You receive a call on your phone.The caller says they're from your bank and they're calling about a suspected fraud.

australopithecus

@Edent
That is sneaky af.

Good rule of thumb is: incoming calls are informational only, never "confirm" anything during an interaction that you did not initiate.

Two reasons this holds up:

First, remember that your bank doesn't even want to spend money on enough people to *answer* incoming calls, much less make outgoing ones. If your bank does need to contact you they'll probably just send an automated email or text.

Second, if your bank calls you, they already know it's your phone.

Terence Eden

@MisterMoo
No, don't you understand? They're *far* too clever to fall for it! Not like all those normies…

A human being

@Edent That is so clever, but so obvious when the scam is laid out in front of you. Ingenious.

Resting Facebitch

@Edent The notification would freak me the living fuck out I'd hang up, immediately transfer everything in that account to one of my other accounts and then ask the bank questions later.

That's provided I actually answered my phone in the first place.

Happy Thanksgiving! 🦃

@Edent to me it would be an obvious scam bc I don't have banking apps on my phone.

Franz Graf

@Edent ahhh that's really nasty. Thanks for sharing

Arun Mani J

@Edent I once transferred a large amount of money from my phone. Immediately I got call from a unknown number. Due to my past experience with unknown numbers, I decided to hang it up.
Later becoming curious, I checked the number on TrueCaller and found that it was from my bank.
May be they called to confirm that it was actually me who transferred the amount or something bad happened?
I immediately checked all the transactions and found nothing suspicious.

? Offline

@Edent Lol. They have my number already. That proves nothing other than the chance that they’re especially crafty scammers. If it is your bank - they’ll send you a postal letter on letterhead with a name and number to call or an in-app message that you’ll see upon login. @lisamelton

Charles Johnson

@Edent test

tdietterich

@Edent This two-factor authentication is useless when both factors go to the same phone. One of my banks does this, and I can't figure out why they think it is secure.

jmjm

@Edent I'm sitting here in 2024 wondering why we still don't have authenticated caller id.

Pete

@Edent My bank or any other entity I do business with (cable, doctor etc), I hang up and call them using a number in my phone.

Tristan Slominski

@Edent "If someone called you and you did not call the bank, hang up and report fraud" at the beginning would help.

Directionality is important in this protocol and needs to be of prime importance.

Pass the Dutchie

@Edent I got a call saying it was my bank. Almost got me. But I decided to call my bank and hung up. The bank said they will never call me. The same scammer called me several more times trying the same tactic.

Douglas King

@Edent
My bank just went out of business. So I'm protected from this scam.

@infosec_jcp 🐈🃏 done differently

@Edent @Ric

This speaks to a CNE either in app being targeted or #StateSponsoredMalware already on the phone and this is just the #SSM being used with a phone call to get you to authorize and give passcode to scammers for later banking behind the scenes. Alert the Chase Bank via the number on the back of the card and cease using the banking app until you clear the SSM off you phone.

Banking Class security doesn't deal with SSM very well in my experience. Alerting them CAN help their fraud department and let them know to monitor so monitor your in/out on your accounts and look for anomalies like recurring charges, cloned card behavior using gas stations and ATM off bank.

Terence Eden

@infosec_jcp @Ric
It isn't SSM. It isn't a vulnerability in the app. Read the rest of the thread.

EarthOne

@Edent I'd say out of the gate, "Oh, I'll be right there!" Then I'd hang up and call my bank directly. Cause I don't believe anything that comes in a phone call or email unless I instigated it from a system I'm familiar with and it's simple, like verifying a doctor visit, etc.

Glitzersachen.de

@CaptainJanegay @Extelec @Edent

It's a men in the middle attack. And quite obvious in my opinion.

Only proper reaction: I call you back, gimme a number and your name. Then phone via the front desk of your bank.

Glyph

@Edent @offby1 it is so frustrating, seeing this q and immediately knowing what the scam is and how to fix it and never being anywhere near proximity to the actual decision makers who can prevent stuff like this. Like please point me at a bank executive and let me give them a security design and threat modeling training, for the love of god