When banks call to verify your details how do you know the call is legitimate?

15 pointsblurr1y ago37 comments

I got a call from my bank claiming that they're discontinuing physical credit card statements and asking for my email to send statements via email. Then they proceeded to also ask for my date of birth and home address to "verify details" after making the unsolicited call. It felt off but the call came from within the bank. When I said I don't want to give the information over this call, they implied that I'll be inconveniencing myself and will have to go to a physical branch to verify my details and be able to receive credit card statements via email.

If the bank is actually initiating this, they shouldn’t be asking for personal info like DoB or home address over unsolicited calls. To the person receiving the call, it sounds like a phishing or social engineering attempt.

My assumption is that the bank's process is flawed and this wasn't a phishing attack. Can anyone recommend what best practices banks can follow to ensure safety for both customers and banks in such cases?

37 comments

dv_dt1y ago

For info exchanges like this, you should always insist on calling them back at a number listed on their card or website.

If they cannot do that then its a scam or you should change banks

blurrOP1y ago

Yes, I asked the caller to give me a bank number to call back, to which she replied that they don't have a dedicated line for that purpose (???) and that I had to physically go to a bank to get it done. I'll be changing banks for sure :/

pwg1y ago

> Yes, I asked the caller to give me a bank number to call back

Don't do this either. If the caller was a scammer, they can give you a number that would call them back, and now they have you "hooked" because you think you've called your bank, when you really called the scammer back.

Call them back on a number printed on your statements or a number you retrieve, independent of this caller, from the bank's website.

2 more replies

creamyhorror1y ago

What country is this? It doesn't sound like a banking sector with mature security practices. Major banks in developed markets should have tightened their customer workflows by now.

GianFabien1y ago

I treat all unsolicited calls asking for personal information as scams.

Scammers can spoof calling numbers to make it look like it came from your bank. Basically everything they say on the call should be treated as being fraudulent. The scripts have been tailored to use a variety psychological tricks to fool you.

Terr_1y ago

Yeah: Any legitimate institutions will have no problem giving you information (like an extension-code) that you can use to re-contact them back via official channels. (This does depend on not being tricked by going to a fake website with fake contact-info, of course.)

Anyone who threatens you with fines/arrest/whatever for ending the call early is a scammer.

trod1231y ago

This isn't necessarily true.

For example Equifax's TheWorkNumber won't do this (companies that don't do background references/verification of employment use this service), and their representatives and processes seem to follow similar practices employed by scammers.

TowerTall1y ago

A bank will never call you regarding this. They will send you a letter asking you to call them. In my case when the bank want to get in contact with me they send me a message through their online banking app.

bcrl1y ago

My bank now sends alerts and verification codes via SMS. SMS should be assumed to be completely compromised given that it runs over SS7. 2FA using SMS is worse than an uncompromised password. I am disappointed that more and more banks and websites forcibly allow password recovery using nothing but SMS, but it seems like I'm just tilting at windmills.

blurrOP1y ago

It's quite possible that they do this for their online customers— it's a reputed bank here. I'm just using the bank's credit card and don't have a bank account with them, so I don't have access to their banking app.

JojoFatsani1y ago

That seems strange. There should be a portal for the credit card somewhere.

Anyways. Remember, you are in charge. You can always say you need to hang up and call the branch. If the service issue is serious, it can be handled at the branch or via an officially published bank phone number.

Trust no inbound call.

2 more replies

7222aafdcf68cfe1y ago

Banks do not do this. It sounds like a phishing attempt because it is.

Imagine the cost of calling every single client individually. If something like this would change, they would send a letter.

Don't forget that spoofing caller ID of telephone numbers is possible.

k3101y ago

Here's what's on the Patelco site. It's good advice. Since the contact numbers are theirs, just go to the home page of your bank and look for info on phishing and Financial Institution Spoofing.

Their contact info should be easy to find.

https://www.patelco.org/financial-wellness/fraud-center/fina...

Biggest take-away:

3. Don’t share your personal information when you didn’t initiate the conversation

Whether by text, email, or phone, WE will never call you for personal information like:

  • Your online banking password
  • One-time Passcodes for transactions, registrations, or logins
  • Your card PIN, security code, or full card number

We may call you to verify something, but we won’t ask you for the information above unless you initiate the conversation or request we contact you.

blurrOP1y ago

Appreciate the insight, thanks!

pests1y ago

The only time I saw this handled correctly, and I forget the company now, worked like this:

They would call you and then want to verify themselves to you. You would be asked to open the companies app. The app noticed you were in a support call and had a link at the top taking you to the support section of the app. The caller would then read you a code you would type in and it would let you know if the call was legit.

_ah1y ago

This can be easily attacked with two scammers executing a MITM attack. One calls the bank to impersonate you and steal your money, the other calls you to get your app code.

wruza1y ago

Correctly? Try explaining your grandparent that they should open the app and type in some codes while on call. This habit will expose them to a whole class of attacks.

The only proper way is to send push to that app with the information about the issue.

pests1y ago

They would also offer to hang up and when the person finally found the official number and called back, that same code could be given back over the phone to reconnect to the original agent. Or they could go through whatever process they want.

tomcam1y ago

Scam. No reputable bank will do this.

mig11y ago

I had an incident with a debt collector once(UK), they call me saying I had some pending parking tickets to pay and asked for my address, DoB, etc to confirm it was me, I refused and asked them to tell me the details they had, they refused.

This kept going on for about a year, the legal limit they can chase a debt, so at that point they gave in and share the details and as it happens, it wasn’t me. Don’t even own a car, which I mentioned multiple times.

