My bank uses a fraud detection system that calls you if suspicious activity is detected on your account. It then asks you to call back a number to verify the account activity. Every time they call, they provide a different callback number. Searching for the callback number online yields only one result, which is the fraud detection systems web page telling you to NOT trust phone calls of any kind (their advice is solid, but it tells you to not respond to their own legitimate calls)!
The only time I ever triggered fraud detection system on my card I got a text message from bank that was "Your card is blocked due to suspicious usage, please call 'number'". And the number was also some random unlisted one.
Only reason I didn't just ignore the thing is I did make a purchase on new website a half an hour before.
Called my local bank and they confirmed this was legit, I almost went off on a full rant about how bad their protocol is for this.
Yeah, I think they don't have any people working on the full UX flow, my bank does similarly weird stuff.
The example that comes into mind is making transfers to my wife, where every time I do it, they ask me to confirm a bunch of questions to make sure it's not a scam/fraud, which fine, good idea. Once I confirm, they display another notice telling me they won't ask for a confirmation/2FA code because I make transfers to that account so frequently.
The only reason I can come up with why it is like that, is because there isn't a single person/group responsible for the full experience.
Ye they don't follow their own rules. Once my bank called me for a insurance change I requested a month or so earlier and asked me to verify myself via the security dongle. Like, and then they act surprised when people are scammed.
Just piggybacking on this, if your bank (or eBay or Amazon or whoever) ever calls you to inform you of a suspected hack on your account, and says they're sending you a 2 factor authentication code to confirm your identity, do NOT tell them the code. It sounds obvious when phrased like this, but if you're not familiar with the scam then yeah, it's a scam and they're trying to get your 2FA token in order to access your account.
It makes more sense when you realize it's an ass-covering exercise. Legitimate transaction blocked: "It's the user's fault for not calling the number, see, we called them and told them to call this number." Phishing: "It's the user's fault for calling the number, see, it says on our website you should never call any number." No matter what, it's always the user's fault for disobeying advice. A lot of things in our world are like this.
It's fun when you phone the bank's regular number, waiting hours to get someone on the phone, and they say that number isn't legitimate when it actually is.
Even better when it's a bank you don't use and the number on their site goes to an automated system that won't let you access it without an account number, so you have to scrounge for alternative phone numbers to get to talk to someone.
Not a bank, but Apple Mail inline displays PDFs. I've been getting these PayPal Bitcoin scam emails lately and checking from Apple Mail they look legitimate. Problem is, I don't have a PayPal account...
In Gmail or Thunderbird they don't just show the PDF and since they display the sender differently it makes it obviously a scam.
Sometimes it feels like companies are just helping scammers and I don't know why.
They could have published the procedures/numbers online. IME companies decided that publishing notices/articles on the web, setting up subdomains and modifying apps are expensive projects. That leaves only noreply@bank.com for communication.
This is especially annoying when I have their app installed, if the app popped up warning me of fraud, I would trust it far more than a random phone call.
More. I work with a bank that sends text messages asking if you issued a check for $x amount.
Problem is, one of the most common check frauds is check washing. The PTO line is changed to a fraudulent name, and the amount stays the same. So, yes, the amount matches a legitimate payment, but who was paid? Ha!
I briefly worked on a product related to this. It was a chatbot meant to replace the human phonecall in just this situation. The user would get a text from the bank with a link to the chatbot. They ended up not being able to sell; the common complaint from the banks was that they'd been training their users to never click links like that.
My bank has implemented suggestions I've given them in the past (USAA), but recently they used a different domain for a legitimate-seeming email (the email was about something I just did, and it was to an address I only use with that bank), and I called them up and spoke with someone in their fraud department to ask about it. I told them either they were hacked, or they were training their customers to fall for phishing, and asked them to create a ticket.
They said that domain name was not theirs, and they only use usaa.com in their emails. They locked my account without telling me. I had to call them back to get them to unlock my account, and I think that person in their fraud department understood the issue and they said they created a ticket.
I interviewed for a software engineering position at USAA. After seeing the incompetence of the interviewers none of the nonsense they do surprises me.
That's something! My bank insists on exactly 6 numbers. Not characters, numbers.
They're also hostile to password managers and don't allow copy/paste. You have to click on the numbers with your mouse.
"My security" is very important to them, so they've moved 2nd factor from a physical fob, to an app tied to my phone, and now they've improved it further by switching to sms!
Now, this isn't some neighborhood mom 'n'pop bank, but the biggest or second-biggest bank in France.
There was some brouhaha a few weeks ago when someone posted a screenshot on reddit about an Indian public sector bank's app refusing to run because a user had installed Firefox, and according to that bank, was a "malicious app that could steal user data".
Indian banks and many of the government websites are some of the most user-hostile things out there. Once upon a time, I used to think this was primarily to deter malicious actors from preying on tech-illiterate users, but given that the banks don't want to use all the tools/frameworks out there which help websites be both secure and user-friendly, I've changed my opinion.
Indian banks and their websites are likely among the worst in the world. The fact that many situations require printing forms, dealing with SMS-based 2FA, multiple passwords, sometimes with different requirements… I’m not surprised that many Indians still prefer the hassle of visiting a branch.
There's a certain Indian public sector banking app which won't run at all unless you give it camera, full filesystem and some other crucial permissions.
I have not received any spam similar to the OP from my bank. But it seems (at least the popular belief) the lower level employees regularly leak your account details to scam callers.
Yeah my bank requires me to reset my password every 180 days, only accepts passwords from 6 to 11 characters, and has a whitelist of valid characters. All this leads to a situation where I want to sign in, I'm then prompted to reset my password, but the autogenerated passwords from Firefox don't actually work because they are too good, so I switch to a terminal to make up a custom password to their rediculus requirements.
When buying or selling a house, this can get really bad. You have all sorts of entities which extensions of other entities. The bank has a mortgage sector which uses a different domain.
I also had to deal with a medical device recall, which was terrible. I had to trust some skeezy domains.
This isn't hard to fix, all you need to do is list on your website your "partner domains."
My personal security protocol was to search a .gov website for contact info of financial institutions, go to the domain listed, look for a customer service number, and call that to find out what domains to trust. Customer service people thought I was weird.
