
Calls from the bank

I bank with one of the big four banks in Australia. I recently got a call, and it started off:

"Hi, I'm Taylor[1]. I'm calling from {bank_name} and I'd like to talk to you about a letter you received from the bank recently."

I hadn't seen any letter, but I've migrated all my bills to paperless and I only check my snail mail once every week or two. I said so and the call continued.

"I apologise for this, but I need to let you know this call is being recorded for quality assurance purposes, and as I am accessing your profile I will need to verify your account. I'll need your full name including middle name, current address and date of birth."

At this point Taylor had provided me with no details to prove the call had come from the bank. The call had come from an odd number[2] and they were asking for personal information.

So I asked Taylor if I could call back to verify the call was from the bank, and also asked for Taylor's last name. Taylor seemed genuinely surprised and almost a little offended that I didn't just trust that this mysterious call was from my bank. Taylor then told me that employees were not allowed to give out their last name for privacy reasons, but suggested that I call back on the same number that I had in my caller ID. That number is not publicly available anywhere on the bank's website. In fact, when I Googled the number I found other people asking about the same number on the bank's forums, with a moderator saying "I am unable to confirm whether this is a {bank_name} phone number;"

So I called the bank using the number on their contact us page, and I was expecting to hear them say, "Yes, it's a scam, it's been doing the rounds and we are doing our best to stop it, but it comes from outside Australia and it's hard to shut down." Instead I spoke to Sandy[3], who actually laughed and also seemed very surprised that I'd thought someone cold calling me and claiming to be from a bank with about a 20% market share[4] might not be genuine.

As it turned out, the call was genuine and they were trying to sell me an "upgrade" on my mortgage.

I saw Troy Hunt write about this almost two years ago. I thought banks were getting on top of this sort of thing, and I thought my bank had a pretty good security team. I met a few people who claimed to be part of their security team at Ruxcon and they seemed pretty switched on.

I guess this is the sort of thing a marketing manager might set up without really thinking about the security implications, but it's almost training people to just accept cold calls and give out information. I'm amazed they don't get more people calling back to verify, but it seemed like I was an anomaly.

  1. I've changed the name. 

  2. I'm aware that caller ID spoofing is not that hard, but still, it was a number I didn't recognize. 

  3. Again I've changed the name. 

  4. I've looked for a reliable source on banks' market share and they all seem to differ a bit, but it's generally about 20% to each of the big four banks and the remaining 20% split between all the small credit unions and little one-branch banks. Combined with the fact that many people use more than one bank, I think if you called random Australian phone numbers you would have better than a 1 in 5 chance of finding someone who uses this bank. 

Creative Commons License
Content on this site is licensed under a Creative Commons Attribution 4.0 International License.
Built using Pelican. Based on a theme by Giulio Fidente on github.