Slack bank practice creates opportunity for phone phishing scams

There is a scene during the underrated '70s conspiracy thriller Three Days of the Condor when Robert Redford's bookish spy is asked to verify his identity when calling into base. He resists, insisting that the person who took his call needs to verify their own identity before he gives anything away. Authentication ought to …


This topic is closed for new posts.
  1. Rajiv Dhir

    Always ask for a callback

    I always as a matter of policy ask for a callback reference. I then call the public number. If I found a bank not doing this I would close my account immediately. I have had no difficulty with this with HSBC and firstdirect no matter what the call was about.

    HSBC also ask a security question that is verifiable but not part of your normal security response for matters that are somewhere in between, e.g. getting further details for product applications that will later be verified by other means.

  2. Anonymous Coward


    E.on also cancelled my online account without telling me and then sent me a snotty reminder saying that if I didn't re-register I would lose the benefits of an online account. It looked just like a phishing email but turned out to be genuine.

  3. Joe Blogs

    Get it wrong

    Quite simply - when asked for security verification, get something wrong. If it's your bank they will tell you that you have got something wrong; if it's a scammer they won't, but you will also have given them wrong information - a win-win situation.

    1. Sam Liddicott

      Get it wrong is wrong

      What if the scammer is on the phone to your bank and is just passing on the questions and answers between you and the bank?

      The scammer will know right away if you give it wrong because the bank will tell him.

      It's a classic man-in-the-middle.

      1. Annihilator


        The coincidences of timing would be damn-near impossible to get right.

      2. David Eddleman

        @Sam Liddicott

        Doesn't work. If there is a man in the middle, there will be a noticeable pause after you give the details. A bank that's asking you the question (that's legitimate, mind you) will be looking at the question and answer at the same time, so the actual delay will be <2 seconds for the person to respond. Every company, be it bank or otherwise, that's asked me to verify details can give answers in a heartbeat or two.

  4. Anonymous Coward


    I closed an account with a well-known cooperative banking establishment for just this reason - they used to 'phone me up out of the blue and ask for two characters from the (then) 4-character numeric password. Do that twice and you're in, no messing at all.

    They seemed totally nonplussed when I kept refusing, and I don't think they ever did understand why I took my business elsewhere.

    firstdirect, on the other hand, is always happy to have you call back in on the public number.

    1. Anonymous Coward


      I have had accounts with Coop for fifteen years and they have never called me out of the blue and asked for part of my PIN.

      Also, I make a point of telling them that I will call them back if they do call me out of the blue, and they say, sure, the number is on the website.

  5. Anonymous Coward

    I had PC World do this only last week

    Oddly enough PC World rang me last week to check an order I had made with them. They wanted more information about the order (an iPad 2).

    I challenged the person to confirm who he was, he said that nobody had ever asked to do that, but recognised that it was a valid thing to do. He provided numbers and other information, I rang back and it worked out OK.

    Now, the fact that their subsequent customer service on delivery of the iPad was utter, utter shite and led to me cancelling an order that they had no chance of ever fulfilling (whilst taking my money in advance and taking a week to refund it) is another story altogether...

    So 10/10 on security and -10M for subsequent crap customer service

  6. John Tappin

    same from inland revenue

    They got quite shirty when I said I didn't know them from Adam and didn't want to provide DOB etc. for them to check my identity - I told them I would call back.

    Other half has also had calls claiming to be from NatWest Bank but in this case a clear case of attempted fraud (the phone number used was listed on internet as source of many scams)

    I have also had similar issues in the past with a credit card company that always called my other half while I was at work. After they called every day for a week and said that they could not accept assurances of what time I would be home from someone else, I complained that they were engaged in nothing less than harassment.

    Banks are not the only organisations that have forgotten that trust is a two way street, I am afraid.

    I am not sure that common sense will not prevail on this one though.

    1. Willington

      @John Tappin

      "Other half has also had calls claiming to be from NatWest Bank but in this case a clear case of attempted fraud (the phone number used was listed on internet as source of many scams)"

      The Internet, in this case, is wrong. That is in fact Nat West. See my other post below.

    2. RichardB


      Aye, got one from them too. Seemed quite put out that I wanted to call them back on a published number.

      Eventually found the number they gave me deep inside an internal looking document that was available on their website.

      These organisations should implement 2 things - firstly, always print their numbers as a single string, and secondly, put up a lookup box on their website to verify numbers that are client facing, or flag numbers that are known tricksters.

      They also need to do something sensible with their ATMs... but that is a different subject!

      1. vic 4

        Calling their published number

        Wouldn't be too bad if it wasn't a 0845 number. Surprised the banks to try to encourage this as they'll make some money back on a call they initiate.

  7. Steve Jeffery

    Complete routine

    I get this ALL the time, and I always refuse to give details to someone who calls me.

    Most annoyingly I recently had this on a SALES CALL from BT! Yes... They wanted to upsell me... And they called me... And they needed to ask me to confirm my details first. Um... YOU CALLED ME!

    1. Anonymous Coward

      Re BT

      Yes, I had this exact same nonsense from them. I explained that they had called me using the number they had on file for me. It took a while and I did get quite cross (but polite) but I did manage to get them to confirm some things to me first, before I would confirm anything for them.

  8. matt 83

    Me too

    I've had companies phone me up out of the blue looking for money and couldn't understand why I wouldn't hand over my card number to them then and there.

    Meter readers also seem to think that some crappy ID card and a hand held computer are enough to prove who they are.

    1. Tom 38

      As an ex-meter reader

      On the back of the crappy ID card is contact details for the operator you are working for, who will then verify your identity for the old biddy who thinks you want to open up her gas meter for some nefarious reason. Being a temp, I didn't have a uniform at all, but got almost zero grief regardless - only 1 in 50 would ask to verify identity.

      That was a pretty sweet summer job actually, meter reading is piss easy, you got paid decent mileage allowance to drive to work, all work routes automatically added to your computer overnight, with all collected data transferred at the same time. Never had to talk to a boss, and was finished by 3pm every day.

      1. Anonymous Coward

        As Dodgy Meter Reader

        I'd put a number on the back of the card that calls a colleague who would of course verify me.

      2. jonathanb

        Only problem

        Is you don't want to take the contact number from the back of the "meter reader's" ID card. That is always going to be an accomplice. The number should be printed on the back of the bill and on the energy co's website.

        1. Mark 65


          "The number should be printed on the back of the bill and on the energy co's website."

          Which brings you neatly onto the next issue which is that nowadays companies tend to farm out their meter reading to 3rd parties and so wouldn't be able to confirm anything. I doubt they'd even have the competence to be able to give you the number of the 3rd party.

      3. Annihilator

        @Tom 38

        "On the back of the crappy ID card is contact details for the operator you are working for, who will then verify your identity for the old biddy who thinks you want to open up her gas meter for some nefarious reason"

        Or, the number of your mate Bob who will pretend to be British Gas and say you're legit?

  9. Kevin Johnston


    I have taken this to the logical extreme and ask callers for two characters from their PIN. If they don't hang up instantly I have prepared a 23 page document to request a PIN which I will send if any of these organisations are daft enough to go there. I have caused a credit card company for which I hold a card to abandon their security processes whenever they want to talk to me and we now follow a simplified process which ends with them asking me to phone them.

    I fully agree that they should have to follow at least as stringent controls as they force on their customers, since they clearly feel these are reasonable.

  10. Velv


    A friend recently had her laptop infected by Malware. Asking "had she used her credit card online", she told me she'd used it on the phone.

    Obviously not what I was looking for, but curiosity got the better of me, and it transpires that her catalogue company uses an automated system to collect her payment. Their system phones her, tells her her payment is due, and asks her to key in her card details to pay it. No, not just an autodialer - a fully automated IVR to collect payments.

    FFS !!!!!!!!!!

    (she doesn't use it any more)

    What chance have the public got of not being scammed when companies use things like this?

    1. DrXym

      Depends how it's implemented

      If you buy a kettle from Kay's catalogue, one would assume that a callback service would provide you with enough context to recognize it was asking for payment. I suppose it could go further by quoting a reference back to you that you filled in your order in the first place.

  11. Vic

    HSBC did it to me

    HSBC rang me up and insisted I answer their security questions.

    I told them there was no way I was going to do that.

    Matey then proceeded to tell me that he couldn't speak to me unless I did.

    So I told him that was his problem.

    It all smelt like a phishing scam, but it actually did turn out to be HSBC. And I no longer have an account with them.


  12. Richard C.

    Not just banks

    "RevK" of AAISP had a very similar issue with Sky earlier this week - the mp3 recording of it is quite funny: . Sky called him up, asked for him by name and then asked him to confirm his name and his phone number(!) It went downhill rapidly from there...

    1. Jamie Kitson


      Sounds like a knob to me.

  13. Anonymous Coward


    I know NatWest, VirginMedia, VirginCC (MBNA backed), and RBS do these types of calls.

    They usually get quite irritated when I ask them how I can trust someone who has called me. I am fairly sure that NatWest moved to a system to STOP doing this nationally, but because of harsh sales requirements on branches they sometimes call up.

    If you ever get a call like this, then ask them what it's for (99% of the time it's a sales call), and if they tell you it's something important then you can phone back via published numbers.

    1. greygeek

      it gets worse . . .

      I had one of these calls a while ago - think it was a credit card company. We reached an impasse where I refused to accept he was who he said he was until he proved it.

      So, in a fit of inventiveness I'm sure he was proud of, he proved it by telling me my last transaction details and current balance. I was so shocked I carried on with the call!

  14. yeahyeahno

    Lloyds TSB

    Lloyds TSB called me a few times, and mostly their staff argue, insisting I prove who I am, but I refuse until they've proved who they are. Occasionally they say well, you can ring us on xxxx number and talk about it, but they never give a reference number or any way for me to tie their call into anything when I call them.

    Personally I think everyone should just refuse to play their game until they wake up to the fact that as you say, trust is a two way street.

    1. Annihilator


      They often think that handing out a phone number so that you can call them back proves their identity, which it doesn't. I've had many an argument with them, saying that I've got no way of verifying the number they're asking me to call back on is actually a genuine number belonging to the company. Often it's a private (ish) number that isn't mentioned as a customer facing number.

  15. Richard Fletcher

    Data Protection

    I worked for a bank, and it was my job, in part, to ring customers to tell them that their equity release loans, or remortgages, had completed. Meaning they may have thousands of pounds in the bank, to buy an extension or a nice holiday, for example.

    One thing I was told, was that I was not allowed to make it clear that there was even a relationship between the bank and the person I was talking to until I could confirm their identity, as this would fall foul of data protection laws.

    I couldn't say "I'm calling from the HSBC Mortgage centre", which would have tipped them off, and I couldn't say "I have your postcode" or "Can you tell me details of a recent transaction".

    HSBC do use the last question when they ring me as a customer. I don't think the Data Protection laws have changed, but perhaps this demonstrates some of the complexities involved.

    1. Dave Bell

      This sounds barking mad

      But oh so plausible.

      I've had experience of organisations having silly implementations of data protection, typically involving a form arriving by which they got permission to tell anyone at all everything they had on record about you, with no clue what the original purpose was. Clearly they can't give every possible future necessity in their DPA registration.

      The trouble is, not even being allowed to say who you are (in your example) makes you sound rather like one of those pestilential nuisance call centres. Yet who would expect the DPA to prevent a business clearly identifying themselves when calling a customer?

      As far as I can tell, the DPA doesn't stop anyone from identifying themselves. It's the possible inferences made by whoever answers the 'phone, if they're not the customer.

      I think I was about eight years old the first time I answered a business phone call. I'm told I was very clear, did a good job, but I suspect that if I'd had a call like that, you would never have spoken to my father at all.

    2. Annihilator


      Actually yes, that's true and often overlooked. I'd completely forgotten, but had to do the same rigmarole when I worked in a branch many years ago. I could only say "I'm calling from his/her bank".

    3. Anonymous Coward

      "Data Protection Laws"

      I always assumed that was a euphemism for "I'm going to dick you around (for fun and profit)"

      Every time I get "Because of Data Protection Laws" as an answer, I respond "I think that's a lie" or "I don't believe that to be true". Never had anyone deny it.

      Fact is, if you are conducting legitimate business with me, you would be able to tell me some basic details about our supposed business, rather than quoting the DPA at me chapter and verse as if I give a damn. If you genuinely can't answer my questions because of "Data Protection" then you are obviously not worth talking to in the first place and I resent the fact that you thought I would entertain your nuisance calls.

  16. LJRich


    Recently bought a new car and when somebody called me claiming to be from the company I'd just bought it from I asked them to verify themselves. They proceeded to tell me plenty of information about the car I had just bought from them. Reassuring!

    Once I pointed out that anybody who had walked past the house recently could give me the same information she became frustrated and said she would send me the information through the post and hung up.

    I feel safer.

    @Kevin Johnston: You have a lot of time on your hands don't you.

  17. RevK

    Sky are as bad

    Call recording

  18. Anonymous Coward

    Transsexual fun

    As a ftm transsexual (yup, I lead a fun life) I was told point blank on the phone with HSBC that I was not the person who owned the account (obviously I am) due to my voice. I had to do extra security stuff and they put a 'note' on my account.

    Can't help but think I just made my account less secure

    1. Equitas

      You don't need to be

      transsexual to be on the receiving end of that confusion. Actually, it's quite common for those born female to have voice pitch within the male range which has interesting results in telephone conversations. Females so equipped can have endless fun with cold-callers.

      Paris, because she's unambiguously female.

  19. M7S

    Almost on the same topic

    Local councils are introducing pay-by-phone parking where you have to either telephone or sms your cc details, registration and some other information such as a location code from the sign by the bay to a non-geographic number with an automated response system. As there's no way to do "SSL over GSM" this is ripe for fraud, after all what visitor will know if a well crafted sign is authentic or not? All you need is a couple of pre-set replies on the mobile phone set to harvest these and the money will come rolling in.

    Leaving aside the issue of having to read out your CC details in a public place (you can't exactly make a private call from inside a motorcycle, for whom the scheme also applies), if someone sniffs all the SMS from prominent parking locations now that GSM encryption is apparently cracked, they'll gather a good haul of CC numbers, expiry and the "last three digits from the back of the card".

    There's absolutely no security possible in either transmission mechanism but it will be treated by the banks as the customer's liability if the details are misused as there will be no evidence of any "hack" of the system.

  20. Jamie Kitson


    I was impressed by my mum who, when answering the phone to a machine claiming to be my bank and asking for my date of birth, deliberately put in the wrong date to see if it was a scam.

  21. Willington

    Nat West

    Nat West don't get it either. I recently asked an operator who had phoned me to provide me with a couple of specific characters from my security string to prove his identity and he promptly hung up. I phoned Nat West to tell them of a potential phishing scam and they told me that their credit department had been trying to contact me. Bloody amateurs.

    I also had some debt collection agency contact me by letter asking me to phone them which I did. The operator then asked me to confirm my name and address which I did because it was already on the letter they had sent me. They then asked for my date of birth and couldn't understand why I refused to give it to them. They refused to talk to me which, to be honest, is absolutely the best result I could have asked for. We are now at an impasse. If they can't prove to me who they are (considering it is a company who I have never had any dealings with so they can't) and I won't prove to them who I am (because I think they are phishing) and they won't talk to me unless I do then there's sod all they can do to recover any money that they feel I may owe them except take me to court for it and I've already explained to them that this is what I would prefer them to do (they seem hesitant to do this for some reason as did the three other debt collection agencies that tried to recover this alleged debt).

    For the record, I don't owe them anything, it relates to a situation with 3 and their absolutely godawful "customer services" that they should have rectified 5 years ago but didn't, but it's a novel situation and one which I'm more than happy to experiment with.

    1. Mister_C

      3 calling in the repo men?

      My wife has had fun with 3 and repo men. We ended up getting ofcom involved and sorting it all out. Then six months later another debt collector sent her a letter... Be prepared for at least another year of crap.

  22. peter collard

    Interesting solution found by one bank

    Having challenged my bank in the past, and refused to give them any info until they can authenticate I note they now have found an interesting solution by offering 3 values and asking you to pick the correct one. This serves as a lightweight arbitration protocol for their internet transaction fraud detection.

    The fact that one of the values is correct gives you a degree of confidence, and your confirmation of the right one gives them the same.

    This is obviously too lightweight for actual transactions, but they are just confirming that you are happy with a recent transaction.
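The three-value challenge described in the post above, together with the relay attack Sam Liddicott raises earlier in the thread (the scammer simply passes questions and answers between you and the real bank), as an added example that is not part of the original thread or any bank's code. The account holder, merchants and amounts are constructed; the honest bank, the cold-calling phisher and the relaying scammer are modelled as plain Python classes so the three situations can be run side by side:

```python
"""Added example: simulation of the "pick the real one of three transactions"
challenge and of the relay (man-in-the-middle) attack against it.
All holders, merchants and amounts below are constructed sample data."""
import random
from dataclasses import dataclass


@dataclass
class Account:
    """One bank record; last_transaction is the value the bank challenges on."""
    holder: str
    last_transaction: str


class Bank:
    """Knows the real transaction and pads it with two plausible decoys."""
    DECOY_MERCHANTS = ["Boots", "Argos", "Shell", "Waitrose", "Greggs"]  # constructed

    def __init__(self, accounts, rng):
        self.accounts = {a.holder: a for a in accounts}
        self.rng = rng

    def _fresh_decoy(self, taken):
        # Random "amount at merchant" string that collides with nothing already offered.
        while True:
            cand = (f"£{self.rng.randint(1, 200)}.{self.rng.randint(0, 99):02d}"
                    f" at {self.rng.choice(self.DECOY_MERCHANTS)}")
            if cand not in taken:
                return cand

    def challenge(self, holder):
        """Three candidate transactions, exactly one real, in random order."""
        options = [self.accounts[holder].last_transaction]
        while len(options) < 3:
            options.append(self._fresh_decoy(options))
        self.rng.shuffle(options)
        return options

    def verify(self, holder, answer):
        return answer == self.accounts[holder].last_transaction


class Customer:
    """Has their own copy of the record (statement, receipt). Picks the matching
    option and hangs up if nothing matches, since a genuine bank always includes it."""
    def __init__(self, name, own_record):
        self.name, self.own_record = name, own_record

    def answer(self, options):
        return self.own_record if self.own_record in options else None


class Phisher:
    """Cold-caller with no account knowledge: must fabricate all three options."""
    MERCHANTS = ["Amazon", "eBay", "ASDA"]  # constructed; the real merchant is absent

    def __init__(self, rng):
        self.rng = rng

    def challenge(self):
        return [f"£{self.rng.randint(1, 200)}.{self.rng.randint(0, 99):02d}"
                f" at {self.rng.choice(self.MERCHANTS)}" for _ in range(3)]


def honest_call(bank, customer):
    """Bank rings customer. True when both sides end up satisfied."""
    reply = customer.answer(bank.challenge(customer.name))
    return reply is not None and bank.verify(customer.name, reply)


def phishing_call(phisher, customer):
    """Scammer rings customer with made-up options. True if the customer disclosed anything."""
    return customer.answer(phisher.challenge()) is not None


def relay_call(bank, customer):
    """Scammer rings the bank as the customer and, on a second line, rings the
    customer as the bank, forwarding every message unchanged. True if the bank
    accepts the scammer: the check cannot tell this apart from honest_call."""
    options = bank.challenge(customer.name)      # bank -> scammer
    reply = customer.answer(options)             # scammer -> customer -> scammer
    return reply is not None and bank.verify(customer.name, reply)  # scammer -> bank


def impostor_guess_rate(bank, holder, trials, seed):
    """Fraction of attempts in which someone holding the challenge but no account
    knowledge passes by guessing: about 1/3, so only fit for low-value confirmations."""
    rng = random.Random(seed)
    passed = sum(bank.verify(holder, rng.choice(bank.challenge(holder)))
                 for _ in range(trials))
    return passed / trials


def build_demo(seed=1):
    """Constructed sample data: one account, its customer, and a cold-calling scammer."""
    alice = Account("Alice", "£42.17 at Tesco")
    bank = Bank([alice], random.Random(seed))
    return bank, Customer("Alice", alice.last_transaction), Phisher(random.Random(seed + 1))


if __name__ == "__main__":
    bank, customer, phisher = build_demo()
    print("honest call accepted:", honest_call(bank, customer))
    print("phisher learned anything:", phishing_call(phisher, customer))
    print("relay attacker accepted by bank:", relay_call(bank, customer))
    print("impostor guess rate:", impostor_guess_rate(bank, "Alice", 3000, 7))
```

The decoy check stops a caller who knows nothing about the account, because they cannot put the real value in front of you. It does nothing against a relay, which is why `relay_call` is structurally the same function as `honest_call`, and a one-in-three guess rate is why it only belongs on "are you happy with this transaction" confirmations rather than anything that moves money.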

  23. Phil Endecott

    Call back doesn't fix the problem

    Yes, you can call them back on their public number. But that doesn't fix the problem - it is just "security theatre" unless you ALWAYS have to call them back on the public number. I just say, "please don't ever call me again; if you have something important to tell me, please write a letter".

    There's also the aspect that they say all over the place that genuine bank staff will never ask you for your personal code number. Except that when they phone you, that's exactly what they do. Of course their argument is that the number they will never ask you for is your "personal identification number", whereas the number that they will ask you for is your "personal security code". Or is it the other way around? And does the other bank call them the same thing? It is clearly totally broken.

    Actually Dilbert covered this last week:

  24. Anonymous Coward

    problems with callback ...

    1) why should you pay, when it was your bank that wanted to call you?

    2) you will get put in a queue which will take 30 minutes to answer. Well it did, when BT tried this with me. Then the person who answered had no idea why they called me in the first place.

    1. Elmer Phud

      Call centres

      They wouldn't know as the person who had been assigned the job by the system would have marked the job as 'contacted' or similar and the job disappears to reappear on another screen with no notes on it. Notes take time and time is money and money is 'numbers of calls made'.

      Saying that, I've got to ring BT myself - I've almost remembered the entire number sequence for getting through and ignoring all the options.

  25. Daniel Bower

    Lloyds TSB are awful for this

    Lloyds TSB royally wind me up TBH. When I paid in an insurance cheque I got a phone call from my 'account manager', who without checking my identity gave me my name and account number and then told me how much I had just paid in.

    They did it again when I got a new job with a higher salary and asked was I expecting this money to go in. Yes I bloody was, and no I didn't want them calling me up and telling me with no security checks one way or the other.

    If it happens again I will be having words...

  26. Anonymous Coward

    "if I call your office, do I get you?"

    It was actually the ISP of a webshop I did work for, who asked me that. My answer was that no, I wasn't at the office, but if they'd call the owner (who had asked me to act on his behalf) on his mobile (and they did have that number already, didn't they?) as he also wasn't at the office, he'd verify the story and give them my number and I'd be reachable there.

    My experience with banks, OTOH, isn't quite as good. Like a certain one that had a "webchat" where you'd be connected to someone with only a first name who'd ask for date of birth and such. That "chat" thing ran on a third party site, and no ssl in sight. Subtle.

    But it gets worse. Nearly everybody who needs to do authorization actually asks for authentication or worse, /identification/ as if that'd prove anything--requiring "government ID" and often as not taking a convenient copy or scan (that might get lost somewhere too, it's happened) that contains enough information to impersonate.

    This is a problem of mindset as much with verifier as with the verifee --failure to ask for counter-verification--, as failure to understand just how this whole thing works or even what the goals must be. Moreover, this is how the government structures the field through providing only identity documents.

    It oughtn't be too hard to provide cryptographically secure carriers of /authorization/ instead, then add zero-knowledge proof sauce for added privacy protection. That way, the government would actually help provide a level field for this sort of thing. But they don't, for they don't understand it either; the whole thing grew out of administrating the birth-and-death registry, not from a desire to facilitate anything in a secure and privacy-protecting manner.

    This is quite possibly the largest, deepest rooted, worst understood, unsolved problem of our time.

  27. Dibbles

    Some banks are better than others

    I've had this same problem with an American credit card company, but others are better. Interestingly, some banks insist on this kind of verification online - a picture and/ or passphrase you've previously chosen is shown to you as you log in, to show that this site is genuine, rather than some kind of phishing or malware spoof.

  28. Anonymous Coward

    Natwest Credit Card Call

    I received a call from an unknown number one Saturday morning. The chap on the phone said he was calling about my Natwest Credit Card and that he needed to ask me some security questions. I explained that he had called me on the number registered to my account and that I had no way to know who he was. He outright ARGUED back with me and when I made it clear I would not reveal security information to a stranger on the phone, he said; "if you're going to be a dick about it, call the number on the back of your credit card" and then he hung up, no reference, no apology for calling his customer an arse. It was Natwest, and I never did get round to complaining that their business practices seemed to contradict the security advice they had on their website (or the fact that they had been so rude to me). I have closed that card account now and I am very happy with the way my new credit card company confirms who they are in their automated security questioning.

    1. Anonymous Coward

      Funny, similar to what happened to me ...

      I write as the anonymous individual who started the story, and in my call from E.ON, after I had challenged them, and pointed out that the 1st line of my address was public knowledge (from all the marketing **** I get) and that telling me I paid my fixed DD could have been a lucky guess (>50% people pay this way ?) the guy said (quietly) w******r, and hung up.

      Unlike you, I *did* complain. I was put through to a manager within 2 minutes of that call, and rattled them silly by telling them what call recording equipment they had, and how quickly he could pull the log of the call up (my company recently had a beauty parade of call recording systems, and one cited E.ON as a reference). They were very creepily apologetic. It was a bit worrying though that they didn't understand the criminal nature of the incident.

      Funniest thing was I am leaving E.ON, and that call was supposed to be a retention call ...

  29. TonyHoyle

    Halifax went one better

    They'd have a robot call you up at all hours, ask for your security details then hang up. If you refused they'd stop your card.

    I no longer bank with them.

  30. cupperty

    Ask *them* your security questions ...

    First Direct are pretty good. Under these circumstances they are usually pretty happy for me to ask them some of *my* security questions first. Doesn't guarantee safety of course but ...

  31. Anonymous Coward

    Bank Security

    Having a new Debit Card was asked a security question "Mothers Maiden Name".

    Having a hobby of Genealogy I told them I could find the maiden name of a mother of most people old enough to have a credit/debit/account within minutes.

    Having been "thrown" by my response, their response was maybe I should use "Mothers Maiden Name Not Secure" as a response, which would be accepted by the bank. How damned stupid.

    However to use the card I have 2 levels of security which means I need to have my phone roaming to pick up the transaction code for any "on-line" or new transaction. No phone - no credit/debit. If you do not have a handphone you are screwed.

    1. Nick Pettefar

      Re: Bank Security (AC@6th May 2011 09:28 GMT)

      > Having been "thrown" by my response, their response was maybe I should use "Mothers Maiden Name Not Secure" as a response, which would be accepted by the bank. How damned stupid.

      You don't have to give your mother's maiden name for this question. Use something else - so long as you remember what it was. That way no-one but you and the bank will know what is the answer! Sigh.

      1. Anonymous Coward

        How good do you think my memory is?

        I think I'll just start using Hen3ry

  32. asharris

    Verifying Bank Security

    My approach to this was to give the bank/credit card companies a password that they must use when they call me. I always refuse to provide any information until I have positive confirmation that the caller is who they say they are (using the password).

    At first the banks simply didn't understand the concern and would often ask me for that password until I explained (again) that the password was to confirm THEIR identity. This approach has worked very well for me.

    1. Anonymous Coward

      not really

      an employee could easily carry a few passwords out of the centre, and give them to his mates.

  33. Malcolm Boura 2

    It is not just banks. Can I claim a prize for the worst example?

    My wife ran a sub-post office until the last round of cuts. Security really matters when you have the pensions for a week in the safe. It is bad enough when a sawn-off shotgun is the other side of the security screen (which happened), so there is no question of allowing an unauthenticated stranger in.

    We received a letter from the electricity company (I forget which) to say that an engineer would call to change the meter.

    It was a photocopy of the letterhead.

    The phone numbers had been blacked out with felt pen.

    It was not our address. It was "Postmaster General, Next street over".

    Scrawled on the bottom was words to the effect "any questions about this appointment call our engineer" and a mobile phone number.

    In the printed text it said "If you are concerned about the identity of our operative please phone the number on his id card".

    We contacted post office security who contacted the company. The company was much more concerned about the poor impression of using photocopied stationery than they were about the security.

    We later worked out that the intended address was the telephone exchange. Their records must have been decades out of date. That probably explained why they turned up with a 3 phase meter for our single phase supply. The engineer found he had a single phase meter in his van so he installed that.

    The good news was that the meter was faulty and recorded no electricity for the next 6 months, which was the company's problem, not ours. If no electricity was recorded then none had to be paid for.

    The other good news was that the company went bust not long afterwards.
