By Will Sturgeon, 11 January 2005 17:40
A number of UK banks have been criticised for a lack of consistency and an irresponsible approach to contacting customers already troubled by the threat of phishing.
Over the past year the number and the sophistication of phishing scams have increased dramatically, leading many consumers to be suspicious of almost any unsolicited contact purporting to be from their bank.
But many banks aren't helping matters, it would seem, with some contacting customers out of the blue and requesting personal data.
One silicon.com reader, Paul Green, was concerned when he received unsolicited automated phone calls, purporting to be from his bank Egg, asking him to call a given number and divulge personal information, such as his date of birth, which is used to access his account.
Green assumed he was being targeted by a phishing scam and contacted the bank.
"I rang Egg to let them know what's been going on, only to find the call was from them," said Green. "Considering how many phishing scams have been going around this year it strikes me as a little odd that Egg is carelessly behaving like the scammers."
Green expressed concerns that if such 'out of the blue' contact becomes commonplace it could pave the way for scammers to obtain all the necessary log-in details of unsuspecting bank customers in just a couple of short phone calls, possibly by asking for seemingly random characters from their password each time and then piecing it all together.
Egg says the calls are an "anti-fraud system" which automatically contacts customers to verify certain transactions if they look at all suspicious.
A spokeswoman for Egg said that the time-sensitive nature of any card fraud means it is sometimes vital to contact customers 'out of the blue', but she added that customers should always call the main bank number (08451 233 233) if they receive any communication via phone, email or post, purporting to be from the bank, that they think is at all suspicious.
Ironically, it is that 'out of the blue' nature of such unsolicited anti-fraud measures which has raised concerns about the calls themselves being part of a scam. In some respects the banks are caught in a no-win situation.
Banks are aware that customers would be the first to complain if their accounts were emptied by a series of unusual transactions, but customers are just as likely to complain if they think their bank is creating a climate of uncertainty which could be tempting to phishers.
Egg certainly isn't alone. Many banks appear to have wrestled with this 'damned if we do and damned if we don't' conundrum of contacting customers on an 'as and when' basis.
A spokesman for LloydsTSB said the bank will occasionally contact customers via text message or automated phone message if necessary and, like Egg, attributed this to anti-fraud measures aimed at swiftly cracking down on potentially fraudulent activity.
silicon.com has seen text messages received by LloydsTSB customers who claim the bank contacted them out of the blue via SMS following missed credit card payments.
However, the LloydsTSB spokesman said the bank would never, following such a contact, ask customers to divulge anywhere near the level of personal information required to complete a phishing scam.
(Would the problem be eased if banks had passwords to identify themselves to us on the phone? Read our leader article on this issue.)

Comments
There are 8 comments.
1. Richard
Someone phoned me claiming to be from the Co-op Bank and immediately demanded answers to "security" questions.
It turned out that they were "cold calling" to sell me unwanted insurance!
I complained to the Co-op Bank, pointing out the phishing risk and the need to educate customers not to reveal their "security" information to callers.
The Co-op Bank could see nothing wrong with their phone call.
By chance, the next phone call claimed: "You have won a free trip to Florida, please confirm your details...."
2. Simon
I too have been contacted by my bank, and it's interesting that if I respond to their requests for 'security information' by asking them to identify themselves they go all defensive and it usually ends with them refusing to speak to me!
So it seems that if someone calls me and claims to be from the bank, I am expected to believe them without question, even though they could be calling from anywhere. But they won't even discuss the issue until I have proved to them who I am, even though they have called me at the phone number they have listed, which means that there is a fair chance that I am not some random stranger anywhere in the world!
And don't get me started on the emails that say "... we will never ask you for your personal details by email..." and then go on to say "...click on this link and log in for more details of <insert whatever promotion is going on>".
Just what sort of morons run these marketing campaigns?
3. David Fletcher
A couple of years ago I had the same situation, returning home to find a message on the answering machine, asking me to call back, with a phone number which turned out to be a direct line to the desk of somebody at HSBC. I refused to give personal information on that number, terminated the call then used the number on the back of the credit card instead.
The answering machine message turned out to be perfectly legitimate, and HSBC was of course happy with my cautious attitude.
The best approach for a bank urgently needing to speak to a customer, would be to use any suitable means (email, SMS or phone) to leave a message, asking the customer to call the contact number on the back of the credit card.
4. Ian Kilpatrick
There's a lot of heat and not much light on this. It is a commercial decision to accept password phishing amongst online customers. It can be easily eradicated by the use of low cost tokens that generate a unique password for every transaction that a user needs to make, rendering password theft futile. This is the method used for secure online banking by many banks in Europe, Scandinavia and around the world. When the cost in either adverse press comment or reimbursing victims becomes too high, it is likely that UK banks will issue secure tokens and terminate phishing.
5. anonymous
There is a solution for customers who want to check the credentials of a caller allegedly from their bank: simply deliberately give the wrong response to the questions asked, the first time around. If the caller accepts your wrong response he or she is an imposter, but if they ask you the question again they are probably genuine.
6. anonymous
I was contacted by someone purporting to be from Halifax calling to activate my credit card. After fobbing him off, I called the bank and they advised they would never contact me directly unless I was overspending. He was very convincing though - luckily I'd read about it beforehand.
Another threat these days is your own unscrupulous work colleagues earwigging on phone calls with the bank, or when you buy something over the phone.
7. kth
I have a simple method of dealing with phishing by email or telephone. If it's an email, I ignore it. If it's by telephone, they normally hide the number; I use caller ID to show all numbers, and if it shows hidden or secret, tough, no one home.
8. Susan Johnson
Here's an example of muddying the waters - Citibank's website explains about fraudulent email.
On Screen 1:
"Every Internet user should know about fraudulent (a.k.a. phishing, hoax or spoof) emails that appear to be from a well-known company but can put you at risk.
Although they can be difficult to spot, they generally ask you to click a link back to a spoof website and provide, update or confirm sensitive personal information. To bait you, they may allude to an urgent or threatening condition concerning your account.
Even if you don't provide what they ask for, simply clicking the link could subject you to background installations of key logging software or viruses."
Then on Screen 3 of this little tutorial:
"What we do...
> Send you emails with links to features such as online tours and information or promotions about Citibank products and services. These links are for your convenience and you can always type our URL directly."
So on the one hand, they are alerting you that just by clicking on a link in a phishing e-mail you may be installing a trojan, but Citibank itself will send you marketing emails with links in them! Just how do they expect their customers to distinguish their "legitimate" marketing e-mails from phishing e-mails?
Susan