Tangent: I used to receive at least a dozen bank scam calls per day in India, especially during insurance renewal. I wanted the banks to publish official phone numbers and mandate their employees to use only official numbers.
Recently the regulatory bodies did just that and so the banks should only use 1600 numbers to contact their customers. My bank scam calls have dropped to 0.
In France, basically every bank say (show in their app and everything) "if we call you and ask anything like code, confirmation, to do an action, anything, end the call and call us back, don't do anything on a call you didn't initiate".
Same in their app eg you try to do a sepa wire to a new recipient and you get a warning "are you on the phone with someone ? did someone ask you to do that ? please call your bank by pressing this button. By the way we will never call you to ask an auth code or to do a wire"
A few UK banks detect that you're on a phone call and show a message like "we've never called you" or "we are not calling you right now" in their app, I think that's really smart.
Here is a fun one, my mobile phone company has an account lock along with a pin and OTP over SMS system. In order for me to activate a new device (like an phone upgrade) with eSIM over the phone, I need to unlock my account with account lock, give them the pin over the phone, and read the SMS OTP to the mobile phone rep online. I get doing the account unlock and verbal pin, but I don't get why they ask for the OTP especially when they train us to never share the OTP over the phone. I even asked the rep about it, but he mentioned that you should never share the OTP if you did not initiate the service request. From a security posture point of view I think that stinks. I am not exactly sure how they expect SMS OTP to work in the case where my phone is not functional.
And then we have the national post office sending its notifications from the scammiest-looking domain they could find: noreply@notif-colissimo-laposte.info
In Turkey, if my bank calls me, they also send a push notification telling "We are calling you. The representative's name is $NAME. You can talk safely".
Unfortunately in the US, maybe elsewhere, pharmacies and medical offices have trained the elderly it’s okay to verify their dob when they call. Costco does that when they call and it drives me nuts.
Well, I could go with a different insurer that blatantly and brazenly lies about their network coverage[1], or I could go with one that doesn't, but still doesn't have my doctors in it, or I could go with the other one that people claim consistently denies care and coverage.
Also, if 'Just for a discount' isn't a reason to use them, do you have $3,000 lying around to wire me? If you do, I'll happily switch to a much more expensive insurer that meets my other criteria, and might or might not send me marketing materials disguised as fishing SMS. (I'll let you know if they do.)
---
Insurers aren't banks or ISPs or gas stations. They don't provide a fungible service that is nearly identical from one to the other. You can't 'just switch'. They are both heavily obfuscated, and heavily differentialized, because the healthcare 'market' is obfuscated and heavily balkanized.
And all of them are utter shit, but in different ways, and if you are lucky, you won't discover the ways in which yours is shit.
---
[1] How this isn't a statutory capital crime for anyone with the rank of director and higher, I have no idea. But the fact that the people orchestrating this are permitted in civil society does lead me to believe that maybe we don't live in a just world.
Knowing what numbers are real through an official publication is very good, but it only allows you to place trust in calls you make, not calls you receive, because making calls doesn't involve caller ID, receiving calls does, and caller ID is spoofable.
Ask them their name/ last initial, employee ID or unique identifier for the conversation, direct phone number, job title and what location they're based at. Scammers will pretty much always refuse/argue/hang up on this (once I had one start insulting my mother in Hindi when I asked him this). Then call your bank's proper number and verify all of these details.
(But in any case your bank will never call outwards to you, unless you've specifically requested that, which you almost never do.)
Unfortunately my UK banks (and others) DO regularly make calls to me unannounced and demand my ID to 'prove who I am'. They are not scam calls and the callers cannot understand what they are doing wrong. If I'd had more strength in the last round of this stupidity I'd have done a number on them with the regulator. (I used to work in finance and was the director of a regulated financial entity, so I think I'd have a head start.)
In the US Caller ID has been so hopelessly compromised (for almost two decades now, that's on Congress) that financial institutions almost never make outbound calls, and only ever use standardized published numbers; I wasn't aware other countries differ so much.
