The fraudster who called Judge asked for his birth date and mother’s maiden name, which Judge shared. But then the fraudster asked him to share a “one-time passcode” — a type of two-step verification — that was texted to his phone.
Judge says he refused to do that, because the message also told him not to share the code with anyone, and said that no one from Scotiabank would ever ask for it.
The fraudster claimed that he stopped the charges from going through and hung up.
But two days later, Judge discovered a charge for $17,900 to Anglia Ruskin University in the U.K. on his statement, and a second for $1,800, supposedly paid to someone by the name of Paula S. Taylor.
“All that the bank has done is accuse [Judge] of either negligence or malice,” said Claudiu Popa, who has 35 years’ experience in cybersecurity and wrote The Canadian Cyberfraud Handbook.
I’ve had banks reach out about possible fraud and it always seems scammy. I have definitely been on the phone and had a text or email with a code that I had to repeat to the person on the phone. So it isn’t even universal that you don’t give the code to the person you are talking to.
The best policy is that if your financial institution calls you is to hang up and call the number on the back of your card. You might have to wait on hold for a bit or explain to the operator but it is the only way to be very confident that you are speaking to the bank.
I just had a fraud prevention call yesterday. It was automated. It said it’s a fraud prevention call, and to look up the number on the website, repeated once then hung up.