138

I accepted a job offer for a student support position in a major bank in Austria. As expected, they require me to send some documentation before I start working there.

What surprised me is that they asked me to send a photo of both sides of my bank account card. Is it safe to do so?

I interviewed in person at the bank's headquarters office, so I don't think anything suspicious is going on.

Note that my card has a CVV.

EDIT

So I asked HR about this and they told me that it is due to internal rules which apply for all candidates. So I asked some of my friends who work there about this “rule” and they told me that they had to send pictures of their cards as well and that it is okay.

EDIT

After pressuring the HR with questions about these internal rules, they resigned and told me that it is sufficient to send only IBAN and BIC code. Thank you all for help!

Maria
  • 891
  • 2
  • 6
  • 7
  • 1
    Comments are not for extended discussion; this conversation has been moved to chat. – Neo Jul 15 '19 at 14:31
  • 175
    "due to internal rules which apply for all candidates" is NOT an answer to the question "Why do you need this?" – DJClayworth Jul 15 '19 at 20:33
  • What it you don't have bank card? Wouldn't they be able to hire you then!? – d-b Jul 15 '19 at 21:35
  • 3
    I just looked at my Maestro card. It has IBAN on front and BIC on back. If your card had CVV blur i it. – Bernhard Döbler Jul 15 '19 at 21:42
  • I would advise against blurring. You should ask what specific information they need, determine if it's sensitive, and make a decision on that. – Gregory Currie Jul 16 '19 at 01:17
  • 23
    Are you absolutely certain this is a real job, and not a scam? If it is, they may be testing you.. – Jonas Czech Jul 16 '19 at 05:56
  • 3
    @mehrdad That wouldn't make any sense in Austria, the have proper ID cards as means to verify who's who. – Diego Sánchez Jul 16 '19 at 06:51
  • @DiegoSánchez: I said second card. Just like in Austria, the first card is already the official state-issued ID card. – user541686 Jul 16 '19 at 06:54
  • 37
    *So I asked HR about this and they told me that it is due to internal rules* Me: ok show me those rules. Where is that policy written down? – Pieter B Jul 16 '19 at 09:27
  • @PieterB good point, I will ask this – Maria Jul 16 '19 at 09:34
  • 2
    @Maria also, I just looked at the back of my bank card and realized there's nothing on it. A European bank card is nothing like a credit card. I still think it's a weird request but in my case I wouldn't be too worried. (that's my case, not yours.) – Pieter B Jul 16 '19 at 09:42
  • 3
    @UKMonkey a lot of times people make up the excuse: "because that's the rules" when there actually aren't. The response is to call their bluff. – Pieter B Jul 16 '19 at 09:43
  • 2
    @PieterB so when they present to you the rules that say it - then what? You send over your card details? I wouldn't bother calling their bluff on if they were written down. I'd just simply say that the card details is a breach of contract with your bank and that as a bank they should be more than aware. – UKMonkey Jul 16 '19 at 09:45
  • 4
    @Maria are you sure you are talking about your EC Card? EC Cards here do not have a CVV. The only cards which have a CVV here are Credit Cards and those are not the cards the company asked for. I'm pretty sure they asked for your EC Card – undefined Jul 16 '19 at 10:00
  • 2
    @undefined For what it's worth, Visa indicates that Debit Cards can have CVV. I believe Debit Cards are the same as "EC Cards"? – Gregory Currie Jul 16 '19 at 10:05
  • 1
    @GregoryCurrie no, they are not the same. An EC Card is like the normal card for your bank account from your bank. With which you can get money on ATM, statements of account from machines in the bank and so on. It has nothing to do with VISA or MasterCard. For example, if you create a bank account at the Deutsche Bank you will get an EC Card from the Deutsche Bank for that account. You can additionally get a VISA/MasterCard/Credit Card linked with that account and all of those credit cards will have a CVV. The normal EC Card from your bank will have not – undefined Jul 16 '19 at 10:11
  • 1
    @undefined I only have a single card and I can do all those things (it's a Visa). It is possible there are banks in Austria where it is the same. Maybe for some users from some banks, the distinction is not important. – Gregory Currie Jul 16 '19 at 10:18
  • 8
