You receive a call on your phone. The caller says they're from your bank and they're calling about a suspected fraud.
-
Happy Thanksgiving! 🦃 replied to Terence Eden:
@Edent to me it would be an obvious scam bc I don't have banking apps on my phone.
-
@Edent ahhh that's really nasty. Thanks for sharing
-
@Edent I once transferred a large amount of money from my phone. Immediately I got a call from an unknown number. Due to my past experience with unknown numbers, I decided to hang up.
Later, becoming curious, I checked the number on TrueCaller and found that it was from my bank.
Maybe they called to confirm that it was actually me who transferred the amount, or something bad happened?
I immediately checked all the transactions and found nothing suspicious.
-
@Edent Lol. They have my number already. That proves nothing other than the chance that they’re especially crafty scammers. If it is your bank - they’ll send you a postal letter on letterhead with a name and number to call or an in-app message that you’ll see upon login. @lisamelton
-
@Edent test
-
@Edent This two-factor authentication is useless when both factors go to the same phone. One of my banks does this, and I can't figure out why they think it is secure.
-
@Edent I'm sitting here in 2024 wondering why we still don't have authenticated caller id.
-
@Edent My bank or any other entity I do business with (cable, doctor etc), I hang up and call them using a number in my phone.
-
Tristan Slominski replied to Terence Eden:
@Edent "If someone called you and you did not call the bank, hang up and report fraud" at the beginning would help.
Directionality is important in this protocol and needs to be of prime importance.
-
Pass the Dutchie replied to Terence Eden:
@Edent I got a call saying it was my bank. Almost got me. But I decided to call my bank and hung up. The bank said they will never call me. The same scammer called me several more times trying the same tactic.
-
@Edent
My bank just went out of business. So I'm protected from this scam.
-
@infosec_jcp 🐈🃏 done differently replied to Terence Eden:
This speaks to a CNE either in the app being targeted, or #StateSponsoredMalware already on the phone, and this is just the #SSM being used with a phone call to get you to authorize and give the passcode to scammers for later banking behind the scenes. Alert Chase Bank via the number on the back of the card and cease using the banking app until you clear the SSM off your phone.
Banking-class security doesn't deal with SSM very well in my experience. Alerting them CAN help their fraud department and let them know to monitor, so monitor your in/out on your accounts and look for anomalies like recurring charges, or cloned-card behavior using gas stations and off-bank ATMs.
-
Terence Eden replied to @infosec_jcp 🐈🃏 done differently:
@infosec_jcp @Ric
It isn't SSM. It isn't a vulnerability in the app. Read the rest of the thread.
-
@Edent I'd say out of the gate, "Oh, I'll be right there!" Then I'd hang up and call my bank directly. Because I don't believe anything that comes in a phone call or email unless I instigated it from a system I'm familiar with and it's simple, like verifying a doctor visit, etc.
-
Glitzersachen.de replied to Captain Janegay 🫖:
@CaptainJanegay @Extelec @Edent
It's a man-in-the-middle attack. And quite obvious in my opinion.
Only proper reaction: I call you back, gimme a number and your name. Then phone via the front desk of your bank.
-
@Edent @offby1 it is so frustrating, seeing this q and immediately knowing what the scam is and how to fix it and never being anywhere near proximity to the actual decision makers who can prevent stuff like this. Like please point me at a bank executive and let me give them a security design and threat modeling training, for the love of god
-
I wonder how long it would take for banks to put in security measures to prevent this if they had to pay for the losses, instead of passing them on to their customers?
"The scammer is on the phone to you.
Their accomplice is on the phone to your bank, pretending to be you.
Your bank sends you the notification.
You accept, and the scammers proceed to drain your account.
Someone has just lost £18,000 because of this."
-
@Edent Chiming in to say I experienced this scam with Capital One, who uses in app notifications or text messages for verification. I only barely caught on to it in time to tell them I'd hang up and call them back.
Come to find out, Capital One does not cold call you for suspected fraud under any circumstances.
-
Word of Mouth 🍄 :emacs: replied to Terence Eden:
@[email protected] Definitely. My habit is to receive the fraud notice call, then hang up, and dial the number on the back of my bank card. If it's really fraud, they'll know about it and we continue. Otherwise, it was a scam and I dodged a bullet.
-
@Greengordon
In the UK, banks often *do* have to pay.
https://www.theguardian.com/money/2023/jun/07/uk-banks-to-reimburse-victims-under-new-rules-regulator-confirms