At one point, a customer service person said, "you know it's legitimate because if you go to LinkedIn, you can see the person you're dealing with has <Bank Name> listed as their employer."
> At one point, a customer service person said, "you know it's legitimate because if you go to LinkedIn, you can see the person you're dealing with has <Bank Name> listed as their employer."
"Yeah? Give me two minutes, and mine will say the same. So, will you give me your personal info?"
>When buying or selling a house, this can get really bad. You have all sorts of entities which extensions of other entities. The bank has a mortgage sector which uses a different domain
Huh? I got my mortgage thru a mortgage broker and I only dealt with a single person.
The naive people in decision-making positions often don't realize the risks involved in their behavior until they or someone near to them gets hurt -- in this case scammed or sued.
We used to have a lot of people like this running businesses in the US before roughly 2012, but white (and black) hat hacking began spreading quickly and made generally short work of the problem.
I used to work for a financial services company that had a strong and well-managed security culture. The company got acquired, and afterwards, we kept getting emails from third parties for various things, all supposedly initiated by execs/groups at the parent company.
We employees of the acquired company discussed the emails in Slack: we were sure that these emails were legitimate, but acting on them would have broken our security policies, so we all decided to all report them as phishing attempts. We understood that we were engaging in malicious compliance, but our actions were also a best practice, so we couldn't technically be criticized for it.
After a while of this, execs at the parent company would send out sometimes exasperated-sounding emails ahead of time, alerting us to the email that we should expect to receive and how they wanted us to respond. Of course, that led to discussions of how we know that that pre-email emails were legitimate. After a while, we all lost interest in this malicious compliance and adopted the much laxer security culture of the acquiring company.
I also suspect that the social dynamics of these kinds of organizations make it difficult for the right people for making these kinds of decisions to rise to the right positions for making them.
There's almost a catch-22: setting good, effective policies tends to involve a lot of telling people "no". And it's hideously difficult to do that without ruffling the feathers of people who control promotions.
Considering that on paper these businesses all have employees serving as CISO, EVP-, SVP-, and many, many Directors of Security, I find it highly unlikely that the accumulated experience of the people and their teams results in decisions like this. It's hard to distinguish incompetence from malice in many situations but calling them "naive" seems to be indirectly excusing customer-hostile behavior.
It doesn't make any sense to me because it's expensive to make sure your company's services are secure, but it's also expensive to not be secure. Perhaps it's less expensive to not worry about it because the loss-of-customers impact on revenue are still under the cost of doing it right. If that's the case it's a sad state for all of us.
My bank used to call me with random marketing crap, and insisted on telling them my birthday and my mother's name before they can reveal their latest exclusive offer or some other crap. They were always dumbfounded when I retorted that it is them who need to prove that they're really calling from my bank first.
When a random call asks me to confirm some information, I always reply that I'm not going to share any personal information because I have no idea who they are. Half the time, they just hang up, the other half of the time they launch into the sales pitch.
I have this happen all the time in healthcare. I had someone from a specialist office call me and immediately ask me for my date of birth. Their surprise when I said no was incredible. But I agree with you, if THEY are the ones calling, they need to prove their identity.
My bank eventually understood this, which is why currently you can check in the app whether on their end they're seeing that you're talking with their sales rep and which one specifically.
Between '06 and '19 I was a client of bank that proudly bear the title of "pioneer of online banking" here and tbh, they actually were. You won't met anybody in Poland who wouldn't have contact with that brand one way or another.
I opted-out for all marketing purposes once they allowed to do so but yet, I was getting random calls from bank and 3rd parties. One day I called them because I had login issues on Windows Phone. I did mention to consultant that I was getting these calls and in return lady hit me with quite a revelation: they had a single opt-out that was only available if you called them.
> So the next idea is to register the domain as a subdomain
I think the problem is, someone in the IT department understands the high risk associated with handing out subdomains, so they refuse to do it. So other parts of the company "work around" this by registering their own domain name.
I wonder how companies like Google handle this. A subdomain of google.com is probably the most valuable hack target in the world, but google does use subdomains occasionally (...or maybe more than occasionally! https://gist.github.com/abuvanth/b9fcbaf7c77c2954f96c6e55613...)
Nearly. It almost certainly never even touched IT.
The issue is that marketing is organizationally separate from IT and doesn't want to interact with them. IT is probably behind a slow, outsourced ticket based process and will take weeks to do a simple thing. They may also have random opinions about stuff marketing doesn't want them to have opinions about. So building out promos like this is delegated to SaaS services or contractors who also have no relationship with corporate IT. Then nobody in marketing really knows or cares what a subdomain is, because everything they do is just searching Google or clicking links. They never look at the address bar because it's always full of meaningless junk so why would they or anyone else care what's in it?
Anti-phishing training doesn't make sense, when you look at how people really use the internet. Not many people look at the actual text of a URL. The best anti-phishing training is "go to google and type what you're looking for, only click links from there" and not "carefully examine the domain name to try and intuit if it's owned by the organization you think it is".
Google handles it in the same shitty way. They send mails that could be phishing mails and use not only google.com but many other weird domains like goo.gl or foobar.google and so on.
Terrible. The times were one could rely on them have long passed.
For me, the money shot is Chapter 4: the bank needs to be held legally accountable of gross negligence for sending phishing-resembling emails to customers.
How do you hold someone legally accountable for a non-crime with no identifiable victims? Especially for "gross negligence", when the negligence is very clearly minor.
I see Conway's Law at work here. The marketing department must have its own IT department separate from the IT that maintains the core website and business functions. It's impossible for them to get on the same web domain (much less build something in the phone apps). Instead, they built their own disparate site and experience.
It gets worse. These German "Sparkassen" are small to at most medium sized credit unions. They are organised in a larger umbrella organisation that takes care of some of the services like IT, but the individual banks can pick and choose what and how much they want to handle themselves.
Some of them are larger and pretty well organised, but there are also a lot of small ones that just don't have the people and expertise for things like proper IT security practices. But customers trust them, because they position themselves as these local neighbourhood banks, even though most of them are pretty incompetent and will rip you off with high fees on accounts and shitty, underperforming investment products.