    @undefined: Please don't talk about "EC cards". EC cards (short for "Eurocheque card") where abolished in 2002! What you probably mean is a "Girocard" - but that is a German system, not used in Austria. – sleske Jul 16 '19 at 10:20
  • 1
    @sleske Maybe you can add clarity, is there something similar in Austria which just shows the bank and account details? – Gregory Currie Jul 16 '19 at 10:22
  • well, it seems like OP is talking about a so called "Bankomatkarte" – undefined Jul 16 '19 at 10:31
  • 7
    @sleske no, EC means nowadays "Electronic Cash". But yes, EC Cards are today called girocard. Everyone still know what one means when on say EC Card – undefined Jul 16 '19 at 10:40
  • 2
    I would agree with a number of others above that the question as stated is unclear about what exactly the "bank account card" is. In Hungary, for example, the closest thing to this would be a credit card-sized slip of paper with various (non-sensitive) account details filled in by an employee, not an actual debit / credit / GIRO card. And of course the answer depends a lot on exactly what information is being asked for. – laszlok Jul 16 '19 at 11:58
  • @JMac I agree with your addendum completely. I guess my point is, that it could be a test that if the OP does it, he doesn't get hired, or it could be a real requirement of the bank, so that if he doesn't do it, he doesn't get hired. But if the requirement is a legitimate one of that bank, and the OP gets that in writing, then he (or she) can make a better informed decision about what to do next. Talking to the HR department and asking for the written requirement should be the first step, in my opinion. – CGCampbell Jul 16 '19 at 12:10
  • 6
    @undefined not "everyone" knows what you mean by EC card. In fact, given the name of it, I doubt that the creators of it even knew what they meant when they came up with the name: Electronic Cash is an oxymoron – Aaron F Jul 16 '19 at 16:35
  • 1
    Just to make sure – these friends are your personal friends that you have know in real life for a long time, not people you've only met on the Internet, possibly recently? When you went for the interview, you were inside their offices past the reception and not e.g. in the lobby or in an employee cafe? – Moyli Jul 16 '19 at 16:38
  • 1
    I'm also from Austria, and from many holiday jobs I can say this question is quite common (about 30% I'd guess). I always thought this is to a) prevent typos, and b) have some proof that the account number belongs to you (as your name is on the card). – MaxD Jul 16 '19 at 19:03
  • @BryanKrause Since the friends did this as well and already work there without having had money withdrawn (likely they would notice this), it's more likely a sign that they are incompetent. – Frank Hopkins Jul 16 '19 at 19:27
  • @undefined etc. had this discussion as well: there are debit cards from Visa and MasterCard that combine the normal money withdraw usage you know from Girocards / "normal" EC-Cards with a CVV based feature for online shopping (like with a credit card). Some Austrian banks switched to these cards apparently exactly because they allow for "easy" / well accepted online payment. – Frank Hopkins Jul 16 '19 at 19:30
  • Why doesn't The Workplace have a "scam" tag, like Finance and Travel do? – Andrew Grimm Jul 17 '19 at 02:21
  • 1
    @AndrewGrimm because this is no scam – undefined Jul 17 '19 at 06:22
  • 1
    @FrankHopkins yes, it took a while until I figured this all out. But please see my answer for details. Those "normal" EC-Cards with a CVV seems to be kinda new in Austria. I guess the bank from OP didn't think about that or just have old policies – undefined Jul 17 '19 at 06:23
  • "I asked some of my friends who work there"... so how closely do you know these "friends"? Don't just trust the place because they have a fancy building. Nigerian scammers have been known to set up an embassy in London. It can be sometimes shocking to learn how profitable these crimes are being for some people. So going to see "headquarters" may seem comforting, but not more compelling than giant red flags causing so many immediate strong highly-voted responses like what you see here. (And, they let you know their HQ? really? Or is that a front to make things look/sound "safe"? – TOOGAM Jul 17 '19 at 06:51
  • 1
    @TOOGAM these "friends" are my classmates. It was HQ for sure, as I have been there before on different occasion. – Maria Jul 17 '19 at 07:02
  • Are you being "tested" somehow ? – Criggie Jul 17 '19 at 20:01
  • @Criggie I highly doubr that. Others have sent the aforementioned pictures and were accepted anyway – Maria Jul 18 '19 at 05:55

