"Bank customers should save themselves from scams"

Early Riser

Registered User
Messages
1,110
BOI very recently sent an email warning about fraud and the various things a customer should not do - very bold lettering. No doubt this was a follow up to the recent scam. My neighbour also got it - but refused to open it or read it. He had been listening to the saga on Joe Duffy and he was convinced that this email was an attempt to scam him.

As an aside, I have certainly got emails and correspondence from BOI over the years regarding scamming. To be honest I generally view it now as junk correspondence and ignore it. As I expect others do.
 

EmmDee

Registered User
Messages
716
.... It did come from a genuine source, the BOI text number, being used by scammers.

I know it's a technical point but the scammers didn't "use" the BOI number. What they did was fake the "from" number in the text. Your phone then read that and included it in any existing text list from the same number (or identified as BOI on your phone if you have the number saved in contacts). The exact same thing can be done with emails - the "from" address can be easily spoofed and then your email app will include it in the email chain from that address.

BOI didn't lose access to the number or get hacked. There's not a lot they can do. Nobody should assume a text or email is coming from the source your phone claims. And therefore treat it as any random text or email asking you to click a link.
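
Added example, not part of the original thread or any poster's code: for email, the "from" address is only text inside the message, so the receiving side has to rely on the SPF/DKIM/DMARC verdict its own mail server records in the `Authentication-Results` header. The sketch below reads that header from two constructed messages; the domains, the server name `mx.recipient.example` and the function names are assumptions made for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed samples: all domains and the authserv-id "mx.recipient.example" are made up.
SPOOFED = (
    "Authentication-Results: mx.recipient.example; spf=pass smtp.mailfrom=mailer.example.net;"
    " dkim=none; dmarc=fail header.from=bank.example\n"
    'From: "Your Bank" <alerts@bank.example>\n'
    "Subject: Unusual activity on your account\n\nPlease verify your details.\n"
)
GENUINE = (
    "Authentication-Results: mx.recipient.example; spf=pass smtp.mailfrom=bank.example;"
    " dkim=pass header.d=bank.example; dmarc=pass header.from=bank.example\n"
    'From: "Your Bank" <alerts@bank.example>\n'
    "Subject: Your statement is ready\n\nLog in as usual to view it.\n"
)

def from_domain(msg):
    """Domain of the From header: plain text chosen by whoever wrote the message."""
    _, addr = parseaddr(msg.get("From", ""))
    return addr.rpartition("@")[2].lower()

def auth_results(msg, trusted_authserv):
    """Parse Authentication-Results stamped by our own receiving server only."""
    results = {}
    for header in msg.get_all("Authentication-Results", []):
        parts = [p.strip() for p in header.split(";")]
        if parts[0].lower() != trusted_authserv:
            continue  # a header naming another server could have been written by the sender
        for part in parts[1:]:
            m = re.match(r"(\w+)=(\w+)(.*)", part, re.S)
            if m:
                props = dict(re.findall(r"([\w.]+)=(\S+)", m.group(3)))
                results[m.group(1).lower()] = (m.group(2).lower(), props)
    return results

def sender_verdict(raw, trusted_authserv="mx.recipient.example"):
    """Return 'authenticated:<domain>' only when DMARC passed for the From domain."""
    msg = message_from_string(raw)
    domain = from_domain(msg)
    result, props = auth_results(msg, trusted_authserv).get("dmarc", ("none", {}))
    if result == "pass" and props.get("header.from", "").lower() == domain:
        return "authenticated:" + domain
    return "unverified:" + domain

if __name__ == "__main__":
    for name, raw in (("spoofed", SPOOFED), ("genuine", GENUINE)):
        print(name, "->", sender_verdict(raw))
```

A pass only authenticates the domain shown in the "from" address; a lookalike domain that its owner has configured correctly passes too, so a link in the message still deserves the same caution.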
 

Sunny

Registered User
Messages
4,179
Yes I clicked the link because I thought it came from a genuine source. It did come from a genuine source, the BOI text number, being used by scammers.

These scams work to fool your phone to think it came from the BOI number so your phone will group it with genuine texts from BOI.

That wasn't something I was aware of.

Doubt many people are to be honest. So imagine you are an elderly person getting a text from what appears to be a genuine number linking to a website that appears identical to the banking website you have used previously....And then have people call them stupid.....

Where should I send it ?:):)

I will send you details on where to send it through private message. Also, if you could e-mail me through your PIN that would be great as well to make things easier....Trust me. My name is Sunny.
 

Monbretia

Registered User
Messages
2,050
I listened to days of that Joe Duffy topic and have to say I could understand how some were caught, they were far from all elderly, one was quite young as in a college student who should be well up with technology.

I listened to many of the stories and especially the fact that the txts were dropped into the existing BOI thread of messages on phones, also BOI's t&c for online had a portion read out by one woman where it actually says they will contact you by txt if they suspect fraud on your account so in fairness no one reads the t&cs probably but the bank can hardly say now they don't send anything of importance on txt messages.

As an ex banker myself I was not on the bank's side in this one even though when the discussion started I presumed the people involved had all been careless but there was more to it than that, BOI knew the problem was going on for months and there was too much information available to the scammers, in some cases they had info on the accounts you would not expect them to have gained before actually getting to talk/txt customer. To be honest I actually really thought the scammers had some 'in' to BoI systems or info, now probably not and I presume we just have very smart scammers but it really sounded like a very insecure system.

I use online banking myself but never on a phone but then again I'm more old school and am working on a computer every day so it's handier to use it. Telling older people go to Post Office or CU is neither here nor there, not all are able to do this so online access is handy if they are able to use it, however it should be a bit more secure than having any scammer able to drop txts into a legitimate thread of txts from a bank or being able to make a call look like it's coming from any number they want. If it can't be made more secure then txt system should not be used for important stuff in my opinion. BOI in their statement to JD show (I think or statement to someone anyway) said they don't put anything of importance in the txt messaging system which contradicts the t&cs read out but if it's that unimportant why bother using it at all when it's a pathway for this stuff.
 

Ceist Beag

Registered User
Messages
1,311
Hi Ceist

My general principle would be that people should be careful and should not be compensated for giving out their details to a website or cold caller.

However, I was not aware that BoI had admitted that they were in the wrong. If they were in the wrong and if the customer was not careless, then the customer should not be paying.

Brendan
As per https://www.buzz.ie/news/bank-of-ireland-reimburse-customers-affected-by-scams-382675, from the CEO Retail Ireland, Bank of Ireland in relation to this issue,
"We know that Bank of Ireland can do more to build awareness around fraud and we are committed to doing that."

That's the closest thing to an admission that they were wrong that you will get from a bank!
 

Brendan Burgess

Founder
Messages
44,665
That's the closest thing to an admission that they were wrong that you will get from a bank!

That might be the closest, but it's not admitting that they did anything wrong in this case. From reading through this thread, it seems that BoI did not do anything wrong.

Brendan
 

Ceist Beag

Registered User
Messages
1,311
I disagree Brendan. BOI failed to adequately deal with the issue when it was first reported to them. They did not take enough measures to protect customers. By refunding the customers the bank have accepted that the customers were not at fault here and they have admitted that their own processes were not adequate for protecting customers from such fraud.
 

Early Riser

Registered User
Messages
1,110
By refunding the customers the bank have accepted that the customers were not at fault here

Surely that puts the bank in a lose-lose situation. If they didn't offer refunds they would have been condemned in the court of public opinion and on the Joe Duffy show (if there is a difference between these). And offering refunds is being interpreted as "admitting" guilt.

It seems to me this was a very sophisticated fraud, operated by very sophisticated fraudsters. I am pleased for the customers involved that they will not be losing out. But I find it hard to see that the bank has responsibility. No doubt we will see scams as sophisticated in the future - or even more sophisticated. What then?
 

NoRegretsCoyote

Registered User
Messages
3,046
Your mother and others who don't want to use 21st century technology can go to the Credit Union or Post Office.

My grandmother has been a BoI customer since the 1940s! She is also a nice source of zero-cost deposit funding for them.

Why on earth should she have to move her business?

BoI (to my knowledge) do not insist on use of physical card readers by current account customers. This is expensive and difficult to roll out of course but makes this kind of fraud much more difficult.
 

EmmDee

Registered User
Messages
716
I use online banking myself but never on a phone but then again I'm more old school and am working on a computer every day so it's handier to use it. Telling older people go to Post Office or CU is neither here nor there, not all are able to do this so online access is handy if they are able to use it, however it should be a bit more secure than having any scammer able to drop txts into a legitimate thread of txts from a bank or being able to make a call look like it's coming from any number they want. If it can't be made more secure then txt system should not be used for important stuff in my opinion. BOI in their statement to JD show (I think or statement to someone anyway) said they don't put anything of importance in the txt messaging system which contradicts the t&cs read out but if it's that unimportant why bother using it at all when it's a pathway for this stuff.

First off - the online banking app is probably more secure than the web. Less chance of redirection or spoofing. But that's by-the-by

They realise texts are not secure. That's why they specifically say never click a link in texts. They also say that they will use texts for notifications or warnings (as a one way push notification) or on questionable transactions you can respond BY TEXT to confirm a transaction. But they also point out that if there's a problem you should log in separately to online banking or call them and NOT CLICK ANY LINKS. They do use texts for important things like notifications - but not exclusively and not as a route for web links

Even using texts for two factor authentication is not secure and banks are moving away from them generally.


As per https://www.buzz.ie/news/bank-of-ireland-reimburse-customers-affected-by-scams-382675, from the CEO Retail Ireland, Bank of Ireland in relation to this issue,

That's the closest thing to an admission that they were wrong that you will get from a bank!

By refunding the customers the bank have accepted that the customers were not at fault here and they have admitted that their own processes were not adequate for protecting customers from such fraud.

I can pretty much guarantee you the funds were returned with no admission of liability at all - a goodwill gesture. The quote, as I read it, was closer to "ok ok - we'll tell people AGAIN to not click on links". I didn't read it as an admission or even close

They allowed their text number to be used by scammers !
...
If the bank allows their text number to be used by scammers, ?

They didn't allow their text number be used by scammers. Read what was said above. They had nothing to do with it. It's pretty easy to send a text or email that appears to come from another number / email
 

joer

Registered User
Messages
527
They might not have allowed their number to be used by scammers but it was used. When people clicked on the link it brought up all their personal details exactly like their bank account would. So it seemed legit to them.
 

Sunny

Registered User
Messages
4,179
I am still not sure why Brendan and others have such an issue with the Bank Of Ireland doing this. It is not like every victim of a scam is compensated every time by a bank. BOI obviously looked at the sophistication of this scam and realised that the people involved weren't completely stupid and had been caught out by a sophisticated scam. The bank decided to make a goodwill gesture to compensate customers while admitting their warning campaign about a threat that had been flagged for weeks could have been better. Sending texts and emails and having online campaigns about the threat of text, email and online scams is worthless and they know that. People are going on about creating moral hazard or something similar. Yes, because those people got their money back this time, they won't care if they get scammed again and I am going to share my details with people because I know the bank will compensate me if I lose money. It's nonsense.

If people have such an issue with what BOI did and feel as a more intelligent type of customer that they have been let down, then maybe they should take Brendan's advice and join the credit union or post office where apparently the issue won't arise.
 

EmmDee

Registered User
Messages
716
They might not have allowed their number to be used by scammers but it was used. When people clicked on the link it brought up all their personal details exactly like their bank account would. So it seemed legit to them.

Just as your number or email could be used - or any number or email. It is not a security failure by the bank

When people clicked, did they not get a false login page (per the screenshot above). I've looked at reports and haven't seen any indication that clicking on the link brought up personal details - do you have other information or examples?
 

joer

Registered User
Messages
527
But listening to the callers on Liveline all last week it did happen. One person said that she clicked on the link to unsubscribe and it brought up all her details. And as far as I can remember when a statement was read out saying that the bank actually do contact customers by text. That was when the bank agreed to reimburse their customers.
 

EmmDee

Registered User
Messages
716
But listening to the callers on Liveline all last week it did happen. One person said that she clicked on the link to unsubscribe and it brought up all her details. And as far as I can remember when a statement was read out saying that the bank actually do contact customers by text. That was when the bank agreed to reimburse their customers.

I know there is a lot of "I heard someone on Joe who said when they clicked saw all their details" but I've failed to actually find any specifics. I haven't seen anyone actually confirm that is what happened to them with specifics.

The closest I can find is someone who received a text saying a payment was about to be made and to click a link to halt it - essentially a form of phishing where a generic payment/transaction is quoted with the hope that somebody will click.

But are there any examples of people's actual details appearing either in the text or on the page when they click? It's an important distinction because if that actually happened it would indicate access to BOI data. But if it didn't happen, people should stop claiming the bank was hacked without evidence
 

EO2020

Registered User
Messages
27
Do you want to explain to my 75 year old mother why the URL in that screenshot is not a link to BOI

I could get my 79 year old mother to explain it to yours if you like? This idea that all elderly people are unable to use technology or have some sense is offensive. If you haven't helped your elderly mother to do these things, then you should have helped her to use a simpler form of banking, which contrary to your statements is easily available.
 