A friend told me about a company where the CISO instigated security newsletters aimed at staff to build up their experience on such topics, yet the newsletters were emailed from an external email and contained links to a hosting site that wasn't related to any of the employers regular website domains and like this case would often come across as a phishing attempt, especially when they ran competitions (apparently they appeared too good to be true, as friend's employer was famously tight!)
Every weekly newsletter I get at work is sent from an external spam-sender, containing links to an external hosting site that have a unique ID for tracking clicks. Those links are then munged by Outlook which makes them hard to identify. I searched on the company web site for any confirmation that the external sender or external hosting site were legitimately being used by the company and found none, so I refuse to click on those links. I should also report them as phishing scams really.
I got an email with a header that was obviously badly scanned from a paper document. It demanded that I provide proof of insurance or my car loan would be canceled. It had the name of the bank and my name and my email, but nothing else of import.
The only URL was to a domain unrelated to the bank.
I ignored the first couple, and finally looked into it the third time.
It was legit.
When I told them all the ways this looked like phishing, they couldn't understand my concerns.
I gave them the info they wanted in person at a local branch. I soon after paid off that loan and got away from them.
Heh, we did something similar at the bank where I work. Our marketing department, tasked with getting people to complete some "ongoing due diligence" (a bank term, part of KYC), sent out a bunch of SMS' with links to a page (on a non-core business domain) where we then asked customers to enter a bunch highly personal information. The SMS contained a lot of scary language about your account getting blocked and stuff.
I didn't know about it before my grandmother handed me an article from the local newspaper and told me some of her friends were worried about it. We laughed and I took the newspaper clipping to work and posted it on the wall of failures. Everybody in IT could immediately tell that this was a pretty bad idea, but we weren't asked.
I'd link the article and provide more details, but I'd have to visit my local library, and maybe later.
Something they do when they initiate a call to me on the phone is they start by making sure they are talking to me (they don’t ask me to prove it) and making sure I have the app on the my phone or access to a web page.
Then they initiate a MFA check within the app. I have to get it and read back a number. Then they ask me for my phone PIN or password. Once that’s done, then we can start talking.
Consumer-facing financial services in Germany are really bad at this, and it is not just Sparkassen: a few years ago an email supposedly from our corporate credit card provider to all of the foreign nationals at our company asking for scans of their passport photo pages triggered a deluge of phishing reports to IT, who had to subsequently inform everyone that yes, the email did indeed look exactly like a phishing attempt, but no, it was real.
I don't really know why the situation is so terrible -- there are many good and competent security professionals working in corporates in Germany -- but perhaps as the post alludes to it is due to a lack of legal or regulatory pressure to date.
Here's an interesting scheme. Some credit/debit card merchant accounts can arrange to get updated card info if your card expires and/or gets replaced. So if the merchant is a bad actor and doesn't charge your card directly but just tracks your updated card info so it can be used fraudulently elsewhere, you, your bank, and the card company will never know they were the source. And the card is linked to your bank account, you can replace it ad infinitum and the bad actors will get the updated info for the new card every time. The only way to break out of this is to close your bank account and open a new one.
Banks usually have a mechanism to prevent automatic billing/card data updates for exactly that reason for suspected/confirmed fraudulent used cards, but unfortunately not all of them, and I suspect even for those that do, not all customer service reps know how to do that.
In an ideal world, all merchants would be using tokenization already – then the bank could offer you a UI where you can just kick out the merchants you don't want to have access to your payment credentials anymore before reordering a new card. (If tokens were mandatory, like they are e.g. in India, you wouldn't even need to reorder the card in the first place, but that'll probably never happen in the US – too many legacy systems.)
This absolutely IS a reason to distrust a website claiming to be owned by a bank (or any other institution working with such sensitive assets). To be precise, such a website absolutely needs to have a certificate granted not only on the basis of "yes, I control the machine this domain points to" (which is what Let's Encrypt does), but also based on other, more physical and reliable means.
Not outright, but it's more likely that a malicious actor utilizes the simpler or cheaper solution. $300/yr+ adds up, especially if you need to go through due diligence to acquire the EV.
> While everyone can register for free on Let’s Encrypt, only (or mostly) serious companies pay money to register on DigiCert, GoDaddy, and so on.
GoDaddy is not a serious anything. DigiCert perhaps, but GoDaddy has repeatedly shown themselves to be scummy and untrustworthy.
That said, I do see the value in having an entity like a bank pay for a stricter cert with identity validation versus leveraging Let's Encrypt's free infrastructure which only validates domain/site control.
Something similar happened in Belgium in 2021. The Flemish government launched a compensation scheme for solar panel owners via a site called tellercompensatie.be.
I registered the obvious typo variant: teller-compensatie.be right after the tv and radio announcements, added a visitor counter and a link to the real site. It got ~20k hits in a few days, my second most popular project thus far.
I just went to check the “official” domain and it looks like the domain is now owned by an ad network. Classic.
I was on the phone with my bank recently (I called them) and they wanted to send a code to my phone to confirm my identity. I agreed. In came a text with a code and the phrase "nobody from the bank will ever ask you for this code..."
Phising and phishing education are inherently misguided. If my normal workflow includes much the following, then phishing will always eventually succeed:
- HTML emails where links and remote images obfuscate the 'real' content of the email.
- URLs which are not clearly and easily human-readable.
- A workflow where my normal and expected daily behavior is to receive valid emails that I don't recognizes with URLs from vendors, and then I'm meant to click on those URLs, go to web pages, and enter my credentials.
The fact that _any_ normal products or business processes expect this means phishing will always eventually succeed. No, I don't have all the UIs and URLs for every vendor memorized. I'd have no way to know if they changed validly, and my job trains me on a daily basis to click on emails and enter my credentials. It's just that _every so often_ this same scenario is set up by a bad actor.
Sharepoint is crazy. I get an email sending me documents, but to view them I need to click a link to an outside website and enter in my email login details??
I had similar with my energy provider in the UK (Octopus). For one reason or another a regular payment bounced which automatically puts you on a "call daily until the debt is repaid" list.
These calls come in on an unrecognised number, from staff who say "I don't know" when you ask them to prove they are from Octopus, and generate no call notes so you can't find out why they rang if you use the main customer service number.