11 Answers11

269

DO NOT DO THIS

You are interviewing at a bank. They SHOULD know better than to ask you for this information.

It is possible that they believe your "bank account card" is just a simple "EC card" which may not contain any security features. They may not be aware that there are some banks that use a single card for transactions as well as for bank purposes. See undefined's answer for more information.

However, don't be caught in the game where you ask for reasons on why you should send pictures of your card. There is NO REASON why they need actual pictures of your bank card. So don't even invite them to say things that are not true and attempt to confuse you.

Here are some examples of common BS reasons given:

  • It's company policy
  • Everybody is required to
  • We can't pay you without it
  • It's required by government regulations
  • You can trust us, we are a bank
  • We just need some information from it
  • We need to verify your identity
  • So you can be protected from cyber attacks
  • (Anything else that is said)

They may say they are trying to prevent transcription errors, if you were to type out, for instance, your IBAN. However, it is far better to copy and paste that from an online statement, and allow them to copy and paste from the email into their HR system, than take photos and hope their staff manually transcribe correctly.

Regarding the card, there is often not just a CVV number, but there can be other security measures on that card, that you leak by trying to be clever, taking a screenshot, and blurring things out. For instance, on my Visa card, there is an additional code that some merchants use to verify the card is in my possession. So DON'T SEND A PICTURE OF THE CARD, even with blurring.

Because you are in Austria, simply send them either your IBAN, or your bank name, branch name, and account number. If they need more than that, contact YOUR bank, and ask for their advice.

Matthew Gaiser
  • 47,725
  • 21
  • 131
  • 195
Gregory Currie
  • 59,575
  • 27
  • 157
  • 224
  • 1
    Comments are not for extended discussion; this conversation has been moved to chat. – Neo Jul 16 '19 at 11:40
  • This is why I have removed the CVV from the back of my card: not because I took a photo, but to prevent anyone else from doing so. – KlaymenDK Jul 18 '19 at 08:07
  • Transcription Errors with actual consequences are very uncommon with IBAN, since the IBAN-Number contains an error-checking code, so a simple typo will usually result in an invalid IBAN, which is directly detected. – Falco Jul 18 '19 at 08:51
  • Also, blurring doesn't necessarily make something unreadable. It's theoretically possible for computer analysis to figure out what numbers are there from something that looks unreadable. A blurred 1, for instance, should be lighter than a blurred 8 (assuming dark text on a light background). "For instance, on my Visa card, there is an additional code that some merchants use to verify the card is in my possession" To what are you referring? – Acccumulation Jul 18 '19 at 17:28
139

Is it safe to do so?

Based on my experience this is not normal practice and not safe.

The company doesn't need a copy of your debit card in order to pay you. There are several security concerns when faxing, emailing, or sharing this information in general.

What I would do is provide my checking account number and routing number so they can pay me. If that is not acceptable to the company, I would be very cautious of going to work for them.

