Have you ever received a phone call from your bank’s fraud department?
A number appears on my phone that I don’t recognize, and, just this one time, I pick up, and I hear, “Hello, my name is June. I’m calling from the fraud department of <massive international bank>. Can I confirm who I’m talking with?”
So I respond, “Hi June, my name is Duncan Riach. What is this call about?”
And then June says, “I’m calling you today, Mr. Riach, to confirm some questionable transactions on your credit card, but first I need to confirm your identity. Please could you tell me your account number or social security number?”
What. The. Fuck.
Perhaps this doesn’t raise red flags for you. Perhaps this seems completely normal.
Here I have a person from a totally unknown number calling me asking for my most secret information. This is a phishing scam, right? No, this is the FRAUD DEPARTMENT of my bank calling me.
They’re just behaving exactly like a phishing scammer.
In a similar situation, I wonder how many people would go ahead and give the caller the requested confidential information to authenticate themselves with this unauthenticated stranger.
I honestly find it hard to believe that I have to write this article, especially now, after years of calling this out.
I have spent hours on the customer service lines of at least two different banks trying to explain to them why this is a problem. At one point, I thought that my bank had understood, only to find them, years later, still doing the same thing.
To me, this represents a mind-boggling level of incompetence.
It’s amazing to me that these companies can get away with this, day-after-day, year-after-year, in broad daylight. The responsible people are presumably highly trained and knowledgeable experts in an industry that demands the highest level of security and confidentiality.
I was finally prompted to write this article today, after receiving a similar call from my medical insurance provider.
So what’s the problem?
You might exclaim, “Why would you ever answer a call from an unrecognized number?! I never do that!”
Well, you might not, but presumably many people do, otherwise the banks and other organizations would not be doing this.
Perhaps more importantly, even if you store the bank’s phone number in your address book, it’s possible for a scammer to call or text you from a different number, but make it look like the call or text is coming from the trusted organization.
So you cannot even trust your caller ID.
It gets worse.
The banks — massive national and international banks — are also behaving like scammers using email.
Even if you never answer the phone when it appears to be your bank or when you don’t recognize the number, you have probably received an email that says something like, “There are some new statements for you. Click here and log in.”
Note that it’s possible for a scammer to modify the apparent source of an email so that it looks like it came from a legitimate source.
Logging into a website, is, of course, authenticating using a highly protected secret. If the link actually goes to an unauthorized website, then you would be giving your secret bank login credentials to a scammer.
These emails also often contain a warning similar to, “When you click on the link, make sure that web address is correct and that the connection is secure.”
If this were a phishing email, the scammer may or may not choose to copy this piece of text, but regardless, most people don’t know what a correct and secure web address looks like, or how to check it.
Even worse, if the bank’s website has a security flaw that enables something called cross-site scripting, it’s possible for a phishing email to contain a link that actually takes you to the bank’s real website, which is secured using a valid certificate, yet there can be some information in the web address that allows the hacker to capture your login credentials, or the authentication cookie from your browser, for later use.
In summary, banks and other organizations routinely call us, and email us, in the same way that a phishing scammer would. These organizations expect us to trust and respond to these unauthenticated communications.
In doing so, they are training us to trust and be tricked by phishing scammers in general.
Here’s what I do
When I get a call from an organization saying that they need to talk with me about something, I ask for the person’s name and department and then I tell them that I will call them back.
I then find a number for the organization that I trust, such as one on the back of a credit card, on a statement, or on the organization’s website. I call that number and ask to be put through to the person who called me.
I can then confidently authenticate myself, safe in the knowledge that I have already authenticated them.
I never click on a link in an email. Instead, I go to the website for the organization that apparently sent me the email. I then login to my account and look for notifications.
Alternatively, I call them.
The key here is to start by authenticating the entity that is contacting you. Don’t assume that you can trust them just because they are contacting you.
Vigilance is even more important with fraud departments, as it’s particularly easy to assume when we’re contacted by a “fraud department,” that they’re legitimate.
In an ironic twist, they might actually be a true fraud department (scammers), and not the anti-fraud department that you assume that they are.
All of this takes extra time, particularly when dealing with phone calls, but it’s worth taking the time to protect yourself, your assets, and your identity.
What the banks (and other organizations) should do
In discussions I’ve had with friends, many approaches have been suggested for how to deal with this problem. Some people say that it can be solved using public-key cryptography, while others think that distributed blockchain is the solution.
In fact, this problem can be solved without using any complex technology. A highly robust solution is available that requires just a little bit of internal education, a change of policy, and a simplification of procedures.
Here is my example of a robust anti-phishing security policy:
- We never call customers and ask them to authenticate themselves.
- We never send emails to customers that contain any kind of login link or phone number. We never ask customers to click on a link and login to their account or call a number and authenticate themselves.
- If we need to communicate with a customer about anything that requires them to authenticate themselves with us, we always do so either inside our secure web or mobile apps or in phone conversations where the customer has called us.
- If we need to communicate with a customer, we may phone, email, text, or notify them asking them to call us using a number that they know to be authentic (such as one printed on the back of their credit card or their statement), or to visit our website and login (using a web address that they have obtained from a trusted source), or to login to our mobile app.
- (Optional) We routinely and randomly call, email, text, and notify our customers and educate them as follows, “We recommend that you do not answer your phone if you do not recognize the number. We want you to know that we will never call you and ask you for private or confidential information. If this ever seems to happen, then please let us know immediately. We recommend that you never click on links in emails unless you are absolutely certain that they are safe. We will never send you an email containing a login link, or ask you to click on a link and login to your account. If this ever seems to happen to you, then please let us know immediately.”
The way things stand, banks and other organizations routinely act as if they are scammers. This is training all of us to trust this kind of behavior.
You can protect yourself, as I do, by ensuring that you authenticate these organizations before authenticating yourself with them, and before sharing any private or confidential information with them.
If you feel as strongly as I do about this, you can lobby your bank or other organizations to fix this. Please share this article with them, so that they can understand what they are doing wrong. As a bonus, they will also get a free template — the above policy — that fixes the problem.
If you work for an organization that is handling this incorrectly, or if you are an influential shareholder or board member of such an organization, then please advocate for getting this fixed in your organization.