Nearly scammed!
 


Posts: 968
Full Member
 

"Always, always hang up and call the bank (or whatever) back. And do it on a different phone, and don’t use the number they have given you, or that shows up on your phone. Check it elsewhere first."

Is this only a problem on the older 12V phone system?

More to the point, is this a problem on the new DV (ie via your smarthub and over the internet)?


 
Posted : 19/02/2024 11:37 am
Posts: 9394
Full Member
 

And that’s how they get you, because you think you’re too smart to fall for any scams.

I think a lot of successful scams also rely on coincidence. I nearly fell for a HBOS Business Banking scam a while ago, the coincidence was that I was at that time being set up as a second signatory for HBOS Business account for a charity. The scammers didn't know this, but I was expecting communication from HBOS. Pretty sure it was a complete coincidence. It's enough for you to just relax your guard.

This is why you see so many Royal Mail missed delivery scams around Christmas, as everyone is expecting Royal Mail deliveries.


 
Posted : 19/02/2024 12:01 pm
Posts: 8416
Free Member
Topic starter
 

I think a lot of successful scams also rely on coincidence.

You're right.

In my case I had had a few annoying niggles with this new bank account. The support was poor and frustrating.

I was starting to think I had made a poor choice and was considering closing it and going somewhere else.

When the call came in, I was just starting to think that their system was poor and basically flawed.

I even said so to the caller.


 
Posted : 19/02/2024 12:13 pm
Posts: 3539
Full Member
 

I work in IT, and consider myself pretty tech-savvy. I work for an IT security company and I regularly receive training to specifically look out for these types of scams. Despite this I was almost caught out last year too - either I'm gullible, or the scammers are getting very good (no need to comment 😀 )

These are my notes from it in case it helps anyone, there are similarities to the OP's experience;

If you're interested, or in case it helps you in a similar situation, the full details are below;

- Mobile rang about 6:45pm, bloke says he's Derek Robins from Halifax Card Fraud team
- He asks if I'm <my full name>, I confirm that I am
- He tells me my Halifax card has been blocked as they've detected suspicious transactions
--- At this point I'm suspicious and almost say I'll call the bank directly, but he hasn't asked for any details yet so I let him carry on
- I then receive a text from 0345 944 4555 saying my Mastercard ending in wxyz has been temporarily blocked
--- There's then another text from that number confirming his name and giving me a case reference number
- He asks if I've made any large purchases from Scan Computers or Apple, or whether I've used my card in Southampton recently, I confirm that I haven't
--- I then get another text from 0345 confirming that all mentioned transactions have been marked as fraudulent
- I can't fully recall the next part, but I'm 99% certain I didn't give him any details that he didn't already have (although I prob confirmed bits he wasn't certain about)
- He told me I'd get another text letting me know that I'd need to confirm recent activity, I did but this one came from a different number that my phone auto-resolved to "Halifax", but I didn't have to do anything with it
- He said there'd be another text asking me to confirm (Yes or No) a purchase from Scan Computers, but I mustn't respond to it. This came from a 3rd number (07401 260953), I didn't respond, but there was a quick follow up text implying I had confirmed it. When I mentioned that he said it was normal (alarm bells were starting to tinkle)
- He then said I'd get another text with a 6 digit code (this also came through on the "Halifax" number), he needed me to give him that so he could block all further transactions. This made no sense, surely the bank can block whatever they want. This was the first point that he'd asked me to give him any info he didn't already have (alarm bells were ringing louder)
- I asked him to clarify why he needed that number, he gave some waffle that was reasonably convincing but at that point I said I was going to hang up and call the bank directly
- He was perfectly calm and professional about it (as he had been all the way through), he made a slight attempt to get me to give him the number but wasn't pushy.
- I was prob on the phone to him for 10mins in total
- I then rang Halifax banking, they confirmed the card wasn't blocked, and that there'd been a refused purchase from Scan Computers, but weren't able to help much further. They gave me the number for their fraud team.
- Rang fraud team, who were absolutely amazing. Properly professional, no time on hold, knew what they were talking about, dealt with everything with minimal fuss, didn't try to rush me off the phone, offered tips and advice for future. 10 out of 10!
- Told me;
--- The 0345 number is a genuine Halifax number, but not the fraud dept, so he was spoofing it in some way
--- They only give out their first names to avoid becoming targets themselves, so the surname is a red flag
--- The Private number would have been the scammer's own, but the 07401 is a Halifax thing
--- Not quite sure what the 6 digit number was (presumably 2FA of some kind) but if I'd given him it would have opened a world of pain
- My card is now blocked, new one on its way


 
Posted : 19/02/2024 12:19 pm
Posts: 8416
Free Member
Topic starter
 

^That is very sophisticated.

It must take some time and effort to set that up.

I wonder if they have a way of selecting targets or is it just opportune and random?

I mean if you go through all that effort and you hack someone with £150 in their account, it's hardly worth it is it?

Also, if you had been scammed, then would it have been Halifax's fault, as their phone system had been compromised?


 
Posted : 19/02/2024 1:29 pm
Posts: 20666
Full Member
 

Also, if you had been scammed, then would it have been Halifax’s fault, as their phone system had been compromised?

It's not been compromised - the scammer isn't "in" their phone system, they're spoofing it.

https://www.ofcom.org.uk/phones-telecoms-and-internet/advice-for-consumers/scams/phone-spoof-scam


 
Posted : 19/02/2024 1:38 pm
Posts: 78487
Full Member
 

Not quite sure what the 6 digit number was (presumably 2FA of some kind)

Almost certainly.


