I'm sharing this in the hope that it might help others, and to assuage my total embarassment by doing something positive.
Last week, my banking app notified me that a large amount of my money had just been spent on Facebook. Now, I don’t even have an active Facebook account, so I knew that wasn’t legit.
I reported the transaction as fraudulent to my bank, and received a message from the support team that their fraud investigation people would be in touch.
Two days later, I received a text message from a sender ID that matched my bank’s name, saying someone from their fraud team would contact me about a direct debit
I was already waiting for fraud team call…..so when a call came through from someone who said they were from <my bank>’s fraud team and wanted to discuss ‘recently reported fraudulent transactions’ - I believed they were kosher. Also, I was travelling at the time, so I was distracted.
I confirmed my mobile number, my name, my date of birth and my address. And how much was in my account.
Mr Scumbag, which is what I’m calling the chap who called me, then started talking me through the process of ’protecting my account’. Well, that’s what he said - what he was actually doing was setting me up for the next stage of his scam.
He said my card had been cancelled (and when I looked in the app, it was - but the real fraud team could have locked it at any point following my disputed transaction report) and that a new one would be sent out.
Mr Scumbag sounded exactly like professional call centre workers rattling off a script they’ve run through ten thousand times before tend to do. Lots of assurances that it happens a lot and the bank would do everything they could to sort it out. "Don't worry at all", he said comfortingly. "Don't worry, we'll make sure you're protected. We take our customer security very seriously." Standard corporate bullshit phrases - including “this call is being recorded for training and quality purposes”, and gramatically-incorrect usage of ‘yourself’ (commonly misused as a formal mode of address in the customer support environments). Accurately describing some of the processes involved in investigating and preventing this kind of fraud. Yeah, this was one Oscar-worthy scammer.
Looking back:
I should have asked the caller to confirm the fraud report reference number that the actual customer support team had given me through the secure banking app. (That didn’t even occur to me)
I should have called back on my bank’s official fraud reporting number (which I might have done if I hadn’t been travelling at the time, and late for a dinner engagement)
He asked if I’d given out my banking details or passwords to anyone. “No,” I said “I work in data protection, so I’m very careful about who I give that sort of information to”.
How he must have chortled.
Anyway, I asked if he could call back the next day as I wasn’t in a position to start doing bank account admin things right then. Which apparently was fine, because the fraud support team worked 24/7.
Yeah, right. At the time I thought ‘wow, great service’. Now, it occurs to me that I’m not nearly super-rich enough to be accorded that level of dedicated customer support by a corporate entity.
He gave me his name and told me it was important I only spoke to him, as he was assigned to this particular case. Okay yeah, that should also have been a red flag. Sigh.
So, the next day, Mr Scumbag called back, but I was in a conference so I missed the call.
Then the day after, I got another text message from a sender ID that matched my bank’s name, saying that my account was being placed under a higher level of protection.
Then another text saying “your new bank account number and sort code are <number> and <code>” and ‘confirming’ the ‘senior manager’s name as being the name that Mr Scumbag me gave.
He called again, and told me that several direct debit setups had been attempted, but that the bank’s fraud detection systems had blocked them. He reeled off details of transactions that had allegedly been attempted but stopped by the system, and wanted to confirm that they were in fact fraudulent. I mean yeah, he’d obviously invented them to make his “I’m from the bank and I’m here to help” routine sound more convincing, and claimed the reason I hadn’t had any notifications was that they’d been detected and blocked right away.
(I don’t know whether transactions that have been algorithmically blocked as potential fraud would necessarily be notified to the account holder. Seems like they should be.)
"I can see from our fraud monitoring systems that there are two devices logged in to online banking with your credentials", he said. "One of them is an iOS device - that would be your phone, right? The other a Samsung tablet. Do you know what that device might be?"
(When he'd called previously, he'd asked me what device I was using for the banking app under the pretext of trying to work out how my card details could have been scammed for the fraudulent transaction. I'd forgotten that I'd actually told him I was using an iPhone, so I believed that he could see the logged-in devices - that's definitely not implausible)
Since my account my account had evidently been completely compromised, Mr Scumbag-pretending-to-be-from-my-bank said they’d set me up with a new account, and my new card was on its way - he just needed to activate the new account details - but not to worry, my direct debits and standing orders would all be transferred to the new account.
Now, I actually have no idea whether or not that’s a) even possible, or b) a thing that banks do, but it would have saved me a ton of excruciatingly dull admin, so I was pleased to hear it.
Then he asked me to download an app which was ‘approved for secure account verification’ processes like this.
The app was Anydesk, which is a remote access tool.
That’s the first red flag I recognised in real-time. I said no, and why did he need remote access to my phone?
He said that another device was logged in to the banking app with my credentials, which meant that my device was compromised so he needed to check it for malware before activating my account.
Warning bells began to tinkle faintly at the back of my mind. I was adamant. No remote access.
Not to worry, he said, it was possible to activate the new account details manually, but it would take a lot longer. I didn’t care about that, I wasn’t going to let some rando onto my device!
(To me, corporations directing customers to use WhatsApp for support enquiries is on the same level of entitled, cavalier, privacy-invading bonkersness as asking for remote access to customer’s devices would be. Companies asking customers to do stupid things for corporate convenience is not something that surprises me, so I perhaps wasn’t as suspicious of this request as I should have been)
As you may have guessed by now, the ‘account activation’ process involved setting up a new payee. I queried the fact that the new account details seemed to be with a different bank. “Oh, that’s a security measure”, he said. “Because there’s another device logged in to the banking app - which you say isn’t yours, so this is to disguise the new account details and stop them from being compromised too.”
