One thing that I've frequently heard is that in any type of fraud call you should always hang up right at the beginning and call the bank back.
Seems like no matter how sophisticated the attackers, this defense will always foil anything along the same lines of what happened to you. The only way I can see this countermeasure failing is if the scammers can somehow manage to intercept inbound calls to the bank's customer service number.
I agree. The same goes for email obviously. But some financial institutions are actively luring customers into doing the wrong thing.
Paypal really stands out on this one. They are regularly sending me emails with a link to their login page to view my recent transactions (regardless of whether or not there are any transactions). This is clearly negligent.
Okay, so it's not just me. I've never clicked on what are apparently real paypal emails, because I have legitimately always assumed they were phishing e-mails that made it past my spam filter.
They're real. They're really real paypal e-mails. Wow.
I believe them to be genuine, but if you need incontrovertible proof, Paypal has you covered! :-)
All messages contain the following "clarification":
"How do I know this is not a Spoof email?
Spoof or 'phishing' emails tend to have generic greetings such as "Dear PayPal member". Emails from PayPal will always contain your full name."
So unless the bad guys can get their hands on a database full of names and email addresses, we're safe. And Paypal can honestly claim that "the security of our customers is very important to us!".
It is a pretty good idea, but only sufficient if you don't have much money. For large balances it might be worth someone's time to bribe your local telco worker or subvert your SS7/Diameter routing so that your calls route via an intermediary (i.e. make your phone a roaming number, route its calls to an attacker-controlled exchange in e.g. India). It is even simpler to listen in to your legitimate call and hear your phone banking password and secret Q&As.
Calling via a landline or via an operator assisted call would make such tricks much more difficult.
There seems to be broad consensus amongst the commenters that this is the most reliable defense against this kind of attack. Makes sense. If they are able to intercept my outbound calls, it's probably an entirely different level of sophistication and targeting.
I read about a landline attack that would keep the line open when you put the receiver down, play a dial tone, and then wait until you’d entered a number before putting you back on with the scammer
Analogue telephones are creating (or at least in modern times simulating) a circuit, which doesn't close until the caller hangs up.
But almost everybody today has a digital phone, any kind of mobile telephone or desk VoIP phone is digital, "hanging up" ends the call because the telephone itself decided to do that, everything is just packets. So this trick won't be effective against most people today.
Likewise "dialling" today is an out-of-band digital step rather than a bunch of pulses or tones sent in-band that an attacker can just ignore.
> I read about a landline attack that would keep the line open when you put the receiver down
I experienced this once, but not as a scam, I think there must have been some kind of fault at the exchange... the other end was a mobile phone and they didn't end the call, just putting the phone back in their pocket - the landline wouldn't disconnect, whatever signal was sent, even disconnecting the phone entirely and plugging it back in. I didn't understand how exactly, but it made it pretty clear the (landline) telephone is not in control of the connection.
IMHO this should be the law for financial and medical institutions etc. They should not be allowed to call and ask the receiver to provide verification information.
You're set, then. But the reason a law would be beneficial is it would condition everyone's parents and people who aren't as awesome as you to stop trusting callers and start calling a known-good number.