Gregory Currie
  • 59,575
  • 27
  • 157
  • 224
Neo
  • 84,783
  • 53
  • 276
  • 322
  • Comments are not for extended discussion; this conversation has been moved to chat. – Neo Jul 15 '19 at 13:46
  • 53
    To add to this, storing the CVV of a card in any way is against PCI Standards generally: https://smallbusiness.findlaw.com/business-operations/card-payment-security-pci-standards.html That a bank would not know this and would chose to insist on having such card information on file is difficult for me to believe. Of all the people who must know better, absolutely anyone in banking or finance must have at least this level of competence expected of them. – BrianH Jul 15 '19 at 17:50
  • 11
    FOR THOSE IN THE UNITED STATES rather than Austria, there's a caveat. Bank account numbers here are bidirectional. So while it's true that your employer should ask for your account number to pay you, it's also a strange situation because if you don't trust someone with your debit card number, you should definitely not trust them with your bank account number. – user541686 Jul 15 '19 at 21:45
  • @Mehrdad That's why for all of the contract jobs I had that I moved to a new state I opened a new bank account. The first of the three was really weird and kinda shady so I wasn't going to risk my existing account. The second one I also had some concerns with and repeated the behavior. Both ended up legit, the recruiting agency had just been acting a little unprofessionally. My current gig I just did things out of habit. – Draco18s no longer trusts SE Jul 16 '19 at 01:41
  • 6
    @Mehrdad: While bank account numbers here in the USA can be used to set up transfers in either direction, merely knowing an account number is not considered any sort of evidence of authority to transact on the account, while having card details is prima facie evidence of authorization. I definitely provide ACH routing and account numbers to persons and institutions which I would never share my debit card data with, and I think you are backwards -- if you wouldn't pay someone by check, you should definitely not trust them with your debit card number. – Ben Voigt Jul 16 '19 at 05:25
  • 1
    @BenVoigt: I mean, it's not exactly hard to order a check and put someone else's account number on it. So it just depends on if you're more worried about losing a few hundred bucks to someone who cares about their reputation, or your entire bank account's worth to someone who might, well, not. Personally I find the latter far more worrying but it sounds like you're more worried about the former. – user541686 Jul 16 '19 at 05:52
44

NOPE! BIG RED FLAG!

The information on both sides of your card is enough to put some nasty charges on your account. People interviewing at the bank should absolutely know better. The person who asked this of you (it might not be the interviewer) could well be a rogue employee.

Either that or they are gauging how susceptible to social engineering you might be. Unlikely though, as this would be a poor way to start employer-employee relations.

I would send the email asking for pictures of the card to their fraud department either way.

Community
  • 1
520 says Reinstate Monica
  • 14,872
  • 3
  • 29
  • 60
  • 1
    It might not even be an employee necessarily. Getting access to a conference room at an office building does not take much – Layman Jul 16 '19 at 08:05
  • 2
    @VictorS For a typical office building you are correct. The offices at sizable financial institutions are typically more locked-down. With that said it still isn't impossible for a non-employee to get in. – 520 says Reinstate Monica Jul 16 '19 at 09:17
  • 1
    Not necessarily. The building I work in hosts a BofA team. A MitM attacker could simply greet a candidate right off the public elevator at the BofA floor and get them to some other floor for their interview. The attacker does not need actual access, just the illusion of it – Layman Jul 17 '19 at 02:18
  • 1
    @VictorS Fair enough. Its disturbing how easy your scenario seems. – 520 says Reinstate Monica Jul 17 '19 at 09:22
20

The request from the bank is NOT scam.
Seems like the OP is talking about a so called "Debit-Bankomatkarte" which indeed have a CVV.
But I still think that the employer in question did not mean that card. It is more likely that the the employer isn't aware that OP already got this new card (because those cards are kinda new in Austria).


[please note I'm excluding foreign bank accounts and foreign cards from my answer (foreing for Austria)]

In contrast to all other answers, for me this is a normal behaviour, which I have already experienced with several employers.
There are no security features or the same on the EC card.

The employers who wanted me to do this in the past said they needed it so they could be sure that the salary payments were in the right account.
Because such an incorrect transfer is difficult or impossible to reverse.

