Yet Another Cycling Forum
General Category => The Knowledge => OT Knowledge => Topic started by: TPMB12 on 11 December, 2019, 08:37:25 am
-
I'm probably being paranoid here but what steps would you take before giving your bank details out to a legitimate request that you've been expecting?
We have made an insurance claim which is fully backed up with evidence as requested. I've received an email that looks like it's from the insurance company complete with the same worded header containing the claim reference. Everything looks legit but it's asking for full bank details. Account no, sort code, name of bank, account name / type, holder of account, etc. Very simple form really.
I was expecting the claim to be accepted and payment to be made. I know I'm being too cautious and paranoid but what is a wise check I could make? If I take sensible precautions would that help if it did end up being a fraud?
-
Hover your mouse pointer over the link without clicking it: the URL should appear and you can see if it's that of your bank or not. If it doesn't appear, see if you've got an option to view the source code of the message, then search for the link and check it. If your email client doesn't all you to view the source code, open the mailbox with a text editor and do it there.
NB I use Eudora as an email client. It's primitive, so it gives me a lot of possibilities for this kind of mucking about. If you're using something like Outlook or Thunderbox, or some denizen of the Apple world, you might not be able to do any of these.
-
Phone to confirm before replying, or simply never by email.
-
Same domain in the email but can't see source code.
It's the insurance company so could call to check. They might take the details over the phone if I go through the claims line. Could be better option.
-
Did you not put most of that information on the claim form?
Personally I'd never send this information by email. There has been a lot of interception fraud targeted specifically at the likes of solicitors and insurance companies simply because large sums of money are a stake.
Caution is not paranoia: I am always cautious.
-
I'd go for the phone option if you can. Plenty of history of email details being stolen and sold to dubious people
-
I have a spare bank account that typically has a balance of a few pennies. I can give out the info necessary for people to put money in, but given there is nothing in there to take out, it doesn't matter if the info leaks.
Reduces some of the worry.
J
-
About the worst someone can do with your bank account number / sort code is set up a direct debit, which isn't a particularly useful type of fraud and you can easily cancel it. I wouldn't worry.
-
It is not much risk to your bank account. The main fraud risk is the money being sent to the wrong place. If someone has hacked your email, they could have already replied with different bank details. So the money goes to their account instead.
Could be worth emailing to reply, then phoning up to check they have received the correct bank details.
-
Thought about another account for payment and receipts then keep little in it. A transfer account only.
My partner used one for that but it became a pain since the internet fraud team there kept freezing her account even after a regular but varied payment to a pre- school. Became unusable because it took a visit to the nearest branch in a city we simply don't visit the centre of.
In had the idea of finding the claim line number I made the Irish claim call to. That came from the insurance documents. Told you I'm paranoid! I'm even unsure of numbers from the internet. ;)
-
About the worst someone can do with your bank account number / sort code is set up a direct debit, which isn't a particularly useful type of fraud and you can easily cancel it. I wouldn't worry.
IIRC Jeremy Clarkson helpfully demonstrated this, by publishing his account number and sort code in some newspaper or other. Predictably, a several of Driect Debits were set up to suitably non-Clarksonian charities.
Not being an egg-faced celebrity, I'd be more wary of cockup than fraud.
-
About the worst someone can do with your bank account number / sort code is set up a direct debit, which isn't a particularly useful type of fraud and you can easily cancel it. I wouldn't worry.
It's also useful info for further social engineering and phishing.
Someone could ring up and use that info to convince you (well, maybe not you but someome) to confirm something else, i.e. your postcode.
Then, a while later, someone rings up giving some more info you've previously given them, and gets your house name/number. Can I just confirm your mobile number. What network is that on?
And so it goes on. They might try pretending to be someone completely different to get some obviously useful information (card number, etc) as it's always worth a shot as plenty of people do fall for these things.
Whilst the individual requests may seem innocuous they can eventually add up to be useful information for scammers.
Bank details and mobile numbers are very useful for scammers that rely on unauthouised SIM Swaps. They can use the information they know about you to socially engineer the call centre people into performing a SIM Swap when they shouldn't, and then two factor auth tokens (such as account recovery codes for email addresses) can then be intercepted.
