Bank of Ireland - texts look like scam

[Mrs Vimes]

Hi,

Just got a text from BoI about setting up Banking365 or I won't be able to check my credit card online any more. (I don't have a current account with them).

The text contained a phone number to ring "from this phone" so I could set it up. It was a different number to the one on their webiste. It dropped into my boi text thread, but we all know that's no guarantee.

I emailed their 365security who assured me the text is genuine!

How can banks still hold customers responsible for any security breaches when they don't follow their own guidelines??

 

[SparkRite]

How can banks still hold customers responsible for any security breaches when they don't follow their own guidelines??

What guidelines have they failed to follow?
That is assuming that the text did not contain any links or requests for PIN information.

 

[odyssey06]

What guidelines have they failed to follow?
That is assuming that the text did not contain any links or requests for PIN information.

How do you know the random phone number is Bank of Ireland and not a scam setup if it isn't one of their public numbers?
I bet the first thing that happened when you dialled the number was you were asked to provide your PII data.

 

[Páid]

@Mrs Vimes You did the right thing. When you rang the number on the 365Online website you should have continued to set up your account (if you do wish to register).

 

[Mrs Vimes]

@SparkRite That's what put me off - the text had a phone number in it which I was supposed to click on.

@odyssey06 @Páid I spent about twenty minutes on hold listening to them tell me that call volumes were very high due to all the text scams! I didn't have time today to try for any longer but I'll post back when I get a result.

I feel the banks' security measures are getting more and more complicated (or I'm getting old) which eventually causes previously cautious people like myself to click on a link like the one above. The end result is that when people do get scammed the bank denies any responsibility.

If, for example, I called that number having been advised to by their security email people, and next time I do it again, looks the exact same to me, but the next time it is a scam, you can be sure the bank would say "we told her never to click on a link, we won't reimburse her loss".

 

[SparkRite]

That's what put me off - the text had a phone number in it which I was supposed to click on

Yes I understand that, but, not a link to an unknown URL or suchlike, which would be a breach of their own guidelines, but just a phone number to click so the phone goes to the dialler.

From BOI site:-
"Fraudsters may send texts pretending to be from Bank of Ireland. They target mobile users by sending texts with links to fraudulent websites to trick you into providing your online banking details or card details. These fake texts can be dropped into a thread of genuine Bank of Ireland text messages. Bank of Ireland will never send you a text with a link to a site that asks you for your full 365Online PIN or one-time passcodes."

And no doubt there is more , I'm sure the above is not complete.

BTW, Just to be clear I also think you were absolutely right to be suspicious and did the correct thing, however I was curious as to why you said :-

....... when they don't follow their own guidelines??

 

[odyssey06]

I dont see a material difference between including a link and a number?
They both can direct you to a place of unknown provenance when the number isnt one the customer can verify as being a genuine BOI number.

 

[SparkRite]

I dont see a material difference between including a link and a number?

I agree, up to a point, usually it can be easier to find out, by asking a few pertinent questions to the callee, to prove they are genuine than it is to know whether a site is .

But as far as I can see BOI do not state that they will never send you a text containing a phone number, in their anti-scam guidelines, maybe they should?

 

[odyssey06]

I agree, up to a point, usually it can be easier to find out, by asking a few pertinent questions, to the callee whether they are genuine than it is to know whether a site is .

But as far as I can see BOI do not state that they will never send you a text containing a phone number, in their anti-scam guidelines, maybe they should?

They should but its a concern that they dont seem to recognise the risk at this stage.
People are scammed on calls all the time so it isnt enough to rely on customers skills at making the determination of genuineness.

I dont see the difference between being directed to call a number of unknown provenance versus receiving a call from a number you dont recognise.
They say they will never call you and ask you for PII data. But they will send you a text (easily spoofed) that directs you to call a number that will...

 

[SparkRite]

They should but its a concern that they dont seem to recognise the risk at this stage

Absolutely agree 100%. Non public phone numbers should not be embedded in a text.

But as it stands at the moment, as far as I can see, the text the OP received is not in contravention of their own guidelines and that was what I was genuinely questioning.

How can banks still hold customers responsible for any security breaches when they don't follow their own guidelines??

What guidelines have they failed to follow?

I believe it would/should be regarded as quite a serious matter if they were breaching their own guidelines, but unfortunately it would appear that @Mrs Vimes is mistaken in her statement above.

 

[C3PO00]

I had a couple of calls from them last year about some information I would have to give or they would close my account. It was legitimate it turned out, but really seemed like a scam. They call you out of the blue, then straight away ask you for private information to verify for security reasons to prove its your account.

 

[Hooverfish]

Just got a text from BoI about setting up Banking365 or I won't be able to check my credit card online any more. (I don't have a current account with them).

In recent months I've received similar texts from BoI. Initially I thought, as my partner does have accounts with them but I don't, that I must have given my number as a backup on his account. When we checked it out, this was not the case, though I have since gone through the palaver of adding my number as a secondary device backup for Banking365. Therefore the only reason I can come up with is yes, we did have a joint BoI account in the 1990s, and I've had the same phone number since then, so they must have ignored data protection and kept my number. I wonder if they are just spamming all phone numbers they have, regardless of the history or type of account, to ensure people take up Banking365? I don't disagree there are scams, but this wasn't one. I could not figure out why they had my number, other than they had just kept it, which they shouldn't have done.

 

[roker]

Hi,

Just got a text from BoI about setting up Banking365 or I won't be able to check my credit card online any more. (I don't have a current account with them).

The text contained a phone number to ring "from this phone" so I could set it up. It was a different number to the one on their webiste. It dropped into my boi text thread, but we all know that's no guarantee.

I emailed their 365security who assured me the text is genuine!

How can banks still hold customers responsible for any security breaches when they don't follow their own guidelines??

I had a letter from my bank, it had 2 typo errors in the address and no headed address from the originator, it gave me a phone number to reply to which could have been a scam, but as far as I know, it was genuine. But how am I supposed to know?

 

[scallywag]

Slightly different but I arranged a callback from PTSB, and the first thing they did on calling me was to ask for my security credentials. I can't understand how this is safe. OK since I arranged a callback the same day it was probably them, but should I be giving my security credentials to somebody who calls me? Like the OP says, it seems like the banks are warning us about scams on the one hand and encouraging dangerous practices on the other.

Is it normal for a bank to ask for credentials when they call a customer? Do you think that's a safe practice?

 

[abc_xyz]

Slightly different but I arranged a callback from PTSB, and the first thing they did on calling me was to ask for my security credentials. I can't understand how this is safe. OK since I arranged a callback the same day it was probably them, but should I be giving my security credentials to somebody who calls me? Like the OP says, it seems like the banks are warning us about scams on the one hand and encouraging dangerous practices on the other.

Is it normal for a bank to ask for credentials when they call a customer? Do you think that's a safe practice?

Seems to be fairly normal based on my experience. And not just for banks, also had it with utility providers. I call them back on their public on their public number.

 

[scallywag]

Seems to be fairly normal based on my experience. And not just for banks, also had it with utility providers. I call them back on their public on their public number.

I ask them can I call them back directly. And the answer of course is always no. I have very little patience for trawling through their menus and listening to their recorded messages.

 

[roker]

I ask them can I call them back directly. And the answer of course is always no. I have very little patience for trawling through their menus and listening to their recorded messages.

when you do call back you get reception who has no idea who called you