It seems like OP is having a so called Debit-Bankomat-Card. Those cards are kinda new in Austria (first issued in early april 2019):

Seit Kurzem gibt es in Österreich eine neue Karte zum Geldabheben, die die bisherige Bankomatkarte ersetzt: die Debitkarte. Ausgegeben von Erste Bank und Sparkassen kann die neue Karte, eine Mischung aus Bankomat- und Kreditkarte, auch für Onlinezahlungen verwendet werden. source

(A new card for withdrawing money has recently been introduced in Austria, replacing the previous ATM card: the debit card. Issued by Erste Bank and Sparkassen, the new card, a mixture of ATM and credit card, can also be used for online payments.)

Further information:

... Ab sofort geben Erste Bank und Sparkassen statt Maestro-Bankomatkarte eine Mastercard Debit aus.
Der größte Unterschied im Vergleich zur früheren Maestro-Debit-Karte liegt beim Bezahlen im Internet. Überall dort, wo gewöhnliche Mastercard-Kreditkarten akzeptiert werden, kann auch mit der Mastercard Debit bezahlt werden.

Die entsprechende Nummer findet sich auf der Karte auf der Vorderseite, genauso wie bei einer Kreditkarte. Der oft abgefragt CVC2-Code befindet sich auf der Rückseite neben der Unterschrift. ...

... Erste Bank and Sparkassen are now issuing a Mastercard Debit instead of a Maestro ATM card.
The biggest difference compared to the former Maestro debit card is when paying on the Internet. Wherever ordinary Mastercard credit cards are accepted, payment can also be made with Mastercard Debit.

The corresponding number can be found on the front of the card, just like on a credit card. The often requested CVC2 code is located on the back next to the signature. ...

OP should not send a photo of this card to the new employer, instead OP should tell them that OP is having a so called Debit-Bankomat-Card which contains sensitive information.