To top it off they ask you to key in your card info on the phone after asking for your personal information.
I complained and they offered to fob me off with £30 credit instead of talking to their CISO, but they did at least say they can add phone passwords to individual accounts.
Royal Bank of Canada hasn't done anything this egregious but it always gave me a lot of confusion.
They use so many different domains. I'm not talking about redirects either. Like their landing page is at rbcroyalbank.com and then the login is at secure.royalbank.com. for ages rbc.com was another website for ages, but now also appears to be the Royal Bank (or is it?). I forget under which domain the dashboard is hosted.
Like, I get buying all the variations of your bank name, but please just redirect to one cannonical one! Marketing should also be for one domain. Way to easy to be scammed by royalbankofcanada. com or rbcbank.ca, because who the heck knows what their actual site is!
I know this from sport events but often the lottery or prize draw are organised by external marketing companies. So likely this is one reason for not making it a subdomain.
The other is that Germans seem very bad at this kind of stuff. Why the heck would the application for the German passport or Ausweis be published by some random GmbH and not Bundesregierung.gov?
But .gov are for American government sites, and Elon's friends (oh geez I loaded doge.gov, it looks so dodgy...), and I assume the assignment of the domain names under .gov is done by somebody in the federal government, if they haven't been DOGEed as well. If any country's government can get a .gov domain, I can imagine the hacking that could happen, similar to hackers managing to infiltrate Bangladesh's central bank and almost managing a heist, but for a typo: https://en.wikipedia.org/wiki/Bangladesh_Bank_robbery
At least for Switzerland the federal government puts its sites under the domain admin.ch . And the Cantons have their own domains, e.g. zh.ch for Zurich.
> Why the heck would the application for the German passport or Ausweis be published by some random GmbH and not Bundesregierung.gov?
This way the government doesn't have to release information to the public (think FOIA) about it. Moving central part of government operation into a private GmbH wholly owned by the government has (sadly IMHO) become a somewhat common strategy for the government. Not just Governikus (the one with the passport) but also the Telematik (Health system) and probably some more.
Speaking of normalizing bad habits, does anyone else remember when you were supposed to only ever enter your password into a site if you'd entered the address yourself (or used a bookmark), because if some other site had redirected you there it might be a fake?
To verify your account during online customer service calls, Comcast will text you a six digit 2FA looking auth code which you must provide to the Comcast customer support. Guys.
My bank replaced their phone authentication with something that asks you to speak a phrase (the same one every time) and tries to recognise your voice. Luckily that's completely bulletproof, there's no way it can be forged :-/
I read the FAQ on mine and it assures me it is totally safe and the voice cannot be forged. This mechanism was defeated in a hacker movie from the early 90s using a tape recorder but is actually being pushed as state of the art. I can't imagine how this method could ever be safe, even if it were possible to use some kind of advanced detection which would fail any time I had a cold my voice can be recorded and played back in high fidelity!
My mom was recently phished. The scammer got into her bank accounts and charged a bunch of air india tickets to her credit card and used zelle to transfer money out. When we reported it to the bank they said it wasn't covered because their fraud protection doesn't cover scams. So the banks just don't care. (It was Capital One FYI)
Why would insurance companies care? These banks never have to take significant losses for their incompetence. If they were fined 1% of profit every time they were hacked, then I could see all sorts of mitigations being considered.
insurance companies operate the same way! customer service departments aren't a hotbed of security awareness (coming from personal experience - no sleight to CS reps in general; it's systemic as much as it is personal).
I left Chase because their anti-fraud detection was so suspicious that Chase's own customer service told me it was fraud and had me close my checking account in the middle of a vacation. Only later I put together it was legitimate fraud detectiontriggering on an unexpected transaction location.
I called the number on the back of my Chase credit card (which goes to a call center in what sounds like India), and the person told me he has to verify me by hanging up, and then not to call anyone because he will call back in a few minutes... (Probably while he's on a "bathroom break" running to the scam center on the next floor of the same building.)
All the other times, they just ask for my verbal password to verify me.
I reported it and they said they created a ticket, but a month later when I called for a follow-up on the ticket, they said they had no idea what I was talking about :-/
(If anyone from Chase reads this, I have the recordings of those calls if you want them.)
>Only later I put together it was legitimate fraud detectiontriggering on an unexpected transaction location.
If I use my Chase debit card more than fifty miles from my home, transactions are denied as potential fraud. Then again, if someone uses my card details at a gas station in Santo Domingo, DR, that's just fine, even though I'm using the card in my home town on the same day.
Major US banks sometimes do similarly dumb things: TD Bank owns onlineaccessplus.com and myonlineaccount.net. Citi's credit card site used to have you log in at accountonline.com.
The US city I live in 9 months/year has a yearly burglar/fire alarm licence fee.
A few years ago, I got a postcard that said "renew your alarm licence on-line" and the domain wasn't the .ca.gov domain the city uses, but something like "alarm-renewal-online.info"
I had to spend 30 minutes on the phone with my city to verify that this was a legitimate way to renew the alarm. They had contracted with an outside company to do the payment servicing. In the end, I just decided to mail them a check.
This is on us, as software “engineers” for not having standards that may be used to regulate software development. There are building codes, fire codes, but no software codes.
Text messages used to be limited in size to IIRC 140 characters. (And I still have that limit on my Garmin inReach--about an abysmal a texting device as you can get, but it works off Iridium, not the cell net. I can be on the back side of nowhere and still talk to emergency services.)
i've gotten unsolicited calls like this before from my insurance company and when i tell them i don't provide personal information to people who just call me out of the blue and ask for it, they act like i'm from mars.
then of course i have to call them back, sit on hold (and maybe get the same call center agent!) to verify their identity and conduct whatever business they originally called about. thanks, your bad practice just cost me an afternoon to deal with the inefficiencies of a private industry i think shouldn't even exist.
I've mistakenly deleted from our mail quarantine multiple times as spam/phishing.
Imho it's wilful négligence toynkeep such a system operating in 2025.
