You receive a call on your phone. The caller says they're from your bank and they're calling about a suspected fraud.
-
Terence Eden replied to Ric Harvey 🇪🇺🌍💚
@Ric actual Chase app.
-
@Edent I think I’d be taken in by that. My thought was: why do they need to check they’re on the phone to me if *they* called *me*? But on balance I’d decided it was just poor wording or an ill thought through system (both of which I still think, in fact!) so I wouldn’t have challenged it.
-
@Edent I had to look up what Chase is. As sophisticatingly horrifying as this is, I guess those of us who aren't with Chase are not vulnerable to this?
Yes, that was a legit question
-
@engravecavedave it depends. Does your bank's app send notifications like this? If so, you're probably vulnerable.
-
flabberghaster replied to Simon Wood
@simonwood @Edent one might assume even if they believed the bank was calling them, that they still need to confirm they got you and not someone else.
-
Simon Wood replied to flabberghaster
@flabberghaster @Edent I have had my actual bank call me, and then ask me (via security questions) to verify that I am actually me. I feel that was *training* customers to divulge information insecurely, as I had no way of knowing that they were who they were, and they wouldn’t have provided it if I’d gone along with their request.
-
Derick Rethans replied to Terence Eden
@Edent How and what is faked there then?
-
Terence Eden replied to Derick Rethans
@derickr nothing is faked in app. It is a genuine notification from your bank.
-
flabberghaster replied to Simon Wood
@simonwood @Edent yeah, same. I had told my bank I intended to travel internationally and then when I got there my card stopped working and they called me saying there was suspected fraud on my card. I knew it was legit because I called back on the number on my card, but I think it's bad practice to initiate calls.
-
Shannon Skinner (she/her) replied to Terence Eden
@Edent
The remedy is to hang up and call the bank directly, right?
-
Richard W. Woodley NO THREADS 🇨🇦🌹🚴♂️📷 🗺️ replied to Terence Eden
@Edent
Nothing in that image to prove it's actually your bank app.
-
Chris Ferdinandi ⚓️ replied to Terence Eden
@Edent Yea, I definitely think it's a scam.
-
@[email protected] in this example you can assume the notification came from the Chase application itself, the one installed on your phone.
For the sake of example you could also substitute this with an SMS 2FA; that is a similar attack vector.
-
@Edent Could be scam, no?
Method:
1. Scammer calls you and Chase at same time
2. Chase is unsure of scammer's identity, so sends them in-app 2FA dialog
3. You hit yes, and Chase thinks scammer is you
-
@zoe bingo!
-
Captain Janegay 🫖 replied to Extreme Electronics
-
funbaker #AssangeIsNotGuilty replied to Terence Eden
@Edent there used to be a time where they told customers at every possibility: our employees will never ask for your password etc.
I think they still do.
Wtf happened.
-
Terence Eden replied to funbaker #AssangeIsNotGuilty
@funbaker they haven't asked for your password.
You haven't given the person on the phone any details.
-
Lex replied to Terence Eden
@Edent I love this scam. The banks need to repeat the standard advice of never passing information to a caller about your account, ever. Their security advice is you must call back on their standard number.
It's definitely the bank's failure to not make this explicit on the app notification. I hope they are rushing to fix it :blobsweats:
"We will never call you and ask for information"
-
dinosaurdigger replied to Terence Eden
@Edent no because i never answer my phone