You receive a call on your phone. The caller says they're from your bank and they're calling about a suspected fraud.
-
australopithecus replied to Terence Eden
@Edent
That is sneaky af. Good rule of thumb is: incoming calls are informational only, never "confirm" anything during an interaction that you did not initiate.
Two reasons this holds up:
First, remember that your bank doesn't even want to spend money on enough people to *answer* incoming calls, much less make outgoing ones. If your bank does need to contact you they'll probably just send an automated email or text.
Second, if your bank calls you, they already know it's your phone.
-
Terence Eden replied to Mister Moo 🐮
@MisterMoo
No, don't you understand? They're *far* too clever to fall for it! Not like all those normies…
-
A human being replied to Terence Eden
@Edent That is so clever, but so obvious when the scam is laid out in front of you. Ingenious.
-
Resting Facebitch replied to Terence Eden
@Edent The notification would freak me the living fuck out. I'd hang up, immediately transfer everything in that account to one of my other accounts and then ask the bank questions later.
That's provided I actually answered my phone in the first place.
-
Happy Thanksgiving! 🦃 replied to Terence Eden
@Edent to me it would be an obvious scam bc I don't have banking apps on my phone.
-
@Edent ahhh that's really nasty. Thanks for sharing
-
@Edent I once transferred a large amount of money from my phone. Immediately I got a call from an unknown number. Due to my past experience with unknown numbers, I decided to hang it up.
Later becoming curious, I checked the number on TrueCaller and found that it was from my bank.
Maybe they called to confirm that it was actually me who transferred the amount or something bad happened?
I immediately checked all the transactions and found nothing suspicious.
-
@Edent Lol. They have my number already. That proves nothing other than the chance that they’re especially crafty scammers. If it is your bank - they’ll send you a postal letter on letterhead with a name and number to call or an in-app message that you’ll see upon login. @lisamelton
-
Charles Johnson replied to Terence Eden
@Edent test
-
@Edent This two-factor authentication is useless when both factors go to the same phone. One of my banks does this, and I can't figure out why they think it is secure.
-
@Edent I'm sitting here in 2024 wondering why we still don't have authenticated caller id.
-
@Edent My bank or any other entity I do business with (cable, doctor etc), I hang up and call them using a number in my phone.
-
Tristan Slominski replied to Terence Eden
@Edent "If someone called you and you did not call the bank, hang up and report fraud" at the beginning would help.
Directionality is important in this protocol and needs to be of prime importance.
-
Pass the Dutchie replied to Terence Eden
@Edent I got a call saying it was my bank. Almost got me. But I decided to call my bank and hung up. The bank said they will never call me. The same scammer called me several more times trying the same tactic.
-
Douglas King replied to Terence Eden
@Edent
My bank just went out of business. So I'm protected from this scam.
-
@infosec_jcp 🐈🃏 done differently replied to Terence Eden
This speaks to a CNE either in app being targeted or #StateSponsoredMalware already on the phone and this is just the #SSM being used with a phone call to get you to authorize and give passcode to scammers for later banking behind the scenes. Alert the Chase Bank via the number on the back of the card and cease using the banking app until you clear the SSM off your phone.
Banking Class security doesn't deal with SSM very well in my experience. Alerting them CAN help their fraud department and let them know to monitor so monitor your in/out on your accounts and look for anomalies like recurring charges, cloned card behavior using gas stations and ATM off bank.
-
Terence Eden replied to @infosec_jcp 🐈🃏 done differently
@infosec_jcp @Ric
It isn't SSM. It isn't a vulnerability in the app. Read the rest of the thread.
-
@Edent I'd say out of the gate, "Oh, I'll be right there!" Then I'd hang up and call my bank directly. Cause I don't believe anything that comes in a phone call or email unless I instigated it from a system I'm familiar with and it's simple, like verifying a doctor visit, etc.
-
Glitzersachen.de replied to Captain Janegay 🫖
@CaptainJanegay @Extelec @Edent
It's a man in the middle attack. And quite obvious in my opinion.
Only proper reaction: I call you back, gimme a number and your name. Then phone via the front desk of your bank.
-
@Edent @offby1 it is so frustrating, seeing this q and immediately knowing what the scam is and how to fix it and never being anywhere near proximity to the actual decision makers who can prevent stuff like this. Like please point me at a bank executive and let me give them a security design and threat modeling training, for the love of god