
You receive a call on your phone. The caller says they're from your bank

 4 months ago
source link: https://mastodon.social/@Edent/112372412442888807

Terence Eden: "You receive a call on your pho…"

You receive a call on your phone.
The caller says they're from your bank and they're calling about a suspected fraud.

"Oh yeah," you think. Obvious scam, right?

The caller says "I'll send you an in-app notification to prove I'm calling from your bank."

Your phone buzzes. You tap the notification. This is what you see.

Still think it is a scam?
1/3

In app popup.

The scammer is on the phone to you.
Their accomplice is on the phone to your bank, pretending to be you.
Your bank sends you the notification.
You accept, and scammers proceed to drain your account.

Someone has just lost £18,000 because of this.
https://www.reddit.com/r/UKPersonalFinance/comments/1cih3kd/been_scammed_over_18000_through_my_chase_account/

It *is* a genuine notification. But it isn't confirming the bank is calling you.

Should the bank word that differently?

In a rush, would you read it thoroughly?

Most likely, in a panic about the fraud, you'd confirm it was a genuine notification (it is!) and accept it.

@Edent I'd go with yes, it's a scam. Why does it need your passcode if you are already logged in to their app?

@Extelec @Edent That's normal. It's to confirm that someone else hasn't just stolen your phone. The rest of the thread explains, but this *is* a legitimate notification, it's just being misused.

@CaptainJanegay @Extelec @Edent

It's a man in the middle attack. And quite obvious in my opinion.

Only proper reaction: I call you back, gimme a number and your name. Then phone via the front desk of your bank.

@iokiwi @glitzersachen @Extelec @Edent Yes. I'm also not so much interested in whether it's obvious to a working-age, relatively tech savvy adult who's paying attention.

I want to know if it's obvious to my last scam-related client, who was a woman in her 70s, run off her feet caring for her husband who had dementia, already worried about money, and who picked up the call - thinking it could be a family emergency - while she was cooking dinner & running late.

@CaptainJanegay @iokiwi @glitzersachen @Extelec @Edent I’m a working age, very tech savvy adult who is paying attention, and this absolutely might still get me if the timing of the notification was right.

@TheEjj @CaptainJanegay @iokiwi @glitzersachen @Extelec @Edent the notification absolutely should've said "did you call us" rather than "are you on the phone with us". Even that's easy to miss but one would need to be very paranoid to suspect this one.

@CaptainJanegay

My mistake --- I wanted to answer the OP, not yours or satisfy *your* interest. My heartfelt apologies.

@[email protected] @Extelec @Edent

@iokiwi @glitzersachen @CaptainJanegay @Extelec @Edent Yes, the reaction is correct, but it is far from obvious to most people. Or even people who know better, if you catch them at the right moment.

@glitzersachen @CaptainJanegay @Extelec @Edent it’s obvious to us that have to deal with fraud every day. Not so obvious to someone who is concerned about losing their life savings in the moment.

@glitzersachen @CaptainJanegay @Extelec @Edent I don't think it's that obvious at all. It's a real notification from the bank. They still shouldn't be calling you like that but people do that.

Making them let you call them is the right decision, though. That said, calling the front of the bank probably won't work for Chase. Not unless your bank account has a couple more zeros in it than mine does, and if that's the case you probably have your own concierge line or something like that.

@glitzersachen @CaptainJanegay @Extelec @Edent
Did you mean an extension and a name? If you're calling a fake number from the bank, how does this help you?

Edit: I think he meant he'd ask for a name and *badge* number and then call a published phone number (the front desk) and ask to be connected to that person. This is the correct answer but most banks make this difficult in practice.

@Doomed_Daniel @Extelec @Edent Yes, but in most cases they won't know your password, so they won't be able to confirm via the notification

@CaptainJanegay I disagree and I would say it is not normal at all, in fact some banks will tell you outright that they will never ask for these types of codes and that it is a common scam.

@hapidjus @CaptainJanegay

Right, but in this scenario you're seeing this notification because your bank *does* use these notifications to authenticate you when you call them. It's just being framed by the person on the phone in the reverse, as authenticating them to you.

