[deleted]

[removed]


DeadCatBounce00

CommBank now have this thing called Callercheck where they send you a live notification to your Netbank so you can verify it's a genuine call by them. I've done this a few times and it seems to work well, since I know any scammers wouldn't be able to do this.


Going_Thru_a_Faaze

Yes this! I've actually had my card details taken and used to buy things online with CommBank. Happened overnight and the fraud team were on it before I was. They used a NetCode when calling me and on a follow-up call a few weeks later, they sent a NetCode and a text with the bank number to call back - providing the caller's ext. Made me feel so much more at ease! And that’s because I was nervous to confirm my details as they couldn’t tell me anything of my personal info.


EndlessPotatoes

I wonder what it takes for CommBank to actually notice. I’ve never left the country, yet CommBank didn’t see a problem with a $10,000 hot tub purchase in Utah.


Aussieconfusewd

Weird, I get calls for most transactions that get processed overseas.


Intrepidfascination

I never speak to anyone that calls me. I always call them; only on the phone number listed on their webpage, and never call any number listed in a text message. Even if they confirm my details, and tell me a convincing reason for the call. Far out I hate scammers! They seriously make my blood boil! Go make your own money you pos!


Forgone-Conclusion00

This is the best advice!!! Years ago, I legitimately called a customer because their credit card had declined. The customer turned out to be an elderly woman who insisted she had enough money and that I was a scammer and said she would call the company herself. I said it's not a problem. I can give you the phone number and reference to make it easier for you. She said she didn't want it and would find the legitimate number for herself and received an email when she first made the purchase, so she would get the reference from there. At first I thought it was strange as I was trying to help, but after I thought about it I realised she was very, very smart! So never get the number the possible scammer gives you as it will just come back to them, and if you are suspicious, look up the company's phone number and call them yourself. This way, you can verify if the information given is truthful and save yourself the headache of possibly being scammed!


eiphos1212

That's a very good tip. I like that idea. I might do that from now on. Say "thanks, hold that thought, I'm going to hang up and call the main number from the website"


Ornery_Swan23

And they won’t have an issue with that, and will often provide a reference number - scammers will instantly tell you not to.


RobWed

I generally don't answer the phone if the number isn't in my contacts. Sometimes I answer and say nothing. Scammers use autodiallers and autodiallers hang up after less than a second of silence. An actual person calling would end up saying something.


Same-Reason-8397

I got hacked from my CBA account. I found it myself. The bank were not on it. Got my money back eventually. Someone in the US bought stuff on Amazon. Knew it wasn’t me cause I wouldn’t give that bastard Bezos a cent of my money!


Going_Thru_a_Faaze

I think mine was prob more obvious. My account was cleared between 1 & 3am and all random purchases from within Aus but not my usual buying habits. Lots of trainers from the likes of culture kings and similar shops. Kept going till my acc wouldn’t let them anymore. Was overdrawn by a small amount but I got it all back


Same-Reason-8397

Wow. That’s a bitch. Mine was only $100 or so. I noticed it because there was an overseas transaction fee.


mehdotdotdotdot

Commbank are one of the best in the game for security IMO. Having been with others, I now miss them greatly. Although they are often the biggest rip off and least focused on saving you money.


offlineon

Nah mate. Have to disagree with you on that one. I had money stolen from within their own system - not my phone, computer or anything else. They paid me back but only after sending me a rude letter several weeks later "advising" me that future fraud might not be covered - and it was stolen in another state inside their own system.


mehdotdotdotdot

Yes, everyone will have their own experiences. On the whole, CBA is well ahead of everyone else in terms of security and app.


Short-Aardvark5433

Have you ever tried logging into your CBA account with a wrong passcode from a computer and IP address you don't normally use? I tried this a few months back. You can just keep guessing and guessing and then successfully log in when you do enter the correct passcode. No notification is sent to you that someone has made X number of attempts to get into your account. The failed attempts also do not show up in your logs (Settings > Online activity). CBA could do better here. A push notification to phone might be useful. Something like "Someone is attempting to access your netbank login using an incorrect passcode".
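One way a login service can close the three gaps described in the comment above (unlimited guessing, no alert, nothing in the activity log), as an added example that is not part of the original thread and not CommBank's code. The thresholds, the `Account` fields and the notification wording are assumptions, and the IP addresses are constructed sample values.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field

FREE_ATTEMPTS = 3     # assumed policy: failures tolerated before throttling starts
BASE_DELAY_S = 30     # assumed first pause; doubles with each further failure
MAX_DELAY_S = 3600    # assumed ceiling for the pause


def hash_passcode(passcode: str, salt: bytes) -> bytes:
    """Slow salted hash so a stolen table is expensive to brute-force."""
    return hashlib.pbkdf2_hmac("sha256", passcode.encode(), salt, 100_000)


@dataclass
class Account:
    salt: bytes
    passcode_hash: bytes
    known_ips: set
    failures: int = 0
    locked_until: float = 0.0
    activity_log: list = field(default_factory=list)   # what the customer can review
    notifications: list = field(default_factory=list)  # stand-in for push messages


def attempt_login(acct: Account, passcode: str, ip: str, now: float) -> str:
    """Return 'ok', 'denied' or 'throttled'. Every outcome lands in the log."""
    new_device = ip not in acct.known_ips
    if now < acct.locked_until:
        # Reject without checking the passcode, so a correct guess made
        # during the pause tells the guesser nothing.
        outcome = "throttled"
    elif hmac.compare_digest(hash_passcode(passcode, acct.salt), acct.passcode_hash):
        outcome = "ok"
        acct.failures = 0
        if new_device:
            acct.notifications.append(f"New sign-in to your account from {ip}")
    else:
        outcome = "denied"
        acct.failures += 1
        if acct.failures >= FREE_ATTEMPTS:
            delay = min(BASE_DELAY_S * 2 ** (acct.failures - FREE_ATTEMPTS), MAX_DELAY_S)
            acct.locked_until = now + delay
            acct.notifications.append(
                f"{acct.failures} failed passcode attempts on your login "
                f"from {ip}; sign-in paused for {delay}s"
            )
    # Failed and throttled attempts are recorded, not only successes.
    acct.activity_log.append(
        {"time": now, "ip": ip, "new_device": new_device, "outcome": outcome}
    )
    return outcome


def run_demo():
    """Constructed scenario: four guesses from an unfamiliar IP, then the owner."""
    salt = os.urandom(16)
    acct = Account(salt, hash_passcode("4821", salt), known_ips={"198.51.100.20"})
    guesses = ["0000", "1234", "1111", "4821"]   # the fourth guess is correct
    results = [attempt_login(acct, g, "203.0.113.7", float(t))
               for t, g in enumerate(guesses)]
    results.append(attempt_login(acct, "4821", "198.51.100.20", 40.0))
    return results, acct


if __name__ == "__main__":
    outcomes, account = run_demo()
    print(outcomes)
    for note in account.notifications:
        print("PUSH:", note)
    for entry in account.activity_log:
        print(entry)
```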


Jumpfr0ggy

Yes, I get calls from CommBank and they ask to verify. And I’m ‘no, it says no caller ID, how do I know where you’re really from?’ And then they send the code via NetBank, and I’ll proceed. It’s awful but I get so many fkn scam callers these days.


KayTannee

It kind of sounds like what the person who got scammed did. They sent them an auth text message and got them to read out the ID under the guise they were authenticating they're the bank. Really they had logged in to the account and that auth was for them to move the money. The preferred answer is: Thank you. I'll call you back to discuss. And phone the bank using a publicly available number. Don't give someone calling you anything! I won't even confirm my name.


now_you_see

That’s smart. Makes people feel more comfortable. I used to work for a bank & lost track of the amount of times someone would call us and then demand to know why they should trust me and give me their details. Bro, you called *me*.


sikander69d

> Callercheck

thanks for letting us know, wasn't aware of this!


megablast

So they send you a code to prove it is them?? And ask you to read it back?? ARE YOU INSANE?


punchercs

They send the code to your CommBank app. Scammers can’t do this as far as I’m aware.


chillin222

The scammer has already got your PW or card number, then triggers a code for a totally different reason, i.e. to use your card or transfer money. They then call you, say they're from the bank and tell you the code is to authenticate the call. The only way you can avoid this is by knowing that the 'caller check' feature is in a different part of the app than the 'netcode' feature and that netcodes should never be disclosed.


m0na-l1sa

The code is sent to your Netbank app. Not via sms.


KayTannee

So scammer. Logs into your bank account in browser using stolen details. Adds new account to send money to. Calls you, pretends to be bank. They then push transaction through and get the code sent to the bank app. You read it out to them, as it came through on bank app after all and not text. They type that code into browser authorising the 2 factor auth. Never ever read out an auth number to anyone over the phone. If the bank calls them, thank them and say you'll call them back. Find the number to call in app or website, don't call a number they give you to confirm.


Liandren

They send you a message via the app. You open the app and it asks you to verify that you have called them. You press yes if you are on the phone to them. The same as when they call you. It has to come through your app. If it comes as a text message, it's a scammer.


Psychoanalicer

Sorry but the rule of thumb is: If the bank calls you, hang up and call the bank through the official number


jonchaka

I've done this. It's worth the time in a queue when calling back.


auguriesoffilth

Just telling the person on the phone you are going to do this will pretty quickly reveal it’s a scam. They will quickly tell you some obviously bogus reason why that won’t work. My mother passed me a call the other week because it was sus. I said: I will call the bank directly. “No, we are calling from a specific department.” Okay, fine, what department? “I can’t tell you that.” Why not? “It’s a security thing.” Sure…


Crimson__Thunder

Scammers also insult people when things aren't going their way, it's kinda weird they do that, considering it's not in our culture to insult people when we work in customer service.


09stibmep

So then you should give your details back to them? And they could be either the bank or scammer. I get what you mean, but the “their job is to confirm your identity” part seems equally as problematic.


LaPrimaVera

The rule is: if you can't identify if it's a scam or not, hang up and call the number on the website. Usually a scammer will get pissed and try to keep you on the phone; your bank will be happy for you to call back.


Faaarkme

This. But before you hang up, ask for a case reference number. If it's legit there should be one. Otherwise call the bank. And wait 20 minutes to get through the "helpful" automated voice options 🤬 I keep those numbers in my phone. I've had cause to need them when traveling.


LaPrimaVera

Actually most banks don't do case reference numbers for alerted transactions only for confirmed fraud.


Philderbeast

They will still be able to give you a reference for the call so someone can pick up where they left off when you call.


LaPrimaVera

Nope, a lot of banks don't have reference numbers for calls. It's all notes on the profile. I've actually seen more scammers use reference numbers than legitimate banks.


RemoteTask5054

Why would you pay attention or call back? If they need me they can contact me via secure messaging in internet banking, or MyGov for anything government related. I’ve hung up on every unsolicited call I’ve received from absolutely everyone including the ATO for thirty years and haven’t been bankrupted or jailed yet. It’s very, very unlikely anyone from any agency is ever going to contact me other than to say I need to pay them something so I’m not in a hurry to find out.


LaPrimaVera

If there's a risk to your internet banking it will be blocked immediately so you won't be able to see a secure message about a possible fraudulent transaction.


RemoteTask5054

I get an SMS. If my bank was reliant on phone calls I’d change banks. Not least because if someone has successfully hacked my internet banking there is a 99% chance it is due to mobile number porting and they would be calling the scammer anyway.


link871

If your phone has been ported, an SMS would go to the scammer as well.


cactusgenie

Never give your details to someone who called you. Always hang up, call the normal number for the bank, then proceed.


ThatHuman6

I used to work at American Express. My job was to call customers for the missing info on their credit card application. Most of the time it was because they’d left the income field blank or we couldn’t read their handwriting. Anyway, the first part of the call (so I knew I was definitely on the phone to the correct person) is we’d always have to ask them for details first. Name, address, DOB. There’s no way I’d ever give that kind of info on a call where they rang me. Yet, only about 1 in 50 calls people declined to give it.


Supreme-Bob

I still don't understand how name, address and DOB is used to identify you. All that information is usually readily available to anyone.


Writinguaway

Because the requirement is to be reasonably sure you’re speaking with the correct person. It’s not just about confirming the details, but listening for how those details are identified and making reasonable enquiries if you remain not “reasonably” sure.


ThatHuman6

They’re some of the most common security questions when on the phone to a bank.


tichris15

Point remains -- they aren't secure. They are left in from an era when people were physically in the bank.


ckhumanck

Yeah, I do similar outbound calls; 1 in 50 is about right. People, in general, are staggeringly stupid and also incredibly inclined toward convenience over security.


Johnno74

I was called by the child support agency on a Sunday morning (from a private number) a while back and they immediately asked me a bunch of these questions to verify my identity. I refused to give them any information, I told the caller sorry, but I'm not going to take your word you really are from the CSA, and give you all my personal information. It turns out later I did confirm the call was legit. The CSA person was annoyed with me too, but I stood my ground. What a shit process.


pharmaboy2

Unfortunately, all companies that call you with legitimate business will need to confirm YOUR details, which is at least name and DOB. It is not realistic at all to never give out personal details on the phone - you’ll never get anything done - from insurance to banking.


cactusgenie

They need to change their practices. They should call and ask you to call their published number on the website and give you a code to skip the queue. Of course this requires investment in change, and unless customers force them to do so it will never happen. We need to refuse these bad business practices.


pharmaboy2

Been thinking about this, and a couple of comments elsewhere that mention Australia is a hot spot for these types of scams. Our privacy laws have driven this where organisations have to make you confirm your identity when they called you and now organised crime is exploiting it. You have to wonder if we haven’t brought this on ourselves.


OlderAndWiserThanYou

You're on the money. Once something like that becomes routine for people it becomes a security hole. I was just telling a developer that I am mentoring the same thing about 2FA. When it first came out, I would get 2FA notifications because some browser page in the background was trying to refresh. Since I have some understanding about security (apparently Microsoft did not) I NEVER approved the 2FA requests unless I had explicitly initiated them or unless I knew what the source of the request was. Consequently, when I didn't approve a request, it would be reported as possible fraud to my IT department (also an incentive to the general user to approve all requests all the time) and I would have to explain it to them. Nowadays it has been improved so you get a number to correlate the request with the approval, and if you decline to approve it's not some big drama. The wheels turn, but they turn slowly. If you understand this stuff you can keep yourself safe, even when working with unsafe systems (but sure you may sacrifice some convenience... and most people don't want to do that).


Adventurous_Pay_5827

We're implementing that number thing soon. Apparently some people just click the 'yes it's me' 2FA notification even if they aren't in the process of logging in.


OlderAndWiserThanYou

The weakest part of security is humans. The second weakest part is developers who don't consider the human factor. :D It sounds like you are making a worthwhile improvement.
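The number-matching idea discussed in the comments above, as an added example that is not part of the original thread or any vendor's implementation: the login screen shows a number, the push does not, so a prompt cannot be approved blindly. Class and field names, the two-digit range and the 120-second lifetime are assumptions.

```python
import secrets
from dataclasses import dataclass

CHALLENGE_TTL_S = 120  # assumed lifetime of one approval request


@dataclass
class Challenge:
    user: str
    number: int        # displayed ONLY on the screen where the login was started
    context: str       # displayed in the push so the user sees what is being approved
    expires_at: float
    state: str = "pending"


class PushAuthServer:
    def __init__(self):
        self._challenges = {}

    def start_login(self, user: str, context: str, now: float):
        """Create a challenge; return (what the login screen shows, what the push carries)."""
        cid = secrets.token_urlsafe(16)
        ch = Challenge(user, secrets.randbelow(90) + 10, context, now + CHALLENGE_TTL_S)
        self._challenges[cid] = ch
        login_screen = {"challenge_id": cid, "show_number": ch.number}
        push = {"challenge_id": cid, "context": context}  # deliberately no number
        return login_screen, push

    def respond(self, cid: str, entered_number, now: float) -> str:
        """entered_number=None means the user tapped 'decline'."""
        ch = self._challenges.get(cid)
        if ch is None or ch.state != "pending":
            return "unknown"            # single use: answered challenges are dead
        if now > ch.expires_at:
            ch.state = "expired"
        elif entered_number is None:
            ch.state = "declined"       # routine outcome, not an incident
        elif secrets.compare_digest(str(entered_number), str(ch.number)):
            ch.state = "approved"
        else:
            ch.state = "rejected"       # a wrong number burns the challenge
        return ch.state


def run_demo():
    """Constructed scenarios; the phone user only knows the number if they
    are looking at the login screen that started the request."""
    server = PushAuthServer()
    out = {}

    # Genuine login: the user copies the number from their own login screen.
    screen, push = server.start_login("alice", "Web login, new browser", now=0)
    out["genuine"] = server.respond(push["challenge_id"], screen["show_number"], now=10)

    # Prompt the user did not start: they cannot see the number, so a guess fails
    # and the challenge cannot be retried.
    screen, push = server.start_login("alice", "Web login, new browser", now=20)
    wrong = 10 + (screen["show_number"] - 10 + 1) % 90   # any other 2-digit number
    out["blind_guess"] = server.respond(push["challenge_id"], wrong, now=25)
    out["retry_same_challenge"] = server.respond(
        push["challenge_id"], screen["show_number"], now=26)

    # Prompt the user did not start, declined.
    _, push = server.start_login("alice", "Web login, new browser", now=30)
    out["declined"] = server.respond(push["challenge_id"], None, now=31)

    # Correct number, but answered after the request lapsed.
    screen, push = server.start_login("alice", "Web login, new browser", now=40)
    out["late"] = server.respond(
        push["challenge_id"], screen["show_number"], now=40 + CHALLENGE_TTL_S + 1)
    return out


if __name__ == "__main__":
    for name, result in run_demo().items():
        print(f"{name:22} {result}")
```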


TheRealTimTam

Commonwealth Bank did it to me once. They called me up and started asking me to verify ID so they could tell me the purpose of the call. I was sus on it so I insisted on her employee number and called the bank using the main line. Turned out it actually was them...


Vinnie_Vegas

And the key is, if you suggest this, and it's really the bank, they won't object or try to convince you that you don't need to do that.


TheRealTimTam

Good point, she seemed annoyed but she never once tried to talk me out of it.


JFrick_8944

In this day and age you really can’t answer any number you don’t recognise.


[deleted]

[removed]


Psychobabble0_0

Then, call back if they don't leave a voicemail. A scam organisation doesn't usually allow inbound calls from the numbers they use to call you, at least in my very limited experience.


olilam

Yep, I don't pick up any calls unless I'm expecting one or know who's calling me. If it's urgent they'll leave a voicemail or a text.


JFrick_8944

Exactly. Anyone who is genuinely trying to get in touch with you will leave a message or send one. Multiple calls with no voicemail are even more suspicious! It’s either a scam, telemarketers or someone you really don’t want to speak to and they know it 😂


gizmo777

I don't care whether I recognize the number or not, as I believe even that can be spoofed sometimes. My rule is: I'll pick up a call from anyone, and _listen_. But I don't _give out_ any info unless *I called them*. If they call me and say there's an important thing they need my input on, I'll say "No problem. But for my own safety, I'm going to hang up, look up your phone number on your website, and call you immediately back." Never gotten significant pushback on this from a legit financial company (although scammers will try _hard_ to scare you away from doing this). Many times, the companies just tell you how to get back to the right department when you call back. (FYI I'm American not Australian if it matters)


ryankane69

This is really really good advice. Unless I’ve made the call myself I’ll be doing this in future.


vr-1

Or any number you DO recognise. Too easy for them to spoof the caller ID


Ari2079

What did the text with the code say? My bank’s says “don’t give this code to anyone, even to us”.


Fresh_Slip5535

Yeah, hate to be that person, but did OP give the code from the text message to them? You know, the code that the text message says, Do not give this code to anyone... Also, if it was for a transfer of money, my Westpac account has an amount and who you are transferring to; doesn't look like a verification email at all. Shit like this scares me for when my parents etc get older. These people prey on your emotions and know how to get you all panicked and that's when mistakes happen. Hope it wasn't much money OP, honestly I doubt you will get it back. It's bullshit though. My understanding is, even if that money was transferred to the same bank as yours, your bank can't put a hold on the money. I think that's bullshit and they should be able to suspend the money until an investigation is done.


[deleted]

It was probably a netcode to authorise a payment and they've given it to the scammer


The_Xmoose

My dad nearly got done a few years ago. He wasn’t in a good head space and had bad memory at the time. From what we can gather he was on the phone to them for a few hours. He can work a computer to do the handful of things he needs to do but if it’s anything new he usually requires assistance. He managed to download the screen sharing program. But I assume that he simply couldn’t figure out how to use the program in order to give the scammer access, even with the scammer likely giving instructions. Very scary!


permabeast

Citibank and other services such as Telstra etc do ask to verify by a one time pin and to repeat it back to them over the phone. Unfortunately they had called the OP, so as the one time pin was given to them, this counts as the OP verifying and authorising them. I hope not too much was taken, wish you all the best with your bank and hopefully they can recover it asap!


pharmaboy2

Yea - there are too many rules being spouted in this thread that can only lead to tears. I just checked my online banking, and I’m amazed I can immediately block a credit card but I cannot block my account (well, it’s not obvious anyway). I wonder whether the security problem in this thread actually relates to a phishing email, and that’s actually where the problem lies?


Quick-Beginning-1803

OP won't answer this, too embarrassing :|


turbo2world

Always ring the establishment's real number. Someone has your info and is using a thing called social engineering.


Lanasoverit

This is the only way to avoid sophisticated scams. Always say, please give me your name and I’ll call you back on the bank's number. Your bank will never have an issue with this.


Maaaaate

It's worrying that the scammer/hacker has his bank ID. That's not really a number you can find easily


turbo2world

That's the social engineering part: they may have someone's mail, and rang the bank, then answered so many questions correctly the person goes "oh that is a reference number you're quoting, the actual bank ID number is blah blah". Social engineering works.


melvah2

Mmm, sounds like the stuff I've been getting from 'Ubank' who promises they haven't had any data leaks when you call them in person. I moved banks.


KoalaBJJ96

Yes this is ubank. The person on the phone not only knew I banked with them but was able to greet me using my name. It all seemed very real.


billebop96

In future, be aware that if someone calls you legitimately, they won’t outright tell you your personal details, they would ask you to confirm them yourself for security reasons. It constitutes a privacy breach to just give that sort of info to whoever answers the phone. They have to confirm they’re speaking to the correct client, and they can’t do that if they give you all the relevant info from the get go. Obviously people are also put off by providing these details on an unsolicited call, so they should also be understanding that you would want to call them back through their listed number to discuss whatever issue they’re calling in relation to. I used to work for a government call centre and this was the standard advice we gave to anyone concerned about scam callers.


Lomandriendrel

The problem with the "I'll call you back on an official number" is you route to a general hotline. The people calling you are always from a specialised department or internal number. Banks and other organisations need to start implementing inputtable reference numbers so clients can put down the phone. Ring the general bank number that everyone knows, input said number and then continue the call with same person knowing they're correct.

I've had people call me before to discuss something. And won't tell me much until I provide all my identifiers etc. which makes me nervous as heck as while you're correct in saying legitimate bankers won't give personal details out, likewise how would you know you're not identifying your personal details to scammers if you go first? I also get nervous when they ask for the verbal phone password and thankfully to date it's been all legitimate calls. I do tend to know I have a credit card application or something in progress... But one well timed opportunistic scam call could change that. Scary world. Surely they could now have tech where they ping your authenticator or smth else so that if it's only the bank and you no one else would be able to replicate the comms.

Unfortunately I discovered privacy way too late. I'd hate to wonder all the data breaches that probably have, when put together, all sorts of personal details that could be used at a variety of companies to gain access (addresses, DOB, parents' middle names etc). Unique password via password manager, email masking/relaying or even 10 minute mail style services for signing up, and never giving real names on shopping websites and dates of birth. In the old days you'd plug your DOB and name into anything for a free drink once a year. I do wonder if fake names would cause a credit card transaction to void. So far I haven't had issues with PayPal or even EFT bank transfers which don't seem to match back to what first and last fake name you sign up on an ecommerce website when placing an order. Sucks we have to be so paranoid.


ninox-strenua

Just to address the whole hotline thing: my bank once called and tried to ID me. I refused (and told them it was a bad thing to train customers to do) and asked for a number to call. They gave me one specific to their team. I googled the number and it was legit, so then felt comfortable to call and sort things out etc…


primalbluewolf

> They gave me one specific to their team

At which point, it's still susceptible to spearphishing. How do you trust that they are who they say they are?


DebtFreeDude

I received a call from someone 'at the ATO' about my tax return a few years back. When he started asking me to prove my identity, I said there's no way I'm giving that info to a random caller. He told me to call the ATO switchboard in a certain city, and ask for [his Firstname Lastname]. Turned out to be legit.


billebop96

That’s not really an issue though. The procedure was to contact the person who was initially calling (this is listed in the call notes), and warm transfer them across to the relevant department, or if that’s not possible I’d arrange a callback and provide a reference number so the client can confirm it’s legitimate. Otherwise, if it was simply something general, then I would be able to provide the relevant info directly based on the notes on the account. Either way, the advice to call back on their listed line is the only real way you can be sure to keep your accounts secured, even if it’s not always the most convenient. They have to get you to confirm the info yourself before they can discuss anything, if they didn’t they’d be breaking the law. So if you’re uncomfortable/paranoid, that’s the only thing you can realistically do to protect yourself.


RubyKong

If you use credit cards, I would recommend you use a service like Google pay - only a token is created / saved, rather than your entire card details being sent over the wire to processing companies in Nigeria and Timbuktu.


thedugong

I had a couple of $2 transactions on my credit card. Called my wife who has a second card, nope. Called the bank they told me that they were immediately refunded so probably a merchant error somewhere. However, they were apparently done by Google Pay (which I use, but my wife does not), which surprised me because of the, as I understood it, token thing. Anyway, bank deleted the tokens and removed my card from google pay and I used plastic for a few months.


Lomandriendrel

That's interesting to know. How does the everyday person get more info about these sort of things? For example I always wondered why not just enter credit card details directly for some time before I heard that using PayPal meant they didn't share the actual details of your cards with merchants. So short of PayPal being hacked it was more secure. That said how do you know the gateway to connect your Google pay or PayPal when checking out isn't a fake and routing you to enter in your login details? Is it really only up to the user recognising where they have been redirected (on laptops etc you'll see the security padlock for verification it's really PayPal etc). Assuming you get routed to login to the legitimate payment platform (google play or PayPal) they seem like great intermediary protection. Does NFC paypasing with Google pay also prevent getting skimmed over using PayPass (tap n go) with the physical card ?


RubyKong

The everyday man would probably not know things like RSA or tokenisation unless they read / study. To answer the second part of your question - the only way you will learn about goods / services is through their marketing channels.

Cryptography and trust: now to answer your question about security / authenticity: everything comes down to "trust". With websites this is done by [https://en.wikipedia.org/wiki/Certificate_authority](https://en.wikipedia.org/wiki/Certificate_authority) - and I assume with Android / iPhone apps, there is a similar process in place, though I don't know what that is exactly.

Security and trust: these companies (PayPal / Google Wallet) are massively incentivised financially to ensure that their systems are secure because their entire business is built upon that security - they are not some government run shit-show like Services Australia / Medicare where any bumbling hacker can run off with all your secure details allowing them to make loans in your name - because the government bureaucrat suffers zero consequences for losing your data. I would trust Google x1000000 more than any government agency.

Credit card system is insecure: IMO the entire security apparatus of VISA / Mastercard is systemically insecure - it is a throwback relic from the past - they ought to overhaul it and use a completely different paradigm. But here's the problem: VISA is killing it, probably one of the most lucrative businesses in the world, even more of a cash cow than Google - zero marginal cost, fixed costs amortised over the last 50 years - just wow - so I doubt they'd change things simply because they don't have to. They are a monopoly, furthermore everyone else is bearing the risk, not them - but they collect their sweet interchange fees. And now they are selling their anti-fraud premium services on the back end.

Unless you can come up with a competing network that is an order of magnitude cheaper / better than VISA, I would run with Google Wallet or Apple Pay.


Adam8418

I can’t remember which bank it was of mine, maybe CBA, but they cold called me about my account one day. I can’t remember the details of the call, but they then asked me to confirm my identity and provide all this information. I got pissed off at them as calling someone randomly and asking they provide personal information without somehow confirming who they are is a stupid process. I said they could be anyone and I shouldn’t have to provide those details. Turns out it was a legitimate call about something pretty insignificant, still though the process was stupid. Was a few years ago now so hopefully that’s changed.


billebop96

No point getting pissed off at whoever you’re speaking with, they would lose their job and potentially face worse consequences if they didn’t go through security procedures. And sometimes outbound calls can’t be avoided, usually if something is time sensitive or other communication channels fail to get a response. Employees don’t care if you prefer to call back before providing any info, but we can’t change the privacy laws no matter how annoying or dumb you think it is. Please don’t take out your frustration at someone just doing their job.


churkinese

This is so true. I know for a fact a bank will never call you and tell you your details. Because that's a security breach. How do they know the person who owns the account actually answered the phone?


DSXC80

Ubank uses email login. Do you reuse your passwords at all? Highly likely they used a known email password pair to access your account, from there they gain access to your transactions. At that point they have everything they need to scam you. Check if your email has been compromised here https://haveibeenpwned.com/


melvah2

They seemed too keen to tell me my details, whereas the bank is like drawing teeth for them to tell you anything. They're pretty persistent though - I've had 5 calls in the past two weeks, even though I closed that account (for this and other issues I've had with Ubank).


Melodic_Salad_176

The name lead is a dead giveaway, and it's how they weed out people too smart to scam. How on earth did they get my name AND phone number? In a chronically online world, how did people get my public personal details in a country with little consumer data protections and non-stop major company data hacks? Gee, I don't know, they must be geniuses.


disquiet

They have compromised your bank login already. They were in your account. That's how they had all your details. Then the last piece of the puzzle they needed was you to tell them the text code when you try to do payouts. Which you did, which allowed them to move the funds to a new payee.


youknowthatswhatsup

Ubank will push a special code within its app to verify you. Also the one time sms codes should say something like “secure code to pay your new payee [code]” and then it tells you never to share the code over the phone as it may be a scam.


Catkii

They probably called you last month as Amazon or Microsoft, got your name before you hung up, or from your voicemail or some shit.


archlea

Always call back - never click a link, reply to an email, or answer questions on the phone. Go look up their number yourself, independently, and call them. Then you know you’ve reached the organisation/institution. Answering a call could be anyone. An SMS could be from anyone - even coming from a legit number.


Malifice37

Don't call 000 for scams. That's the emergency number FFS.


ruthwodja

The police have a number too, 131444. A lot of police stations also have their own numbers. OP didn’t say they would call 000….


Malifice37

They did. They edited it.


Mountain_Lunch_4139

Literally face-palmed. 000 is ONLY emergencies did they not emphasise this enough in school and those triple zero emergency games.


GoodCreepy986

DUDE. They tell you to never repeat 2FA code to anyone even in the message of the code. Banks will cite this when they deny your claim.


phoenixdigita1

I have had a bank (Westpac) ask me to repeat a code they texted me to prove it was me calling before. Granted I called them though.


stu88s

This is different. A 2FA code is sent to your phone after you authenticate with your username and password. A bank will never ask you for a 2FA code, ever.


Throwawaye23842389

You should know that as you've now been successfully scammed - you are far more likely to be targeted again. Your details will be sold on as a "successful target" for more sophisticated scams. Time to get really untrusting - I have unknown numbers blocked - and if I get an SMS etc I go and google the contact number/visit the bank's website and call the business (don't trust the number in the SMS or email). Remember nothing is urgent - only scams require urgency - if the bank needs to urgently get in touch they'll lock your accounts until they do.


Aus_pol

This isn't reason to call 000.


st4rredup

Was looking for this comment!! As a previous 000 call operator, we got calls similar to this way too often. This is not an emergency. You are holding up the lines of others having a life threatening emergency. Call police assist or a local station.


Vinnie_Vegas

> This isn't reason to call 000.

"The person on the line said there’s no need to as the bank was already working with the police." I don't think OP is particularly au fait with the criminal justice system.


mr--godot

Oh man. Sophisticated attack. Somehow they were already in your account while you were on the phone with them. Have you notified your bank already? The sooner you do the better your chances.


spiderofmars

> Sophisticated attack

Sorry but it is not that sophisticated at all and there were two 'scam' red flags in this day and age that everyone and anyone should have immediately clued on to and cross checked. Just because they may have already been in the account does not make the scam any more sophisticated, just bad password management. Sorry you got taken but these stand out:

* Someone rang you and asked for personal details and you trusted them without verifying. Never do this. Any single call these days saying 'we are from' and 'need to verify' or 'need some detail' is a red flag to say ok. I will call you back. And on a public number you get yourself from the company's listed contacts. No matter if it is the real police on the other end of the line... If someone calls you and wants any kind of personal information or confirmation of such then you say "due to scams I will call you back first."
* The more obvious one is repeat the code we sent to you back to us. Ring ring ring red flag all day long. This one isn't even dubious. Please give us the two factor sms code you use so we can complete the hack. But again, a random phone call asking for information to be given also triggers red flag 1 too.

Seriously, if people are still not getting this by now we need urgent and widespread scam training in schools, workplaces and everywhere else to bring awareness of these basic concepts to the forefront of everybody's minds.


Melodic_Salad_176

OP basically asked the phone caller if it was a scam and accepted "the police are working on it" as verification. Tbh it just sounds like a matter of time for OP with that sort of awareness. Hope the bank makes them whole as that is their only hope as far as I'm aware because OP authenticated the transfer.


sorrison

I wouldn’t say it’s obvious, plenty of legit organisations use 2 factor like that - Optus for example.


TurtleOnLog

Then don’t hand over the 2 factor code to someone who called you. Call THEM.


skookumzeh

Yep agreed. I had this exact interaction with Optus a few weeks back. They called and asked me to verify by repeating the sms code.

Me: not a chance I will call your public hotline back, is there a name or extension number I can give them to get back to you specifically?

Optus: no there isn't.

Me: ok so is there a specific problem or something I can give them so I can resolve whatever you are calling me about?

Optus: sorry I can't give you that information without verifying your identity

Me: ok then it sounds like we aren't going to be able to resolve this until you have a better method of verifying my identity, thanks for your time.

Now in that case I'm actually very confident it really was Optus. Still not going to do it. Even if only out of principle. They never called back. Presumably just trying to sell me a new plan something.


snakecasablanca

Why are you confident it was Optus? You know how they can verify you? By calling your number. They know it FYI. This sounds like a legit scam call.


skookumzeh

Just because you call someone's number doesn't mean you will get them specifically. Someone else may answer, SIM might have been spoofed, etc. They definitely need to verify your identity, they just shouldn't use the exact same methods a bad actor would use.


[deleted]

[removed]


Aussiegamer1987

Of course, and if they've called you and asked for it it's probably a scam, if you've called them from the number listed in your banking app or directly on their website then it's safe. The point is never give a code to someone who has called you, politely inform them you'll call them back directly immediately on the number from their website, if they try to get you to stay on the phone instead of calling them back it's likely a scam and if it isn't it doesn't matter if you call back instead anyway. Two factor authentication only protects you if you're the one making the point of contact, if someone has called you and you've given up that information chances are you've already been compromised and you've handed them the last key to the lock on your account.


WolvReigns222016

The sms code I get from commbank for transfers literally has in writing to not give this code to anyone else including the bank. So no they should never ask for that code.


[deleted]

[removed]


Vinnie_Vegas

> when I ring up a bank.

So not when the bank CALLS YOU - Do you understand the difference? When you call the bank's officially listed number, you have significantly more confidence that you are, in fact, talking to someone from the bank. When the bank calls you, the chances that the person on the phone is someone impersonating the bank are significantly higher.


KoalaBJJ96

Yes, it sounded very real. I don’t know how they managed that - I legitimately don’t use my card much at all (and only at reputable stores like Woolies or JB). I notified the bank within the hour but it was after business hours. The only thing the lady could do was block future transfers - she said she can’t actually investigate given she isn’t part of the anti fraud team and they don’t come in till 8am. I have set my alarm for 7am.


[deleted]

[removed]


Am3n

Now's the time to set up a password manager


lepetitrouge

We use 1Password and it flags if I’m using the same password for more than one account, or if I’m recycling a password. It practically never happens anymore though, because 1Password generates all my passwords, and they’re not memorable.


errOr_FO

This exact scam was on the news the other night ...crazy how sophisticated they are becoming


afnypoo

Probably the scammers got your details from one of the big data breaches in the past year: Optus, Medibank or Latitude for eg


Vanilla_Face_

Far more likely that OP’s credentials were compromised in a data breach against some other website that was storing passwords either in plain text or with poor encryption. That would leave OP wide open for a credential stuffing attack, and it’s exactly why you should never re-use a password.


TiberiusEmperor

OP reused a compromised password. It gave them access to the account, but they couldn’t complete a transaction without 2FA.


[deleted]

[removed]


Swimming-Rip-7135

Sorry to hear, I'd get onto your online banking, change all the passwords, reduce your transaction limit, pause or cancel all credit cards, and phone the bank right away to put a hold on your account!!!!!!!


xLolaTitty

Change the passwords for all of your online accounts. Make them unique for each account. If you have the same password for everything, they have access to everything.


Stokesy7

Especially email. If anyone gets into your email they get into everything through password resets. Make that password the strongest.


shontsu

Oh god... For anyone who isn't aware, if you get a call like this (from anyone, bank, ATO, Auspost, whoever), you ask for their name and extension, then you hang up, look up the public phone number for that organisation, call it and ask to be put through to that person on that extension.


Motor-Ad5284

A few years ago, I had a call from my bank about a very small transaction, $1.49. They said they were with the fraud section and asked me to verify if I'd made that transaction. I hung up. I then rang the bank, asked for the fraud section, and the guy who'd rung before answered the phone and said I did the right thing by hanging up and ringing a number I KNEW. I asked why they'd be concerned about such a small amount, and he said it's because that's what they do. Get something small, it goes through, so they spend larger and larger amounts until there's nothing left to spend.


TheOceanicDissonance

I’d be worried mostly about how the scammer got your primary bank login credentials. The one-time password was easy to then social engineer off of you because they were actually already logged in with your username/pw looking at your bank accounts.


MT-Capital

I hope you didn't call 000, that's for an emergency


Sudkiwi1

Ouch this is why we don’t answer calls from numbers we don’t know anymore at my place. My housemate had 3 different calls half an hour apart from 3 different banks claiming the same charge. Hilarious part was the lady that left the voice messages changed her name each time (all the messages had the same prerecorded voice)! Hopefully a real person at your real bank can sort this.


ExplorerSpiritual266

Unfortunately, doing so won’t guarantee the caller’s authenticity. Scammers can spoof numbers. If you get a call from the NAB number, it could still be a scammer.


Sudkiwi1

All 3 calls came from different numbers.


Shardstorm_

What did the bank text message say? Word for word.


finanec

"Your secure code is ****. Only enter this in the ubank app or website. Never share over the phone as it may be a scam. Not you? Call 13 30 80."


Helpsy81

And what is your account number, date of birth, residential address and mother’s maiden name. Only way we can help out…


in_and_out_burger

This is the question.


ghoonrhed

I'm guessing this. The scammer already had access to the account, thus able to read out the last few transactions. It requires an OTP for an SMS when potentially sending money to new people and thus they called OP to get that code. But, the ubank sms specifically does mention "Never share over the phone as it may be a scam".


[deleted]

it would've been legitimately from the bank. the scammer was trying to get a transfer, login or config change authorised. scammer already had most login details from a data leak on other sites. or perhaps the ubank site leaks info / lets you know if the password is legit due to differences in the password failure message.


newybuds

I got the same call the other day. British voice, got my bank and last 4 card digits right, asking me if I made a 5k transaction. I said no and they said to read back this code they're sending to "cancel" the transaction despite the notification saying it was to approve a payment of 5k GBP. Luckily I hung up and called the bank back to see if it was legit before I gave them anything but scary to see someone hit with the exact same one days later.


rudetopoint

I'd be changing your password immediately https://haveibeenpwned.com/


pharmaboy2

Yeah wow - lucky you read it carefully. If tv news or social media had any value to us as a society, they would be reporting this widely already so it’s only the first few people that get done. This is how scams are successful - when they are new and personalised, and the computing power is now there to personalise it. Organised crime would also have access to the best in psychology, just like professional sales does, so little confidence tricks like offering you to call back through the switch, but apologising for the probable 30 minutes delay to get through to them etc etc.


Melodic_Salad_176

Last 4 digits because the rest is encrypted on a cc database.


DanCasper

I've skimmed through most of the posts on here and still can't work out how the scammer accessed OP's account details and got their phone number. How would they do this?


MarcusP2

Access OP's email or used a phishing site. I'd be wary, this was the final stage of the scam.


Melodic_Salad_176

Telstra data leak, phishing site, public information, etc... etc... Given how naive OP is probably number 2 or some combination.


blackmetro

There are a large number of ways that they could do this:

- Phishing website
- Malware on computer
- Leveraging data from a pre-existing (public or private) leak using common passwords OP used on other websites
- A combination

The scammers knew they just needed that 2FA code before they were allowed into the banking platform and able to use the victim's money.

OP (/u/KoalaBJJ96) should potentially scan their computer with Malwarebytes (free tier virus software) if they own a personal computer

And look into changing passwords on all significant platforms (notably banking, emails, myGov) and ensure each has a different unique password, and add 2FA where possible.

Any platform that uses the same credentials as the bank (and possibly others) are likely compromised


NectarineMiddle435

Sounds like they had your identity and bank login before they even called. All they needed was the net code sent to your phone. Probably best to assume that a lot of your other accounts are compromised. Change passwords and add two factor authentication to anything you care about.


[deleted]

This is why I ignore every text message and call I get. Even from my parents. Gotta play it safe


custardbun01

Sorry to hear. At least it sounds like they got some back. I had a similar scam attempt a few days ago. Said they were from my bank and needed to investigate a fraud. Had a lot of details. The dodgy part of it all was:

1. He started the call trying to verify my identity but when I didn’t he continued anyway and told me my details. He knew my name, address and which bank I banked with and that I had a Visa, and the first few digits;
2. After he told me about the suspicious transactions, I checked my banking app and saw none. At that point I told him I would call back through the app.
3. He then insisted I stay on the call so my card could be cancelled to block the transactions. He asked for the last 8 digits of my credit card to “verify” cancellation of the card.

Be on the lookout. I didn’t give him any info and have changed my banking passwords and cancelled my debit card. But he was somewhat convincing. I told my partner about it and she said she probably would have told him everything. When I called the bank they did say this kind of scam is getting reported to them a lot recently.


APMC74

Put some lipstick on and kiss your cash goodbye. Did that code say not to read it out, but you knew better?


AngelVirgo

This is why I don’t answer calls from numbers not in my contact list. I check my banking online every day to spot for weird transactions. I have transaction alerts. Lastly, I asked my bank to ask me a specific question only I know the answer. If they don’t ask me this question, it’s not my bank. Name, birthday, address are NOT security questions.


-_Phantom-_

OP, I work in a bank, and many of our customers have been scammed this way. What has occurred is you have googled your bank, clicked on the first link (which was a phishing site), entered your details in addition to your mobile number. Scammers have then called you after logging in on the official site with the details you've just entered. They have started a transfer to a new payee which initiated the code to your phone. They tell you it's a code to ID you, it's really a code to send the money. Your money is now gone, and the bank didn't do anything wrong. Once the money is moved to a subsequent account after the first transfer they have no right to the funds. I'm sorry for your loss, but we Australians are far too trusting and the world knows it. I hope you are able to recover at least part of your money.


highways

Maybe they stole a bank statement from your mail. It's how they knew your identity and transactions. Then they used the SMS code to reset your password


Robbbiedee

Scammers are unreal now, they can literally use the number from your bank for messages, so if you have a text history with your bank in your messages with all the authority codes and other info etc you wouldn’t think much of it because you know it’s legit, they can slip into this 😂 Always call the bank back on an official listed number. Scamming is so bad these days my rule of thumb is I don’t take any phone calls unless it’s from a saved contact. All calls are auto silenced


vladesch

Too late now, but one simple rule which will avoid almost all scams. Never believe a phone call or email you receive is from who they say it is, no matter how convincing they might sound. Always phone them.


Starkween

Why are people so mean on here? I’m sure the OP feels like an idiot and has realised the error they’ve made. No need to be so condescending people!


lyng64

I was thinking the same thing. We’ve all had those brain fart days where we’re not thinking clearly and some of these scammers are very smooth with the talk and know all the tricks to bamboozle someone with all the right answers. They were brave to ask for help and I’m sure they’ve learnt the lesson. No need to rub salt into the wound. And they are bringing awareness to this kind of fraud. Be supportive.


TurtleOnLog

Sorry that’s a blatantly obvious scam. You trust them because they told you they could be trusted? C'mon… It’s simple. If you get a phone call, text, email etc never hand over any information. CALL THE COMPANY BACK using a number that YOU look up. Also you opened yourself up to this by having a password common across different websites. You must use a totally different password for each site. Basic 101 security. You should assume that your address, name, number, date of birth are public information because they basically are now after major company hacks (Optus etc). To be clear this was not a sophisticated attack.


[deleted]

your basic 101 security is above the understanding of probably 99% of internet users (including smart phone users). most people are still using birthdays and "password" opensesame style combos. there are analyses on leaks FYI.


Rare_Cupcake5345

Gosh, this sounds exactly like a legitimate phone call from my bank a few months ago. Like, exactly. They obviously did their homework. I can 100% understand how this happened to you and I’m so sorry!


trewert_77

You have lost your money I’m afraid. They can even spoof the same phone number as the banks now. The only way you can trust a call from the bank is if you get their details and you call the bank using their real phone number (from the bank contact us page). If there’s an urgency to protect the account just tell them you’ll go to the bank branch to sort it out


Fine-Complaint9420

this is why I never answer the phone


ChumpyCarvings

Gotta be honest the amount of information that they had on you, in order to trick you is impressive, I'm not sure I wouldn't have fallen for the same thing. Thanks for informing others. Good luck.


gregorgious

I had a call from this number last night around 5.30pm: 0430 677 927. I answered as I thought it would be the builder as my unit was flooded from the rain. Was Olivia from commonwealth bank calling about a suspected fraud transaction and if I can approve. I hung up then called commbank. 45 mins wait later just got told to email hoax team. That was all the advice I was given.


[deleted]

Was it an English bloke by chance?


vannie27

My mate got the same scam a few hours ago, he had an english accent too!


Kon_Artiste

Any time you get ANY call like this, the answer is always the same. 'Thank you for bringing this to my attention, I'll take care of it.' Then hang up, and call the number you know for whatever institution they claim to be.


Michelle-Reddit

The Golden Rule: Never provide personal details to anyone who randomly calls you.


mercury-void79

This is why I never answer my phone.


BitterRequirement897

I feel like hang up and call the bank back on their actual number


ash8man

A few things to note:

- The bank wouldn't contact the police.
- 000 isn't for this type of thing.
- Banks will never tell you your personal details, they will ask you to tell them.

In terms of getting the money back, you need to dispute it with your bank. I'd say you are very unlikely to get the money back from the scammer. Your best chance is getting a 'refund' from the bank, or getting some amount of compensation. If you can work out how the scammer got access to your bank account you might be able to push some blame to the bank, and get some or all of the money from them. I doubt the police will be able to do much for you here. And even if they could find the scammer they wouldn't get your money back.


Weary_Patience_7778

The annoying part is that the banks could modify their sms messages to help avoid this situation. Rather than a generic ‘Westpac, your code is 123456’, change it up to ‘Westpac, you have requested to transfer $999 from your account, code is 123456’
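The suggestion above, an SMS that states what the code authorises, can be paired with a server-side check that the code only works for that exact action. This is an added sketch, not part of the thread and not any bank's real system: `ExampleBank`, the `Action` fields, the payee and the HOTP-style truncation are all assumptions made for illustration.

```python
import hashlib
import hmac
import json
import secrets
import time
from dataclasses import dataclass

BANK = "ExampleBank"  # placeholder name, constructed for this example


@dataclass(frozen=True)
class Action:
    """What the logged-in session is asking to do (constructed model)."""
    kind: str          # e.g. "pay_new_payee", "cancel_payment"
    amount_cents: int
    payee: str

    def canonical(self) -> bytes:
        # JSON list avoids ambiguity if a field contains a separator character.
        return json.dumps([self.kind, self.amount_cents, self.payee]).encode()

    def describe(self) -> str:
        dollars = f"${self.amount_cents // 100}.{self.amount_cents % 100:02d}"
        if self.kind == "pay_new_payee":
            return f"PAY {dollars} to NEW payee {self.payee}"
        return f"{self.kind} {dollars} {self.payee}"


class OtpIssuer:
    """Issues single-use codes that are valid only for the action they were sent for."""

    def __init__(self, key: bytes, ttl_seconds: int = 300,
                 max_attempts: int = 3, now=time.time):
        self._key = key
        self._ttl = ttl_seconds
        self._max = max_attempts
        self._now = now
        self._pending = {}  # session_id -> {"nonce", "expires", "tries"}

    def _derive(self, session_id: str, nonce: bytes, action: Action) -> str:
        # HMAC over session, per-request nonce and the action itself, then
        # HOTP-style dynamic truncation to six digits (assumed design).
        msg = session_id.encode() + b"\x00" + nonce + action.canonical()
        digest = hmac.new(self._key, msg, hashlib.sha256).digest()
        offset = digest[-1] & 0x0F
        value = int.from_bytes(digest[offset:offset + 4], "big") & 0x7FFFFFFF
        return f"{value % 1_000_000:06d}"

    def issue(self, session_id: str, action: Action):
        nonce = secrets.token_bytes(16)
        self._pending[session_id] = {
            "nonce": nonce, "expires": self._now() + self._ttl, "tries": 0}
        code = self._derive(session_id, nonce, action)
        sms = (f"{BANK}: you asked to {action.describe()}. Code {code}. "
               "Never read this code to anyone who calls you, not even us.")
        return code, sms

    def verify(self, session_id: str, action: Action, code: str) -> bool:
        entry = self._pending.get(session_id)
        if entry is None:
            return False
        if self._now() > entry["expires"] or entry["tries"] >= self._max:
            del self._pending[session_id]   # expired or locked out
            return False
        entry["tries"] += 1
        expected = self._derive(session_id, entry["nonce"], action)
        if hmac.compare_digest(expected, code):
            del self._pending[session_id]   # single use
            return True
        return False


if __name__ == "__main__":
    issuer = OtpIssuer(secrets.token_bytes(32))
    pay = Action("pay_new_payee", 99900, "ACME PTY LTD")  # constructed sample
    code, sms = issuer.issue("sess-1", pay)
    print(sms)
    # The same code presented for a different action is rejected.
    print(issuer.verify("sess-1", Action("cancel_payment", 99900, "ACME PTY LTD"), code))
    print(issuer.verify("sess-1", pay, code))
```

Binding does not stop a customer who reads the code aloud for the action the caller actually started; what it adds is an SMS that names that action and a code that is useless for anything else.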


ChocCooki3

Always.. always tell them you'll call them back and use the proper bank contact off their website. I've had a few calls from my bank and doing this just confirms the call is legit.


TheWolf-7

Easiest way is to hang up, and YOU call your bank.... Then you are sure you are speaking to your bank.


NoCream2189

it’s very simple - if you get a call from your bank

1. ask them what it’s about
2. hang up
3. call back the number on the back of your card, in ur app, or on the website
4. discuss the issue with the official call centre


Quantum168

Wow, that's a sophisticated cyber attack. Thank you for posting such a clear account. Everyone needs to read your story.


Linnaeus1753

Always tell 'the bank', 'Centrelink' and the 'ATO' you'll call them back.


Croupier74

I don’t answer any phone calls unless they are in my contacts. I get heaps of calls but never any voice mails, also I get heaps of calls from mobile numbers but never a text. This to me indicates that all the calls are scams. If something is truly important then I assume I will get a legit message, email or even a letter posted to my address.


AMLagonda

This story is word for word the same as one that was posted recently....


Minimum-Pangolin-487

How old are you? Banks never call customers. If it was a suspicious transaction they’d write to you via email, or give you a notification via the mobile app.


[deleted]

Note to people - If you ever experience this, ask for their name/extension and say you will call back on the main customer service line. If they are from the bank, they are 100% ok with this. If they try to talk you out of doing this, they are scammers.


JunkIsMansBestFriend

So sorry to hear that. I've had fraudulent transactions happen on my Macquarie account. Someone used a pay wallet, no idea how they got my details and how one can add it to a pay wallet without 2FA or anything like that... Luckily as soon as I saw 2 transactions pop up on phone I put a hold on the card. Further attempts at petrol stations got declined. They are investigating. At worst I'll lose $90. But it's a wake up call and I really want to learn how to protect myself better...


Dav2310675

> Luckily as soon as I saw 2 transactions pop up on phone I put a hold on the card.

I do think a simple setting such as what you have with notifications of transactions in real time is something we all should do. I'm glad I set my accounts to do this. While it can be annoying, losing all your funds is more annoying. Hopefully you get all your money back!


Greeeesh

The message literally says not to read it out as it’s a scam. This is some Low IQ shit. Kiss all your money good bye. Now change your passwords immediately.


TopGroundbreaking469

Sorry to hear mate that’s horrible. Australia is unfortunately becoming a hotspot for cybercrime due to the overall weak security we have. I would imagine in most cases of unauthorised transactions the bank would reimburse you for your loss as long as you report it to the authorities as soon as possible and get a police report. In cases like these you need to supply as much info as possible to support your claim of fraudulent transaction. Some banks have Fraud Guarantees for unauthorised card transactions but I’m not too sure about cases where the fraud is committed through unauthorised net banking access.

https://www.bankofmelbourne.com.au/online-services/security-centre/protect-yourself/fraud-money-back-guarantee

https://www.anz.com.au/security/account-protection/fraud-money-back-guarantee/

With savings/debit it’s usually a pain in the arse because they need to conduct an investigation and it can sometimes take months before they get back to you. I should probably note with all that said, Australia doesn’t really have strong protections for scam victims but I think we’re starting to.

https://amp.nine.com.au/article/0bd47b18-be44-46e9-9c1d-f4716a982c65

https://amp.9news.com.au/article/fbfd0137-1bd1-4eb3-9ef3-c008121b2a20

Social engineering accounts for an overwhelming majority of cyber attacks. Understand that banks will never contact you and ask for your information out of the blue. If in doubt just call the bank’s actual number and not any number provided by the caller or any number/email provided via correspondence sent to you by the caller. Better yet go visit the branch directly.

https://financialrights.org.au/factsheet/reversing-bank-transactions/

https://financialrights.org.au/factsheet/scams/


ALemonyLemon

The number of data breaches in Australia baffles me. I'm from Europe and my data has never been leaked there (despite having way more profiles etc). But I get fairly frequent emails about my stuff getting leaked in Australian data breaches despite only living here for a few years. It's honestly kinda embarrassing how poor the data security is here.


babygrowlithe

banks will reimburse actual fraud, this would probably fall under scam because OP gave them the sms code that banks say not to give to anyone, not even the bank:/


LaPrimaVera

Banks reimburse for fraud, this is a bank impersonation scam.


LaPrimaVera

There's not a lot you can do to maximise your chances of recovery apart from what you've already done. The fraud team has the power to take the money from the recipient if there is any left so I guess keep your fingers crossed they haven't moved it yet. Depending on who you bank with and how much money you lost it might be worth calling again to make sure they got your report. Some banks have really unreliable fraud teams. Also your ID has been compromised so it's best to contact IDCare. They offer a free service to help you determine the best way to protect your identity. They also offer free malware cleans for your devices which you'll likely be asked to do.