I was recently a target of a UK online bank phishing scam (not Monzo). They were highly sophisticated. They knew details of recent transactions, including bank transaction numbers that don’t show in any qif export or anything. They had a plausible reason to call (based on said visibility). They had researched my name and everything about me and my family that is online. They faked caller ID. Their ‘patter’ was so advanced that I do not know that this extra layer of protection would have helped much. Luckily I didn’t finish the steps and lost no money.
It is clear the bank has had a severe exfiltration event. There are other reports of that online. IMHO the law should make banks report breaches to the ICO, and a record of the nature and size of the breach should be public.
Through the process I learned that in the UK you can call 159 to directly contact your bank fraud dept (most banks) https://stopscamsuk.org.uk/159
The phisher was very determined. They called back in 15 minutes claiming to be from the bank fraud dept returning my call. Then 2 weeks later they called back claiming to be from Action Fraud.
However prepared you think you are for such an attack, my advice is to have utmost caution for every single call from anyone claiming to be anyone.
I also have a Monzo account. Even if they called me I wouldn’t use this. Hang up. Call them. Don’t let them call you.
On landlines IIRC there is some feature that allows them to stay on the line after you hang up. So when you try to call the bank, you get the scammers again.
Now that is insane. Totally sounds like one of those things that paranoid old people believe about newfangled technology, but nope, just extremely weird protocol design.
It's not really weird if you look at it in context.
People who are not Gen-Z whipper-snappers will recall the era.
Before cell phones, before DECT home phones, before wireless cordless home phones you had fixed phones.
You had a master socket and then, optionally, one or more secondary sockets (depending where you lived, you were either permitted to install these secondary sockets yourself, or you had to call in the telco to do it).
Anyway, so what would happen is that your friend from school would call you up. Inevitably your parent would answer the phone because they were, for example, in the kitchen cooking your dinner.
There would then be a shout across the house: "Bobby, it's Johnny ... AGAIN!".
The call-transfer process would involve your parent hanging up and you picking up the nearest secondary handset.
Hence the exchange needed to keep the A-end of the call live whilst you completed the B-end "transfer".
The same generation of people will also recall the ability to abuse the mechanism to quietly spy on someone else using the phone. :)
UK analogue Strowger exchanges did not permit the called party to clear down the line - that was the job of the calling party. A legacy function of being 'patched through'.
"Called Subscriber Held", a feature that was carried into early digital exchanges because people expected it to work in the manner you describe, even though afaik it was designed for the other purpose of keeping the line open whilst operators patched it through, trunk lines picked up the tone, etc.
My grandpa was something like the chief engineer for the West Coast of Scotland phone network. I have so many questions I wish I could ask him these days.
... although they can hear each other through the devices in their hands. More likely the person in the kitchen just put the handset down on the table and continued cooking.
It's still weird and unnecessary. This happened everywhere, but people just picked up the phone before the other person in the house would hang up. You mention it yourself because of the ability to spy.
Remember it used to be a switched physical circuit. In the early days the switching was done by people, later it was automated. But you still had a circuit from phone to phone.
When one side hung up, the circuit is still live. Eventually it timed out and the switch disconnected it, but it took a while (don't remember how long). So you could hang up a phone, walk to a different room and pick up another phone and the same call circuit was still live (as long as the other side didn't also hang up meanwhile).
It's worth noting that many landline phones now allow you to enter a number that you're intending to call, then press the call button, at which point the number is automatically dialed.
If the dial tone is heard at all, it is for a very brief period, and might be entirely missed. This would make the scam you're describing even more readily achieved.
... the autodial feature may well be waiting for dialtone in order to dial. I've not looked into this and you're probably best off testing this yourself on your own equipment.
This was, IIRC, a regional thing based on how the internal network was set up and all the legacy stuff. Half the country experienced this and the other half didn't, so it always causes fun stories like this and expected gotchas from those who are learning it for the first time.
This also exists (existed?) for mobile numbers, and was used by newspapers to 'hack' certain celebrities' voicemail. Including some cases where they deleted existing messages when the mailbox was full, so they could get more.
I thought they just called their phones when they weren't in and used the default voicemail PIN (which most people don't change) to access their messages.
> Even if they called me I wouldn’t use this. Hang up. Call them. Don’t let them call you.
This has become increasingly difficult in my experience. Calling the local branch where I have the actual relationship just dumps me into the IVR. They make it very hard to speak to an actual human being bank employee.
All I can get is callbacks for some places. This is newish. You can call, wait in the queue for 20+ minutes, get routed to voicemail, and leave an option for a callback. That’s it. And the CSRs won’t reveal any semi-secret info to confirm who they are, they just want info to confirm your identity. It is frustrating because “calling them first” for anything billing related has been my go-to for a decade.
The (US) banks I've experienced will give you an "incident number"[1], you can call the number on e.g. your credit card or bank's website and say you have an incident number and you'll be connected to a rep who can pull up the details.
[1]: or something like that, I forget the exact words
My card has an international number which is US +1-(AreaCode)-XXX-XXXX. It used to bypass the IVR and send you directly to the top of the queue to a CSR. Because who has time to putz around the IVR when you're paying .25-.50/min to make an international call. Sadly, because some customers figured it out, it just routes you into the queue.
