I have managed risk on behalf of big businesses, but I am also an individual who is the customer of big businesses that supply me with vital services like banking, energy and communications. This is why I find it hard to understand why the operational risk policies of big businesses so often exhibit a brazen double standard when it comes to identifying both parties to a phone call. The business may call you, at any time convenient for them, even if you are roaming abroad, and will instantly throw questions at you because they expect you to identify yourself without hesitation. But when you challenge the caller as to why you should believe the call comes from the purported institution, the robotic scripts supplied to their staff permit no answer except that you should trust they are not really a scammer, even though that is exactly what a scammer would say.
This latter observation has become less fair over time, because the sheer number of phone scams enabled by the arrogance of big businesses does mean many now acknowledge their inability to authenticate themselves, and will suggest you call them back. However, calling the business back can be inconvenient, relies on the customer's ability to independently check the business's number, and may still fail if the return call gets stuck in a queue. One bank has finally done what they should all be striving to do, by creating a simple mechanism for customers to check if a call from the bank is authentic whilst they are on the line.
Monzo is a British online bank which requires all customers to install an app on their phones. A new upgrade means any customer receiving a call from Monzo can verify if the call is genuine by simply opening their app. As Monzo explains on their corporate website:
It’s a new feature we designed to stop fraudsters from tricking you into sending them money by convincing you they work for Monzo.
If we say we’re not talking to you, hang up
Here’s how it works. If someone calls and tells you they work for Monzo, open your Monzo app and head to ‘Privacy & security’ in Settings by tapping your profile in the top left of the Home screen.
If the ‘Monzo call status’ is showing that a member of the Monzo team isn’t talking to you, hang up right away and report it to us. You can start a report by tapping the call status.
If the call is genuine then the app will also inform the user of the name of the Monzo employee who has called them. This will provide further comfort to customers who are worried about being scammed. App-based authentication is such an obvious route to improved security that it makes sense to use apps for two-way authentication as well as two-factor authentication. Then both sides of the call will be protected from imposters.
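A minimal sketch of how a call-status check of this kind could work on the server side, added here as an illustration and not Monzo's code: the class, function names, in-memory store and 15-minute expiry are all assumptions. The point it shows is that the status is keyed to the customer's authenticated app session and written only by the bank, so the caller cannot influence it.

```python
import time
from dataclasses import dataclass

CALL_TTL_SECONDS = 15 * 60  # assumed lifetime of a call record, not a figure from the page


@dataclass
class ActiveCall:
    agent_name: str
    started_at: float


class CallStatusRegistry:
    """Hypothetical server-side store that the bank's app reads over the
    customer's already-authenticated session."""

    def __init__(self, clock=time.time):
        self._calls = {}      # customer_id -> ActiveCall
        self._clock = clock   # injectable so expiry can be tested

    def start_call(self, customer_id, agent_name):
        # Written only by the bank's own telephony system when staff dial out,
        # so nothing the caller says or sends (including the CLI) can set it.
        self._calls[customer_id] = ActiveCall(agent_name, self._clock())

    def end_call(self, customer_id):
        self._calls.pop(customer_id, None)

    def status_for(self, customer_id):
        """What the app shows: is the bank talking to this customer, and who."""
        call = self._calls.get(customer_id)
        if call is not None and self._clock() - call.started_at > CALL_TTL_SECONDS:
            # Fail closed: a record that was never cleaned up must not vouch
            # for a later call from someone else.
            self.end_call(customer_id)
            call = None
        if call is None:
            return {"in_call": False, "agent_name": None}
        return {"in_call": True, "agent_name": call.agent_name}


def caller_checks_out(status, name_given_on_call):
    """The customer's decision: stay on the line only if the app confirms a
    call and names the same employee the caller claimed to be."""
    return status["in_call"] and status["agent_name"] == name_given_on_call
```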
Techniques like this would reduce reliance on less well-focused security measures, such as the authentication of CLIs or the use of analytics to label calls. An app can provide an independent means of confirming a call is genuine that will continue to work when the customer is roaming abroad. CLI authentication, by contrast, is very unlikely to work across borders, because national regulators are each imposing their own separate standards without any realistic prospect of cross-border interoperability. Giving confirmation to customers would be especially helpful in instances where the customer is traveling and needs to be contacted urgently, perhaps because a bank is unsure if payments made in a foreign country are legitimate.
Congratulations to Monzo for implementing such a simple but effective way of reassuring their customers and defeating criminals. Let us hope many other businesses follow their example by doing a better job of authenticating themselves when they need to call customers.