Please tell us more context with regard to your UK banks making multiple unannounced calls demanding your ID ... were you an individual customer? finance director? MD? or what? Why on earth do they do that? Have you told them in writing not to? There must be more backstory to that.
Banking example: trying to move some savings from one UK bank to another - back to where the money had originally come from, and that had just purchased the first bank too. It took 8h on the phone over a week or so to get the money back, which was interspersed with a comedic number of calls from withheld numbers and people unknown to me demanding enough info to get access to my money. And other very poor practice. The bank even conceeded at least once in writing that it knew that it was screwing up and sent me £100 by way of apology - but carried right on screwing up.
Non-banking: getting a call out of the blue from my Internet Service Provider again demanding enough credentials to get access to my (business) account, and unable to understand why that was very poor practice. I used to like that ISP a lot, and have been with it for a looooooong time, but the angry exchange with who seems to have been my account manager has soured the relationship a lot.
Happy note: just had a sensible interaction with my bank where it called me back but the caller understood why NOT to ask data that could be used to access my account, and we managed to resolve the issue that I was having (which, I think, was my error)!
My bank (big green French one) pretty much always calls me whenever I do some unusual money transfer, even between my company and my personal accounts (they're both with the same bank), even though the transfers are authenticated either via the app or by an SMS code. However, the people calling me don't ask any details, just "is this vladvasiliu? Is it actually you who initiated this transfer, for x amount on y date?".
What are they, then? Sales/marketing calls? Or some security notifications ("we noticed some suspicious operations in the last 3 days...")? If it's the former, that's still scam in my books. Specifically, it's a first-party scam, as opposed to a third-party scam, where some third party pretends to be your bank.
They both should be treated similarly; unfortunately, you can't report first-party scams to police.
In my experience they're security calls. UK has good opt out marketing rules for legit companies.
But the usual security call is exactly like a spam call, no authentication from their end, immediately requesting id verification "answer these security questions", and refusing to go off script.
People have been asking for years to be able to lodge a security challenge code on their profile that can add confidence in the caller. Given there are already multiple security questions on an account, this could be a process change: the security challenge script becomes "the first and sixteenth characters of your mother's maiden name are 7 and F, what are the third and fifth characters of your first pets name".
In the UK, banks like Starling, Monzo and Revolut (and building societies such as Nationwide) have added a call status feature in their apps [0][1][2] that tells you if they are actually the ones calling.
Yeah, this is a no brainer (and I think most banks let you verify via the app rather than personal info) to avoid the annoying uncertainty (but note my mother would not be able to handle that I expect)
No "challenge code" your profile can be used to authenticate a caller. Profiles get leaked, almost all of them have been at some point, or at least that's the safe assumption to operate under.
Yeah as sibling points out, lots of orgs have scammy official security calls. This leads to a dance I have been through quite often.
<phone rings, I pick up> Hello
Them: Am I speaking to Sean Hunter
Me: Yes
Them: This is <rubbish bank who should know better>. Can you confirm your <date of birth/full address with postcode>
Me: Yes
Them: Err, … sorry I didn’t quite catch that.
Me: Yes.
Them: <thoroughly confused>I asked whether you can confirm your <date of birth/full address with postcode>
Me: Yes. I can.
Them: err… I can’t talk to you without you passing security.
Me: You called me.
Them: I’m sorry…?
Me: You called me. You wanting to talk to me about something is your problem.
Them: I need you to pass security before I can talk to you.
Me: OK, well. Have a nice day. <hang up>
Almost this exact thing has happened multiple times with one of my bank accounts which I can’t completely shut because of boring reasons but I have basically deprecated because they do this sort of nonsense. My main bank now is much better.
One of my banks refused to talk to me over the phone and informed me to go to a branch with 2 pieces of ID. Fair, it was a credit card opened online.
Only to find the 2 pieces of ID were just for them to talk to me and ask for more documents. Rubbish like employment letters (uhhhh, how about YOU call my employer instead of me printing out the “letter” they’ll email me?) or tax return stuff mid-year.