When I got locked out of my mobile banking app, I got a security code in email to reset the app or something, but it didn't work. Then, I've called my customer representative for help, who promptly asked me to tell her the security code in the email so that she can reset the app. Yet, the email, in bold letters, said to never divulge the code to anybody, including the bank personnel...
I've been getting lots of scam calls lately, especially AI voice generated once, and there was one particularly annoying. Very persistent call about being approved for some loan, no reference to any particulars, all very vague, and I kept ignoring. In my mind I had no doubt it was a scam. Well, long and boring story short, now I have a missed payment on my credit report for my new HVAC system..
It seems to me the better and simpler solution is to continue teaching your users that this pattern this bank engages in is in fact still the pattern of hostile actors and let the bank deal with the consequences.
The system will surely rectify itself eventually when their spammy, manipulative, promotional banker campaigns do not produce results (is that a bad thing?) and they seek out firms that do produce results based on knowing what they are doing.
The author could even use it as an opportunity to promote his or someone else’s services and use this write-up as an artifact of evidence.
I don’t want to get too generalizing, but it is a perspective that does not surprise me coming from what seems to be a German, for better or worse. Complaints about not being in compliance with universal norms instead of taking advantage of a presented opportunity to break ranks for one’s their own individual advantage, strikes me as a very German perspective; like I said, for better or worse, without judgement, since both of these perspectives have their advantages and disadvantages.
Do what I did: move to a new bank that respects your security. When you close your account, give formal feedback about why you are closing. Outflows of depositors should send a signal.
(i had on issue with PNC in the US where they kept calling and asking for a 2FA code. Totally indistinguishable from phishing. Clearly they lack proper infosec, so I moved to Schwab and have not looked back.)
My employer regularly sends out phishing honey pot emails. Which is great but they then will send out legitimate emails which are genuinely difficult to separate from actual phishing (using novel new email addresses and domain names in links). They also like to use some email filtering which has a habit of mutilating URLs.
Same with DHL, they basically train their customer base to trust messages from random channels like whatsapp containing links. They have all the urgency/nonsense markers of spam.
I know somebody who tried doing a standard vehicle emissions test (gov't facility) in the area they live in. Bank thought it was suspicious and locked their card. Then they tried sending money from the bank to buy a car (they were just borrowing it before buying from a family member), and the bank thought it was fraud so removed online banking too. No tickets or phone calls helped. Ridiculous. Never once did they call to ask "hey is this fraud?"
The problem is that banks are too regulated. They get into problems (of different kinds) when it's actually fraud and they don't block the account. And then, customer support is expensive, more than losing a few customers.
gewinnen-mit-wero.de: It is pretty common to use a dedicated domain for a large campaign so that the spam complaints don't hurt the deliverability of your main domain.
"We'd like to confirm this wire. We just need some details."
"Okay, I am me, that's true. But I should probably call Chase back for this right? This is textbook scam stuff. What do I tell them to get to you as fast as possible."
"All right, sir. That's fine. Let me just make a note on the account. You should be able to find the phone number on the website"
And then I usually just find my way. It's funny, but you kind of have to be disciplined.
The site also uses a Let's Encrypt certificate, which seems strange. This appears to be a massive, coordinated and not very well-executed effort to promote this Wero service. My guess is that the sites were all build by the same advertising agency.
It's been a while since mine triggered on me, and the weird thing of it was a bought a TV that day, which is what I assumed they called about. Nope, it was for getting a car wash halfway between the store and home.
I've been preaching about this issue for years, even to my friends working in banks as IT security, but for some reason they are more obsessed about solving the wrong problems with buying expensive hardware.
Some of the worst practices I've seen are from FedEx. When you order an international package, you get a text from some random FedEx employee's personal mobile number, containing a link to a website where you're meant to enter your credit card details to pay import duties. WTF? NO. I've called up about it and the support team were just like "ugh, yes, I know, yeah that's actually probably legit."
I know of a bank that it asked for every piece of PPII they have on you for account validation. This allows their phone support folks to have every piece of information to steal your identity.
I'm also with Sparkasse and it's the worst. Their digital systems and their technical understanding is the bottom of the barrel. On the other hand, the "most digital bank" in Germany, N26, a so called "neobank" has laughable security [1]. It's a huge mess over here. I used to also bank in Singapore, the difference is night and day. Fun story: Sparkasse has an integration with a stock brokerage, and the stock charts are PNGs generated at the backend. It's literally 1995-level HTML usage, One can only laugh.
The one that kills me is when a financial institution or healthcare facility calls and says,
"Hi, this is so-and-so from The Place. I was calling about your request/account/etc"
→ "Oh, ok"
→ "Before we get started, I need to verify your social security number/address/other personal information"
→ "Yeah, you called me and I have no way of knowing if you are who you say you are. I'm not going to give you that information. Can you give me your name, and I'll call the number on the website and ask for you?"
→ "Flabbergasted Well, our system doesn't work like that, so you'll have to submit another request"
My Bank (ally) absolutely refuses to do any sort of secure authentication. No TOTP, no U2F key, no Passkey... however, they're unbelievably climbing over the garden gate to tie my account to my phone. Want to log it? yeah lets text you. Want to do anything else? Hey we sent a push notification to your phone.
Seriously, fuck my phone. It's the least secure thing I own. Stop acting like its my damned identity.
Oh as a bonus... Hey want to integrate with a third party website? Oh just enter this code that we are literally telling you not to give away to anyone else. Lol.
TheFreim|7 months ago
Algent|7 months ago
Called my local bank and they confirmed this was legit, I almost went off on a full rant about how bad their protocol is for this.
diggan|7 months ago
The example that comes into mind is making transfers to my wife, where every time I do it, they ask me to confirm a bunch of questions to make sure it's not a scam/fraud, which fine, good idea. Once I confirm, they display another notice telling me they won't ask for a confirmation/2FA code because I make transfers to that account so frequently.
The only reason I can come up with why it is like that, is because there isn't a single person/group responsible for the full experience.
rightbyte|7 months ago
taneq|7 months ago
ToucanLoucan|7 months ago
Three guesses on how you log in to the service.
immibis|7 months ago
SketchySeaBeast|7 months ago
Even better when it's a bank you don't use and the number on their site goes to an automated system that won't let you access it without an account number, so you have to scrounge for alternative phone numbers to get to talk to someone.
godelski|7 months ago
In Gmail or Thunderbird they don't just show the PDF and since they display the sender differently it makes it obviously a scam.