@hapidjus It is normal to be asked, by your banking app, to re-enter your passcode to confirm certain actions you can take within the app

@CaptainJanegay Nobody was asking for a passcode here though, and there is a grammar mistake in "on the phone to us". I will agree that if *I* am the one who manually opened the app and tried to do something, then confirming the authentication is normal in some instances, yes. And I will admit the screenshot is indeed misleading either way, I can still see many people falling for it. I think the entire flow of having the app ask for permission for something done over the phone is flawed.

@hapidjus @CaptainJanegay
It's not grammatically incorrect in British English.

In fact the verb is the clue.

"..with us" = We called you.

"...to us". = You called us.

@Ric @Edent right! Most scam shit I have seen doesn't even spell words correctly, but this one is on another plane of existence.

@Edent I think I’d be taken in by that. My thought was: why do they need to check they’re on the phone to me if *they* called *me*? But on balance I’d decided it was just poor wording or an ill thought through system (both of which I still think, in fact!) so I wouldn’t have challenged it.

@simonwood @Edent one might assume even if they believed the bank was calling them, that they still need to confirm they got you and not someone else.

@flabberghaster @Edent I have had my actual bank call me, and then ask me (via security questions) to verify that I am actually me. I feel that was *training* customers to divulge information insecurely, as I had no way of knowing that they were who they were, and they wouldn’t have provided it if I’d gone along with their request.

@simonwood @Edent yeah, same. I had told my bank I intended to travel internationally and then when I got there my card stopped working and they called me saying there was suspected fraud on my card. I knew it was legit because I called back on the number on my card, but I think it's bad practice to initiate calls.

@flabberghaster @simonwood @Edent

Indeed. They should, probably, do it like the good banks send mails: plaintext notification, no link at all, just an info - there is an important message in your Internet banking inbox, go there and fetch it.

So even the call may be initiated in a way - hello, this is your bank, we need to talk to you immediately because of "reason without details" (e.g. there was a suspicious transaction we want to cross-check with you), please contact our telebanking number to proceed.

@herrman_sk @flabberghaster @simonwood @Edent Since I never answer the phone, that's what my bank does. Simple message requires me to initiate the proceeding.

@simonwood @Edent
I regularly have a little dance with people who phone me asking me to prove who I am before they will continue. I try to get them to confirm something that only the true caller would know but sometimes just have to give up and end the call.

@AlisonW : that's usually fine, but may not help during a "live" AitM (Attacker in the Middle) conversation - that is, if you don't notice the extra delays (or the attacker uses social engineering to somehow justify those delays to both sides - which may not be hard; a recording of a crying baby heard by Chase and construction noises sent to you may fool both sides - "sorry, I did not understand you because ...").

Step 1:
[Allison]
     ^
     | "I'm a Chase employee"
     |
[AitM]
     |
     | "I'm Allison"
     v
[Chase]

Step 2:
[Allison]
     |
     | "What's my date of birth?"
     v
[AitM]
     |
     | "What's my date of birth?"
     v
[Chase]

Step 3 (I changed the order):
[Chase]
     |
     | "Feb 29, 2000"
     v
[AitM]
     |
     | "Feb 29, 2000"
     v
[Allison]

@simonwood @Edent

@simonwood @Edent The bank do need to confirm that: they only know that they called your number, but they can't be sure that you picked up - maybe someone else has access to your phone, or it's been lost or stolen, or you changed your number and forgot to tell them.

Unfortunately this only makes this attack more persuasive.

Telling them you'll hang up and call back on the main number is a good option, and the bank employee should always be happy for you to do so.

Buuut this is Chase...

@CaptainJanegay @Edent Maybe someone else has access to your phone, so they’re going to send a push notification to your phone to verify it's really you? 🤔

@simonwood @Edent Well, it asks for your password as well, which would significantly increase their confidence - although ofc this notification is not actually used to verify your identity in that situation.

But my point is that it's entirely believable that the bank would need *some* kind of verification when they call you, and a lot of people won't pick up on inconsistencies like this, especially when they've just been told someone has fraudulently taken £300 out of their account.

