Just got scammed out of almost 1k

[BonneMamanAbricot]

Please be so careful of phone calls from your bank. Always call them back, as caller ID can be faked. My actual bank said they had never seen this scam. They duplicated everything, all the spiels, the robot connecting voice, the hold music.

Second month of being paid after 5 months of no income. Back to nothing again. FFS.

I can get an OTP for your Lloyd Group account if I have your account details, name, address and DOB.

The security is that when you try to reset your log in info, or add a new device, the OTP is displayed on the screen. The OTP is useless to anyone though, unless you can also answer the call that asks for the OTP, which goes to the phone number verified and linked to the account.

The bank doesn't need to explain how the scammer got the OTP, that's not the security part. The security part is the account's real owner giving that OTP back to the bank to confirm they are the person who generated the OTP. Which the OP inadvertently did by answering the automated call from the bank and providing the OTP the scammers had generated.

It's a really simple fraud, and exactly what you would do if you had someone's name, DOB, and address. They do need the account number and sort code to reset the log in details, which they then collected from the OP to generate the code.

Not kind or helpful.

The only time I've been called by my bank was when we already knew something weird was going on, we tried to withdraw money abroad and it failed. Then got a text message saying suspicious transaction. Then the bank rang and confirmed what had happened (it was just a mix up due to not understanding a foreign machine and trying to do a balance check on a credit card). But the call didn't come out of the blue.

Once you've got someone's name and address, for a lot of people it's easy to find their date of birth with some social media stalking (or indeed from a data compromise from another institution).

A lot of scammers guess the bank (I've had scams from Santander, who I don't bank with - it was the first clue it was a scam) - but when OP provided the sort code then it confirmed who they banked with. She could be the 100th person they've rang, 99 didn't bank with Lloyds (for example) but OP did and so it sounded more legit to her.

If the OP's data was picked up from a data leak, then it might have had card info with it which would have told them who she banked with. It's not actually that hard to put together, and it might have had an element of luck.

From any number of sites where you put in these details.
Many of them aren't secure at all.

Could be from any number of hacking incidents - m&s, Eurostar etc ... take your pick.

OTPs are never verified via phone calls. Automated phone calls give you then OTP which are input into the device.

With Lloyds or Halifax the message on the phone is you are registering a new device with "bank" if you did not ask for this code please press star. The it says to enter the code after the beep or something along these lines. But OP obviously thought she was doing something with the device to secure her bank and thought she was asked for the code by the bank. Which when stressed is an easy mistake to make.

These details that the scammer had name, DOB, phone number and address are all details that you would put into most sights when registering. Even some banking info would be stored in sites that are not very secure at all. It's really easy for scammers to get this info which is why everyone should be hyper vigilant as to who they are speaking to on the phone

Who is putting all that info into random websites?

Other than my bank I can't think off the top of my head what sites would hold all of that information on me. I am very cautious and never click the remember my bank details option but how often are you asked for dob when paying for something?

The OTP is given on the app when you register a new device. The app then generates a call to the mobile number on the system and you input the OTP on the phone call.

In this instance the OTP was generated on scammers phone via the app and the phone call went to OPs phone. The scammers then gave the OTP to the op who answered the phone and gave them the OTP to confirm registration of new device. This wasn't an OTP to confirm a payment it was an OTP to register a new device

That's good that they do explain you're being asked to register a new device. I'm surprised they agreed to refund in that case.

I used to work for a large telco that you all would have heard of and I recall one person being sacked as they were caught selling account details to scammers.

With the number of companies offshoring call centres to low wage countries and the amount of access these people have to personal data I'd expect selling on of details and hence increase in fraud to be more frequent.

I wasn't told that. I wasn't given any information from the bank on what the code was for

When I set up my banking app on my new phone it happened the other way around. The OTP was sent to my registered phone number and then I put this into the app to complete the set up. The text message with the OTP was very clear what it was for, so an automated voice call could be more confusing for someone already frazzled/distracted. This may be why the scammers chose this particular bank to target.

I dont believe that either of those hacks involved customer banking information being stolen

I don't think M& S could have covered that up given how many customer accounts they must have.

Best to use the short code now - call 159 and choose your bank from the list. That way you don't have to find/remember your specific bank phone no.

An OTP to register a new device doesn’t generate a phone call either.

I set up a Lloyds bank account and app all not that long ago, I didn’t receive any phone calls.

Either Lloyds have a very slack security or this is not right.

My bank rang me to check if a large payment I'd made online was actually made by me.

Deal with your bank in person; it is old fashioned but safer.
These scams are becoming too clever.

Have your actual bank's phone no. in your bag. Always hang up and ring your bank directly.

So the bank presumably isn't one in the Lloyds group then

I was not aware of 159, thank you for this. I have seen the TV program trying to intercept scammers, it is appalling what these people try and unfortunately succeed in doing

Exactly this is how it normally works. I don’t recall Lloyds being any different.

If your new to bank they send an OTP in the post now to ensure you're the correct customer but if your changing passwords or moving to a new device the app absolutely does generate a code and initiate a call. There is a system where they send a passcode via text but when moving to a new device they will generate the code on the app and verify phone number through a call

@BonneMamanAbricot any chance you could share the name of the bank so others can be aware? I know it can't be the same as mine & looks like it isn't Lloyds group?

I think it would be useful to know as a warning to customers if the bank isn't making it clear what the code is for

From the replies I've read it seems like most posters already know to do the usual things like calling the bank on their actual number and not giving out your account details on the phone