Sometimes it feels like companies are just helping scammers and I don't know why.
aitchnyu|7 months ago
bearjaws|7 months ago
xtiansimon|7 months ago
Problem is, one of the most common check frauds is check washing. The PTO line is changed to a fraudulent name, and the amount stays the same. So, yes, the amount matches a legitimate payment, but who was paid? Ha!
hypersoar|7 months ago
hinkley|7 months ago
Mine actually tries to ask for PII and I tell them to kindly fuck right off and go to my bank website and ask them what the fraud number is.
RandomBacon|7 months ago
They said that domain name was not theirs, and they only use usaa.com in their emails. They locked my account without telling me. I had to call them back to get them to unlock my account, and I think that person in their fraud department understood the issue and they said they created a ticket.
We shall see...
kakuri|7 months ago
0x5FC3|7 months ago
- hostile to password managers.
- You cannot copy paste passwords.
- Client side password hashing
- Stupid requirements like the password cannot have more than 15 characters and even have a whitelist of character sets! (Looking at you HDFC)
- And of course, run of the mill spam
They are all stuck in the early 2000s.
vladvasiliu|7 months ago
That's something! My bank insists on exactly 6 numbers. Not characters, numbers.
They're also hostile to password managers and don't allow copy/paste. You have to click on the numbers with your mouse.
"My security" is very important to them, so they've moved 2nd factor from a physical fob, to an app tied to my phone, and now they've improved it further by switching to sms!
Now, this isn't some neighborhood mom 'n'pop bank, but the biggest or second-biggest bank in France.
sometimes_all|7 months ago
Indian banks and many of the government websites are some of the most user-hostile things out there. Once upon a time, I used to think this was primarily to deter malicious actors from preying on tech-illiterate users, but given that the banks don't want to use all the tools/frameworks out there which help websites be both secure and user-friendly, I've changed my opinion.
eldaisfish|7 months ago
never_inline|7 months ago
I have not received any spam similar to the OP from my bank. But it seems (at least the popular belief) the lower level employees regularly leak your account details to scam callers.
yonatan8070|7 months ago
ddejohn|7 months ago
Forgive my ignorance, but what's wrong with this one?
pyuser583|7 months ago
I also had to deal with a medical device recall, which was terrible. I had to trust some skeezy domains.
This isn't hard to fix, all you need to do is list on your website your "partner domains."
My personal security protocol was to search a .gov website for contact info of financial institutions, go to the domain listed, look for a customer service number, and call that to find out what domains to trust. Customer service people thought I was weird.
At one point, a customer service person said, "you know it's legitimate because if you go to LinkedIn, you can see the person you're dealing with has <Bank Name> listed as their employer."
AnimalMuppet|7 months ago
"Yeah? Give me two minutes, and mine will say the same. So, will you give me your personal info?"
astura|7 months ago
Huh? I got my mortgage thru a mortgage broker and I only dealt with a single person.
TimTheTinker|7 months ago
We used to have a lot of people like this running businesses in the US before roughly 2012, but white (and black) hat hacking began spreading quickly and made generally short work of the problem.
stantaylor|7 months ago
We employees of the acquired company discussed the emails in Slack: we were sure that these emails were legitimate, but acting on them would have broken our security policies, so we all decided to all report them as phishing attempts. We understood that we were engaging in malicious compliance, but our actions were also a best practice, so we couldn't technically be criticized for it.
After a while of this, execs at the parent company would send out sometimes exasperated-sounding emails ahead of time, alerting us to the email that we should expect to receive and how they wanted us to respond. Of course, that led to discussions of how we know that that pre-email emails were legitimate. After a while, we all lost interest in this malicious compliance and adopted the much laxer security culture of the acquiring company.
bunderbunder|7 months ago
There's almost a catch-22: setting good, effective policies tends to involve a lot of telling people "no". And it's hideously difficult to do that without ruffling the feathers of people who control promotions.
Mtinie|7 months ago
It doesn't make any sense to me because it's expensive to make sure your company's services are secure, but it's also expensive to not be secure. Perhaps it's less expensive to not worry about it because the loss-of-customers impact on revenue are still under the cost of doing it right. If that's the case it's a sad state for all of us.
meindnoch|7 months ago
criddell|7 months ago
s3p|7 months ago
Tade0|7 months ago
pndy|7 months ago
I opted-out for all marketing purposes once they allowed to do so but yet, I was getting random calls from bank and 3rd parties. One day I called them because I had login issues on Windows Phone. I did mention to consultant that I was getting these calls and in return lady hit me with quite a revelation: they had a single opt-out that was only available if you called them.
unknown|7 months ago
[deleted]
phendrenad2|7 months ago
I think the problem is, someone in the IT department understands the high risk associated with handing out subdomains, so they refuse to do it. So other parts of the company "work around" this by registering their own domain name.
I wonder how companies like Google handle this. A subdomain of google.com is probably the most valuable hack target in the world, but google does use subdomains occasionally (...or maybe more than occasionally! https://gist.github.com/abuvanth/b9fcbaf7c77c2954f96c6e55613...)
mike_hearn|7 months ago
The issue is that marketing is organizationally separate from IT and doesn't want to interact with them. IT is probably behind a slow, outsourced ticket based process and will take weeks to do a simple thing. They may also have random opinions about stuff marketing doesn't want them to have opinions about. So building out promos like this is delegated to SaaS services or contractors who also have no relationship with corporate IT. Then nobody in marketing really knows or cares what a subdomain is, because everything they do is just searching Google or clicking links. They never look at the address bar because it's always full of meaningless junk so why would they or anyone else care what's in it?
Anti-phishing training doesn't make sense, when you look at how people really use the internet. Not many people look at the actual text of a URL. The best anti-phishing training is "go to google and type what you're looking for, only click links from there" and not "carefully examine the domain name to try and intuit if it's owned by the organization you think it is".
valenterry|7 months ago
Terrible. The times were one could rely on them have long passed.
