Is this a banking scam SMS?

by @edent | 3 comments | Read ~388 times.

Earlier this week, my holiday was interrupted by a sophisticated SMS scam. Rude! Let's take a look at it.

Screenshot of text message from Lloyds bank. It addresses me by name and gives me the name of someone who is going to call me - plus their phone number.

Let's take a look at all the ways we can tell it is a scam.

Firstly, and most obviously, I am not a customer of Lloyds Bank! But these scammers send out to multiple people hoping to catch victims.

Secondly, I've not made a complaint to Lloyds! But, again, scammers know that plenty of people have. So this adds a touch of authenticity. If you were a Lloyds customer who had recently complained - you're now primed to accept the scammer's call and treat it as legitimate.

Thirdly, that phone number. If you call it, a recorded voice says "Welcome to customer services..." Whose customer services? It doesn't say "Welcome to Lloyds". This is likely a number that scammers put on texts claiming to be from HSBC, Lloyds, NatWest. Cheaper for them to have a single phone number.

Fourthly, the reference number. It is just my phone number! That's an unusual reference number for a bank.

There's some weird spacing between "Mr" and "Eden" - not what I'd expect from a professional message.

What do you think of the SMS? Would you flag it as spam? I asked my Twitter followers and their responses were unanimous.

A few minutes after receiving the SMS, I got a call from a Peterborough number - not the 0800 number. The phone number was flagged as suspicious (read the number's reviews).

After the customary pleasantries, the voice at the end of the phone said "Can you just confirm your name and address for me please?"

I replied that I didn't give that information out to cold callers.

"Completely understandable sir. If you check your messages, you'll see an SMS from us scheduling the call. Did you receive that?"

I replied that I get lots of spam texts and that I couldn't be sure it was legitimate.

We reached an impasse.

With a little subtle social engineering on my part, I found out the nature of the complaint. And then I realised... it was a legitimate call!

A few months ago, I'd complained to Halifax Bank that they were sending letters to someone who didn't live at my address.

The 0800 phone number is owned by Halifax.

Halifax are part of Lloyds Banking Group.

The geographic number I received a call from is the Lloyds outbound number.

In my defence - this did have most of the hallmarks of a scam! Lloyds have tried to do the right thing by alerting me that the call is coming. They've provided a trusted phone number for me to call if I am concerned. They've given me the name of the caller, and a reference number.

But these are all things a scammer can do as well!

Lloyds could have made this better. Does the average user know that Halifax is part of Lloyds? I didn't. Why didn't the call come from the number that they'd sent in their text? Would a link to a simple URL like lloyds.com/contact have reassured me? How about lloyds.com/complaint/ref/123...?

Instead, several silly mistakes and my unhealthy paranoia collided and convinced me it was a scam.

What's the solution here? Sure, Lloyds can up their game - but a canny scammer can just tweak the wording and send out a convincing forgery. We can all abandon SMS and move to some cryptographically signed service which no one can use properly. We can hope that mobile networks crack down on SMS spam and only let legitimate messages through. Or users can dial down their paranoia - and hope for the best.

But, sadly, it seems that trusting messages from financial services is all but impossible right now.

3 thoughts on “Is this a banking scam SMS?”

  1. I was right! I voted "probably legit" purely on the basis that for some reason I have an idea in my head that 0800 numbers are hard for scammers to register. No idea if that hunch is true or not though, and I instantly second-thought my vote after I cast it.


  2. the end with this kind of thing, I say to myself that if a thing with the bank is serious enough and legit, eventually they'll write a letter and I'll call in on the bank's standard number. Erring on the side of "probably a scam" is surely the best policy.


  3. I wonder if there's some kind of protocol one could use to satisfy both ends of the call that the other end is legitimate? For example, we (caller and called person) are going to read out your bank account number and govt ID number, one digit at a time, taking turns. Maybe same with amount of latest transaction in the account. That way, we end up both being assured that the other knows the numbers too.
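
The alternating read-out suggested in the comment above can be checked by enumeration. This is an added example, not code from the post or its commenters; it measures what an honest party says aloud to someone who does not know the number. Assumptions: a constructed 8-digit account number, an unverified party who guesses each digit uniformly, and an honest party who hangs up at the first wrong digit.

```python
from fractions import Fraction
from itertools import product

SECRET = "40817263"  # constructed sample account number, not a real one


def run_call(secret, guesses, guesser_speaks_first):
    """Play one alternating read-out between an honest party who knows
    `secret` and an unverified party who says `guesses` on their turns.
    Returns (passed, leaked): whether every guess matched, and how many
    true digits the honest party read out before the call ended."""
    remaining = iter(guesses)
    leaked = 0
    for i, digit in enumerate(secret):
        guesser_turn = (i % 2 == 0) == guesser_speaks_first
        if guesser_turn:
            if next(remaining) != digit:
                return False, leaked  # wrong digit heard: honest party hangs up
        else:
            leaked += 1  # honest party reads out a true digit
    return True, leaked


def guesser_odds(secret, guesser_speaks_first):
    """Enumerate every possible guess sequence.
    Returns (probability of passing, expected number of digits leaked)."""
    turns = sum((i % 2 == 0) == guesser_speaks_first for i in range(len(secret)))
    total = 10 ** turns
    passed = leaked = 0
    for guess in product("0123456789", repeat=turns):
        ok, n = run_call(secret, guess, guesser_speaks_first)
        passed += ok
        leaked += n
    return Fraction(passed, total), Fraction(leaked, total)


if __name__ == "__main__":
    for first in (True, False):
        p, e = guesser_odds(SECRET, first)
        order = "first" if first else "second"
        print(f"unverified party speaks {order}: P(pass)={p}, E[leaked digits]={float(e)}")
```

Either way each side only ever proves half of the number, and the order of speaking decides who discloses first: when the unverified party has to read the first digit, the honest party's expected disclosure is ten times smaller.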
