I wish there was a coordinated public service campaign around "Hang up, Look up, Call back". I feel like if we could really ingrain those 6 words that it would go a long way to blocking these types of phishing scams.
Number one thing I tell folks in my security training is to never respond or click a link on an inbound message. Instead, look up your bank or service provider and make an outbound call (or direct URL navigation) to them.
I had a call from my bank, and before they could even tell me what it was about, they asked me to answer some security questions. When I pointed out how ridiculous that was, and I asked them to prove their identity first, they didn't even have a process for it. Calling back was also impossible since apparently there was no way to get connected back to the person with whom I was speaking.
I was unable to get back in touch with them, and a week later someone else called from the bank trying to do the same, and the same thing happened again. I refused to answer their security questions and they had no way to prove their identity.
The next time they called, they didn't ask for the security questions anymore and just got to the point immediately. They have never asked for it since. I wonder if I'm flagged in their database as someone who shouldn't be asked security questions.
It looks like you didn't even try it. In order to do what the GP described, when your bank calls you, you say nothing and answer nothing. You hang up and call back on a number you know.
> Calling back was also impossible since apparently there was no way to get connected back to the person with whom I was speaking.
You don't have to. You just ask the bank when you call them back: did someone just call me a little bit ago? What about?
If the bank can't answer that question, it's time to find another bank. Any reputable bank will be able to look at your file and see that a call was made to you and what the issue was.
> The next time they called, they didn't ask for the security questions anymore and just got to the point immediately. They have never asked for it since.
This does not look like success to me. It looks like failure. What your bank should be doing is sending you a message via some known channel--like the message center on their website, where you can see messages for you when you log in--telling you that there is an issue that you need to call them about. If you're giving information to someone who calls you out of the blue and says they're from your bank, you're setting yourself up to be scammed.
> It looks like you didn't even try it. In order to do what the GP described, when your bank calls you, you say nothing and answer nothing. You hang up and call back on a number you know.
I did do exactly that. I asked them for a reference that I could give when I call back. They couldn't give me that. I then did try to call them back, and said "someone called me about something just now, what was it?" and they were not able to tell me.
> If the bank can't answer that question, it's time to find another bank.
Thankfully, that's not my normal bank. This was the bank that has my car loan. That's my only interaction with them. It's unlikely I'll have more business with them.
> This does not look like success to me. It looks like failure.
Absolutely. This along with the other issues suggests that they value convenience over security. Also, this is not a small bank we're talking about.
I have never seen issues this bad with other banks, but the problem is that when there are banks that get away with this, that suggests people in general do not make a fuss about it and simply accept whatever people tell them on the phone. If nothing else, it proves why phone scams work.
If the bank didn't even have an answer when I asked them to authenticate themselves, that suggests very few people even ask.
Asked who? The people who called you out of the blue and you weren't sure it was legit? I wasn't recommending that at all. I said, explicitly, that you say nothing and answer nothing when you are the recipient of the call. You only say or ask anything when you are the one who initiated the call, to a number that you already know via some other information channel belongs to the bank.
> I then did try to call them back, and said "someone called me about something just now, what was it?" and they were not able to tell me.
Did they say there was any issue with your account? If there wasn't, then that would indicate that the previous call you got out of the blue was not legit. If they weren't even able to tell you that, then yes, this sounds like a really incompetent bank.
> You don't have to. You just ask the bank when you call them back: did someone just call me a little bit ago? What about?
> If the bank can't answer that question, it's time to find another bank. Any reputable bank will be able to look at your file and see that a call was made to you and what the issue was.
That won't help: all the phisher has to do is make a call at around the same time that the legit employee called you. The person you called back would probably not be able to tell you what the call should be about anyway.
The idea is to call the institution back, often customer service, or log in to your account and check for alerts or messages. If customer support knows nothing about the contact attempt, I presume it's not legitimate.
> The idea is to call the institution back, often customer service, or log in to your account and check for alerts or messages. If customer support knows nothing about the contact attempt, I presume it's not legitimate.
And I'm saying that even if the customer support knows about the call, that doesn't mean that the next call you get in 2m from the bank is legitimate.
In all cases, anyone reaching out to you from your bank should be treated as not legitimate. The only way to do this is to call the bank yourself, and get put through to the person who wants to talk to you.
Any other way including the way you said you'd do it is vulnerable to phishing.
You don't call the bank, check whether it's legitimate, then wait for them to call you again. You call, confirm that they were attempting to contact you, then complete the issue on that same call.
You're not wrong about the incoming calls, but I can't figure out who you're replying to. Nobody above you in the thread seems to be suggesting that the bank ever call you. And certainly not call again in a short time.
> I'm saying that checking with the bank doesn't indicate that a call was legitimate
If you call the bank, using a customer service number that's already known to you, either they will say there's an issue with your account or they won't. So calling them does tell you, indirectly, whether the previous call (that you hung up on and gave no information to) was legitimate or not. But more importantly, it tells you, regardless of the status of the previous call, whether or not there is an issue with your account, and that's what you care about.
Note that you never have the bank call you back in this scenario. You call them, and that's it. You don't call them and ask them to call you back.
They wanted to tell me that I hadn't made my loan payment. They were right about it. I did miss it. I had made a larger payment a few months earlier, and I hadn't resumed regular payments.
Most banks have separate customer facing departments and back office departments that process paperwork. In the full evolution of this setup the customer facing departments are basically useless, and answer your questions by putting you on hold while calling up a back office department. Getting the actual details of some issue is like pulling teeth with these arrangements, because the front end has no domain knowledge. But every so often a person from the back office will call you to ask a question and you'll get to speak to a real human who can intelligently tell you the status of an issue. And so when you get calls like that, your choice is to either just roll with their insecure process where they want to verify you but you don't verify them, or give up getting that additional visibility and ultimately spend more time on the phone working through the front end.
The issue I imagine here is that calling the bank can be costly both in hold time and in phone fees. If banks were able to remove this disincentive to call by ensuring that their phone lines have zero wait time, and offering to immediately call back to avoid billed-by-the-minute phone charges (or in the case that they already offer this, by making it clear to customers), then I think there'd be a larger uptake of the idea of "hang up, look up, call back".
As it stands, I’d be afraid of needing to wait 30 minutes in hold, and getting billed 30 minutes of call time by the phone company for the privilege. I’m not from the US, so it’s possible that your banks are doing this part better than the local ones, but that’s always the worry with the phone for me.
A citibank security call I received impressed me, they seemed to completely understand me wanting to call back and gave me instructions to get back to them through the phone menu of the corporate line (that I looked up). Iirc it included a case id that got you right back to the same security team.
On that note, I should name and shame T-Mobile USA. They called me back after my line got disconnected and proceeded to ask security questions to verify me and pretended to not understand my concern when I said how do I know you are who you say you are. They were calling me on my T-Mobile line.
While that's a real problem in general, I would think that for this particular group of people it might be less of an issue.
We are well paid, and as such majority of HN'ers should qualify for premier banking. One of the advantages in that is that you get access to quality in-house customer service, and may be able to call them directly from the banking app. (A really nice feature.) They tend to have good availability too. The plural of anecdote is not data, but I've never had to wait for longer than five minutes when I do have a problem that requires CS's involvement.
> I’m not from the US, so it’s possible that your banks are doing this part better than the local ones, but that’s always the worry with the phone for me.
Since the person is asking about what it’s like here I’m providing that perspective. In Canada banks also provide 1800 numbers so it should generally be free. I thought Canada has mostly unlimited plans but I haven’t had a Canadian phone plan in over a decade.
> The issue I imagine here is that calling the bank can be costly both in hold time
The solution to the time wastage problem is for the bank to have a better method of sending you information than random calls out of the blue. Most banks have a message center on their website, where you can see any messages waiting for you when you log in and can send messages in reply.
This is why I have a credit union with multiple locations nearby. They only have one phone number for customer service and I know it by heart. Good luck scamming me over email or text, at least when it comes to my bank account :)
Obviously if your bank asks you to "verify" yourself after they've called you, it is 99% chance of being a scam and you just tell them you're going to call back and if they get desperate sounding it is 100% a scam.
It immediately eliminates anyone not thinking to spoof-call the GP's small credit union. Given that most of the scammy calls I receive are about accounts with places where I don't have accounts, I don't think that level of targeting is the norm.
I have absolutely been called by Bank of America, both by an automated "did you really do this?" sort of fraud detection, and by a human calling to tell me my card number was known to be stolen and make arrangements.
Heck, I'm pretty sure I've gotten sales calls from them as well, though I never stay on the line long enough with those to be sure.
Same here. I also have a BoA account for most of my day-to-day stuff.
I use credit cards (in particular, an Apple Card) for almost every transaction. In fact, I seldom carry cash, which has been a problem, from time to time.
I won’t use Venmo, or PayPal with direct bank account connection. It has earned me scorn, but you really only need to have a problem once, to learn religion. I don’t use credit cards for Venmo or PayPal for cash transactions, because cash advance fees.
I always pay my account in full, every month. It also means I get Apple Cash, for a slush fund.
I do use direct bank account connection for a few things like utility bills, but that is a fairly primitive setup process, where there is no doubt about the other end. Even so, many outfits now allow bill pay, via credit card.
I've been called by Chase and at least one other for fraud alerts. If I recall correctly, the Chase message instructed me to call back using the number on my credit card.
It is not correct that banks will never call you in the US.
However, a bank should not ask you to verify your identity when they call you. This is the missing piece. If anyone calls me, I should not give them any information they don't already have. If they are the fraud department, they already know everything.
What are they calling about? Just curious - it seems like I’m wrong. Also maybe there is opportunity to develop some service for them so they do not need to call.
I think it will work way better when companies plainly stop calling customers at all.
As it stands now I receive ‘legitimate’ calls from a credit card company to open new options on my account. Or from my phone company to switch my plan. And the interesting part is that as it is ultimately to improve the caller’s monthly numbers, they won’t offer the same conditions online or through mail, I tried. And calling back the same person is a royal PITA. So in some cases, it costs me to not deal with transactions on the phone, inbound, from a person I need to trust to be what they say they are.
Most cyber criminals have a script. They don't deviate from the script unless they think they have a potential home run. Even then, going from this to sending out fake mail correspondence... That's a whole different toolbox. 99%+ of the time they will not even consider it. Especially since it's not scalable.
I remember that scammers got in touch with my wife, trying to get personal info. It was fairly elaborate. She got a call from a man that she said had "a golden voice," followed by official-looking mail correspondence (very quickly, which was suspicious in itself; it can take many days for my bank to get me correspondence). They had our home phone number, her name (not mine), and address; either through public records, or via a breach (which is why "they didn't get customer credit card info" is a worthless reassurance).
It was “Synchrony Bank,” telling her she was victim of a fraud. I contacted the real Synchrony Bank, and let them know about the fraud. The contacts stopped.
Unfortunately, financial companies act outside of best practices, which makes it impossible for the consumer to distinguish.
After being transferred during after hours, American Express asked me for some unnecessary information and I hung up. I called back and got someone different with a local US accent and I told them what I encountered and they said that's normal (facepalm).
I called back during normal business hours and the more expected experience occurred.
You can hardly teach a large part of the population how to drive a car and use the indicators when switching lanes. How can you expect to be able to teach them security processes?
The only working approach would be to make a law that phone companies must ensure that caller numbers cannot be spoofed in any way and make them responsible for losses due to spoofed numbers.
And require that banks publish which phone numbers they call customers from (like SPF is for email), and do so in a format that mobiles can use. So the mobile can show the customer "this is really your bank" or "unknown caller".
Has there been a breach of credentials associated with clicking on a link and having Firefox or Chrome fill in your password saved from the site? I am pretty paranoid, but if Firefox says it's able to fill in a saved credential from this site I assume it's probably the right site. Now, I am paranoid enough that I don't do this for sites with a lot of downside like banking or the like... those are a strict "I'm calling the number on the back of the card or looking up the number from their website" kind of thing.
Firefox/Chrome will link the saved credential to the domain name, so unless your bank lost control of its domain name, that's an unlikely attack vector. To be safe you can confirm that you're on the right site by manually looking up the domain name.
Yeah, that I get, but I am curious if there is a more subtle hack or technique that would bypass that somehow. Like a MitM attack or something more clever.
I recently heard about an incident where hanging up turned out to be more difficult than it should have been. Stay calm. Call from another phone perhaps?
If you don't have another phone would it be safe to first call some other known number and see if that goes through?
If it does, then you should be able to infer that the previous inbound call has (probably [1]) hung up, and it is now safe to call your bank.
[1] A sophisticated enough scammer could hold the line, give a fake dial tone, detect that the number you are dialing is not the bank number they expected you to dial, dial that number themselves on a different line, and relay between that line and yours to convince you that you really did have a clear line, and then keep holding the line when you then hang up and try to call the bank.
The tricky bit is I know some legitimate departments of my bank follow this policy -- so if they make an outbound call to me, they will trust what I say on the phone, but if I hang up and call them back, they will take down my number and call me back later.
I tried to buy something, but it was a large amount - over my normal usage. I had to call the bank, and they said "we're sending a code to your phone..." and the text message said "DO NOT share this code. We will NEVER call you or text you for it. Code xxxxxx. Reply HELP if you didn't request it."
So... they then say "what is the code?" that specifically says "DO NOT share this code". I know what's going on, mostly, but it was still confusing.
It’s worth pointing out that if you are not the one initiating the call, then this is a legitimate attack vector, and not just via SMS text message or email two factor but also any type of OTP. The attack goes like this: (1) given that the whole point of two-factor auth is to prevent access to your account in the event that your primary authentication tokens (usually a username and password) are compromised, let’s assume for this attack that a bad actor already knows your username and password. (2) the attacker calls you up and says “this is <your bank>”, then (3) the attacker logs into your account with the username and password they already know (4) this either triggers an email or text message with the second factor, or if you use a hardware token or an app then the code is available there. Either way, the attacker requests you to read back the code over the phone (5) the attacker uses this secondary code to gain access to your account, and can then take any action including changing your password and 2nd factor setup. I think this is the reason security teams set up these messages to say things like “NEVER share this code!” and the like.
It was definitely poorly written. It's correct, since they never called you, it was you who called them. But it does raise the question as to how to teach people that who initiates the contact is very important and completely changes the security analysis.
The message should have read "You were speaking to one of our agents who indicated in the last minute or so they would send you a confirmation code. The code is XXXXX. Do not give this to anyone unless you initiated contact with our bank." Or... something closer to the actual scenario as it was playing out.
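As an added example for the relay attack laid out in steps (1) to (5) above, and for the contextual wording suggested in the last comment, the following Python model is not code from the thread or from any bank: the `Bank` class, the session format, the SMS text and the account data are all constructed for illustration. It shows that a one-time code authorises whichever session requested it, so a customer who reads the code to a caller hands that caller the session, and it shows a message that names the requesting session so the mismatch is visible.

```python
"""Model of an OTP relay (real-time phishing) against a bank login.

Added example; the Bank class, session format, SMS wording and account
data are assumptions constructed for illustration, not any real bank's.
"""
import hmac
import secrets
import time

OTP_TTL_SECONDS = 120


class Bank:
    """Toy bank back end: password first, SMS one-time code second."""

    def __init__(self, accounts):
        # accounts: {username: {"password": str, "phone": str}}  (constructed)
        self._accounts = accounts
        self._sessions = {}   # session_id -> pending login state
        self.sms_outbox = []  # (phone, text) messages "delivered" to handsets

    def start_login(self, username, password, client_description):
        """First factor.  On success a 6-digit code goes to the phone on file
        and a half-open session is created for *this* client, whoever it is."""
        acct = self._accounts.get(username)
        if acct is None or not hmac.compare_digest(acct["password"], password):
            return None
        session_id = secrets.token_hex(8)
        code = f"{secrets.randbelow(10**6):06d}"
        self._sessions[session_id] = {
            "user": username,
            "code": code,
            "expires": time.time() + OTP_TTL_SECONDS,
        }
        # The code authorises the session that requested it, wherever the
        # handset that receives it happens to be.  The message therefore names
        # that session's origin so the recipient can spot a mismatch.
        text = (f"Your login code is {code}. It was requested by: "
                f"{client_description}. Do NOT share this code; we will never "
                f"call you and ask for it.")
        self.sms_outbox.append((acct["phone"], text))
        return session_id

    def complete_login(self, session_id, code):
        """Second factor.  The code is single-use: it is burned on any attempt."""
        sess = self._sessions.get(session_id)
        if sess is None or time.time() > sess["expires"]:
            return False
        del self._sessions[session_id]
        return hmac.compare_digest(sess["code"], code)


def extract_code(sms_text):
    """What the victim reads aloud: the 6-digit code in the message."""
    for token in sms_text.replace(".", " ").split():
        if token.isdigit() and len(token) == 6:
            return token
    raise ValueError("no code in message")


def relay_attack(bank, username, password):
    """Steps (2)-(5) from the comment above.  The attacker already holds the
    password, starts a login from their own machine, the bank texts the real
    customer, and the 'bank representative' on the phone asks for the code."""
    attacker_session = bank.start_login(
        username, password, "web login from a new device (Linux, Chrome)")
    phone, sms = bank.sms_outbox[-1]   # lands on the victim's handset
    relayed_code = extract_code(sms)   # victim reads it to the caller
    return bank.complete_login(attacker_session, relayed_code), sms


def demo():
    bank = Bank({"alice": {"password": "correct horse", "phone": "+15550100"}})
    return relay_attack(bank, "alice", "correct horse")


if __name__ == "__main__":
    success, sms = demo()
    print("attacker logged in:", success)
    print("victim's phone showed:", sms)
```

The bank's check is sound on its own terms (right password, right code, unexpired, single-use) and the attacker still gets in, because nothing in the exchange ties the person on the phone to the session the code belongs to. The only defence the victim has is the context in the message: "requested by: web login from a new device" while they themselves are on a phone call and have not opened a browser, which is exactly the mismatch the suggested wording above is meant to surface.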