I had my first proper scam/fraud phone call last week, and it one level it was really very impressive.
My mobile rang, and the conversation went like this:
Them: “Hello is that James?”
Me: “Can I ask who’s calling?”
Them: “This is Starling Bank fraud department – we’ve noticed some unusual activity on your card ending xxxx” [I think they said my actual card number]
Me: “Ok”
Them: “Yes – we can see a number of purchases made in Newcastle and the usual activity for your card is in Harrogate. There is also some unusual usage on your virtual card ending yyyy” [Not sure if this was a real number or not]
Me: “Just give me a moment – I want to check in my app because that will tell me if you are really Starling”
Them: “Oh – it won’t say in the app because we think your account’s been compromised, and we don’t want to let them know that we’re calling you”
Them: (continues) “As you’re in the app you’ll see I’ve sent a security confirmation notification through to confirm it’s us.”
[There was indeed a notification asking me to approve a request]
Me: “Please bear with me, I’m still checking the app”
Them: (continues) “I’ve also just sent you a confirmation code by text, so if you can read that back to me to confirm this is the bank”
[A text message arrives from Starling with an OTP]
[I find the part in the app I was looking for, which says “we will never ask you to approve a notification or give us a code” and “we have spoken on the phone”]
Me: “My app is telling me it is not Starling on the phone, and that they will never ask for codes, so I am now going to report this conversation to the bank and the police”
[line goes dead]
At this point I dialled 159 and was put through to the real Starling, who confirmed it was a scam, confirmed no money had been stolen, cancelled my card, and advised to reject all the notifications in the app (which I’d already done). It was nice to see the app tell me I was on the phone to Starling during that phone call!
The notification was either an Open Access banking thing, or a pre-approval of my bank card for future transactions (I rejected it before I’d taken full note). It wasn’t quite the normal “approve purchase” notification.
I will concede I wasn’t really as calm as it might sound like I was – but my first thought was that every time I open the banking app it says “We will never phone you. We’ll never ask you to accept phone notifications, share codes, etc” (except for the special customer service code in he app, so they can verify that it’s me). So I refused to be pressured or rushed, and made sure I found the bit in the app where it tells you if the bank is ringing you.
I don’t believe this was a specifically targeted attack on me (although it’s true that nothing they knew about me isn’t in the public domain, except perhaps my phone number) – however my phone number, bank, name, home postcode, and card number are stored in countless databases online, and we’ve not been short of cyberattacks and data insecurity in this country of late. You can get all but my phone number from just the card details.
But that said the patter was extremely smooth, the gentlemen was very well spoken, and they clearly had got hold of my card details from somewhere, and they sold a pretty convincing story including knowing about virtual cards. The only real slip was them claiming it wouldn’t show in the app that they were ringing me.
So I write this as a public service really – this is what an attempted scam sounds like. Pretty convincing.
Starling were exemplary – handled my slightly panicked call very calmly and reassuringly. Cancelled my card instantly, and the replacement arrived a few days later. Explained all the options to me, and followed it all up in writing.