Anyways, I’d never share my details over the phone if I’m not fairly certain who’s in the other side. This company was legit but had very suspicious tactics.

sschueller1y ago

Bank won't make the effort to call people. They would send out a letter that they will change it and if you don't want it changed you have x days to contact them.

carlosjobim1y ago

> Can anyone recommend what best practices banks can follow to ensure safety for both customers and banks in such cases?

You should never entertain any telephone interaction with your bank or any other organization, unless it was you who called them first. Just hang up. You can call them on their officially listed phone number when it suits you, or visit in person.

tacostakohashi1y ago

Tell them you don't have a computer or an email address. Say you prefer receiving mailed statements, and have no interest in saving them less than a dollar each month, but they're free to close the account if that's important to them.

euroderf1y ago

My bank's phone app (in Finland) has a feature to authenticate a call from the bank.

(I've only actually used it once - a couple of years ago - so I'm sorry, I can't recall how it worked or what exactly the authentication procedure was.)

mlisowsk1y ago

My bank is sending letters and messages telling us they will never call to "verify details" and any such call is a phishing attempt.

watwut1y ago

I stop the call in similar situation and call the bank to verify.

nobodywillobsrv1y ago

Banks will never do this.

You should always verify with an app or by calling back.

Even the apps you might want to randomize the service worker in case of insider criminal

akulbe1y ago

You call them. Full stop.

You have no other good mechanism to verify they are who they say they are, unless you initiate the communication.

willcipriano1y ago

I don't pick up the phone for unknown numbers so I wonder what the plan would've been for someone like me.

killingtime741y ago

They ask you to call them back. They ask you to go to the website to lookup the number yourself.

happymellon1y ago

Calls I have received from banks have never been from Unknown Numbers.

willcipriano1y ago

I mean not in my contacts.

j / k navigate · click thread line to collapse

37 comments

dv_dt1y ago

For info exchanges like this, you should always insist on calling them back at a number listed on their card or website.

If they cannot do that then its a scam or you should change banks

blurrOP1y ago

pwg1y ago

> Yes, I asked the caller to give me a bank number to call back

Call them back on a number printed on your statements or a number you retrieve, independent of this caller, from the bank's website.

2 more replies

creamyhorror1y ago

What country is this? It doesn't sound like a banking sector with mature security practices. Major banks in developed markets should have tightened their customer workflows by now.

GianFabien1y ago

I treat all unsolicited calls asking for personal information as scams.

Terr_1y ago

Anyone who threatens you with fines/arrest/whatever for ending the call early is a scammer.

trod1231y ago

This isn't necessarily true.

TowerTall1y ago

bcrl1y ago

blurrOP1y ago

JojoFatsani1y ago

That seems strange. There should be a portal for the credit card somewhere.

Trust no inbound call.

2 more replies

7222aafdcf68cfe1y ago

Banks do not do this. It sounds like a phishing attempt because it is.

Imagine the cost of calling every single client individually. If something like this would change, they would send a letter.

Don't forget that spoofing caller ID of telephone numbers is possible.

k3101y ago

Here's what's on the Patelco site. It's good advice. Since the contact numbers are theirs, just go to the home page of your bank and look for info on phishing and Financial Institution Spoofing.

Their contact info should be easy to find.

https://www.patelco.org/financial-wellness/fraud-center/fina...

Biggest take-away:

3. Don’t share your personal information when you didn’t initiate the conversation

Whether by text, email, or phone, WE will never call you for personal information like:

  • Your online banking password
  • One-time Passcodes for transactions, registrations, or logins
  • Your card PIN, security code, or full card number

We may call you to verify something, but we won’t ask you for the information above unless you initiate the conversation or request we contact you.

blurrOP1y ago

Appreciate the insight, thanks!

pests1y ago

The only time I saw this handled correctly, and I forget the company now, worked like this:

_ah1y ago

This can be easily attacked with two scammers executing a MITM attack. One calls the bank to impersonate you and steal your money, the other calls you to get your app code.

wruza1y ago

Correctly? Try explaining your grandparent that they should open the app and type in some codes while on call. This habit will expose them to a whole class of attacks.

The only proper way is to send push to that app with the information about the issue.

pests1y ago

tomcam1y ago

Scam. No reputable bank will do this.

mig11y ago

Anyways, I’d never share my details over the phone if I’m not fairly certain who’s in the other side. This company was legit but had very suspicious tactics.

sschueller1y ago

Bank won't make the effort to call people. They would send out a letter that they will change it and if you don't want it changed you have x days to contact them.

carlosjobim1y ago

> Can anyone recommend what best practices banks can follow to ensure safety for both customers and banks in such cases?

tacostakohashi1y ago

euroderf1y ago

My bank's phone app (in Finland) has a feature to authenticate a call from the bank.

(I've only actually used it once - a couple of years ago - so I'm sorry, I can't recall how it worked or what exactly the authentication procedure was.)

mlisowsk1y ago

My bank is sending letters and messages telling us they will never call to "verify details" and any such call is a phishing attempt.

watwut1y ago

I stop the call in similar situation and call the bank to verify.

nobodywillobsrv1y ago

Banks will never do this.

You should always verify with an app or by calling back.

Even the apps you might want to randomize the service worker in case of insider criminal

akulbe1y ago

You call them. Full stop.

You have no other good mechanism to verify they are who they say they are, unless you initiate the communication.

willcipriano1y ago

I don't pick up the phone for unknown numbers so I wonder what the plan would've been for someone like me.

killingtime741y ago

They ask you to call them back. They ask you to go to the website to lookup the number yourself.

happymellon1y ago

Calls I have received from banks have never been from Unknown Numbers.

willcipriano1y ago

I mean not in my contacts.

j / k navigate · click thread line to collapse