So, yesterday (23/08/24), I almost got scammed out of everything. I’m not stupid, I don’t click on dodgy links or engage with fake HMRC phone calls. I laugh at callers who ask me about my recent car accident. I don’t believe a woman in Russia wants to marry me. I've even completed my information security e-learning at work - twice!
But yesterday I got a call from the HSBC fraud department. I’d had one before, some years back: ‘Have you just spent £14.99 at Argos? Yes. £36.00 at Tesco? Yup. £56.00 on a gym membership? CANCEL MY CARD!'
So, this call started off in a similar vein. This is HSBC, we’ve noticed unusual activity on your account. Can you confirm if you’ve tried to spend £1,068 on X, £1,042 on Y and £1,600 on Z? Nope. They guy was so calm and confident. As I said ‘no’ during his spiel he didn’t stop speaking and accept my answer after each question, he finished his sentence entirely before noting my answer. Truly professional. He then asked me to confirm some account related stuff, which I did (no PIN numbers). He explained that my current account was now secured, and a new card would be issued within 3-4 working days. All seemed legit.
He then said that I needed to move my savings into my current account as my savings account had also been compromised and would need a Level 3 security sweep (or something similar) to make sure it was secure, before I could move the money back into it. At this point my current account was at -£19, so he wasn’t going to get rich on that. If I’m honest, he wasn’t going to get rich on my savings either, but we’d have been totally screwed to lose them!
He asked me to log on to internet banking using my phone, and I moved the savings over to my current account. I was getting a little twitchy by this time, and asked him for proof he was actually calling from the bank. He had my name, address and banking details, and he was VERY professional and reassuring, but something seemed just a bit off. He said he’d send through a code so I’d know he was from the bank, and that this was a code from one of the attempted fraudulent transactions.
A code duly appeared, in my list of previous texts from the bank. Looked legit. Ok I said. He then asked me to quote the OTP on the text. This was where I really started to get worried. I said to him that the text itself said to never give out this code to ‘bank staff or police’. He told me he wasn’t bank staff, he was the fraud dept so it would be ok. At this point I said no, please don’t take this personally but phone numbers can be faked (I remember back in the day faking an email header to a mate just because), and I wasn’t happy to do this. I asked him for his name and a number I could get back to him on, and said I’d call back and give him the code then (I wouldn’t have used any number he gave me obviously). He gave me a name and told me, so very, very calmly, to use the number on the back of my card (so another red flag here, he didn’t have a direct number), but that I wouldn’t come back through to him. I said that was fine as I’m sure they’d be a record on my account and whoever I did speak to could pick up the case.
The really chilling thing is that at no point did he lose his rag, or try to persuade me not to do this, or try and rush me. Nothing like those you see on scammer payback and similar. He sounded SO genuine I could have so easily said ‘never mind, let’s just carry on and get this over with’ based on his demeanor. There were NO clues in his behaviour.
Needless to say, I did call the number on my card, and the guy I spoke to in fraud confirmed it was a scam, my account hadn’t been compromised (any more than my card details being made available) at that point, and my card has now been cancelled. Savings are back where they belong, in an account that has no card access. I know my card has been cancelled as Amazon are already whinging :D
So, if you get a call, no matter how convincing, tell them to cancel the card if need be (in case it is genuine!) and then hang up. Call the bank back using the number on your card. HSBC confirmed that they will NEVER ask for the OTP, or for you to move money into another account. Beware of callers asking YOU to confirm lots of stuff. I assume most banks would be the same. I can’t believe how close I came to giving everything over to some shitty scammer. Don’t be me.