Rygian|7 months ago
constantcrying|7 months ago
clarkdale|7 months ago
this_user|7 months ago
Some of them are larger and pretty well organised, but there are also a lot of small ones that just don't have the people and expertise for things like proper IT security practices. But customers trust them, because they position themselves as these local neighbourhood banks, even though most of them are pretty incompetent and will rip you off with high fees on accounts and shitty, underperforming investment products.
nmstoker|7 months ago
mnw21cam|7 months ago
wccrawford|7 months ago
I got an email with a header that was obviously badly scanned from a paper document. It demanded that I provide proof of insurance or my car loan would be canceled. It had the name of the bank and my name and my email, but nothing else of import.
The only URL was to a domain unrelated to the bank.
I ignored the first couple, and finally looked into it the third time.
It was legit.
When I told them all the ways this looked like phishing, they couldn't understand my concerns.
I gave them the info they wanted in person at a local branch. I soon after paid off that loan and got away from them.
delusional|7 months ago
I didn't know about it before my grandmother handed me an article from the local newspaper and told me some of her friends were worried about it. We laughed and I took the newspaper clipping to work and posted it on the wall of failures. Everybody in IT could immediately tell that this was a pretty bad idea, but we weren't asked.
I'd link the article and provide more details, but I'd have to visit my local library, and maybe later.
quitit|7 months ago
However every time I use it, instead of answering through the secure channel, they try to call me on the phone.
Now they've put out security warnings about scammers impersonating bank staff making calls to customers.
massung|7 months ago
Something they do when they initiate a call to me on the phone is they start by making sure they are talking to me (they don’t ask me to prove it) and making sure I have the app on the my phone or access to a web page.
Then they initiate a MFA check within the app. I have to get it and read back a number. Then they ask me for my phone PIN or password. Once that’s done, then we can start talking.
mnw21cam|7 months ago
You should only reveal an MFA code to someone that you have called, knowing that it is the right person.
BobAliceInATree|7 months ago
ainiriand|7 months ago
_petronius|7 months ago
I don't really know why the situation is so terrible -- there are many good and competent security professionals working in corporates in Germany -- but perhaps as the post alludes to it is due to a lack of legal or regulatory pressure to date.
j_seigh|7 months ago
lxgr|7 months ago
In an ideal world, all merchants would be using tokenization already – then the bank could offer you a UI where you can just kick out the merchants you don't want to have access to your payment credentials anymore before reordering a new card. (If tokens were mandatory, like they are e.g. in India, you wouldn't even need to reorder the card in the first place, but that'll probably never happen in the US – too many legacy systems.)
jonathantf2|7 months ago
This is NOT a reason to distrust a website.
spiffyk|7 months ago
bob1029|7 months ago
jmholla|7 months ago
> While everyone can register for free on Let’s Encrypt, only (or mostly) serious companies pay money to register on DigiCert, GoDaddy, and so on.
GoDaddy is not a serious anything. DigiCert perhaps, but GoDaddy has repeatedly shown themselves to be scummy and untrustworthy.
That said, I do see the value in having an entity like a bank pay for a stricter cert with identity validation versus leveraging Let's Encrypt's free infrastructure which only validates domain/site control.
sam-apostel|7 months ago
I just went to check the “official” domain and it looks like the domain is now owned by an ad network. Classic.
A news article link ( https://www.vrt.be/vrtnws/nl/2021/01/22/compensatieregeling-...) still ises that domain name in it’s article, but now redirects to a proper gov site: vlaanderen.be/veka
fsckboy|7 months ago
everdrive|7 months ago
- HTML emails where links and remote images obfuscate the 'real' content of the email.
- URLs which are not clearly and easily human-readable.
- A workflow where my normal and expected daily behavior is to receive valid emails that I don't recognizes with URLs from vendors, and then I'm meant to click on those URLs, go to web pages, and enter my credentials.
The fact that _any_ normal products or business processes expect this means phishing will always eventually succeed. No, I don't have all the UIs and URLs for every vendor memorized. I'd have no way to know if they changed validly, and my job trains me on a daily basis to click on emails and enter my credentials. It's just that _every so often_ this same scenario is set up by a bad actor.
BobaFloutist|7 months ago
rainforest|7 months ago
These calls come in on an unrecognised number, from staff who say "I don't know" when you ask them to prove they are from Octopus, and generate no call notes so you can't find out why they rang if you use the main customer service number.
To top it off they ask you to key in your card info on the phone after asking for your personal information.
I complained and they offered to fob me off with £30 credit instead of talking to their CISO, but they did at least say they can add phone passwords to individual accounts.
jszymborski|7 months ago
They use so many different domains. I'm not talking about redirects either. Like their landing page is at rbcroyalbank.com and then the login is at secure.royalbank.com. for ages rbc.com was another website for ages, but now also appears to be the Royal Bank (or is it?). I forget under which domain the dashboard is hosted.
Like, I get buying all the variations of your bank name, but please just redirect to one cannonical one! Marketing should also be for one domain. Way to easy to be scammed by royalbankofcanada. com or rbcbank.ca, because who the heck knows what their actual site is!
seb1204|7 months ago
The other is that Germans seem very bad at this kind of stuff. Why the heck would the application for the German passport or Ausweis be published by some random GmbH and not Bundesregierung.gov?
netsharc|7 months ago
At least for Switzerland the federal government puts its sites under the domain admin.ch . And the Cantons have their own domains, e.g. zh.ch for Zurich.
sp1rit|7 months ago
This way the government doesn't have to release information to the public (think FOIA) about it. Moving central part of government operation into a private GmbH wholly owned by the government has (sadly IMHO) become a somewhat common strategy for the government. Not just Governikus (the one with the passport) but also the Telematik (Health system) and probably some more.
tbrownaw|7 months ago
And then now we've got OIDC.
whatusername|7 months ago
In the government/banking/etc space - there is at least FIDO/WebAuthn/Passkeys which also resolves it. But it's a fair criticism.
