Major UK banks are training their customers to fall for scams

Adam Jones

Major UK banks are training their customers to fall for scams

This is my personal blog, where I write solely in my personal capacity. It does not represent the positions of any organisations I'm associated with.

Also, everything here is provded "as is", without warranties of any kind, express or implied.

4 April 20254 April 2025

"Never share your details when someone calls you" - unless, of course, it's us. This is the stance of many major UK banks, who warn their customers about phone scams while implementing practices that normalize responding to these calls.

Bank	Where do they make unverifiable outbound calls
Lloyds, Halifax	Complaints process (source: website - see below). Don't allow you to hang up and call them back.
NatWest, RBS, Ulster Bank	Complaints process (source: personal experience). Don't allow you to hang up and call them back.
HSBC	Complaints process (source: personal experience). Don't allow you to hang up and call them back. On their website they falsely claim they don't do this.
First Direct	When making large transfers (source). Don't allow you to call them for this.

Lloyds complaint form, saying they will call and will ask you some security questions, within 1-8 weeks

A prime example: Lloyds saying they'll call you sometime in the next 1-8 weeks and expect you to answer security questions.

However, there are a few banks who show it can be done well! These make calls possible to verify:

Bank	Good practice
Barclays	Send you an app notification to confirm it's really them calling
Monzo	Call status indicators
Starling Bank¹ Conflict of interest disclaimer: I used to work at Starling Bank.	Call status indicators, plus allow you to hang up and call them back

Why This Matters

Every time a bank makes an genuine outbound call requesting security details, they're training their customers to:

Trust unexpected callers
Share security details over the phone

Often the advice given for these scenarios is to hang up and call back. But in almost all the cases above, this is not possible: the team or person simply does not accept inbound calls.²

Some banks above support this for some functions, but not all. E.g. HSBC supports calling them back regarding fraud, but not regarding complaints.

This is great for scammers. After all, if real banks occasionally call and demand details, how are customers to know the difference between their bank and a scammer?

The Fix

It's simple: Banks should practice what they preach. No more unverifiable calls. If they need to get in touch, they should do so through their apps, or use something like a call status indicator or app notification to verify their identity.

Until then, they're part of the problem they claim to be fighting.

Conflict of interest disclaimer: I used to work at Starling Bank. ↩
Some banks above support this for some functions, but not all. E.g. HSBC supports calling them back regarding fraud, but not regarding complaints. ↩

Major UK banks are training their customers to fall for scams

Why This Matters

The Fix

Footnotes