Banks criticised for muddying phishing waters

November 1st, 2005

A number of UK banks have been criticised for a lack of consistency and an irresponsible approach to contacting customers already troubled by the threat of phishing.

Over the past year the number and the sophistication of phishing scams has increased dramatically, leading many consumers to be suspicious of almost any unsolicited contact purporting to be from their bank.

But many banks aren't helping matters it would seem, with some seemingly contacting customers out of the blue and requesting personal data.

One silicon.com reader, Paul Green, was concerned when he received unsolicited automated phone calls, purporting to be from his bank Egg, asking him to call a given number and divulge personal information, such as his date of birth, which is used to access his account.

Green assumed he was being targeted by a phishing scam and contacted the bank.

"I rang Egg to let them know what's been going on, only to find the call was from them," said Green. "Considering how many phishing scams have been going around this year it strikes me as a little odd that Egg is carelessly behaving like the scammers."

Green expressed concerns that if such forms of 'out of the blue' contact become commonplace it could pave the way for scammers to get all the necessary log-in details for unsuspecting bank customers in just a couple of short phone calls - possibly asking for seemingly random characters from their password each time before piecing it all together.

Egg says the calls are an "anti-fraud system" which automatically contacts customers to verify certain transactions if they look at all suspicious.

A spokeswoman for Egg said given the time-sensitive nature of any card fraud means it is sometimes vital to contact customers 'out of the blue' but she added that customers should always call the main bank number (08451 233 233) if they receive any communication via phone, email or post, purporting to be from the bank that they think is at all suspicious.

Ironically it is that 'out of the blue' nature of such unsolicited anti-fraud measures which have raised concerns about the calls themselves being part of a scam. In some respects the banks are caught in a no-win situation.

Banks are aware that customers would be the first to complain if their accounts were emptied by a series of unusual transactions, but so are they likely to complain if they think their bank is creating a climate of uncertainty which could be tempting to phishers.

Egg certainly isn't alone. Many banks appear to have wrestled with this 'damned if we do and damned if we don't' conundrum of contacting customers on an 'as and when' basis.

A spokesman for LloydsTSB said the bank will occasionally contact customers via text message, or automated phone message, if necessary and like Egg attributed this to anti-fraud measures in attempting to swiftly crack down on potentially fraudulent activity.

silicon.com has seen text messages received by LloydsTSB customers who claim the bank contacted them out of the blue via SMS following missed credit card payments.

However, the LloydsTSB spokesman said the bank would never request customers divulge anywhere near the level of personal information required to complete a phishing scam, following such a solicitation.