SAI_Peregrinus|7 months ago
seaucre|7 months ago
unknown|7 months ago
[deleted]
rwmj|7 months ago
reginald78|7 months ago
Pxtl|7 months ago
imzadi|7 months ago
ryandrake|7 months ago
nullc|7 months ago
Mitchell and Webb has a good commedy skit on this subject: https://www.youtube.com/watch?v=CS9ptA3Ya9E
aivisol|7 months ago
GuinansEyebrows|7 months ago
mitthrowaway2|7 months ago
andrewmcwatters|7 months ago
1shooner|7 months ago
RandomBacon|7 months ago
All the other times, they just ask for my verbal password to verify me.
I reported it and they said they created a ticket, but a month later when I called for a follow-up on the ticket, they said they had no idea what I was talking about :-/
(If anyone from Chase reads this, I have the recordings of those calls if you want them.)
nobody9999|7 months ago
If I use my Chase debit card more than fifty miles from my home, transactions are denied as potential fraud. Then again, if someone uses my card details at a gas station in Santo Domingo, DR, that's just fine, even though I'm using the card in my home town on the same day.
It's maddening.
pflenker|7 months ago
meatmanek|7 months ago
fortran77|7 months ago
A few years ago, I got a postcard that said "renew your alarm licence on-line" and the domain wasn't the .ca.gov domain the city uses, but something like "alarm-renewal-online.info"
I had to spend 30 minutes on the phone with my city to verify that this was a legitimate way to renew the alarm. They had contracted with an outside company to do the payment servicing. In the end, I just decided to mail them a check.
RandomBacon|7 months ago
smsm42|7 months ago
Wow, they never ever stop nickel-and-diming people, do they?
_1tem|7 months ago
meroes|7 months ago
Is this some kind of meta-level play to sound less fake?
LorenPechtel|7 months ago
andrewstuart|7 months ago
“Hello this is your bank can I please confirm your personal details?”
GuinansEyebrows|7 months ago
then of course i have to call them back, sit on hold (and maybe get the same call center agent!) to verify their identity and conduct whatever business they originally called about. thanks, your bad practice just cost me an afternoon to deal with the inefficiencies of a private industry i think shouldn't even exist.
seb1204|7 months ago
tharos47|7 months ago
I've mistakenly deleted from our mail quarantine multiple times as spam/phishing. Imho it's wilful négligence toynkeep such a system operating in 2025.
kalleboo|7 months ago
bsoles|7 months ago
dsabanin|7 months ago
hopelite|7 months ago
The system will surely rectify itself eventually when their spammy, manipulative, promotional banker campaigns do not produce results (is that a bad thing?) and they seek out firms that do produce results based on knowing what they are doing.
The author could even use it as an opportunity to promote his or someone else’s services and use this write-up as an artifact of evidence.
I don’t want to get too generalizing, but it is a perspective that does not surprise me coming from what seems to be a German, for better or worse. Complaints about not being in compliance with universal norms instead of taking advantage of a presented opportunity to break ranks for one’s their own individual advantage, strikes me as a very German perspective; like I said, for better or worse, without judgement, since both of these perspectives have their advantages and disadvantages.
cheesepaint|7 months ago
clbrmbr|7 months ago
(i had on issue with PNC in the US where they kept calling and asking for a 2FA code. Totally indistinguishable from phishing. Clearly they lack proper infosec, so I moved to Schwab and have not looked back.)
VBprogrammer|7 months ago
sneak|7 months ago
The links to that redirector service are http:
You don’t even need to phish them, AmEx does it for you. All you have to do is rewrite the redirect on the wire.
unknown|7 months ago
[deleted]
upstandingdude|7 months ago
Neywiny|7 months ago
valenterry|7 months ago
edarchis|7 months ago
meindnoch|7 months ago
renewiltord|7 months ago
"We'd like to confirm this wire. We just need some details."
"Okay, I am me, that's true. But I should probably call Chase back for this right? This is textbook scam stuff. What do I tell them to get to you as fast as possible."
"All right, sir. That's fine. Let me just make a note on the account. You should be able to find the phone number on the website"
And then I usually just find my way. It's funny, but you kind of have to be disciplined.
unknown|7 months ago
[deleted]
lqet|7 months ago
The site also uses a Let's Encrypt certificate, which seems strange. This appears to be a massive, coordinated and not very well-executed effort to promote this Wero service. My guess is that the sites were all build by the same advertising agency.
ccorcos|7 months ago
They call, they say I can call back and wait in a queue, but that’s stupid.
Also crazy they don’t have a TOTP (e.g. Google Authenticator)based two-factor authentication. It’s just way more secure than email or phone number.
detourdog|7 months ago
mcv|7 months ago
Training about this kind of thing is mandatory for bank employees in my country, as far as I know.
hinkley|7 months ago
kodzoman|7 months ago
taneq|7 months ago
rightbyte|7 months ago
Like, companies are making it so easy for scammers to pretend to be them.
I_dream_of_Geni|7 months ago
sitkack|7 months ago
aivisol|7 months ago
I mean this is just ... incredible. Are they living on the moon? Many real phishing messages are even more sophisticated than this.
gwbas1c|7 months ago
Once I got a vaccination, and in order to do it I had to fill out a form where I chose the arm. The form said to circle either "right or left."
The word "right" was on the left and "left" was on the right.
I pointed this out to the nurse and she laughed, and then realized her error, because she made the form.
pbhjpbhj|7 months ago
Or in other words, looking at me, my right arm is on your left.
data_maan|7 months ago
cheesepaint|7 months ago
zero_k|7 months ago
[1] https://archive.org/details/33C3-Shut_Up_and_Take_My_Money
JadoJodo|7 months ago
→ "Oh, ok"
→ "Before we get started, I need to verify your social security number/address/other personal information"
→ "Yeah, you called me and I have no way of knowing if you are who you say you are. I'm not going to give you that information. Can you give me your name, and I'll call the number on the website and ask for you?"
→ "Flabbergasted Well, our system doesn't work like that, so you'll have to submit another request"
→ Repeat ¯\_(ツ)_/¯
exabrial|7 months ago
Oh as a bonus... Hey want to integrate with a third party website? Oh just enter this code that we are literally telling you not to give away to anyone else. Lol.
Kate5477|7 months ago
[deleted]
idkfasayer|7 months ago
[deleted]
wykmbh666|7 months ago
[deleted]
wykmbh666|7 months ago
[deleted]