undefined
  • 396
  • 4
  • 15
  • 1
    From the wikipedia article on CVV: "Diners Club, Discover, JCB, MasterCard, and Visa credit and debit cards have a three-digit card security code." – Gregory Currie Jul 16 '19 at 10:27
  • 2
    @GregoryCurrie yes, which are all not "normal" bank account cards. – undefined Jul 16 '19 at 10:33
  • 1
    They are where I am from, and would appear to be the same for the OP. – Gregory Currie Jul 16 '19 at 10:34
  • @GregoryCurrie please see my edit. I didn't mean to be rude, sorry if it seemed so – undefined Jul 16 '19 at 10:38
  • 1
    All good. I'm going to update my answer anyway. This is the most likely source of confusion. – Gregory Currie Jul 16 '19 at 11:17
  • 1
    The point that you have witnessed a case in real world which turned out legitimate is interesting. But that employer was something else than a bank, I assume? They may do it because nobody noticed it's quite grotesque by sheer ignorance. A bank does not have that excuse. – Volker Siegel Jul 16 '19 at 12:51
  • @VolkerSiegel as pointed out in the comments under Gregory Currie answer: "such a request was no security risk prior to the new Debit-Bankomat-Card" – undefined Jul 16 '19 at 13:11
  • 3
    I'll say as an Austrian myself, I never heard of "Debit-Bankomat-Cards" myself and a normal debit card will not contain any sensitive information (name, IBAN, valid through, card number in my case). While I don't understand why anybody would ask for more than simply the IBAN, it seems like such a weird exception to the case that it's probably the first time this comes up. – Voo Jul 16 '19 at 16:33
  • 1
    What you call a "normal debit card" may only be normal for Austrians. In Australia, an overwhelming majority of "normal debit cards" have sensitive information. – Gregory Currie Jul 16 '19 at 23:18
  • @Voo thank you, that is exactly what I tried to explain. This "Debit-Bankomat-Cards" thing is pretty new. And the "normal" cards do not contain sensitive infos. I'm pretty sure that the bank from OP just didn't expect that people already have this new card and thus didn't updated their policies – undefined Jul 17 '19 at 06:29
  • @Gregory Are those pure debit cards and not debit/credit cards? What kind of sensitive information would be on those? – Voo Jul 17 '19 at 07:48
  • I can't overdraw with the card (it is not a credit card), but I can use it in any place where one may use a credit card. It is the only card I have from my bank, and is used with ATMs etc. They have two security devices on the back: a CVV and a number used with "Verified by Visa" and "MasterCard SecureCode". – Gregory Currie Jul 17 '19 at 07:56
  • For the record, this is NOT new tech, and from what I can gather has been the standard "everyday" card for the past 10 years. (Though the "Verified by Visa" and "MasterCard SecureCode" is somewhat new it seems). – Gregory Currie Jul 17 '19 at 07:58
  • 1
    People are claiming these cards a new. They may be new for one particular bank (and I have no idea why this particular bank is mentioned - the OP has not mentioned it once) but it's likely to have been in use with a variety of other European banks for at least a few years. For a bank to not understand this, it is no trivial mistake. – Gregory Currie Jul 17 '19 at 08:01
  • One option that might work for OP - whenever I send ANY kind of PII document to any company, I will always put a piece of a post-it note over part of it, and hand write the date and the name of the company I'm sending the document to on it before taking a photo. For a driving license or passport I'd usually put it over some blank part where it doesn't block any information they may need, but prevents the image being used elsewhere. For a bank card, I'd cover the entire signature strip and CVV at the very least on the back – timbstoke Jul 17 '19 at 08:19
  • @timbstoke I have a similar idea! Rather than cover certain parts of the card and write the date and company, why not cover the whole card, and write what data is actually required by the bank. By the way, if I did what you suggest with my card, I'll be leaking a different security device, one that many people may not know exists on their card. – Gregory Currie Jul 17 '19 at 08:24
  • @GregoryCurrie in the sources I cite is written that it is in fact new for Austria. The first "Debit-Bankomat-Cards" were issued in early April 2019. That's why people/I refer it as new – undefined Jul 17 '19 at 08:41
  • @undefined New for an Austrian bank maybe. We have no idea who the OP banks with. Unless Austria is different from the rest of Europe (and it may be for all I know) and it is rather difficult to bank with a foreign bank. – Gregory Currie Jul 17 '19 at 08:48
  • @GregoryCurrie OP stated "major bank in Austria". So it doesn't really matter which bank specifically. As far as I know those "Debit-Bankomat-Cards" are an Austria thing. The term Bankomar-Card seems to be specific to Austria. At least in Germany I'm not aware of those cards. But I feel like this is irrelevant because OP wrote about Austria and I (can only guess) OP banks with an Austria bank too – undefined Jul 17 '19 at 09:04
  • Note also that even "normal" cards can have sensitive information.They can have a "Kartennummer" (card id) that identifies the individual card. This is in some processes used as an additional way of identification. For instance, it may be asked when you want to get a new card. And when you use chipTan to generate tan numbers this number may be registered with the bank for the chipTAN generation/verification. Hence, it can give an attacker some additional information or help them order and intercept a replacement card (e.g. while you're on holiday). Not as straight forward as with a CVV though. – Frank Hopkins Jul 17 '19 at 09:26
  • @undefined "Major bank in Austria" refers to where they are applying, not where they bank. You said "such a request was no security risk prior to the new Debit-Bankomat-Card". That's not correct. There are variety of banks that have been using such cards for a while. "I'm pretty sure that the bank from OP just didn't expect that people already have this new card". This makes sense only if the bank only deals with cards issued by themselves. They do not. – Gregory Currie Jul 17 '19 at 11:20
  • @GregoryCurrie I dont know how often I have to repeat it... I think our disagreement lies in our different origin. I know about which cards I'm talking about. And I know that that only slightly security relevant info on them is the card number. My answer is, of course, not valid for all cards all over the world. But it is valid for the cards (I'm talting about) in Austria and Germany. "This makes sense only if the bank only deals with cards issued by themselves. They do not." maybe you have to re read my answer again? I stated already multiple times that those "Bankomat-Cards" are just only – undefined Jul 17 '19 at 12:00
  • a few month old. I'm not sure what you're trying to argue about here. "There are variety of banks that have been using such cards for a while" Sorry, thats not correct for Austria. And I'm not talking about other countries or cards from other countries – undefined Jul 17 '19 at 12:02
  • Your claim is that the only cards that exist in Austria are Austrian or German in nature. This is false. You are saying that the so-called "Bankomat-Cards" are only a few months old. I am not disputing that. However, nothing the OP says suggests they have a "Bankomat-Card". You are claiming the bank didn't expect people to have the "new card". But "Bankomat-Card", which only may have been introduced a few months ago as you claim, is only one such implementation of a "new card". – Gregory Currie Jul 17 '19 at 12:10
  • 1
    Given how easy it is to bank across Europe, a bank should be aware that there are a wide variety of different cards, issued by different banks in different counties. The bank is violating good security practice by asking for more information than they need. In addition, they are likely violating several European regulations. No justification you can attempt to manifest, by quoting that an Austrian bank has just released such a card, makes sense on a fundamental level. – Gregory Currie Jul 17 '19 at 12:14
  • @undefined Rather than repeating yourself, you could try addressing those specific points. – Gregory Currie Jul 17 '19 at 12:17
  • "This is false." It's not false, its logical as the majority of cards will be from inside the country. "nothing the OP says suggests they have a "Bankomat-Card"" everything suggest that because its the only possible solution when one is not talking about Credit Cards or foreign cards (which I exclude from my answer). " issued by different banks in different counties." I dont see a reason why they should care about foreign cards. – undefined Jul 17 '19 at 12:17
  • Let us continue this discussion in chat. – undefined Jul 17 '19 at 12:18
19

