instantiator.dev

© Lewis Westbury 2024

A rather so-phish-ticated scam

A few days ago we had a call from one of the most sophisticated phishing attacks I’ve experienced…

The call was from a male voice, claiming to be from the Monzo fraud team. The phone number matched the helpline number from the back of our cards, and he asked us to use that to confirm he was really calling from the bank.

Banking scams illustrated by machine learning at wombo.art

There was also an unexpected transaction pending approval on the card he was calling about, and he explained that we could freeze the card and cancel the transaction if it wasn’t us. If you received that advice, you’d likely feel like you could trust the caller, as we did…

🚩🚩🚩 Red flags 🚩🚩🚩

  • Anyone who says they’ll “increase your security” and can’t explain how it works is scamming you.
  • Our caller had a lot to say, over a muffled line. It’s deliberately overwhelming.
  • Your bank can afford a clear line. They’re made of money.
  • Your bank should never call you anyway.

Then he asked us to unfreeze the card, so he could send a notification to us to attach the card to Apple Pay, which would “increase our security” and stop it from happening again… 🚨 Alarm bells! 🔔🔔🔔

Our scammer had a lot to say over a very muffled line, and I suspect this was also by design - it would make a lot of people gloss over it very quickly, and just accept that all the “techno jargon” they couldn’t hear and couldn’t understand was probably “bank-speak”.

Incredibly, he really was able to send a notification to the phone. That notification opened a screen asking us to add the card to Apple Pay.

Putting a notification on a phone you’ve no contact with is tantamount to magic in my book, and I’m a technologist with a keen interest in push notifications. I have to assume the Monzo app facilitates its delivery - which makes the whole thing even cleverer.

He almost certainly had a dodgy Apple Pay account he wanted us to attach our card to. We challenged him on it, and he hung up.

Here’s the thing though - he already knew a name, address and card details. He’d put a bad transaction on the card to talk to us about, and he had a mechanism for trying to gain control of our cards. It was a remarkably sophisticated scam.

It’s very exposing to find out how much personal information is floating around. I can imagine plenty of vulnerable people fall for these sorts of calls: he knew so much, and was clearly capable of doing things people might assume only banks can do.

Somewhat disappointingly, in order to fully replace the card we had to give Monzo our address (even though it’s already known to them, and clearly visible in the app). At least we were able to use a medium we trusted - the chat facility in the banking app.

The biggest lesson?

It’s always ok to say no to anyone calling from your bank. Don’t worry about being rude. You can refuse if they ask you for things they should already know, and especially if they ask you to do things.