Rowenna’s story: How I nearly got scammed
Lots of assurances like “don’t worry, we’ll make sure you’re protected. We take our customer security very seriously”, and “this call is being recorded for training and quality purposes”. He was accurately describing some of the processes involved in investigating and preventing this kind of fraud. This was one Oscar-worthy scammer.
I asked if he could call back the next day as I wasn’t able to start doing bank account admin things right then. He gave me his name and told me it was important I only spoke to him, as he was assigned to this case.
So, the next day, Mr Scumbag called back, but I missed it. The following day, I got another text message from a sender ID that matched my bank’s name, saying that my account was being placed under a higher level of protection.
Then another text with my new bank account details and confirming the “senior manager’s name” as the name Mr Scumbag gave me.
He called again and told me several direct debit setups had been attempted, but that the bank’s fraud detection systems had blocked them and wanted to confirm that they were in fact fraudulent.
“I can see from our fraud monitoring systems that there are two devices logged in to online banking with your credentials,” he said. “One of them is an iOS device – that would be your phone, right? The other a Samsung tablet. Do you know what that device might be?” Since my account had evidently been completely compromised, Mr Scumbag said they’d set me up with a new account, and my new card was on its way – he just needed to activate the new account details – but not to worry, my direct debits and standing orders would all be transferred to the new account.
I had no idea whether or not that’s a) even possible, or b) a thing that banks do, but it would have saved me a ton of excruciatingly dull admin, so I was pleased to hear it. Then he asked me to download the Anydesk app claiming it was “approved for secure account verification” processes like this – it was a remote access tool. That’s the first red flag I recognised in real-time. I said no, and why did he need remote access to my phone? He said that another device was logged into the banking app with my credentials, which meant that my device was compromised so he needed to check it for malware before activating my account. Warning bells began to tinkle faintly at the back of my mind. I was adamant. No remote access.
Not to worry, he said, it was possible to activate the new account details manually, but it would take a lot longer. The ‘account activation’ process involved setting up a new payee.
I queried the fact that the new account details seemed to be with a different bank. “Oh, that’s a security measure,” he said. “Because there’s another device logged into the banking app – which you say isn’t yours, so this is to disguise the new account details and stop them from being compromised too.” I mean, that sort of made sense to my exhausted brain. I was primed to believe I was talking to a legit representative of my bank, and I really didn’t enjoy the thought of going through all this palaver again if my ‘new’ account info was compromised.
The next step, he said, was to make a transfer to the new account to activate it, and to signal to the fraud systems that it was the right account. It was very important to enter the correct amount, as the fraud systems would only respond to a specific combination of numbers. “Okay,” I said, expecting it to be 76p or something trivial like that. He said: “Right; enter this number in.
9-3-5…” “Er, hang on,” I asked, “you want me to transfer nine hundred-odd quid to this new account?” “Yes,” he said and started telling me all about the ‘fraud systems’ again.
Hell no – and I told him I’d be hanging up and calling the official fraud number because this didn’t sound legit at all. At which point Mr Scumbag hung up and I kicked myself hard for an hour, because in retrospect, there had been several warning signs that I’d just breezed right past without noticing.
He didn’t get any more of my money – but he did end up with my name, address, date of birth, bank account number, sort code, and he may already have had the card details which were fraudulently used on Facebook in the first place. Then ten minutes later, my actual bank got in touch via the app and confirmed that they’d come to the conclusion the Facebook transaction was indeed a fraud that had now been refunded. Lesson learnt: when my bank says someone will be in touch, they mean that I’ll get an in-app message three days later. They will not call me within 24 hours.
Checklist:
• Always check a customer support caller’s bona fides by phoning back to the official support number, even (especially) if you’ve been expecting their call.
• If you are expecting a call off the back of a fraud report you’ve made, ask the caller for the fraud reference number before disclosing anything.
• If what the caller is saying to you about security sounds a bit… weird – then it’s likely to be a scammer’s flimflam, because either you’re not understanding the topic, or that company is doing security stupidly.
• Caller ID can be spoofed for text messages, meaning that the sender name might not be accurate or legitimate.
This story was published in Unpack the payments landscape with Payments: Unpacked from Mike Chambers. Subscribe at: payments-unpacked.com. A special thanks to Rowenna Fielding for sharing her story. Rowenna writes about data protection, ePrivacy and data ethics – her blog is available at buymeacoffee.com/MissIGGeek.