I cut up the credit card and mailed the pieces to their legal department. Someone called me pretty quick and without any authentication hassles.
That’s wild.
If my bank needs something from me they send an email saying that a message is available in the online portal - or in some cases they send me a physical letter.
Anything else would be highly suspicious
I generally say at some point before terminating the call "you should not train your customers to give out account access credentials to strangers" and the caller usually has no clue what I mean. Does no one in the security teams have theory of mind?
This will be the way I bring up the issue with the regulator if I do. I can think of many ways round this issue that would be much safer and not especially arduous.
A few of the bank people that I spoke to during the last caper were pretty senior and those did understand the issue that I raised but found themselves constrained by their rules, though one or two got creative with me in a good way. (Pretty much none of those who called me were 'minimum wage' in my estimation.) But very more senior management should be setting good scripts and expectations for the less-well-paid staff doing the grunt work. That is what their higher pay should be buying, IMHO.
I dream of a time I don’t have a bank, or not in any traditional sense.
I’d been hunting for ways to use a Wisecard standoff a bank but got a bit wary of what would happen if they went bust. Government backed guarantee do not exist for Wise.
I ask them for all of that and their credit card details, mothers maiden name, name of their first pet, first school they went to, and what colour underwear they’re wearing.
I should probably learn how to insult their mother in Hindi too.
Or, which has worked great for me; just never answer the phone. If people need something they will email or chat. If not then it is not going to be important.
This. If people have a "real" reason to correspond with you they will have no problem making a record of it via a voicemail or text or email or whatever.
I've had friends that got into a spot of bother and tried calling from an unknown number. If it's a phone you can't text from, then leaving a voice mail with voice transcription is about the only way I'll know it's a friendly call
Nowadays, when banks call you here, they allow you to verify the bank is actually calling you with the mobile app - you can see their name and number they're calling you from in the app. Also, you can often verify you're you with the app too, same as any other app authorization, so you don't have to share any details over the phone. I feel like this is a pretty good improvement.
That does seem better than blind trust but that app infrastructure could get compromised. I would still be wary in any situation where I did not originate the call with the bank.
Ye, I only get called by banks when my transaction gets classified as potentially fraudulent (which pretty much just means that it is for a bigger amount of money) or some other even more rare situations like finishing a loan application. Still, I'd rather be double sure that it is the bank that's calling me because I don't want to assume solely based on the convenient timing.
If the app infrastructure is compromised, the bank is liable so it feels like less of a problem. If the app does offer authorizing through the app, I shouldn't be asked any personal details that my bank already knows so I (hopefully) would still be wary, if put in such a situation though. Obviously hard to know what I'd actually do unless it actually happens to me.
We have an app called bankid. If my bank calls me they'll ask me to open the app to auth, the app shows that the specific bank initiated auth and also says that they called me.
Same app is used to auth to government pages and all kinds of stuff online, even purchases.
That would take nothing to implement. Services like Truecaller already do live caller ID against databases on iOS / Android. All it would take is a sensible register of verified numbers
Won't stop people from trying to make Truecaller, et al. prove that, though.
The problem here is that the correct security posture of the bank against third-party scams also protects the customers from first-party scams. Telling people the bank will never call them for anything, and even if, they're to always hang up and call the number on the back of their card, works equally well against criminals and telemarketers.
I feel like this is kind-of a solved problem in the jurisdictions where banks are liable for customer losses not arising from gross negligence.
If a bank calls their customers directly and trains them to get phished, the bank does not get to claim gross negligence when this happens and has to refund the customer.
If a bank tells their customers that they'll never call them (and actually doesn't), they have much better chances of claiming gross negligence on the part of the customer.
"Hello, I'm calling from Blockchain, I would like to talk about your investment portfolio"
it weirded me out they would pretend to be from the underlying technology instead of an exchange or something. I kept thinking I should pretend to be the CEO of TCP/IP or something when they called.
Recently the regulatory bodies did just that and so the banks should only use 1600 numbers to contact their customers. My bank scam calls have dropped to 0.