing attack. Can anyone recommend what best practices banks can follow to ensure safety for both customers and banks in such cases?

dv_dt 3 days ago

For info exchanges like this, you should always insist on calling them back at a number listed on their card or website.

If they cannot do that then it's a scam or you should change banks

  • blurr 3 days ago

    Yes, I asked the caller to give me a bank number to call back, to which she replied that they don't have a dedicated line for that purpose (???) and that I had to physically go to a bank to get it done. I'll be changing banks for sure :/

    • pwg 3 days ago

      > Yes, I asked the caller to give me a bank number to call back

      Don't do this either. If the caller was a scammer, they can give you a number that would call them back, and now they have you "hooked" because you think you've called your bank, when you really called the scammer back.

      Call them back on a number printed on your statements or a number you retrieve, independent of this caller, from the bank's website.

      • genocidicbunny 3 days ago

        At most, you can ask if there's an extension you can dial after you called their public number to skip the phone menu. But yeah, otherwise, the same principle should apply here as with any user-input fields -- do not trust them.

      • blurr 3 days ago

        Understood, thanks!

    • creamyhorror 2 days ago

      What country is this? It doesn't sound like a banking sector with mature security practices. Major banks in developed markets should have tightened their customer workflows by now.

GianFabien 3 days ago

I treat all unsolicited calls asking for personal information as scams.

Scammers can spoof calling numbers to make it look like it came from your bank. Basically everything they say on the call should be treated as being fraudulent. The scripts have been tailored to use a variety of psychological tricks to fool you.

  • Terr_ 3 days ago

    Yeah: Any legitimate institution will have no problem giving you information (like an extension-code) that you can use to re-contact them back via official channels. (This does depend on not being tricked by going to a fake website with fake contact-info, of course.)

    Anyone who threatens you with fines/arrest/whatever for ending the call early is a scammer.

    • trod123 3 days ago

      This isn't necessarily true.

      For example Equifax's TheWorkNumber won't do this (companies that don't do background references/verification of employment use this service), and their representatives and processes seem to follow similar practices employed by scammers.

TowerTall 3 days ago

A bank will never call you regarding this. They will send you a letter asking you to call them. In my case when the bank want to get in contact with me they send me a message through their online banking app.

  • bcrl a day ago

    My bank now sends alerts and verification codes via SMS. SMS should be assumed to be completely compromised given that it runs over SS7. 2FA using SMS is worse than an uncompromised password. I am disappointed that more and more banks and websites forcibly allow password recovery using nothing but SMS, but it seems like I'm just tilting at windmills.

  • blurr 3 days ago

    It's quite possible that they do this for their online customers— it's a reputed bank here. I'm just using the bank's credit card and don't have a bank account with them, so I don't have access to their banking app.

    • JojoFatsani 3 days ago

      That seems strange. There should be a portal for the credit card somewhere.

      Anyways. Remember, you are in charge. You can always say you need to hang up and call the branch. If the service issue is serious, it can be handled at the branch or via an officially published bank phone number.

      Trust no inbound call.

      • AStonesThrow 3 days ago

        I've been contacted by my clinic before, by a nurse who's following up from labs or something. And it's tricky, because they need to be cagey for HIPAA reasons. A lot of times, a clinic leaving voice mail to confirm an appointment won't actually say what the appointment is for or who it's with, because that's giving away too much info. The nurse calling me needs to confirm that she's got the right person, so she asks for my name and DOB right off the bat.

        I call it "authentication détente", because both sides of a phone conversation are no longer trustworthy enough to bootstrap a trusted connection. I say, just use some authenticated messaging on the Internet instead.

        It is not uncommon for the fraud department to reach out to you when their heuristics have flagged possible fraud on your account or card. They will quiz you about your most recent transactions. They already know who you are. They shouldn't need to ask you about PII, just transaction details.

        But it's helpful if you can recall what you've been doing with that card. You will always have the option to contact them via the number published on your card, but time is of the essence in catching fraud, or helping to clear a legitimate transaction.

        • TowerTall 3 days ago

          > It is not uncommon for the fraud department to reach out to you when their heuristics have flagged possible fraud on your account or card.

          Which is something they should do but if they do that through a phone call the wise action is for you to hang up and call them back using their main switchboard number.

      • blurr 3 days ago

        >That seems strange. There should be a portal for the credit card somewhere.

        Yeah, they don't. The bank seriously needs to up their game.

        > Trust no inbound call

        This needs to get on their website :)

7222aafdcf68cfe 3 days ago

Banks do not do this. It sounds like a phishing attempt because it is.

Imagine the cost of calling every single client individually. If something like this would change, they would send a letter.

Don't forget that spoofing caller ID of telephone numbers is possible.

k310 3 days ago

Here's what's on the Patelco site. It's good advice. Since the contact numbers are theirs, just go to the home page of your bank and look for info on phishing and Financial Institution Spoofing.

Their contact info should be easy to find.

https://www.patelco.org/financial-wellness/fraud-center/fina...

Biggest take-away:

3. Don’t share your personal information when you didn’t initiate the conversation

Whether by text, email, or phone, WE will never call you for personal information like:

  • Your online banking password
  • One-time Passcodes for transactions, registrations, or logins
  • Your card PIN, security code, or full card number
We may call you to verify something, but we won’t ask you for the information above unless you initiate the conversation or request we contact you.

  • blurr 3 days ago

    Appreciate the insight, thanks!

pests 3 days ago

The only time I saw this handled correctly, and I forget the company now, worked like this:

They would call you and then want to verify themselves to you. You would be asked to open the company's app. The app noticed you were in a support call and had a link at the top taking you to the support section of the app. The caller would then read you a code you would type in and it would let you know if the call was legit.

  • _ah 2 days ago

    This can be easily attacked with two scammers executing a MITM attack. One calls the bank to impersonate you and steal your money, the other calls you to get your app code.

  • wruza 3 days ago

    Correctly? Try explaining to your grandparent that they should open the app and type in some codes while on a call. This habit will expose them to a whole class of attacks.

    The only proper way is to send push to that app with the information about the issue.

    • pests 2 days ago

      They would also offer to hang up and when the person finally found the official number and called back, that same code could be given back over the phone to reconnect to the original agent. Or they could go through whatever process they want.
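The in-app call verification described in this subthread, written out as an added simulation (not code from any bank or from any poster here). It assumes a hypothetical bank-side registry where an agent registers an outbound call before dialling and gets a short-lived, random code bound to the customer it concerns, the agent and the stated reason; the customer's app checks the code and shows who is calling and why, and the same code routes a call back on the published number to the original agent. The customer ids, agent ids and reason text below are constructed sample values. Note what the check does and does not prove: a valid code shows the bank has an open call about this customer, not that the voice on the line belongs to that agent, which is why the app displays the recorded reason for the customer to compare against what the caller claims.

```python
"""Simulation of an in-app verification of bank-initiated calls (hypothetical)."""
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional


@dataclass
class CallSession:
    customer_id: str   # the customer the call concerns
    agent_id: str      # the agent who registered the call
    reason: str        # shown to the customer in the app
    expires_at: float  # codes are short-lived
    reconnected: bool = False


class CallVerificationService:
    """Bank-side registry of outbound support calls (in-memory, for illustration)."""

    def __init__(self, ttl_seconds: int = 600,
                 clock: Callable[[], float] = time.time):
        self._ttl = ttl_seconds
        self._clock = clock  # injectable so expiry can be tested deterministically
        self._sessions: Dict[str, CallSession] = {}

    def open_call(self, customer_id: str, agent_id: str, reason: str) -> str:
        """Agent registers the call before dialling; returns the code to read out."""
        while True:
            code = f"{secrets.randbelow(10 ** 6):06d}"  # six unpredictable digits
            if code not in self._sessions:
                break
        self._sessions[code] = CallSession(
            customer_id, agent_id, reason, self._clock() + self._ttl)
        return code

    def verify(self, customer_id: str, code: str) -> Optional[CallSession]:
        """App side: the session is returned only if the code is live and
        was issued for this customer; anything else proves nothing."""
        session = self._sessions.get(code)
        if session is None:
            return None
        if self._clock() > session.expires_at:
            del self._sessions[code]  # expired codes are discarded
            return None
        if session.customer_id != customer_id:
            return None  # a code issued for someone else's account
        return session

    def reconnect(self, customer_id: str, code: str) -> Optional[str]:
        """Switchboard side: the customer hung up, dialled the published
        number and quotes the code; route them to the original agent once."""
        session = self.verify(customer_id, code)
        if session is None or session.reconnected:
            return None
        session.reconnected = True  # single use: the code cannot route a second caller
        return session.agent_id


if __name__ == "__main__":
    svc = CallVerificationService()
    # Constructed sample: agent-7 calls customer cust-42 about a flagged transaction.
    code = svc.open_call("cust-42", "agent-7", "possible fraud on card ending 1234")
    session = svc.verify("cust-42", code)
    print("app shows:", session.agent_id, "-", session.reason)
    print("callback routed to:", svc.reconnect("cust-42", code))
```

The app should display the agent and reason rather than a bare "legit" tick; a caller whose story does not match the recorded reason, or a code the app cannot find for this customer, is a reason to hang up and dial the number printed on the card.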

tacostakohashi 19 hours ago

Tell them you don't have a computer or an email address. Say you prefer receiving mailed statements, and have no interest in saving them less than a dollar each month, but they're free to close the account if that's important to them.

tomcam 3 days ago

Scam. No reputable bank will do this.

mig1 3 days ago

I had an incident with a debt collector once (UK); they called me saying I had some pending parking tickets to pay and asked for my address, DoB, etc. to confirm it was me. I refused and asked them to tell me the details they had; they refused.

This kept going on for about a year, the legal limit they can chase a debt, so at that point they gave in and shared the details and, as it happens, it wasn’t me. I don’t even own a car, which I mentioned multiple times.

Anyways, I’d never share my details over the phone if I’m not fairly certain who’s on the other side. This company was legit but had very suspicious tactics.

sschueller 3 days ago

A bank won't make the effort to call people. They would send out a letter that they will change it and if you don't want it changed you have x days to contact them.

euroderf 3 days ago

My bank's phone app (in Finland) has a feature to authenticate a call from the bank.

(I've only actually used it once - a couple of years ago - so I'm sorry, I can't recall how it worked or what exactly the authentication procedure was.)

watwut 3 days ago

I stop the call in similar situation and call the bank to verify.

akulbe 2 days ago

You call them. Full stop.

You have no other good mechanism to verify they are who they say they are, unless you initiate the communication.

nobodywillobsrv 3 days ago

Banks will never do this.

You should always verify with an app or by calling back.

Even with the apps, you might want to randomize the service worker in case of an insider criminal.

willcipriano 3 days ago

I don't pick up the phone for unknown numbers so I wonder what the plan would've been for someone like me.

  • killingtime74 3 days ago

    They ask you to call them back. They ask you to go to the website to look up the number yourself.

  • happymellon 3 days ago

    Calls I have received from banks have never been from Unknown Numbers.

carlosjobim a day ago

> Can anyone recommend what best practices banks can follow to ensure safety for both customers and banks in such cases?

You should never entertain any telephone interaction with your bank or any other organization, unless it was you who called them first. Just hang up. You can call them on their officially listed phone number when it suits you, or visit in person.