I have experienced an increase in just flat out hang ups as well. If the automated system doesn't understand you, it'll just say "it looks like we're having a problem, goodbye". It's infuriating.
Could the breach be at an Open Banking service that lets you view and aggregate your bank details such as Emma, Money Dashboard, TrueLayer? Some marketing/voucher companies are also using this sort of integration now such as Airtime Rewards.
This is possible. I had the account linked to a very well known and popular service that is owned by another bank. I don’t want to use names. But “bank transaction ids” were known; I do not know if this is part of the spec. My theory was that some export from bank 1 for openbanking was breached, or bank 2’s import was breached. But the news items are about bank 1. Also, they knew details like the date of account opening, which was different to the date of the first transaction. I was not using openbanking in many places, but I have now turned it off everywhere.
No paper bank statement. No email bank statement. Only qif/csv export. iPhone app only (not web). Fairly sure it was either an inside job and/or openbanking API implementation.
The best advice for dealing with this kind of fraud is knowing that there are exactly three things that can happen in a conversation with the fraud department.
1. "Did you make these purchases?"
2. "Yes" -> "Thanks, bye."
3. "No" -> "Thanks, we're disabling your card, and sending a new one to your address. If your address has changed, please pick it up at the branch."
Any deviation from this is a scammer posing as the fraud department. Any attempt to gather any information from you, besides 'Did you make these purchases?' is a scam.
They know who you are, if they didn't, they wouldn't be calling you.
> IMHO the law should make banks report breaches to the ICO and a record of the nature and size of the breach be public.
The law already says that they should report breaches to the ICO. At a minimum you should report this to the ICO, and if you can you should name the bank, possibly right here in this thread so that others have a chance to find out. It's a throwaway, so why not use it?
This is the golden advice. Never, ever speak to anyone about anything important if they contacted you. Call, text, email, whatever. End it and you contact them.
It doesn’t matter if it’s the bank, power company or telco. Even if HR called me or the CEO. Hang up, call them back. It adds 5 seconds to ensure all is good.
Some make it almost impossible to get past their IVR, which always claims to be able to help you with any issues you might have (as long as the issue is wanting to know your balance and last three transactions).
I did. Ironically, it was almost impossible to get to a human representative to close the account: At one point, the IVR would literally end the call after authenticating me due to "problems with your account" (presumably my pending/stuck account closure request).
Not to large corporations. Have you called one lately?
It's a minimum of five minutes of bartering, begging and pleading with the IVR to let you speak to a human, and even then a successful outcome is anything but guaranteed.
Usually doing what the IVR asks is the slowest path. Confusing it by mumbling nonsense so it thinks it can’t understand or ramming never-ending DTMF tones up its input buffer until it chokes works well. For certain companies and certain departments (usually where my ongoing satisfaction is a concern for the company), I’ve sometimes found yelling repeated expletives at the hold music gets me connected faster. I have nothing to substantiate it, but my conspiracy theory is that there’s a customer rage meter that can be gamed (remember “calls may be recorded for quality assurance“). By contrast, when my call is a pure cost center (e.g. product warranty claims), I’ve found there’s a mandatory hold time to encourage you to hang up.
These are by far the hardest kinds of fraud for banks to deal with right now. They’re so convincing that even when the bank detects them, the customer still demands the transactions go ahead because they’re so bought into the fraudsters. We need this kind of authentication to become normal for everyone for any transaction.
I got a call from Amex fraud prevention and the voicemail explicitly told me to “Call X or the number on the back of your card” which I really appreciated.
Honestly, I’m not sure it matters. They’ve all had such incidents. I read somewhere that about 30% of your fees and mortgage interest go toward fraud mitigation, monitoring, and restitution.
I always live by these rules:
- call them back, don’t talk to them
- ask why you need to do anything. It’s exceedingly rare a bank would call you to do something legit there and then. “I will do it later” will help. In fact that’s how I caught the phisher as I noted the aggravation in 1% of his voice.
- use credit cards, not debit cards, for purchases. They have far more protection.
- use all the 2FA and password complexity you can
- never use real info for challenge questions. Never use your mother’s maiden name etc. You can put “14 green fish” as the answer to the question if you like.
- make sure they are FSCS regulated, and try not to exceed that limit.
- understand FSCS does not cover you for most phishing attempts, since the bank will claim they tried to warn you and were not negligent
- use private tabs for bank interactions
Through this experience I have learned not to trust “what we know about you” information they share. Do not underestimate HUMINT. A bank snitch could give up something as seemingly innocent (to them) as your “join date” and it be a lynchpin piece of info for a scammer.
This may all seem obvious to an HN reader. But it’s worth refreshing and reiterating.
It’s not coincidental. I had a story to tell and didn’t want to use my main account. Monzo is OK and I have a 2nd business account with them. I find it expensive personally, at £5pm, since other banks offer free service and per transaction costs that total less for me. After the phishing attempt I moved to NatWest, of all places.
I also learnt about the police’s Action Fraud hotline to report cybercrime. https://www.actionfraud.police.uk/what-is-action-fraud