I mean, that sort of made sense to my exhausted post-conference, travel-addled brain. I was primed to believe I was talking to a legit representative of my bank, and I really didn’t enjoy the thought of going through all this palaver again if my ‘new’ account info was compromised.
(Down in a locked basement, my subconscious was yelling and screaming that the sort code of the ‘new’ account was much too dissimilar to the one on my present account. I’m no expert on financial systems, but I do know that a sort code contains identifiers for the bank it’s assigned to and the issuing branch. I didn’t actually compare the ‘new’ one with the present one, but feelings of vague disquiet were mounting beneath my threshold of awareness)
The next step, he said, was to make a transfer to the new account to activate it, and to signal to the fraud systems that it was the right account. It was very important to enter the correct amount, as the fraud systems would only respond to a specific combination of numbers.
“Okay”, I said, expecting it to be 76p or something trivial like that.
He said. “Right; enter this number in. 9-3-5-“
“Er, hang on,” I said “you want me to transfer nine hundred-odd quid to this new account?”
“Yes,” he said and started telling me all about the ‘fraud systems’ again.
But I was like; hell no. And told him I’d be hanging up and calling the official fraud number because this didn’t sound legit at all. At which point Mr Scumbag hung up.
And I kicked myself hard for an hour, because in retrospect; there had been several warning signs that I’d just breezed right past without noticing or giving appropriate consideration to.
He didn’t get any more of my money - but he did end up with my name, my address, my date of birth, my bank account number, my sort code, and he may already have had the card details which were fraudulently used on Facebook in the first place.
Oh yeah, and then ten minutes later, my ACTUAL bank got in touch via the app and confirmed that they’d come to the conclusion the Facebook transaction was indeed a fraud that had now been refunded.
Lesson learned: when my bank says someone will be in touch, they mean that I’ll get an in-app message three days later. They will not call me within 24 hours.
Other things I should have spotted for warning signs at the time, but didn’t:
Mr Scumbag told me that the bank had investigated and found that my card details had been used on a website that was affected with malware - and that was why all the fraudulent transactions were happening. I happen to know that investigations like that take weeks, if not months - there is no way the bank could have traced the transactions to the source of compromise that quickly.
He said that the malware on the site my card details had been used on had spread to my phone and compromise my banking app. I hadn't used my phone to pay for anything online recently, but I had used my laptop. As far as I know, there is no way for web malware to pass from my laptop to my phone without my actually having connected the two or downloaded executable content. So that had to be incorrect.
An bunch of other stuff he’d said about banking and app security didn’t sound quite right - but this is where my ex-infosec-nerd knowledge actually worked against me - I’m so used to customer support and non-infosec company people mis-using security terms, misunderstanding infosec concepts or controls, and incorrectly referencing data protection or cybersecurity law and policy, that I just thought it was more of that sort of thing. It didn’t occur to me the reason that what he was saying didn’t sound quite right was because it was in fact complete nonsense. (It also doesn’t help that as a hyperlexic pedant, I am frequently confused and sidetracked by people (who aren’t nearly so particular about precision and accuracy in their language as I am) using language that doesn’t mean what they think it means).
As soon as I’d realised I’d been hoodwinked by a scammer, I went and signed up for Cifas protective registration. And made a report to Action Fraud. And gave my bank a heads-up that I was squarely in a scammer’s sights. I'm thinking it might be as well if I did shut down that bank account entirely and open a new one. I can't feasibly change my name or address and obviously can't change my date of birth though. As this info and mobile number is known to scammers, SIM-swap fraud is now a distinct possibility. Gah!
I hope this description of my experience is helpful to others in avoiding being done over by this sort of scam. While I know all of the right moves for avoiding being scammed on a theoretical basis, it’s useful (if infuriating and inconvenient) to be reminded of how easy it is to know all that stuff and yet still be hooked in with psychological tricks from a plausible-sounding source.
One has to be supremely sceptical and cynical by default as soon as anyone initiates contact to talk about money stuff. Sounds easy - and yet, engaging and maintaining that frame of mind is actually quite hard work when you hadn’t expected to be needing it.
To sum up:
Always check a customer support caller’s bona fides by phoning back to the official support number, even (especially?!) if you’ve been expecting their call.
If you are expecting a call off the back of a fraud report you’ve made, ask the caller for the fraud reference number before disclosing anything.
If what the caller is saying to you about security sounds a bit……weird…..then it’s just as likely to be a scammer’s flimflam as either a) you not understanding the topic or b) that company doing security stupidly
Caller ID can be spoofed for text messages, meaning that the sender name might not be accurate and legit
If you get scammed, you’ll probably feel stupid and guilty and ashamed for having fallen for it. These feelings are unfair to you and unwarranted - scammers are successful because human beings are eminently scammable. Sales tactics (pushing against boundaries, creating urgency, faking goodwill, pretending to be on the other person’s side, manipulative language, finding and pressing on weak spots, bullshitting with confidence, steamrollering over/wriggling around resistance, pretending to be helpful) are used, taught, lauded and encouraged because they work - and they work every bit as well for criminals as they do for legit business.
All of this has just reinforced my absolute hatred of the phone call as a medium of communication. Serves me right for answering in the first place, I guess.