Reminder: Protect Your Security (Even if Your Bank Won’t)
I’d like to remind everyone that if anybody calls you and claims to be calling from your bank (or any other institution you ordinarily trust), please do this:
1. Politely but firmly inform the caller that you will be calling “my bank” (don’t name the bank) at the published telephone number on the back of your card.
2. Ask the caller if there is any reference code you should provide when you call.
3. That’s it. Provide no information, not even your name. If the caller argues with you, hang up.
Several banks in Singapore are behaving badly, putting their customers’ security at significant risk. Their employees are calling, asking “verification questions” (which involve sensitive answers, such as NRICs, birth dates, full names, addresses, mother’s maiden names, etc.) And these behaviors are terrible, completely insecure. You have absolutely no way of knowing that the individual calling you is a bank employee acting in an official capacity over a bank monitored channel.
And it just happened to me, again. I’m sick of it. This nonsense has got to stop, and you can help. Push back; protect your security. And report such incidents here if you’d like.
Yes, your bank obviously needs to verify that it is speaking with its customer, you. However, you have at least as important a security requirement to know that you are speaking to a bank employee who is acting in an official capacity over a bank monitored channel. Even if you recognize your banker’s voice, you cannot verify all that. Even if you recognize the Caller Number Identification (CNI) that pops up on your mobile phone’s screen, CNIs can be easily faked. (That just happened to me only a week ago. The CNI indicated a call from my employer’s phone number range, but it was a scammer making a phishing attempt. I provided no information, and I reported the incident to our corporate security.)
Why are so many banks in Singapore putting their customers’ security at risk, training them well — including elderly Singaporeans — to trust whomever calls? There are a few likely reasons:
1. MAS (the banking regulator) and the Cyber Security Agency haven’t acted yet. They should; they’re late.
2. In some countries (the U.S. for example) banks that pull these stunts would pay serious court damages, because their victims have strong, effective tort remedies (class action lawsuits). In Singapore the tort system favors the banks.
3. Banks evidently don’t want to incur the minor costs involved in having a more secure “handshake” to communicate with customers, such as providing temporary reference codes. (“Please call your bank at the number published on the back of your card, and reference code XYZ123.”)
4. Banks are trying to peddle their products, to engage in marketing. They don’t like the idea of any restrictions on calling their customers out of the blue.
None of these factors are your problems to solve. You need to take charge and protect yourself, every time, consistently.
Also, as a reminder, NEVER provide your PIN or password. Even these reckless banks in Singapore are never supposed to ask for these pieces of information. And that’s part of the counterargument they make, that your account is “secure” because they’re not asking for your PIN or password. But why should anybody who you cannot verify is acting in an official, monitored capacity have any information about you? They shouldn’t; it’s none of their business, unless you can verify they have a legitimate, monitored reason to know. And it’s only a small step, especially for a confused elderly person (your future self perhaps), to be phished/scammed into revealing your PIN or password. Example: “Now, let’s set up a new PIN for you. Please enter a new PIN on your keypad....” Which is your old PIN of course, which is game over.
It’s time to fight back! Be careful out there, and let’s help banks in Singapore adopt even these basic security precautions. Thanks for your help.
Mum has a terminal illness and she hopes that he can spend more meaningful time with her
