Recently the regulatory bodies did just that and so the banks should only use 1600 numbers to contact their customers. My bank scam calls have dropped to 0.
Same in their app, e.g. you try to do a SEPA wire to a new recipient and you get a warning: "Are you on the phone with someone? Did someone ask you to do that? Please call your bank by pressing this button. By the way, we will never call you to ask for an auth code or to do a wire."
(But in any case your bank will never call outwards to you, unless you've specifically requested that, which you almost never do.)
Please tell us more context with regard to your UK banks making multiple unannounced calls demanding your ID ... were you an individual customer? finance director? MD? or what? Why on earth do they do that? Have you told them in writing not to? There must be more backstory to that.
Non-banking: getting a call out of the blue from my Internet Service Provider again demanding enough credentials to get access to my (business) account, and unable to understand why that was very poor practice. I used to like that ISP a lot, and have been with it for a looooooong time, but the angry exchange with whoever seems to have been my account manager has soured the relationship a lot.
What are they, then? Sales/marketing calls? Or some security notifications ("we noticed some suspicious operations in the last 3 days...")? If it's the former, that's still scam in my books. Specifically, it's a first-party scam, as opposed to a third-party scam, where some third party pretends to be your bank.
They both should be treated similarly; unfortunately, you can't report first-party scams to police.
<phone rings, I pick up> Hello
Them: Am I speaking to Sean Hunter
Me: Yes
Them: This is <rubbish bank who should know better>. Can you confirm your <date of birth/full address with postcode>
Me: Yes
Them: Err, … sorry I didn’t quite catch that.
Me: Yes.
Them: <thoroughly confused>I asked whether you can confirm your <date of birth/full address with postcode>
Me: Yes. I can.
Them: err… I can’t talk to you without you passing security.
Me: You called me.
Them: I’m sorry…?
Me: You called me. You wanting to talk to me about something is your problem.
Them: I need you to pass security before I can talk to you.
Me: OK, well. Have a nice day. <hang up>
Almost this exact thing has happened multiple times with one of my bank accounts which I can’t completely shut because of boring reasons but I have basically deprecated because they do this sort of nonsense. My main bank now is much better.
Only to find the 2 pieces of ID were just for them to talk to me and ask for more documents. Rubbish like employment letters (uhhhh, how about YOU call my employer instead of me printing out the “letter” they’ll email me?) or tax return stuff mid-year.
I cut up the credit card and mailed the pieces to their legal department. Someone called me pretty quick and without any authentication hassles.
I generally say at some point before terminating the call "you should not train your customers to give out account access credentials to strangers" and the caller usually has no clue what I mean. Does no one in the security teams have theory of mind?
This will be the way I bring up the issue with the regulator if I do. I can think of many ways round this issue that would be much safer and not especially arduous.
But the usual security call is exactly like a spam call, no authentication from their end, immediately requesting id verification "answer these security questions", and refusing to go off script.
People have been asking for years to be able to lodge a security challenge code on their profile that can add confidence in the caller. Given there are already multiple security questions on an account, this could be a process change: the security challenge script becomes "the first and sixteenth characters of your mother's maiden name are 7 and F, what are the third and fifth characters of your first pet's name?".
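The mutual challenge described in that comment, as an added illustration that is not part of the thread: the bank first reveals characters at some positions of a secret lodged on the customer's profile, then asks for characters at different, randomly chosen positions. The secret value, position choices and function names are all constructed for the example.

```python
import hmac
import secrets

# Constructed sample: a random challenge string the customer lodged on their
# profile (assumption: stored per customer, not a real personal fact).
CUSTOMER_SECRET = "K7QF3ZMW9HD2XNPB"  # constructed, 16 characters

def chars_at(secret: str, positions: tuple) -> str:
    """Characters of `secret` at the given 1-based positions, in order."""
    return "".join(secret[p - 1] for p in positions)

def customer_checks_caller(secret: str, positions: tuple, claimed: str) -> bool:
    """Customer side: does what the caller read out match the stored secret?
    The caller proves knowledge before the customer discloses anything."""
    return hmac.compare_digest(chars_at(secret, positions), claimed)

def pick_customer_positions(secret: str, disclosed: tuple, n: int = 2) -> tuple:
    """Bank side: choose n positions disjoint from the ones the bank just
    disclosed, at random so one call's transcript does not replay as another."""
    free = [i for i in range(1, len(secret) + 1) if i not in disclosed]
    chosen = []
    for _ in range(n):
        chosen.append(free.pop(secrets.randbelow(len(free))))
    return tuple(sorted(chosen))

def bank_checks_customer(secret: str, positions: tuple, answer: str) -> bool:
    """Bank side: compare the customer's answer against the stored secret."""
    return hmac.compare_digest(chars_at(secret, positions), answer)

def run_call(secret: str, caller_positions: tuple, caller_claim: str,
             customer_answer_for) -> bool:
    """Full exchange: caller proves itself, then the customer is challenged on
    positions the caller did not reveal. `customer_answer_for` is a callback
    (positions -> str) standing in for the customer reading out characters."""
    if not customer_checks_caller(secret, caller_positions, caller_claim):
        return False  # caller failed: hang up, call the number on the card
    asked = pick_customer_positions(secret, caller_positions)
    assert not set(asked) & set(caller_positions)
    return bank_checks_customer(secret, asked, customer_answer_for(asked))
```

Each side only ever learns a few characters per call, and the characters the bank asks for are never the ones it just revealed, so a listener to one half of the exchange cannot complete the other half.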
[0] https://www.starlingbank.com/news/starling-bank-launches-in-...
[1] https://monzo.com/help/monzo-fraud-category/monzo-call-statu...
It mostly is, but Monero is pretty good.
I’d been hunting for ways to use a Wise card instead of a bank but got a bit wary of what would happen if they went bust. Government-backed guarantees do not exist for Wise.
Same app is used to auth to government pages and all kinds of stuff online, even purchases.
[1] https://xcancel.com/Abishek_Muthian/status/18063480222902113...
Truecaller cannot accurately tell you whether or not the person calling you from a phone number is actually in control of that phone number.
The problem here is that the correct security posture of the bank against third-party scams also protects the customers from first-party scams. Telling people the bank will never call them for anything, and even if, they're to always hang up and call the number on the back of their card, works equally well against criminals and telemarketers.
If a bank calls their customers directly and trains them to get phished, the bank does not get to claim gross negligence when this happens and has to refund the customer.
If a bank tells their customers that they'll never call them (and actually doesn't), they have much better chances of claiming gross negligence on the part of the customer.
"Hello, I'm calling from Blockchain, I would like to talk about your investment portfolio"
It weirded me out that they would pretend to be from the underlying technology instead of an exchange or something. I kept thinking I should pretend to be the CEO of TCP/IP or something when they called.
Always thought the agreement was: we don't call you, you call us. We'll send letters, though.
They have to make posts to assure people it's not a scam, especially as they'll ask you to mail ID etc to that address:
I was working in anti-spam at the time, so I was eyeballing a lot of raw email dumps and writing analysis scripts for "anomalous" urls, so it popped up fairly frequently.
https://web.archive.org/web/20000608173453/http://support.mi...
Would you please explain more?
There should be a long list of companies whose policies are worse than theirs.
It’s not a good excuse…
I can easily see a social media company demanding an ID falling under this definition if the accuser believes that the actual use of said ID will be different or more expansive than implied. That is not an unreasonable assumption, IMO.
Yeah. I queried the 1st thing that came to mind and internalmicrosoft.com and microsoftinternal.com are available. With that much potential out there, I'd want to keep my official domain group tight.
That's because people report them as spam, so they hop domains to avoid that.
The real reason for multiple domains is likely more stupid than that. It’s likely because different teams want to move faster than the whole of Microsoft, so register a domain for their MVP to enable them to prototype like a start up. Because going through the usual hoops with enterprise regarding using their established domains will be a long and torturous process. And before long, their new prototype domain becomes so integrated into their product that adopting it as official is just easier than switching to microsoft.com.
I couldn’t say for sure that’s what has happened here. But it’s the story I’ve seen with domain ownership in other enterprises.
This is why with rare, rare exceptions nothing "real" is on Microsoft.com including even the login page, with one exception (the passkey domain).
The new cloud.microsoft domain for Office will possibly help, but it's still a heck of a long list - https://learn.microsoft.com/en-us/microsoft-365/enterprise/u...
And IIRC this is just for office and windows, not azure.
...and microsoftonline.com is not among them (unlike microsoftonline.net and other variants). But it seems to have been registered in 2002, and the record looks legit:
https://github.com/HotCakeX/MicrosoftDomains/blob/main/Micro...
but that one doesn't contain any microsoftonline.
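Given how long the official domain list gets and how easily lookalikes such as microsoftinternal.com can be registered, the check that matters is how a sender's domain is matched against that list. The block below is an added example, not anything from the thread or from Microsoft's list; the allowlist entries are illustrative and the function names are constructed. It contrasts a naive substring check with matching on label boundaries.

```python
# Constructed allowlist standing in for a vendor's published domain list.
OFFICIAL_DOMAINS = {"microsoft.com", "microsoftonline.com", "cloud.microsoft"}

def normalise_host(host: str) -> str:
    """Lower-case, drop trailing dot, and convert any Unicode labels to their
    xn-- form so a homoglyph domain cannot compare equal to an ASCII one."""
    h = host.strip().rstrip(".").lower()
    try:
        return h.encode("idna").decode("ascii")
    except UnicodeError:
        return ""  # unencodable label: treat as not official

def is_official_naive(host: str, allowlist=OFFICIAL_DOMAINS) -> bool:
    """The bug: substring matching accepts microsoft.com.evil.example."""
    h = host.lower()
    return any(d in h for d in allowlist)

def is_official(host: str, allowlist=OFFICIAL_DOMAINS) -> bool:
    """Exact match or a proper subdomain (the allowlisted name must be the
    whole host or follow a '.' label boundary at the end)."""
    h = normalise_host(host)
    if not h:
        return False
    return any(h == d or h.endswith("." + d) for d in allowlist)

def sender_domain(address: str):
    """Domain part of a mail address; None if it has no '@'."""
    if "@" not in address:
        return None
    return address.rsplit("@", 1)[1]

def sender_is_official(address: str) -> bool:
    dom = sender_domain(address)
    return dom is not None and is_official(dom)
```

Run the same hosts through both functions to see which lookalikes the naive version lets through.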
It’d be interesting to hear a senior old-timer from MS weigh in on their blog about this, and similar/adjacent problems that arise from working across such a colossal entity.
It’s a wonder they ever release anything new, if I’m being completely honest. The amount of governance, hoops, process and procedure across every aspect of their business must be staggering.
If the existence of a domain/subdomain is considered sensitive information, then something has gone very wrong.
“Always has been.”
https://www.techmonitor.ai/technology/microsoft_forget_to_re...
Same with third party services, sometimes they used one for something for a while and collected customer or user data there and then stopped but kept paying for it, and forgot they had it. We typically found these through analysis of their accounting.
Easier to just keep paying.
Spam filters.