 
Posted : 19/02/2024 2:19 pm
Posts: 3539
Full Member
 

Not quite sure what the 6 digit number was (presumably 2FA of some kind)
Almost certainly

Yes, but it's not a 2FA that I have set up. Presumably it's something Halifax send to get confirmation that you're who you say you are, but how it's triggered isn't clear to me. I'm often asked to open my banking app to confirm a large purchase, I guess there may be an "I don't have my app available" option which sends a text instead.


 
Posted : 19/02/2024 2:33 pm
Posts: 78487
Full Member
 

I think a lot of successful scams also rely on coincidence.

Yeah, and it's particularly dangerous.

I got caught out by a phishing test at work. We'd had an internal email warning us to expect a login request from a third party for a new system. We then got a link emailed, I didn't really read it properly as I was talking with someone and so clicked through, onto a phishing landing page.

Personally I think it was a dirty stunt to pull, it's essentially entrapment. But the mantra I tell everyone else is always "was I expecting this?" and in this case, yes, I was expecting something like it so that didn't work.

There are a couple of points to take away from it though. A moment's inattention on a real scam email that coincidentally ties into some other aspect of your life and, well, boom. I get them all the time for things like "your iTunes account has been suspended" - I don't have an iTunes account so it's clearly a scam, but a heck of a lot of people do and a percentage of them are likely to be having issues with their account at a given moment.


 
Posted : 19/02/2024 3:29 pm
Posts: 20666
Full Member
 

I get them all the time for things like “your iTunes account has been suspended” – I don’t have an iTunes account so it’s clearly a scam, but a heck of a lot of people do and a percentage of them are likely to be having issues with their account at a given moment.

Yep, I've had them for "your Santander account..." and a couple of others.
Older folk are particularly vulnerable to this sort of thing as everything has transitioned so quickly to apps and online.


 
Posted : 19/02/2024 4:24 pm
Posts: 482
Full Member
 

I got caught out by a phishing test at work. We’d had an internal email warning us to expect a login request from a third party for a new system. We then got a link emailed, I didn’t really read it properly as I was talking with someone and so clicked through, onto a phishing landing page.

We had the Phishing test at work. Problem is I quite often open them just to see what URL comes up as the scam site never has the correct URL or has something close to it but generally has some small add-on to make it look close.

Anyway I opened the test email to check the sender email and then got the email saying I could have compromised us. I agree though, it's entrapment.


 
Posted : 19/02/2024 5:45 pm
 kcal
Posts: 5450
Full Member
 

I was kind of scammed last year (a couple of years).

In my defence I'd taken the call after about 4 hours' sleep, having just got back from holiday. I confirmed a few things, they asked if I had other accounts, and kind of left it at that. I started to get a bit concerned and cagey near the end, and ended the call. Called my bank, no it wasn't them and they gave me a ticking off ("everyone thinks they're savvy, SIR").

Nothing really came out of it which was a bit weird.


 
Posted : 19/02/2024 6:16 pm
Posts: 78487
Full Member
 

“everyone thinks they’re savvy, SIR”

Everyone is savvy right up until they aren't. Like I said on the previous page, these are professional scammers, not some 12-year-old in his bedroom.


 
Posted : 19/02/2024 7:23 pm
 MSP
Posts: 15842
Free Member
 

A moment’s inattention on a real scam email that coincidentally ties into some other aspect of your life and, well, boom. I get them all the time for things like “your iTunes account has been suspended” – I don’t have an iTunes account so it’s clearly a scam, but a heck of a lot of people do and a percentage of them are likely to be having issues with their account at a given moment.

And one of the big problems with this is banks and companies are still sending out official emails with links in to log into accounts, they are training their customers to respond to phishing emails.


 
Posted : 19/02/2024 7:36 pm
Posts: 78487
Full Member
 

Oh yeah. I've had legit calls from the bank, "can you confirm your identity?" You rang me, dickhead, I know who I am. Who the hell are you?

To be fair they were quick not to argue when I refused and asked me to call them back on the number on my card. Though that really rather should have been what they asked me to do in the first place.

I asked if there was some way they could put a note on my account with a password they could give to me as way of legitimising an unexpected call and got "computer says no."

I don't know but I rather suspect that if we knew what most banks' infrastructure looks like we'd be very concerned. I was discussing this elsewhere on the Internet earlier today. "You must choose a password using characters from these groups" - why? You're artificially restricting my password entropy for reasons that shouldn't really have existed 20 years ago. I have lists of compromised passwords running to billions and whilst I (obviously!) haven't read them all I don't recall ever seeing the copyright symbol, letters with diacritics... Foreign language wordlists exist of course, but no hacker in their right mind is going to be using them to attack a .co.uk account.


 
Posted : 19/02/2024 7:56 pm
Posts: 1733
Full Member
 

And one of the big problems with this is banks and companies are still sending out official emails with links in to log into accounts, they are training their customers to respond to phishing emails.

I've had some from Network Rail asking me to click a link to authenticate my log in. I'm a registered user on some of their software but it's an unsolicited email asking me to click a link that otherwise screams phishing. It's a minefield.

As for older folks being left behind, the rapid switch to digital is leaving many many more behind than just the old. A lot of the safety critical paperwork on the railway is now digital. Great for the office but for many on site it's a nightmare that they can't suss out. A lot of the guys are there because they can't hack 'office work' (I paraphrase).


 
Posted : 19/02/2024 8:24 pm
Posts: 883
Free Member
 

I got caught out a couple of years ago, phone rang, 0800 number - I quickly googled it and saw my bank listed under that number. Of course I now know there are number-spoofing apps for that.

Asked a bunch of questions, knew some dets about me and my account. Questioning went on a while and then call came to an end, without getting anything out of me, maybe the scammer lost their bottle or was a trainee.

Only realised next time I spoke to my bank and I mentioned the call I had from their fraud department. Every call is on their system so the guy instantly knew it was attempted fraud.


 
Posted : 19/02/2024 9:29 pm