Posted by u/blurr 10 months ago
When banks call to verify your details how do you know the call is legitimate?
I got a call from my bank claiming that they're discontinuing physical credit card statements and asking for my email to send statements via email. Then they proceeded to also ask for my date of birth and home address to "verify details" after making the unsolicited call. It felt off but the call came from within the bank. When I said I don't want to give the information over this call, they implied that I'll be inconveniencing myself and will have to go to a physical branch to verify my details and be able to receive credit card statements via email.

If the bank is actually initiating this, they shouldn’t be asking for personal info like DoB or home address over unsolicited calls. To the person receiving the call, it sounds like a phishing or social engineering attempt.

My assumption is that the bank's process is flawed and this wasn't a phishing attack. Can anyone recommend what best practices banks can follow to ensure safety for both customers and banks in such cases?

dv_dt · 10 months ago
For info exchanges like this, you should always insist on calling them back at a number listed on their card or website.

If they cannot do that then it's a scam or you should change banks.

blurr · 10 months ago
Yes, I asked the caller to give me a bank number to call back, to which she replied that they don't have a dedicated line for that purpose (???) and that I had to physically go to a bank to get it done. I'll be changing banks for sure :/
pwg · 10 months ago
> Yes, I asked the caller to give me a bank number to call back

Don't do this either. If the caller was a scammer, they can give you a number that would call them back, and now they have you "hooked" because you think you've called your bank, when you really called the scammer back.

Call them back on a number printed on your statements or a number you retrieve, independent of this caller, from the bank's website.

creamyhorror · 10 months ago
What country is this? It doesn't sound like a banking sector with mature security practices. Major banks in developed markets should have tightened their customer workflows by now.
GianFabien · 10 months ago
I treat all unsolicited calls asking for personal information as scams.

Scammers can spoof calling numbers to make it look like it came from your bank. Basically everything they say on the call should be treated as being fraudulent. The scripts have been tailored to use a variety of psychological tricks to fool you.

Terr_ · 10 months ago
Yeah: Any legitimate institution will have no problem giving you information (like an extension-code) that you can use to re-contact them via official channels. (This does depend on not being tricked by going to a fake website with fake contact-info, of course.)

Anyone who threatens you with fines/arrest/whatever for ending the call early is a scammer.

trod123 · 10 months ago
This isn't necessarily true.

For example Equifax's TheWorkNumber won't do this (companies that don't do background references/verification of employment use this service), and their representatives and processes seem to follow similar practices employed by scammers.

TowerTall · 10 months ago
A bank will never call you regarding this. They will send you a letter asking you to call them. In my case, when the bank wants to get in contact with me they send me a message through their online banking app.
bcrl · 10 months ago
My bank now sends alerts and verification codes via SMS. SMS should be assumed to be completely compromised given that it runs over SS7. 2FA using SMS is worse than an uncompromised password. I am disappointed that more and more banks and websites forcibly allow password recovery using nothing but SMS, but it seems like I'm just tilting at windmills.
blurr · 10 months ago
It's quite possible that they do this for their online customers— it's a reputed bank here. I'm just using the bank's credit card and don't have a bank account with them, so I don't have access to their banking app.
JojoFatsani · 10 months ago
That seems strange. There should be a portal for the credit card somewhere.

Anyways. Remember, you are in charge. You can always say you need to hang up and call the branch. If the service issue is serious, it can be handled at the branch or via an officially published bank phone number.

Trust no inbound call.

7222aafdcf68cfe · 10 months ago
Banks do not do this. It sounds like a phishing attempt because it is.

Imagine the cost of calling every single client individually. If something like this would change, they would send a letter.

Don't forget that spoofing caller ID of telephone numbers is possible.

k310 · 10 months ago
Here's what's on the Patelco site. It's good advice. Since the contact numbers are theirs, just go to the home page of your bank and look for info on phishing and Financial Institution Spoofing.

Their contact info should be easy to find.

https://www.patelco.org/financial-wellness/fraud-center/fina...

Biggest take-away:

3. Don’t share your personal information when you didn’t initiate the conversation

Whether by text, email, or phone, WE will never call you for personal information like:

  • Your online banking password
  • One-time Passcodes for transactions, registrations, or logins
  • Your card PIN, security code, or full card number
We may call you to verify something, but we won’t ask you for the information above unless you initiate the conversation or request we contact you.

blurr · 10 months ago
Appreciate the insight, thanks!
pests · 10 months ago
The only time I saw this handled correctly, and I forget the company now, worked like this:

They would call you and then want to verify themselves to you. You would be asked to open the company's app. The app noticed you were in a support call and had a link at the top taking you to the support section of the app. The caller would then read you a code you would type in and it would let you know if the call was legit.

_ah · 10 months ago
This can be easily attacked with two scammers executing a MITM attack. One calls the bank to impersonate you and steal your money, the other calls you to get your app code.
wruza · 10 months ago
Correctly? Try explaining to your grandparent that they should open the app and type in some codes while on a call. This habit will expose them to a whole class of attacks.

The only proper way is to send a push to that app with the information about the issue.

pests · 10 months ago
They would also offer to hang up and when the person finally found the official number and called back, that same code could be given back over the phone to reconnect to the original agent. Or they could go through whatever process they want.
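
The caller-verification flow pests describes in the two comments above, sketched from the bank's side. This is an added example, not part of any comment in the thread and not any company's actual implementation; `CallVerifier`, the 6-digit code, the 5-minute lifetime and the 3-attempt limit are all assumptions. A code is accepted only while the bank itself has an outbound call open to that customer, and the same code routes a callback on the official number to the original agent.

```python
import hmac
import secrets
from dataclasses import dataclass

CODE_TTL = 300     # seconds a call code stays valid (assumed value)
MAX_ATTEMPTS = 3   # wrong entries before the session is voided (assumed value)

@dataclass
class CallSession:
    agent_id: str
    code: str
    expires_at: float
    attempts: int = 0

class CallVerifier:
    """Hypothetical bank backend tracking outbound support calls per customer."""

    def __init__(self):
        self._sessions = {}  # customer_id -> CallSession

    def start_call(self, customer_id, agent_id, now):
        """Agent dials out: mint the code the agent will read to the customer."""
        code = f"{secrets.randbelow(10**6):06d}"
        self._sessions[customer_id] = CallSession(agent_id, code, now + CODE_TTL)
        return code

    def _live(self, customer_id, now):
        s = self._sessions.get(customer_id)
        if s is None or now > s.expires_at or s.attempts >= MAX_ATTEMPTS:
            self._sessions.pop(customer_id, None)  # expired or locked out
            return None
        return s

    def in_support_call(self, customer_id, now):
        """Polled by the logged-in app to decide whether to show the banner."""
        return self._live(customer_id, now) is not None

    def check_code(self, customer_id, typed, now):
        """App submits the code the caller read out; True only for a real call."""
        s = self._live(customer_id, now)
        if s is None:
            return False  # the bank has no call open to this customer
        ok = hmac.compare_digest(s.code.encode(), typed.encode())
        if not ok:
            s.attempts += 1  # throttle guessing
        return ok

    def reconnect(self, customer_id, spoken, now):
        """Customer rang the official number back: return the original agent."""
        return self._live(customer_id, now).agent_id \
            if self.check_code(customer_id, spoken, now) else None
```

The check only tells the logged-in app user that the bank has an outbound call open to them; it says nothing about who is on any other call.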
tomcam · 10 months ago
Scam. No reputable bank will do this.
mig1 · 10 months ago
I had an incident with a debt collector once (UK). They called me saying I had some pending parking tickets to pay and asked for my address, DoB, etc. to confirm it was me. I refused and asked them to tell me the details they had; they refused.

This kept going on for about a year, the legal limit they can chase a debt, so at that point they gave in and shared the details and, as it happens, it wasn’t me. I don’t even own a car, which I mentioned multiple times.

Anyways, I’d never share my details over the phone if I’m not fairly certain who’s on the other side. This company was legit but had very suspicious tactics.