UPS requesting all my bank details to process a refund - is this safe, and necessary?

Sugar_Rush

They requested this:

PAYABLE TO:Customer Name

Address:

Country:

State:

City:

Zip / Postal code:

Bank name:

Bank branch location:

Bank Account Type:

Bank Branch ID Number

SORT CODE:

ACCOUNT NO:

IBAN:

BIC:

When I've gotten refunds in the past from other couriers, name, IBAN, BIC was all that was necessary.

What's with the account number, sort code etc.?

Would all this info not leave me susceptible to banking fraud?

They overbilled for a delivery, I had to pay cash to the driver, so they can't refund to my card.

Again - is all this info necessary, and isn't there risk in sending it all?

From a banking point of view, would sending all this info be considered a faux pas?

PS - I've checked with local UPS, and the dude e-mailing me is a legit employee for sure........ just based in India.

Cushie Butterfield

Your sort code & account number are contained in your IBAN

Jim2007

Since you have already confirmed that the request is genuine and the information requested is very common you should have no issue with this.

Jim_Hodge

It's standard info and they can't refund to your bank account without most of it.

Sugar_Rush

https://www.boards.ie/discussion/comment/121023909#Comment_121023909

https://www.boards.ie/discussion/comment/121023473#Comment_121023473

Really?

Jebus.

Just curious why bic and iban exclusively weren't requested as standard, instead of all this info.

Sugar_Rush

https://www.boards.ie/discussion/comment/121023909#Comment_121023909

But in the wrong hands, it could result in fraud?

The "wrong hands" doesn't seem to be the case here, definitely it's genuine, but from a general-information point of view, one would not want scammers to get all this info?

Super cautious of this at the moment as, as I posted in another thread, just days ago I received a very convincing attempt at bank fraud, including text correspondence and a live phone call (not just a recorded message) referencing their correspondence, knew my name and bank etc.

coylemj

OP, beginning at the fifth character, your IBAN contains the branch sort code and your account number. Of the first four characters, 'IE' is Ireland and the next two characters are check digits to flag an error in case you mistype one of the numbers from the sort code or account number.

You only need to be wary when someone says they're giving you a refund and they ask for your debit card details, includung the security (CVV) code. Because you only need those details to debit someone, the IBAN is all you need to send money to someone's account.

There's nothing suspicious about that form, it contains a lot of duplication but if that's what they're asking for, I'd just fill it in.

Jim_Hodge

https://www.boards.ie/discussion/comment/121024181#Comment_121024181

With that information all somebody can do is put money into your account.

Jim2007

https://www.boards.ie/discussion/comment/121024181#Comment_121024181

Every piece of the information you are being ask to provide, you have already provided to someone else in the past. Every time you have used a cheque, made a SEPA payment and so on these details are presented. If there was any general possibility of scamming with this information it would have been exploited a long time ago. At this point you can be reasonable certain that most kinds of technical scamming possibilities have been closed down and there really needs to be some kind of social engineering in order for a scam to succeed. And that is what you experienced.

IBAN etc, for payment to you

Card No. etc, for payment by you

The scammers want the latter.

Sugar_Rush

https://www.boards.ie/discussion/comment/121024922#Comment_121024922

The account number, sort code, branch address address - they wouldn't effect exploitation potential?

I'm clear the IBAN and BIC would not, but just as their request was for such a lengthy and comprehensive list.

Allinall

https://www.boards.ie/discussion/comment/121025115#Comment_121025115

They are all available from the IBAN.

Nothing that anyone can do with account number and sort code, other than lodge money into your account.

coylemj

https://www.boards.ie/discussion/comment/121025115#Comment_121025115

Their 'comprehensive' list has a load of duplication. For example, they are effectively asking you to supply details of your bank branch three times: (1) street address (2) sort code and (3) your IBAN.

The sort code is in the IBAN, it starts at position 9, after IExx and the four character bank code. You say you have no concerns about handing over the IBAN but you're not so sure about giving details about your account number and branch sort code. But both of them are embedded within the IBAN. And the sort code gives the branch address, each branch has a unique sort code.

Sugar_Rush

https://www.boards.ie/discussion/comment/121025277#Comment_121025277

Cheers.

I rang customer service from the bank yesterday to ask this.

Her accent immediately perturbed me but she swore blind I'd get fleeced providing anything more than the IBAN and BIC.

** sigh **

I'm reassured now however.

Mrs OBumble

https://www.boards.ie/discussion/comment/121025277#Comment_121025277

Indeed. And they ask for this duplicate info cos people regularly provide incorrect details. The duplication provides cross checks.

coylemj

https://www.boards.ie/discussion/comment/121026265#Comment_121026265

The third and fourth characters in the IBAN now fulfill that requirement so it should no longer be necessary to ask the customer to supply their branch details twice, via the sort code and the street address. The two digits which follow 'IE' in an Irish IBAN are generated by an algorithm based on all of the other data so if you're filling in your IBAN in a field on a screen and you mistype one of the numbers, it will be rejected.

Jim_Hodge

https://www.boards.ie/discussion/comment/121028655#Comment_121028655

Hence why some companies ask for the full list of details. They can then see where a mistyped number is wrong.

Furze99

I get requests like this from public bodies and the like to settle invoices. All they really need is the IBAN but it keeps some paper pushers happy to have all the various details typed out every time. Keeps someone in a job. And I guess part of financial controls except that they've already accepted one as a bone fide supplier. Once you know it's genuine, simplest just to grin and bear it.

Jim2007

https://www.boards.ie/discussion/comment/121029173#Comment_121029173

The thing about this is that while in theory you only need an IBAN to make or receive a payment there are cases where this has just been bolted on to other systems that do require various other bits of data to function.

cython

Just to correct some of the assertions in this thread that BIC and IBAN can't be exploited for anything nefarious - this is not true, with plenty of people having been scammed by means of fraudulent direct debits being set up against their account. Granted it is not as prevalent as card fraud, and it's a slower pay off for the scammers, but it is possible and there is thus no harm in a moderate dose of skepticism being applied to requests for them.

Mrs OBumble

https://www.boards.ie/discussion/comment/121029173#Comment_121029173

If you were dealing with the private sector company I work for, not only would you be asked to fill in the details, but before first payment, you would receive a phone call, on a number obtained independently from the form you filled in, asking you to verbally confirm that you'd made the request and the details. Calls are recorded for training and quality purposes.

Sugar_Rush

https://www.boards.ie/discussion/comment/121029360#Comment_121029360

Hmph.

I received that phone call from UPS.

Furze99

https://www.boards.ie/discussion/comment/121029360#Comment_121029360

No doubt, but when you're filling in the same or similar forms time after time, it gets a bit wearisome. It's as if the finance departments live in a parallel world in that you might be well known to whoever you are dealing with in said company/ body but when it comes to getting paid, you may as well be a complete stranger. Possibly good practice to avoid fraud but a little more communication between finance people and their fellow staff mightn't go amiss either.

I did €50 worth of something for one body last year - took me several and various mails with requests for info just to get paid. Ridiculous. Lesson learnt there though, will just double/ triple the invoice next time :)

coylemj

Cython posted ...

Just to correct some of the assertions in this thread that BIC and IBAN can't be exploited for anything nefarious - this is not true, with plenty of people having been scammed by means of fraudulent direct debits being set up against their account

Jeremy Clarkson was tired of hearing this urban myth so he published his IBAN in one of his newspaper articles. All that happened was that a prankster submitted a monthly donation form to a national charity, claiming to be Clarkson and supplying his IBAN. Clarkson saw the first DD payment, queried it and his money was refunded.

You claim that ‘plenty of people’ have been scammed by fraudulent DDs - can you please explain how? Won’t a bank only accept a DD mandate from a bona fide business and not any old dude with a bank account?

You can generate an IBAN from the data at the foot of a cheque. In Ireland, the agricultural sector probably accounted for the bulk of the 19 millions cheques written in 2022. So why hasn’t every farmer in the country been scammed at this stage?

wench

https://www.boards.ie/discussion/comment/121029318#Comment_121029318

In the vanishingly unlikely event that a fraudulent DD was set up, you can get an immediate refund of any in the last 8 weeks, extending to 13 months for fraudulent ones.

Jim2007

https://www.boards.ie/discussion/comment/121029318#Comment_121029318

This is only true in the context of people who fail to manage their financial affairs. If you regularly review your bank and credit statements and have a good handle on your bank balances you will detect this kind of thing on the first attempt to execute the DD and you can challenge it. Nobody has a bigger interest your finances than you and if you fail to do this, then yes a lot of bad things can happen.

cython

https://www.boards.ie/discussion/comment/121036930#Comment_121036930

I know of at least one instance of a fraudulent DD being set up against an account, the IBAN of which was published to facilitate collection of sponsorship monies for a charity event. While the organisers were able to recoup the funds as outlined, they have since disabled the facility for DDs to be set up against the account entirely. I know of another couple whose personal account had a second eFlow) or equivalent) DD set up against it, and they overlooked/missed it for far too long (an admitted lack of vigilance on their part) , enough that they were not able to reverse all of them. So it does happen, unfortunately, even if compounded by action/inaction on the part of the account holder(s).

https://www.boards.ie/discussion/comment/121036948#Comment_121036948

I don't disagree that fiscal vigilance can mitigate (not prevent!) such fraud, but that's locking the door after the horse has bolted, IMHO. I'm sure you've heard the expression that prevention is better than cure, and not disseminating any details of your financial accounts any further than absolutely necessary is part and parcel of that. Personally I'd rather avoid the hassle of having to pursue such reversals where possible, and only providing the details required to create a DD to a bare minimum number of people is one way of minimising my exposure to the risk of same.

However, you feel free to do you as they say.

coylemj

https://www.boards.ie/discussion/comment/121037174#Comment_121037174

It remains the case that the data required to generate an IBAN is right there at the bottom of a cheque. Of which 19 million were written in Ireland in 2002.

https://www.independent.ie/business/personal-finance/use-of-cheques-falls-but-we-still-wrote-19-million-of-them-last-year/42214851.html

cython

https://www.boards.ie/discussion/comment/121037567#Comment_121037567

Granted, but I don't have a cheque book, so I don't have this exposure either. I've provided examples of fraudulent DDs having been set up against two separate accounts of which I'm aware, so the simple fact is it can be exploited. At no point did I claim it was as prevalent as card fraud, primarily as it is higher effort for lower reward.

The J Stands for Jay

..

NewbridgeIR

Going back OP's point, some manual payment forms for electronic transfers will insist of all of the quoted fields being completed - so I wouldn't worry about it.

As for the fraudulent DD point - how exactly does a fraudster benefit from this given that the criteria to become a Direct Debit Originator is very stringent?

If you set up a DD for EFlow using someone else's bank details then the only people to benefit are EFlow.