@CaptainJanegay @Edent Very true.

Asking for verification is ok, but it amazes me they don’t work on customer expectations - what you will be asked for when the bank calls - and also customers’ fraud literacy - how we can and should verify them!

@CaptainJanegay @simonwood @Edent We get landline calls in the UK from “your bank’s security department”. Recent ones have spoofed the local area code.
Main “alarm bell” with that is that our bank, or indeed any other, doesn’t have a branch/office in the three towns covered by the area code.

@CaptainJanegay @simonwood @Edent

It is being used to verify your identity though. The scammer has presented it to you as if it's verifying their identity to you, but it's actually verifying your identity to the bank.

The notification could be improved with something like "if you have just called the bank, enter your passcode to continue. If instead someone claiming to be from the bank has called you, they are trying to defraud you and you should immediately hang up and call the bank."

@CaptainJanegay @simonwood @Edent

They could I guess also have an option to push out a notification to go with their outbound calls, "The bank is calling you. You seeing this notification confirms that the caller really is from the bank. Please enter your passcode to confirm to the caller from the bank that you really are you."

@dragonfrog @simonwood @Edent Yes, you're right - I mean that in the fake scenario the scammer is presenting you, where the bank has called you, the bank does not use this notification to verify you. They only use it if you call the bank. But there's really very little opportunity for most customers to figure that out.

@Edent There’s probably lots of good reasons not to, but I wonder if they could change the notification to show which number they *think* you’re calling from. Presumably their system knows, it’s just a question of whether it could be hooked into the notification sending infra.

@philip @Edent I would bet a lot of people would see a different number and just assume their IT department messed up, since there’s rarely a shortage of prior support for that. That goes double if the scammer successfully gets the person into a panic state first.

@acdha @Edent Fair, there’ll never be perfect technical solutions to these human problems, just trying to imagine what we might do better.

Could the banking app use the phone’s phone API to check whether the call is being made on that device, and then at least show something like “You are talking to us on THIS PHONE” vs “You are talking to us ON A DIFFERENT PHONE THAN THIS ONE”?

Again, not perfect, but maybe that would help some number fewer people get scammed.

@philip @acdha @Edent They could add a box with details about the call. "We are talking to you on the number (XXX)XXX-XXXX. You placed the call to us at X:XX. If any of this is incorrect, please tap 'No, it's not me.'" In this case "No" should change to something like "I have concerns"

@notsoloud @philip @acdha @Edent That's why I suggested including whether the call was in- or out-bound. The point is to give someone a clue so they can have an a-ha moment and go 'wait, something's wrong.'

@notsoloud @MisterMoo @philip @acdha @Edent

Right, but "you called us" is hopefully hard to get past someone who did not in fact call the bank, but rather just received a call from them.

@MisterMoo, assuming that each X represents exactly one digit, I'd find that phone no. extremely suspicious as it's too short; and the only 3-digit area code which I can think of is 020.

@lp0_on_fire @MisterMoo that is a US format phone number which can never start with 1 or 0. 020 in the UK is a London number.

@darrenmoffat @lp0_on_fire It was just an example. Presumably it can be modified for telephone numbers across the world.

@philip @Edent yes - it’s a brutally hard problem because banks have to assume some customers will have lost phones/ID, be confused, etc. and the fraud industry is large enough to have decent IT, training, etc.

I think expecting the phone companies to do more is the future. I’d bet a lot of people would use an international/VoIP block and they could setup a system where you can’t reset passwords, transfer, change your address, etc. except by starting the call in their app.

@derickr nothing is faked in app. It is a genuine notification from your bank.

@Edent @derickr the level of knowledge of this incident suggests the target has already been stalked and their finances already monitored (it's way too much resources/effort to put into attempting to scam someone who is skint and only has a few quid in the bank. I really wouldn't put it past insiders in the bank/call centres being involved)

@Edent there used to be a time where they told customers at every possibility: our employees will never ask for your password etc.
I think they still do.
Wtf happened.

