Mobile phone fraud: 'They stole £22,500 using my banking app'

That’s a fair and reasonable position!

I suppose the top tips are:

  1. Never, ever, entertain an unsolicited phone call from “the bank”, “your bank”, “the police” or anybody other than an individual already known and trusted. Be aware that Caller ID can be spoofed so even if the number looks correct, it doesn’t mean it is the bank calling.

  2. Be suspicious of strangely worded or unsolicited letters. Many people assume that fraud does not happen through the post, but it can.

  3. If in doubt, always call the bank from a known phone number (printed on a card, statement or other official document) to discuss something strange with them before taking any action. Never be afraid to hang up on a suspicious call, as a real bank employee would not be offended if you wanted to call back through a known number.

  4. Be aware of the 159 anti-scam line. This is a good fallback if you feel suspicious of something and want to talk to someone trusted, for almost any bank.

  5. No bank will ever want you to install remote access software or ask you to move money to a “safe account”. This is a scam. Hang up immediately. Also make sure the line is fully disconnected.

  6. If they know some of your information, it doesn’t mean they are genuine. Scammers may have stolen personal data from various sources.

  7. If online banking, do so on a trusted personal device, with up-to-date software, on a trusted Wifi network protected with (at least) WPA2 or WPA3 security. If you absolutely must use public Wifi, use a VPN.

  8. Keep your phone as secure as possible, if mobile banking. Install all software updates, ensure you are using a trusted Wifi network or mobile data, and configure the phone to be as secure as you can. Make the auto-lock period short, only register your own biometrics to the device, and do not share passcodes or make them easily guessable. Configure settings such as notifications to only show contents when unlocked.

  9. Be aware of sharing too much on social media. Set your privacy settings so that personal data, such as your exact birthday, is only visible to “real” friends who you know and trust.

  10. Fraud can happen to anyone, at any time. There is no shame in being targeted. Be aware that fraud also happens where the victim is known to the perpetrator, so do not be naive to this.

4 Likes

Forget about banks - no legit transfer of money from anyone will ever need this. Never install any software on instruction from anybody who has called you, and think very carefully about doing it when advised to under any circumstances.

1 Like

That’s true!

That “top ten” was only quite literally off the top of my head, but that’s a better phrasing than the way I’ve put it.

Just been made aware on the Monzo community that Chase will let you opt out of confirmation of payee (so other people can’t check your details against sort code and account number combinations). I’d recommend doing this too. Confirmation of payee is inherently flawed and causes far more problems than it solves IMO.

1 Like

All banks allow you to opt-out of confirmation of payee, as far as I’m aware. It’s designed to protect politically-exposed persons, etc.

I do agree with you that confirmation of payee is a bit dangerous in that it can be used to “expose” your full real name. It uses some fuzzy matching to strike a balance between protecting your identity and allowing for matches, but this is not completely safe.

However, I haven’t personally switched it off as I have too many accounts and make too many regular transfers “to myself” - and banks really throw up obstacles if you attempt to send large amounts to accounts that don’t have a CoP match. I really don’t want to spend my life on the phone to fraud teams!

However, personally I protect myself by very rarely giving out any of my account details, so most people would have no idea what they were anyway.

2 Likes

I love Confirmation of Payee for the reason Seb outlined. Gives me confidence I haven’t miskeyed (although of course I do check still, I feel more confident after getting a tick).

The sort of fraud you describe would need to be done through a bank and be audited, right? One can’t simply spam an endpoint to find a matching account number for a name?

1 Like

I think what was being alluded to was some kind of data breach/hack where you had access to a dataset which included bank details and customer data, which Confirmation of Payee would inadvertently allow you to validate?

A niche concern, but a very real possibility.

I agree, it pretty much removes the need for “test transfers” really, which is good, and it does give added confidence. I do like having it, but it’s a slight risk.

It’s akin to having your telephone number able to be “checked” by directory services, instead of being completely ex-directory. A bit of a trade-off between security and convenience, as with everything.

For the record, I don’t have any of my numbers in a telephone directory and have registered them all with the Telephone Preference Service.

2 Likes

I assume that sooner or later I’m going to get an account number wrong so only send £1 each way to check that I’ve got it right. Seems that doing this then following up with a larger sum triggers the Lloyds fraud team so a long chat with them on Saturday to explain that the accounts on both sides of the transfer are really me.

I feel like that’s a pretty normal use case, I always make sure to send a token payment to see the money get from one end to the other.

1 Like

It is, but it’s also right out of the fraudster’s playbook so I’m not surprised it trips up a bank’s fraud detection algorithm.

1 Like

Yeah, an unexpected £1 turning up has been mentioned in one of the Monzo threads.

I don’t really know what you can do to avoid the fraud team if a very sensible thing like sending £1 is going to trip their alerts. However, since I just know that the time that I went ahead and sent £1000 would be the time that I’d get the account number wrong, I think I’ll stick with the £1 and chat option.

I am still lucky this has not yet triggered the Lloyds and Chase fraud systems. My £1 test amounts usually go in late in the night past midnight and have not yet had issues.

1 Like

Good to know. I will try late night in future.

It may appear out of your normal usage behaviour and still trip them. Most of my manual purchases and transfers occur late night, so it could appear more “normal” behaviour for me than you.

The Lloyds account is only days old so no behaviour for them to work with.

I have been quite surprised that I haven’t had any chats with Chase’s fraud people as I bounce money into the TSB accounts for me, the OH and both little guys each month for the bonuses.

I’ve just caught up with this thread and in almost all fraud the issue is the human not the tech.

Also, many of these people seem fairly blasé with moving large chunks of cash on the basis of fake bank officials, police etc.

A fool and his money are soon parted.

Does that make me clever, frugal, or tight, I wonder :thinking::joy::joy:

I’d claim all three, if I were you. :blush: