Is telephone banking safe?

julia kukiewicz
By Julia Kukiewicz

telephone banking

There's something about banking by phone that feels a little insecure, probably because we're always being told not to give out our personal details over the phone.

Gratifyingly, this isn't just me. Research from Accenture shows that only 50% of us trust our own bank, and trust in banks in general is around just 29%.

High profile data breaches and stories of customers having their savings stolen by scammers don't help us feel any more comfortable about talking to our bank over the phone - what exactly is it safe to say or do?

Are we just being paranoid?

Is telephone banking safe?

To find out, I took a look into the figures.

At first glance, they seem pretty encouraging.

CIFAS, the UK's fraud prevention service and top purveyor of fraud statistics, found just 585 cases of staff fraud within 153 organisations in 2015.

That's not very many considering the thousands of calls and other customer interactions that big companies deal with every week, and compared with the overall fraud rate of more than 320,000 reported cases that year.

However, this figure is a little misleading for a few reasons.

First, as Lydia Vye from CIFAS points out, their figures for staff fraud are based only on the instances of fraud actually uncovered by the companies.

In many cases of identity fraud, the criminal is never found and, therefore, there's no way to know where they got the details they're using.

Secondly, while membership of CIFAS is growing, it remains the case that organisations which don't participate in the shared database scheme are often less aware of what to look out for or how to challenge it when discovered, leading to much higher levels of fraud.

When it's not you calling

Similarly, those figures don't account for the cases where the risk comes from the person making the call, in the form of scammers getting enough of our details together to try calling and passing themselves off as us.

Financial Fraud Action UK figures for 2015 show that losses from this type of telephone banking fraud rose by a massive 92% on the previous year's figures, up to £32.3 million; that coincides with a 97% rise in the number of known cases, up from just under 5,800 to nearly 11,400, despite better identity checking processes by banks.

Since then several banks have started to bring in voice recognition security measures, which should be able to identify us even if we forget all our details - and should spot a scammer no matter how well informed they are.

Pausing to put the figures into perspective: in most cases banking by phone is likely to be safe and certainly it doesn't seem to be the case that a large proportion of calls are subject to fraud, but there is an element of risk.

Call centre fraud: should we be worried?

How big a risk is what we'll consider now.

Could I lose money?

First of all, let's address the central concern here - could we lose money, permanently, as a result of this kind of fraud?

Potentially, the answer is yes. Customers are liable for fraud if the bank can determine they were at fault - so if for example, someone gave out their PIN over the phone, the bank wouldn't need to reimburse them.

The extent to which we can end up liable for this kind of fraud has been highlighted by cases in which customers have been walked through transactions or generated the one-off security codes necessary to approve a transfer of funds.

The banks have responded by saying that because we've authorised the payments, they don't owe us anything by way of recompense.

Vishing is a growing problem, and even the Financial Ombudsman Service have made a point of warning that we are liable for any losses incurred.

In the majority of cases though, the answer should be "no". Personal liability is hard to prove, and it's up to the banks to provide that proof. If they can't, they must refund their customers.

We've looked at this issue in more detail in another guide: take a look over here.

More than money

Alongside the financial costs of such fraud are the added hassle of checking and double checking that everyone now needs to do to be sure their details are safe.

And for the victims, the distress caused by both the incident and the knowledge that once criminals have our bank details they'll have plenty of personal information that they can continue to exploit.

What makes call centres vulnerable?

Almost three quarters of us think that call centres should do more to prevent fraud, according to a Syntec poll.

The human factor

While the numbers reported to CIFAS are small (fewer than 100 incidents in 2015), there is a fairly steady incidence of staff obtaining account or customer details to use for their own benefit.

Simply put, we're talking here about call centre workers tricking customers to steal their money.

Figures from BDO's annual FraudTrack report show that in 2016, "non-corporate third party" fraud - that is, someone stealing from a customer or customers - made up less than half the reported cases of fraud against individuals - but in monetary terms it accounted for 86% of such fraud, at almost £150 million.

In the book Other People's Money former conman Elliot Castro explains how he got his start this way: when talking to customers, he would take extra details about their credit cards and accounts "for the credit card provider".

By the time he was fired from that job, he walked out with a notebook full of stolen details that would enable him to spend thousands of stolen pounds.

Poor fraud prevention

While the method used above is recognisably fraud, it's worrying partly because it feels so much like the genuine techniques used by banks to protect us from outside fraudsters.

It's hard for us to tell the difference between someone doing their job, making sure we are who we say we are, and someone asking for details with bad intentions.

Perhaps because of that, and perhaps partly because they're a pain, we tend to get annoyed at the very security procedures banks are trying to protect us with.

There's evidence that being told repeatedly how careful we need to be has the opposite effect: "security fatigue" sets in.

A poll carried out in 2013 found that more than half of us were annoyed by having to repeat security information on the phone, with 51% saying they would be less likely to use a phone service that required a lot of passwords and security details.

What are banks doing?

So what are banks doing to help?

Staff side: Within banks, a large part of mitigating fraud is employer monitoring, including identifying staff who might be at risk of committing a crime.

As Lydia Vye puts it, "the best way of dealing with insider fraud is to stop it before it has even happened."

Companies are therefore increasing their vigilance, from vetting procedures for new hires to looking out for early warning signs among employees - and being more aware of external factors that could lead to fraud.

There was a notable rise in staff fraud after the economic downturn, for example, as more people struggled with their personal finances: while figures from FraudTrack showed that 66% were motivated by greed, in 11% of cases the staff member had a gambling problem, and 10% were taking money to pay off debts.

Consumer side: Banks have continued to increased security checks.

As mentioned above, voice recognition should help both us and the banks quickly verify our identities - but at present only HSBC and Barclays have introduced it for their telephone banking customers.

In the meantime, we have to hope that security has increased since 2013, when Which? research found that some banks' initial security procedures were easy to pass with information that could easily be obtained from a stolen bag.

Halifax and Santander got the lowest scores in the test, though both claimed that the researchers simply couldn't see the non-visible checks staff were performing.

Not phone banking: when 'banks' call you

Finally, it's worth noting that all of the above doesn't cover two growing areas of UK fraud: people pretending to be from banks, and large scale, out of control, fake banking fraud.

In the first case, we're growing used to seeing horror stories about "vishing", where a fraudster gains information by posing as a bank employee, or even a fraud investigator, police officer or other authority figure.

In the latter category, we could put criminal gangs making money through loan fraud.

In early 2013, for example, more than 1,000 people a day were being contacted from a Delhi call centre bent on promising them non-existent loans.

100 people a day paid a £90 to £250 fee to "activate" their loans.