> But he said he still feels like a chump for not observing the golden rule: If someone calls saying they’re from your bank, just hang up and call them back — ideally using a phone number that came from the bank’s Web site or from the back of your payment card. As it happened, Mitch only followed half of that advice.
Banks could normalize this behavior by having their customer service reps ask customers to do this at the beginning of every call.
"Hi, this is <csr> calling from <bank>. We'd like to talk to you about <subject>. To assure you that this is not a fraudulent call, please look up the phone number for this bank and call us back. Thank you."
> "Hi, this is <csr> calling from <bank>. We'd like to talk to you about <subject>. To assure you that this is not a fraudulent call, please look up the phone number for this bank and call us back. Thank you."
This would be great as long as your call back was recognized and immediately routed to the right person instead of being placed on infinite hold, as is usually the case when you call a bank's or credit card company's number.
I've had this happen. When the fraud department for my credit card company called and I said I wanted to call them back to verify, they gave me a code to enter after I called to go straight back to the agent. It was great.
I recall the same happening. Capital One, I believe.
I really, really thought it was fraud at first until they basically said "yep, go for it, use the number on the back of your card then give us this code".
>as long as your call back was recognized and immediately routed to the right person
It would be great if more companies had this functionality. It would also be useful in the situations where you get disconnected while talking with someone.
> It would also be useful in the situations where you get disconnected while talking with someone.
Most call centres want you off the phone as soon as possible, regardless of whether the problem is solved or not. Making it easy for you to call them isn't in their best interests.
Basically, I'd prefer if the PBXes used by these companies providing support did the equivalent of storing short-term 'cookies' that remember you had just called rather than requiring remembering and re-entering 'share URLs'.
This is especially important now: I just had a credit card company send me a query about a fraud alert. After confirming that it was fraudulent, it tells me to call the 800 number but that now says that you should use the website for anything which isn't COVID-19 related due to very high call volume.
Yes, going to exactly the same person is not always required (depends on how good their customer notes are--in my experience there's quite a bit of variability there).
Going to the right department immediately instead of being placed on infinite hold like someone who just randomly called in is required for something like this to work.
When the police called me they did exactly this but added their extension. This way I could verify that the number belongs to my local police department but still called his number directly.
For CSR, they could use one time extensions so that the service rep doesn't get spammed at later times.
Good idea. Plus, they could trivially implement this, no? The main phone number's first prompt could be, "If you were told to call this number, please enter the 8-digit code you were given at the prompt."
It's just a matter of the company prioritizing that feature. If they think that improved handling of identity fraud will save them money, they will prioritize it.
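The one-time callback-code scheme described in the comments above (a CSR gives the customer a short code, the customer dials the number printed on the card, and the IVR routes the code straight to the agent) is simple enough to sketch. The following is an added illustration, not code from any bank or PBX vendor: the eight-digit length, the 15-minute lifetime and the `agent_extension` field are assumptions.

```python
import hashlib
import hmac
import secrets
import time
from typing import Dict, Optional

# Assumed parameters for this illustration: 8-digit codes (as suggested in the
# thread) that stay valid for 15 minutes, long enough to find the card and dial.
CODE_DIGITS = 8
DEFAULT_TTL_SECONDS = 15 * 60


class CallbackCodeStore:
    """IVR-side store of single-use callback codes bound to an open case.

    A CSR issues a code during the outbound call. When the customer calls the
    published number and enters the code at the first prompt, the PBX looks it
    up and routes the call to the agent's extension instead of the general queue.
    """

    def __init__(self, server_secret: bytes):
        # Codes are stored only as keyed hashes, so a leaked table cannot be
        # replayed against the IVR by whoever obtains it.
        self._secret = server_secret
        self._codes: Dict[str, dict] = {}

    def _digest(self, code: str) -> str:
        return hmac.new(self._secret, code.encode(), hashlib.sha256).hexdigest()

    def issue(self, case_id: str, agent_extension: str,
              now: Optional[float] = None, ttl: int = DEFAULT_TTL_SECONDS) -> str:
        """Create a fresh, unpredictable code and return it for the CSR to read out."""
        now = time.time() if now is None else now
        while True:
            # secrets, not random: a guessable code would let a caller hop the queue
            code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
            key = self._digest(code)
            if key not in self._codes:      # avoid clobbering a live code
                break
        self._codes[key] = {
            "case_id": case_id,
            "agent_extension": agent_extension,
            "expires_at": now + ttl,
            "used": False,
        }
        return code

    def redeem(self, entered: str, now: Optional[float] = None) -> Optional[dict]:
        """Return routing info for a valid code, or None to fall back to the main queue.

        Unknown, expired and already-used codes are all treated the same way so
        the prompt leaks nothing about which codes exist.
        """
        now = time.time() if now is None else now
        entry = self._codes.get(self._digest(entered.strip()))
        if entry is None or entry["used"] or now > entry["expires_at"]:
            return None
        entry["used"] = True                # one-time: the extension is never exposed twice
        return {"case_id": entry["case_id"], "agent_extension": entry["agent_extension"]}


if __name__ == "__main__":
    # Constructed walk-through: issue during the outbound call, redeem on callback.
    store = CallbackCodeStore(secrets.token_bytes(32))
    code = store.issue("FRAUD-CASE-0001", "4321")   # hypothetical case id and extension
    print("CSR reads out:", code)
    print("Callback routes to:", store.redeem(code))
    print("Replay attempt:", store.redeem(code))     # None: already used
```

Routing on `None` should send the caller to the ordinary queue rather than reject the call, since a mistyped code is far more common than an attack; the point of the single-use and expiry checks is that a code overheard or phished later is worthless.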
Used to be the case with certain CC companies that after they put a note/status in my account, any call I made to the main line would immediately route me to their security/fraud department once I entered my abbreviated auth details (last 4 of card# + zip or somesuch).
I wish the regulators for financial institutions would mandate this. One of the reasons I left, years ago, the much-beloved-for-reasons-I-do-not-understand Pacific Northwest darling credit union BECU is because I got griped at by their customer service rep who called me to ostensibly tell me about fraud on my credit card. When the rep asked me "identity verification" questions, they got most upset when I replied that they should have this information and how do I know I'm actually talking to BECU.
"Sir, I'm just trying to help prevent fraud on your account and I need to know that it's actually you who answered the phone."
(Yes, there legitimately was fraud but I had no way to know it at the time. I closed the account about a month later after another issue.)
I recently missed a bill due to an error on behalf of my utility company. It ended up at a debt collector, who when calling me insisted I share my date of birth, address and full name before they'd tell me what the call was regarding. I refused, they got mad and acted as if I was trying to avoid paying the bill. I assumed the call was fraud.
I found it was in fact not fraud when my credit monitoring service informed me that someone reported I refused to pay a bill. One call to the utility company later, it was resolved... unfortunately I'm still trying to fix the credit report.
If anyone else runs into this, I've heard that you can say you'll pay only if they remove their claim from your credit report. Supposedly it's not legal for them to offer (I guess extortion), but as far as I know, it's legal for you to ask.
It sounds like that option has passed for the parent comment, but you did just try disputing it right? Force them to come up with the proof.
Presently in dispute, no outcome yet. I didn't actually know it was going to hit my record as I paid through the service provider and no one threatened that. As someone that's never not paid a bill, I guess I just needed to learn this lesson.
Did they mail you anything in writing? Not that a letter is worth anything by itself, but if it's asking you for a debt you recognise and asks to call a number that does indeed map back to a debt collection agency (on Google, etc) it's probably legit.
I am not sure whether it's even legal for them to mark you as refusing to pay without making a formal payment demand by mail.
Hospitals are even worse. They would periodically call me with random information about appointments or prescriptions and whatnot and would always start off by asking me my birth date and PII to identify myself to them! They're the ones calling me!
I told them as much and after a few years they finally started sending me secure emails asking me to call them. Certainly I wouldn't trust "call back at..." messages claiming to be from a medical provider, even though they're indistinguishable from the real thing because that's the same thing the doctor's office does. It's bizarre considering how security conscious they have to be.
I got a credit card fraud alert sms text once that asked me to call a number that was different than the phone number on my credit card. I called the card number instead and the alert was legit but they still should have used an easily verified phone number.
A favourite trick in the UK is for scammers to stay on the line when you hang up, and play simulated noises for a dial tone and connection, then pretend to be your bank when you call the number on your card.
A trick I learned to deal with this very thing was just to attempt to call the local time/weather number after getting my dial tone back.
That said, with far-side supervision, I suspect that the call would actually time out after something like 20-30 seconds of either party hanging up. I'd just make it a habit to go put the kettle on and make some tea before placing another call.
If the call doesn't time out, well, it's time to ask BT some hard questions as to why they're allowing that sort of nuisance on their telephone network. AT&T managed to get rid of it here just fine.
> A favourite trick in the UK is for scammers to stay on the line when you hang up, and play simulated noises for a dial tone and connection, then pretend to be your bank when you call the number on your card.
Sure, but that only works for landlines. Is this still a common thing in the UK?
Most broadband "landlines" are not a real BT landline but instead one simulated by your broadband router (it's SIP on the other end). With SIP, once either you hang up or the other side hangs up the session is terminated and there is no way to recover it.
As far as I'm aware BT still have normal landlines to most areas - the phones are separate from the router, they don't go through it first and even support old pulse dial phones.
The United Kingdom phone system has what is called "far-end supervision" where the circuit-switched landline system will only disconnect the call from the receiving caller if the phone where the call originated hangs up.
This trick only works if the receiving caller is on a landline. It will not work on mobile phones.
It should disconnect eventually. And the timeframe for "eventually" has been changed in recent years.
Originally there was a grace period because of pulse dialling. Each "pulse" is actually a hangup - so the system had to tolerate that hangup != disconnect. But the grace period was far too long, and eventually end-users adopted it as a feature - if you wanted to take this on your bedroom phone instead of your hallway phone, you could hang up the phone, go up stairs, and pick up the bedroom phone.
So now we have two problems. One is that the bug has been adopted as a feature. The other is that precisely because of 999/e911 systems, the phone system is incredibly backwards compatible. Most exchanges still support pulse-dialling - it's never dropped intentionally (some exchanges don't, because they're too modernized. But it's not a conscious "let's turn this off now" thing.)
There has been a move in recent years to reduce the grace period, precisely because of this abuse. But until it's dropped short enough to be a non-issue, my advice for anyone who thinks a call is suspect, is to call the talking clock (123 in the UK). It is a paid service, but I don't like bothering the operator for such things. But if you call 123, and reach your bank, you know summat's up.
> my advice for anyone who thinks a call is suspect, is to call the talking clock (123 in the UK). [...] But if you call 123, and reach your bank, you know summat's up.
No no no no no.
Hang up and use another phone. End of. Any advice that you call another number first or whatnot is bad advice. If such advice got widespread, what would scammers do?
Obviously, they would have a DTMF decoder on the other end and they would patch the call through to the number you called. These are sophisticated people who send fake security officers to people's houses to "pick up the compromised card". Call forwarding is trivial.
Good that the UK is moving away from this "feature".
(I still remember that to take a call on another phone, you could just leave the receiver up on the phone you took the call on, provided you're not too lazy to hang it up later).
Only some phone systems in the western part of the US had far-end supervision, so far as I am aware. (This is why movies and TV shows from in and around Hollywood show conversations where the caller hangs up and the callee hears a dial-tone. The phone systems in most of California had only far-end supervision. Tom Scott has a good video on this[0].)
Most of the US uses either near-end, where the recipient hanging up will end the call, or both-end supervision, on POTS/landline systems.
0 - https://www.youtube.com/watch?v=bUIiUXvnkUQ - This video was filmed at the excellent Museum of Telecommunications in Seattle, located in a CenturyLink switching office. When travel is available again, I encourage all phone geeks to come here and check it out.
It only works in the UK where the phone call only ends after both sides hang up. The idea is you can hang up, go to a different room and resume the conversation. The result is that this fraud is possible.
Definitely used to be the case in Canada. The caller had to hang up: if the receiver hung up it took a (something like 20 second) timeout before the call would terminate. We used to use that to move to another extension in our house.
Note to kids: we used to have our phones anchored to the wall with these coiled ropes so you couldn't walk away with them. To counter that, we had multiple phones in various rooms of the house. They also made the phones so big they wouldn't fit in your pocket as another way to prevent stealing them. They didn't have screens because the vacuum tubes drew too much current and they would get too hot when pressed to your ear.
In Sweden both sides had to hang up, not sure how it is now. My mother used it for kids prank calling. She just left it open until the parents came home and wanted to call, then she explained that their kid had been prank calling us.
Most seniors I know have a mobile phone. How else would they be able to show off pictures of their grandkids? Also, that's how hearing aids work these days.
In the UK landlines almost always start with 01 or 02 so it's easy to identify who is using a landline. You can also go through the phone book (which only lists landlines) looking for "elderly" names. People who don't bother / know how to opt out of the phone book are probably easier targets as well.
Not both parties, the caller. And there's a timeout which these days is set to about 2 seconds. Here's the BT Openreach (the last mile provider and thus de facto the supplier of landline telephone service to almost all of the UK) write-up for when it was reduced to 10 seconds in 2014.
That would be preferable. I had a call from my bank once that went like this.
> CS: Hello, this is X from Y Bank. Is this Z?
> ME: Yes, this is Z.
> CS: Z, can you confirm your last 4 digits of your social security number so I can confirm who I am speaking to?
> ME: Uh... How do I know you're the bank? I can't just tell any person who calls that information.
> CS: Z, we are from your bank, Y Bank. Please provide the last 4 digits of your social.
> ME: There has to be another way to do this, right?
> CS: Please hold... (puts me on hold for 30 seconds)
> CS: Hi Z, I'm back. Can you look up our phone number on Google and give us a call back and ask for me by name, X?
> ME: Sounds good.
It was them. I got quickly reconnected to the same woman. I'm still concerned that the norm should be something closer to what you commented, even if it adds friction and will probably result in lazier people not calling back for something important. It's better to normalize this than allow for the alternative, which is to normalize people telling random strangers their sensitive, personal information.
Any time this topic comes up, I immediately worry about my parents and grandparents falling for this sort of thing if real scammers are out there trying. I realize the last four digits of my social security number are not as great as the whole thing, but as far as I know, it's enough to be dangerous.
In Sweden the whole personal number is public information. Anyone can just call the tax department and get it without any questions asked. Still some use it as proof that you are you...
Just yesterday there was an article on HN about a guy who was called by someone from the NSA who gave him detailed instructions on how to get back to him through publicly available information like 411.
Used to offer this when working on fraud in <a Big Corp>, but had to give them my name so the main number switchboard could route the call. Very few people did, but those that did appreciated it. Only costs you a few minutes while they find the old-time printed phone book, look up <a Big Corp> and call back.
What about if that puts you into an hour long phone queue where the person who you eventually get through to has trouble helping you with what the initial call was about?
A few years ago I got a call from Revenue Canada and around the same time it was extremely popular for scammers to pose as Revenue Canada agents. So immediately I just assumed it was a scam and got extremely annoyed and angry at the person... turns out it was a real Revenue Canada agent and I had somehow forgotten to submit my taxes a few years back...
Ha ha, same here, but I got a call from an FBI agent. I had lost money to someone and 2-3 years later he got caught in some other sting and they wanted me to be another witness since they found my name in his books. For me somehow the connection clicked as soon as the agent mentioned the name of the company (but not when he said I am calling from the FBI). I even got a login to, I think, an FBI website to keep updated on the status. Unfortunately after communication every few months, they decided to not pursue the case, after maybe 2-3 years of elapsed time.
Or, you know, send a letter or e-mail. Not that e-mails are secure per definition, but services like gmail spend a lot of time and effort on detecting and blocking spam and scams.
Why not use reverse verbal passwords (i.e. have the bank give you a secret phrase)? That should eliminate a large amount of issues without the need for a call back.
That can still be gamed by any malicious SEO wizard. People will trust the top Google hit for "bank of america phone number" before they bother with finding it on the website.
Suspicious activity. Suddenly using your card in the UK, when you're in the US. "Swipes" several hundred miles from your normal ___location, but also occurring in your normal ___location on the same day.
Ah, I never use my real card on the net, maybe that's why. I used to get a virtual card unique for every purchase but that has been discontinued now. Got a separate card for online usage that I only put money on when I want to buy something. Also needs to be opened up for Internet usage and many places require an electronic signature with the bank id app. Hoping this will be mandatory soon.
But numbers can change (lapses of mergers), is website would be best as card info can become stale over time —and enterprising outfits could scoop up that number.
They could, but I just tried calling the numbers on the back of two cards from merged/acquired banks and they both forwarded to the acquiring bank. Yes it's a small sample size, but I suspect that there's enough money on the line and enough legacy contracts and systems that banks keep their communication channels active for some time.
> But numbers can change (lapses of mergers), is website would be best as card info can become stale over time —and enterprising outfits could scoop up that number.
How long are bank cards valid? I'd say they expire within 5 years? Also, if there is a merger, wouldn't they send you a new card with updated branding?
Credit cards typically expire after some number of years, and mergers will typically include those phone numbers. If for some reason the acquiring company decides it wants to sunset its acquired phone numbers, it just needs to do so after the expiration date for the last card issued with that number still printed.
I wouldn't call it worse. Google Maps entries seem to receive less scrutiny than search results, but I also suspect that nobody uses it as a phonebook. Most people would use Google search, or the back of their card.
How is a random fraudster going to suddenly get the top Google result for "Bank of America phone number"?
I'm sure it's possible, but it strikes me as a pretty large hurdle. And even if they manage to pull it off, they also need no one from the bank to notice and report it.
One gets a call from the bank, they give you a number to ring, you type the number in to Google search, the results come back listing that number and the bank's name -- identity confirmed!?!
The fraudsters just need _a_ website listed by Google.
My insurer called me out of the blue: I said I'd call back. Their number was not listed on any of the companies websites. I called the company, and said what has happened, took them about 10 minutes to confirm they'd called me and that the phone number I was called on was valid.
As it happened someone was trying to commit insurance fraud, saying we'd crashed in to them; but that's by-the-by (ie not relevant to the main story).
You don't need your site to be #1, especially if you can manipulate one that is already high-ranking-- just astroturf GetHuman with fraudulent numbers.
But I admit-- having just done a search for every institution I could think of, it seems Google AMP has done a lot to promote legitimate numbers. It used to be sites like GetHuman competing with or outranking the actual company website for contact information.
Should be solvable by making sure there's an easy, reliable, uniform way to get this info within the call.
> "Hello. Please find the callback number on boa.com/contact. Please enter code XYZ to be connected directly to the agent regarding this matter. Thank you & goodbye."
It's not perfect & you'll still have some percentage of fraud that goes through, but I'd be interested to see the impact this has on fraud rates.
* EDIT: Callback number via the card as the other commenter noted probably works too.
For people that can't afford a new phone every year with a contract: you can buy cheap button-phones and get a phone card that costs you money every time you call but is free while you don't call.