UK banks use robo-callers to make fraud-check calls, conditioning customers to hand out personal information to anonymous machines that phone them up out of the blue

My latest Guardian column, "Automated calls, fraud and the banks: a mismatch made in hell," reacts to the news that UK banks are using robo-call machines to check in with customers on possibly fraudulent transactions, and going about it in the worst way possible:

The banks, bless them, are only trying to prevent fraud, but this is a pretty silly way of going about it. For starters, there's the business of calling up people and asking them to give you all the information necessary to prove that they are indeed a bank customer – all the information that a fraudster needs to impersonate that person at the bank, in other words. The banks have spent decades systematically conditioning us to give our personal information to fraudsters, which is a strange way to prevent fraud.

But at least this silliness had one saving grace: a fraudster can only make so many calls per day, and so the scope of losses from such a programme of bad security education is limited by the human frailties of con-artists.

Enter the robo-caller. The banks are now outsourcing their fraud prevention to computers that can make dozens of calls all at once, around the clock, fishing (or phishing) for someone who just happened to have made an unusual purchase and is thus willing to spill all his details down the phone to get it approved. Note that most of the categories of purchase that trigger false positives from fraud detection systems are also the sort of thing that customers are anxious to see go off without a hitch. The unusual and the urgent often travel together.

Automated calls, fraud and the banks: a mismatch made in hell


    1. Tell them that you’ll give them the last four digits of your social security number (or whatever) if they tell you your mother’s maiden name (or whatever).

    2. Ask them for their department, name, extension, &c., then call the bank yourself. It’s usually not important to even get the same person on the line.

      1. I’ve just thought of one. I could have ready printed out at my desk (they normally call during work hours) a list of my online accounts and the names I’ve given them, that information should be pretty secure. Certainly as secure as my mother’s maiden name, my DOB and address (there are others that my bank uses that I haven’t listed).

    3. Easy!  I used to get calls from my bank and that ended in stalemate.  So I contacted my bank and told them if they ever wanted to contact me by telephone they would have to confirm a pass phrase I gave them.

      They’ve never rung again.

  1. What my bank – in Hong Kong – have started doing more recently is sending me an SMS when they get a flagged transaction.  It says something like “Unusual transaction of $XXX detected on your card ending 1234. Please reply 1 to approve or 2 to decline”, you send back a “1” reply (or “2” as appropriate) and get another confirmation message back.  It’s simple, cheap – particularly when you’re abroad and roaming – and at least only gives part of my card number, should the message go astray.  They don’t ask for any information at all from me other than the single bit approve/decline…

    I have, in the past, refused to give information to someone – a human! – from the bank when they called me, asked for their extension number, and called back on the bank’s main line.  I’ve also asked them to prove their ID to me, but strangely enough they don’t like doing that.

    1. I like this system because I hate phone calls in general. It also looks fairly bulletproof at a glance.

      The last time I had trouble with a US bank I had to give personal info to resolve it, although I confirmed the caller first (tough nuggets if they don’t like it, I’m a tough customer, if I compliment your customer service technique it is a real compliment)

      The last time I had fraud trouble with a Canadian bank it was the same, and more contentious as it was on a joint account, plus the rep wasn’t as willing to confirm as they should have been.

      I hate phone calls, and you are calling me with prospectively bad news? Trust me, bankster, you want a better way.

  2. I have had a transaction flagged once.  I was buying a bottle of juice in a store that I had shopped at before in a town that I had lived in for over a year.  I got a phone call minutes after the purchase, but I do not remember what information it (not a real person) asked for.  I approved the transaction, but the card was still rejected when I tried to use it at another store about an hour later.

  3. I found the system great. I purchased a watch online for several hundred groats and within a few minutes I had an SMS alert to my mobile giving me instructions to call the bank’s security line (Barclays, in fact) and/or take the automated call on the landline.
    The landline rang and the robot asked me the ID questions by providing all the correct answers themselves in multiple-choice form.
    “What is your date of birth: 1938, 1973, 1989, 1978?” So no real security issue there, as I am not providing anything they didn’t prove that they already knew. A fraudster should be easy to spot by a call out of the blue and not knowing answers to any of the questions. Anyone that falls for it is going to fall for any phishing scam really.

    1. The bank tells you something’s funny, and to please call the bank — and they don’t give you the bank’s number because you should already have that. This way, you’re not giving information to an unknown who calls you, only to someone whom you have called, namely, the bank.

    2. Rather than giving personal information to someone who contacted you out of the blue, the bank is asking you to contact someone at the bank. You can do so using any method that you’re certain actually connects you to someone at the bank — the phone number on your credit card, the bank’s official website, or by walking into a branch of the bank. Doing so allows you to be sure the person to whom you’re speaking is who they say they are because you initiated the contact using a channel you trust.

      If you’re speaking to someone that’s an authorized representative of the bank, it’s much less risky to authenticate yourself since you and the bank have a contractual relationship. The representative is sure you’re who you say you are because you can trust an official bank representative with your information, and we’ve already established that the person with whom you’re speaking is an official representative.

      Using this approach, neither you nor the bank share personal information with an unknown person. The case number isn’t personal information; it doesn’t reveal anything about your finances. The case number just makes it easier to identify the specific reason why the bank asked you to contact them.

  4. Barclays doesn’t do anything nefarious with its automated fraud system. I get my card locked on a semi-regular basis. I guess I have an inherently odd spending pattern or something. This is the follow-up process that happens when I get my automated phone call:

    1: The phone identifies me by name, and asks me to press “1” to confirm, or to hang up if not.
    2: I’m then given 4 multiple choice answers as to my year of birth. I just confirm which one is accurate
    3: It then reads off 5 recent banking transactions in the past few days. It identifies the amount spent, as well as the registered name of the seller. It also attempts to identify the category these stores fall under since some of the registered company names with Barclays are not the same as you see as a customer. 
    4: I’m asked if these are all valid purchases. If yes, I press “1” and my card is unlocked. If no, I’m asked to call the Barclays fraud department directly.

    If everything goes according to plan, I’ve done nothing more than confirm my name and year of birth (which this random robot caller already has) and my 5 most recent purchases (which this random robot caller also has). That’s it. It takes no more than 2 or 3 minutes and I don’t feel uncomfortable in the way it interacts with me or the level of information it provides or asks me to provide.  

    1. Same here with Lloyds. They tell you a bunch of information, then a simple yes or no to each question is what’s required.

      I understand that having computers choose when to decline a transaction can cause problems, but I don’t know of any bank that asks you to give details over the phone on a random call.
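The two call designs contrasted in the comments above, as an added Python simulation that is not part of the post, the Guardian column or any bank’s system: the call that asks the customer for identifying details outright, versus the Barclays-style call that reads out facts and accepts only an option number or a yes/no. The customer record, transactions, year range and callers are all constructed for the example. It also quantifies the one residual leak in the multiple-choice step: a caller who did not know the year of birth still learns it whenever the true year happens to land among the four guesses it reads out, whereas a plain “yes” to a list of transactions only confirms what the caller already stated.

```python
"""Who tells whom what during a fraud-check call.

Added illustration only; not code from the post, the Guardian column or any
bank. The customer record, transactions and callers below are constructed.
"""
import random
from dataclasses import dataclass, field

# Constructed record the real bank holds (assumed: it knows the customer's
# year of birth and the last few card transactions by merchant category).
CUSTOMER = {
    "year_of_birth": 1973,
    "recent": [("Telecommunications Provider", 0.99),
               ("Supermarket", 42.10),
               ("Online Retailer", 310.00)],
}
YEAR_RANGE = range(1940, 2000)   # plausible years a guessing caller picks from


@dataclass
class Transcript:
    """What whoever placed the call now knows, plus how the call ended."""
    learned: dict = field(default_factory=dict)
    outcome: str = ""


def secret_asking_call(customer_answers):
    """The design the column objects to: the caller asks for the secrets
    outright. Bank or fraudster, the caller walks away with all of them."""
    t = Transcript()
    for question in ("mother's maiden name", "date of birth", "card number"):
        t.learned[question] = customer_answers[question]
    t.outcome = "confirmed"
    return t


def offer_years(caller_known_year, rng):
    """Step 2 of the Barclays-style call: four years are read out.
    A caller that knows the year hides it among three decoys; a caller that
    does not simply reads four guesses."""
    if caller_known_year is None:
        return rng.sample(list(YEAR_RANGE), 4)
    decoys = rng.sample([y for y in YEAR_RANGE if y != caller_known_year], 3)
    options = decoys + [caller_known_year]
    rng.shuffle(options)
    return options


def fact_reading_call(caller_known_year, caller_known_recent, rng=None):
    """The design the commenters describe: the caller states facts, the
    customer answers only with an option number or yes/no, and hangs up as
    soon as the caller gets something wrong."""
    rng = rng or random.Random(0)
    t = Transcript()
    options = offer_years(caller_known_year, rng)
    true_year = CUSTOMER["year_of_birth"]
    if true_year not in options:
        t.outcome = "hung up: none of the offered years was mine"
        return t
    # Pressing an option number tells the caller which of its four years is right.
    t.learned["year_of_birth"] = true_year
    if caller_known_recent != CUSTOMER["recent"]:
        t.outcome = "hung up: the transactions read out are not mine"
        return t
    # A plain 'yes' only confirms what the caller already stated.
    t.learned["listed transactions genuine"] = True
    t.outcome = "confirmed"
    return t


def year_leak_rate(trials, seed=0):
    """Fraction of calls in which a guessing caller (knows neither the year
    nor the transactions) still learns the year of birth. It happens only
    when the true year lands in its four guesses, so about 4/len(YEAR_RANGE)."""
    rng = random.Random(seed)
    leaks = sum("year_of_birth" in fact_reading_call(None, [], rng).learned
                for _ in range(trials))
    return leaks / trials


if __name__ == "__main__":
    answers = {"mother's maiden name": "Smith", "date of birth": "12/05/1973",
               "card number": "4111 1111 1111 1111"}
    print("secret-asking call, caller learns:", secret_asking_call(answers).learned)
    rng = random.Random(1)
    print("real bank:", fact_reading_call(1973, CUSTOMER["recent"], rng).outcome)
    print("knows DOB only:", fact_reading_call(1973, [], rng).outcome)
    print("guessing caller:", fact_reading_call(None, [], rng).outcome)
    print("year leak rate for a guessing caller:", year_leak_rate(5000))
```

The asymmetry the simulation makes visible is the one a practitioner should check in any inbound verification script: a question answered by choosing from options the caller supplied still discloses the answer to a caller who got lucky, while a question answered by confirming a list the caller already holds discloses nothing new. The recent-transactions step is the stronger check for exactly that reason.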

  5. These calls only ever entail responding to yes or no questions based on information your bank (or the caller) has on you – I don’t see how that’s giving away information to anyone.

    If the information they provide you is wrong, you just hang up or say no. If it is correct, then why would a fraudster be calling you to confirm your details?

      1. Cory is referring to UK banks in the article, based on something he heard on Radio 4, a BBC station. He’s writing for the Guardian, a UK paper.

        I’ve not heard of any UK bank that calls its customers asking for information. In fact, the two banks I use here explicitly tell their customers that such calls, and emails, are always fraudulent.

  6. smile in the UK do have a robo-caller ring you up when they flag your account for fraud – but all it does is read you the last few transactions on the account (by business sector rather than business name) and ask you to phone their fraud line if anything in it sounds dubious.

    Admittedly, I’ve twice been confused by £1-or-so charges from a “Telecommunications Provider” – because I just don’t associate that with the App Store…

  7. If they are calling me, then they already know who I am. They should be the ones to identify themselves. It seems obvious to me that in a real fraud-prevention call, the banker would tell me who I am and what the suspicious transaction is. Maybe they’ll ask me a question to verify that a burglar didn’t pick up my home phone, but there is no way I’m ever going to tell my credit card number to someone who calls me.

    As for robo calls, that’s even easier: I hang up the moment I notice I’m talking to a robot. I don’t mean to be whatever the anti-robot version of racist is, but I have nothing to say to those things.

  8. Waaaait, are you telling me that some of those fraud-robots calling several times per day might be “legit”?
    I’ve seriously considered not just hanging up on them but following through and giving them bullshit data just to mess with the system…

    I am entirely weirded out by the amount of spam phone calls you get in the UK. The other day someone said they’d got “signals from my computer’s IP address” that something was out of order and wanted me to help them fix it… and it wasn’t even a robot. I gave the guy a stern talking-to, but I wonder if there’s not a better way to deal with this.

    1. If you’re bored and you’re speaking to a human, you can either waste their time or (I’ve adopted this technique) you can ask them if they feel bad when they look at themselves in the mirror in the morning, knowing they’re going to work where they spend all day trying to steal money from people.

  9. I had this kind of rubbish years ago from my bank,  who would phone me up, and attempt to “take me through security”. If I asked them to tell me what it was about they wouldn’t tell me, and having gone through the hoops, they’d usually try to sell me insurance.
    When I told them in writing that three such calls would give a scamster everything they wanted to know to get into my account and rip me off, I got an arrogant letter back telling me that they “took security very seriously” and they weren’t doing anything wrong.
    These same card sharps are now offering rubbish rates to savers and crippling rates to borrowers (or more likely no loan at all) because they’re addicted to the nipple of public money and have no incentive to earn a proper living any more.
    Don’t get me started on these inherently fraudulent leech organisations.

    1. One of our banks does the insurance thing, or did, until I took 20 minutes of my life I’ll never get back to train them not to.

      Selling anything via phone to me seems stupid these days, whether warm or cold calls, but to add identity confirmation to the mix makes it doubly annoying and sketchy.

      Plus, during that 20 minutes, I forced such information out of the bank rep as: 

      The firm calling me was not the bank in question but a third party.

      The individual did in fact have some or most of my confirmation data.

      The bank did not know the individual or the third party hiring practices and recourse if something went wrong amounted to terminating the contract with the third party, something that protects only the bank.

      The insurance was also third party, so in the end the bank was merely selling a customer list w/account information. A check for the bank, no service provided via the bank to their customer.

      Fuck those guys. But I still have an account(s) there, I like to have accounts at all major banks, why put things all in one place, plus you can combat fees in this manner.

  10. I’m glad to know that I’m not the only one who shouts at the radio. 

    I have also complained to my bank about them training their customers to glibly hand out personal information to anyone claiming to be their bank during unsolicited phone calls, from people the customer doesn’t know, or has even heard of.

    When I get such a phone call from someone claiming to be from, or ‘representing’, my bank, I first state that I hope this call is being recorded “for quality assurance and training purposes”, then I ask them why their bosses think it’s a good idea to be training their customers to adopt bad consumer habits. For added drama, I sometimes ask them if they think it’s a good idea for their customers to be scammed by 419 schemes, etc…

    Some friends, to whom I’ve complained about this, have subsequently taken up the torch and criticized their banks about this when the case arose.

    Really, the bank can rework their procedures so they’d even work from robo-calls: They can call you, vaguely explain the situation, and ask you to call back – reminding you to use the phone number printed on the back of your credit card.

    Here’s one sentence I’ve committed to memory:
    “I do not give out any information of a financial nature on any phone call that I did not originate.”

    I repeat this sentence as often as necessary during the conversation.  After a while, I change the sentence to “What part of “I do not give out any information of a financial nature on any phone call that I did not originate.” do you not understand?”

  11. In the US the bank simply robo-calls you and asks you to confirm the transaction (“press 1 for yes…”).

    I never thought about it, but that is a security hole. If you’ve lost your credit card then there’s a greater-than-average chance that you’ve lost your phone — think of someone leaving their handbag on the bus.

    So in the US someone steals the handbag, they use their card in a fraudulent manner, and then when the bank calls them they can simply press 1 to confirm the transaction.

    The UK system seems worse, for the reasons that Cory mentioned. But the solution Cory gave wouldn’t be at all attractive to banks either — banks have a vested interest in stopping fraudulent transactions instantly, before they can accrue more charges. If you have to call the user and ask them to log into a website, either you have to keep their card active for the next few hours (potentially racking up charges) or you have to close the card immediately (inconveniencing everyone who’s using their card legitimately).

    1. Rather than having just two statuses “Accepted” and “Declined” there should be (if there isn’t already) a third status of “Pending; contact financial institution.” If the customer doesn’t contact the bank/etc. within X minutes (for a small value of X — 5 to 10 is probably sufficient) and authenticate both themselves and the transaction, decline the transaction and lock the card.
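The three-status scheme proposed in the comment above, worked through as an added Python model that is not part of the post or of any bank’s system. The suspicion rule (200 or more), the case number, the PIN the customer quotes when calling back, and the 10-minute window are all assumptions chosen for the example. It contrasts the call-back path, where approval needs something a handbag thief holding both card and phone does not have, with the “press 1 for yes” path the parent comment describes, where possession of the phoned handset is the only check.

```python
"""Accepted / Declined / Pending with a call-back window.

Added illustration of the three-status idea in the comment above; not code
from the post or from any bank. Case numbers, the PIN, the suspicion rule
and the window length are constructed assumptions.
"""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class Status(Enum):
    ACCEPTED = "accepted"
    DECLINED = "declined"
    PENDING = "pending; contact financial institution"


@dataclass
class Transaction:
    txid: str
    amount: float
    merchant_category: str
    status: Status
    case_number: Optional[str] = None   # quoted by the customer; says nothing about the account
    created_at: float = 0.0


@dataclass
class Card:
    last4: str
    pin_hash: str        # assumption: a secret not stored on the phone a thief may also hold
    locked: bool = False


class FakeClock:
    """Controllable clock so the window can be exercised without sleeping."""
    def __init__(self):
        self.t = 0.0

    def __call__(self):
        return self.t


def hash_pin(pin: str) -> str:
    # Simplified for the example; a real system would use a salted KDF.
    return hashlib.sha256(pin.encode()).hexdigest()


class FraudDesk:
    WINDOW_SECONDS = 10 * 60   # the comment's 'X minutes'; 10 assumed here

    def __init__(self, card: Card, clock=time.time, suspicious=None):
        self.card = card
        self.clock = clock
        self.cases = {}
        # Assumed rule: anything of 200 or more is held for the fraud desk.
        self.suspicious = suspicious or (lambda tx: tx.amount >= 200)

    def authorise(self, amount: float, category: str) -> Transaction:
        """Point-of-sale decision: accept, decline, or hold pending a call-back."""
        self.expire_stale()
        tx = Transaction(secrets.token_hex(4), amount, category,
                         Status.ACCEPTED, created_at=self.clock())
        if self.card.locked:
            tx.status = Status.DECLINED
        elif self.suspicious(tx):
            tx.status = Status.PENDING
            tx.case_number = secrets.token_hex(3)
            self.cases[tx.case_number] = tx
        return tx

    def expire_stale(self):
        """Holds not resolved within the window are declined and the card locked."""
        now = self.clock()
        for tx in self.cases.values():
            if tx.status is Status.PENDING and now - tx.created_at > self.WINDOW_SECONDS:
                tx.status = Status.DECLINED
                self.card.locked = True

    def customer_calls_back(self, case_number, pin, approves) -> Optional[Status]:
        """Customer dials the number printed on the card, quotes the case
        number, authenticates, and approves or declines the held transaction."""
        self.expire_stale()
        tx = self.cases.get(case_number)
        if tx is None:
            return None
        if tx.status is not Status.PENDING:
            return tx.status
        if not hmac.compare_digest(hash_pin(pin), self.card.pin_hash):
            return tx.status     # wrong PIN: the hold stands (a real desk would also count attempts)
        tx.status = Status.ACCEPTED if approves else Status.DECLINED
        if not approves:
            self.card.locked = True
        return tx.status

    def press_one_on_robocall(self, case_number) -> Optional[Status]:
        """The 'press 1 for yes' flow from the parent comment: holding the
        phoned handset is the only check, and a handbag thief holds it too."""
        tx = self.cases.get(case_number)
        if tx is not None and tx.status is Status.PENDING:
            tx.status = Status.ACCEPTED
        return tx.status if tx else None


if __name__ == "__main__":
    clock = FakeClock()
    desk = FraudDesk(Card("1234", hash_pin("4921")), clock=clock)
    held = desk.authorise(310.0, "Online Retailer")
    print("held:", held.status, "case", held.case_number)
    print("thief, wrong PIN:", desk.customer_calls_back(held.case_number, "0000", True))
    clock.t += 11 * 60
    print("after window:", desk.customer_calls_back(held.case_number, "4921", True),
          "card locked:", desk.card.locked)
```

The model keeps the merchant’s decision instant (the bank never has to leave a card live for hours while it waits for a web login), and an unresolved hold fails closed: the transaction is declined and the card locked, so the cost of a false positive is a short call rather than an open window for further charges.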

  12. Banks have been teaching customers to get phished for years. The whole idea of banks sending emails with clickable links in them is just a recipe for creating a phishable consumer base. For the sake of a little convenience, customers have been educated to believe that when they get an email apparently from their bank, they should just click the links.

    In the US, many smaller banks also farm out their online banking operations to some external provider. For example, my last bank used to redirect me from a domain that had their name on it to pages at ‘’, or ‘’. The lesson that the banks seem to want us to take home from that is “Don’t worry if you see some totally screwy domain name in your browser’s address line, just trust that you’re in the right place.”

    Phishers must love this stuff.

    1. My bank repeatedly states on their website that they will never contact me by email. (I’ve asked them about using PGP, I got a blank/puzzled stare.)

      (Edited to reword that to “… I got a bank-puzzled stare.”)

    2.  I started receiving e-mails like that from my bank.  I called them up and told them that I would never respond to an e-mail that asked for my banking information, because chances were good it was a phishing attempt, and got the obligatory, “Oh we are very serious about security…”  Then I started forwarding all those e-mails to, and miraculously stopped getting them.

  13. I got one of these from my bank in the US. When I heard the robo-caller I just said “yeah, right” and hung up, assuming it was a phishing attempt, and sure enough, a few days later, my debit card stopped working.
