Phone Phishing

My bank phoned me yesterday. "Hi, this is Dave from [your bank]". But was it? It's easy to determine if an email is fraudulent because so far they've all been done really badly ("Dear Cahoot Customer" rather than my name, badly hidden links in the HTML etc), but other than hanging up and then phoning back I'm not sure what can be done about phone calls.

How do uk.finance readers verify that the person talking to them is who they say they are? I can predict a market in the future for some kind of auth software, perhaps based on voice analysis or encryption.

Fred Bloggs

Ask them for details they should know and scammers wouldn't, e.g. when did I open the account, what is the balance, what was the last credit etc.

I've had a couple of calls claiming to be from BT, the first thing they wanted to do was ask *me* questions to verify to them who I am. The first question was the address. Now this is a pretty stupid question for BT to ask since they should know what address the number is at, so the person answering will be at that address so will almost certainly know it, whether or not they are the real account holder.

Anyway before answering I demanded they prove who they are to me. I asked them to give me my BT account number, or a couple of digits of it. They couldn't or wouldn't. Either it was some sort of scam or BT are being thick as pigshit.

Andy Pandy

No you just call them back, or have a pre-arranged password for them to tell you, most call-center banks offer it.

Jim.

Jim Ley

I had one of these from the IR a few weeks ago - they would not tell me anything until I provided them with details. I would not provide them with details until they proved to me they were the IR.

John Smith

"Andy Pandy" wrote in message news: snipped-for-privacy@eunomia.uk.clara.net...

Well, no contest there then :-)

Tumbleweed

My favourite is Morgan Stanley credit card who are (or were) extremely security conscious and used to phone me on my mobile if I'd made more than one transaction in the same place within a few hours. The call used to start something like

MS "Hi this is Morgan Stanley, we need to discuss your account, can you give us your password"

Me "No, you could be anyone"

MS "It's Morgan Stanley sir, we need to discuss your account, but before we can we need your password, it's the Data Protection Act you see."

Me "You rang ME, you must know who I am"

MS "Yes but we need your password before we can discuss anything."

Me "I don't particularly want to discuss anything with you. Don't you consider it a security risk if you habitually phone people up out of the blue and ask for their passwords? You could be anyone."

MS "It's Morgan Stanley sir..."

.......

Had another one from Orange today wanting to discuss my business's account, demanded my password though before they'd discuss anything with me. I said when I required any more services on the account then I'd be happy to call them back and give my password. The poor girl seemed most upset.

How can these idiots tell you not to give out your passwords and personal details one minute and then ring you up demanding them the next? How are you meant to tell whether they're halal or not?

Andy

Andy Lord

and they often call with number withheld, unavailable or international. They could at least have a presentation number of the number which you have to ring to contact them. I have also had it where someone rings and leaves a message on the answering machine, saying they are from X financial institution and they leave a number to phone them back on. But this number is *not* the one listed on the card or any statements etc. When phoning back you have to go through the identification phase. Again, this could easily be a phishing attempt as criminals could easily set up a phone line and announce themselves as X when someone calls and then obtain the information from them. I think that there should be a single, well publicized number on which to contact all the different departments of the financial institution - or they should publish all the contact numbers for different purposes on the statements. Also when they call you they should present this single contact number as the caller-id.

Graham Murray

A couple of handy methods:

1) Offer to call them back. Ask them for their full name, and a direct number. Then ignore the number they give me, and call the main access number. If the company disavows any attempt to call me, I'll check with them whether the number given to me would be likely to be one of theirs. (I'll probably ask them whether the name's one they recognise, too, but that's not such a useful data point, because known employees can be impersonated.) If not, it's time to pass the given number over to the Fraud Squad (sneaky, huh?);

2) Ask them an "authenticator question", explaining that they have to authenticate with me first, as I don't hand out security-sensitive information to anyone who cares to phone me. What would comprise an authenticator question would depend upon who they claim to be, but it wouldn't be anything that could easily be obtained by an inspection of my bin, my filing cabinet, the telephone book, my Web sites, or intercepted postal mail. For obvious reasons, I'm not going to broadcast the sorts of things I might ask.

Jon

Jon S Green

Well, if they're upside-down and drained of blood ... I wouldn't be in the least bit surprised...

Jon

Jon S Green

FWIW apparently there is now the capability to forge the caller ID, so it could look like the bank but it might not be.

Tumbleweed

Same here with some losers calling themselves Disability Care, which may, or may not, be some sort of DSS quango. Wanted my bank details for the new chip and pin benefit payment system. I gave them short shrift.

Tiddy Ogg

The same way I verify all people who I don't know. "I will call you back immediately." Then you check the number in the phone book, phone and ask for them personally.

robert