-
I have a spare bank account that typically has a balance of a few pennies. I can give out the info necessary for people to put money in, but given there is nothing in there to take out, it doesn't matter if the info leaks.
Reduces some of the worry.
J
I have used my revolut card account in the same way.
-
Not being an egg-faced celebrity, I'd be more wary of cockup than fraud.
If giving the bank details over the phone, more risk of them mishearing or mistyping a number. At least with email can copy and paste, and double check it is correct.
-
Not being an egg-faced celebrity, I'd be more wary of cockup than fraud.
If giving the bank details over the phone, more risk of them mishearing or mistyping a number. At least with email can copy and paste, and double check it is correct.
Agreed.
As does this chap, I reckon
https://www.cambridge-news.co.uk/news/cambridge-news/cambridge-man-gets-sort-code-17382929?utm_source
-
My cheap and dirty technique is to split my bank details into two separate routes so I'll send the account number by email and the sort code by text or something.
-
Not being an egg-faced celebrity, I'd be more wary of cockup than fraud.
If giving the bank details over the phone, more risk of them mishearing or mistyping a number. At least with email can copy and paste, and double check it is correct.
I don't hear well enough on phones to willingly use them for something important like that, even before you consider the security implications.
-
The digits zero through nine each has a distinct sound whereas letters often do not i.e. bee, pee, cee, gee, vee, dee or bravo, papa, charlie, golf, victor, delta.
That is the point of the phonetic alphabet.
It is always possible to read back and read back numbers and letters until you are blue in the face but once a button is pressed on an email it can be impossible to stop.
-
Not being an egg-faced celebrity, I'd be more wary of cockup than fraud.
If giving the bank details over the phone, more risk of them mishearing or mistyping a number. At least with email can copy and paste, and double check it is correct.
Agreed.
As does this chap, I reckon
https://www.cambridge-news.co.uk/news/cambridge-news/cambridge-man-gets-sort-code-17382929?utm_source
I thought the banks have decided (forced) to take action against this type of error/scam. They have to check if the name matches the recipient account now or something.
-
The digits zero through nine each has a distinct sound
Apart from "five", which sounds like "nine". Hence "niner" and occasionally "fife".
It is always possible to read back and read back numbers and letters until you are blue in the face but once a button is pressed on an email it can be impossible to stop.
Just like once a button pressed in a callcentre, except that over the phone you're perhaps more likely to retain plausible deniability when it comes to allocating blame (ie. charges) for the mistake.
Ideally, these things would have checksums, like credit and debit card numbers do, so that simple human errors can instantly be detected.
-
Not being an egg-faced celebrity, I'd be more wary of cockup than fraud.
If giving the bank details over the phone, more risk of them mishearing or mistyping a number. At least with email can copy and paste, and double check it is correct.
Agreed.
As does this chap, I reckon
https://www.cambridge-news.co.uk/news/cambridge-news/cambridge-man-gets-sort-code-17382929?utm_source
I thought the banks have decided (forced) to take action against this type of error/scam. They have to check if the name matches the recipient account now or something.
It doesn't appear to mention it in the above linked article but the same story on the BBC news carries this footnote.
https://www.bbc.co.uk/news/uk-50702234
Under plans from the UK's payments operator, from next spring the sender will be alerted if the name does not match the account. The change was originally set to begin in summer 2019, but was delayed.
-
I've been dealing with my parent's estates recently, and its a little scary seeing how far you get on automated systems with just a full name, date of birth, and first line of the address plus postcode.
-
It is a fraud risk to give bank details via email. However the risk lies with the party making, not receiving, the payment
The insurance company may have assessed the risk and decided they were happy to accept it.
-
To the OP: maybe ask if the organisation you are dealing with has a secure portal?
My accountant uses a secure portal system to transfer documents (and sensitive info e.g. company authentication code) rather than email because email is NOT secure. A reputable outfit doing financial stuff which requires transfer of sensitive info really should have some such facility........
GC
-
Although I always do a wry smile whenever firms insist that email isn't secure and force you to use some convoluted system. The worst require a portal which needs a code sent to your mobile. Which of course assumes a) everyone has a mobile and b) they have got signal.
Yes, in theory, email data can be hacked, but the reality is that it's far more secure than the post, where (especially at this time of year), umpteen humans within Royal Mail can at any point nick a letter passing through their hands.