IMHO, sounds like a scammer phishing for personal information. No employer needs your card for payroll setup. Bank information provided on the first day of employment when filling up the forms does that.

DO NOT SEND them these pictures and no more personal information.

Instead, start researching the party you are in communication with.

BSMP
  • 11,647
  • 6
  • 39
  • 54
Strader
  • 13,415
  • 1
  • 26
  • 59
  • This was my first thought, that this is a particularly good spoofing attempt. I recall reading a blog post from someone in security who'd recently fallen for a fake account reset email...because they had actually used a password reset link moments before they got the fake email. Scams like this hinge on luck: they are counting on at least one person actually expecting an email from the person/business they're pretending to be. – BSMP Jul 15 '19 at 16:11
  • 12
    Might even me a MitM attack sourcing candidates for a real bank, without the bank being aware. – Jeffrey Jul 15 '19 at 22:22
12

The best thing to do is ask for an explanation and provide appropriate information. In all likelihood, your employer is working to set up payroll for you.

It doesn't hurt to make a quick call or email to a recruiter or manager inquiring about the request. You can always phrase your question as "I want to make sure I get you the right information, can you share what my banking information is needed for?"

A photo of your IBAN/BIC card is fine if your employer is looking for your account number and sort code for payroll. If your card doubles as an ATM card, you should obscure anything except your name and the account numbers.

If the employer provides a reasonable explanation and asks for appropriate information, be prompt in providing it.

Jay
  • 12,286
  • 2
  • 41
  • 63
  • 3
    THIS. Ask for clarification. Don't be argumentative, but ask a sincere, honest question of "Why?" They should be able to explain. – Keith Jul 15 '19 at 12:12
  • 1
    You can then refuse politely by explaining your security concern about giving them the whole card - perhaps you could pixelate or cover the Expiry date / CVV in any image you send them, – Smock Jul 15 '19 at 13:00
  • 31
    No. Just no. No matter what they say, never share the CVV with anyone. – Gregory Currie Jul 15 '19 at 13:11
  • 22
    It doesn't matter what they say -- they don't need a copy of your card and three digit code period. – Neo Jul 15 '19 at 13:41
  • 6
    @MisterPositive what if they say "we need your account info for direct deposit" and the discussion of the card was a misunderstanding by OP? I agree sending the right information is best, but asking for clarification is an important step here. – Jay Jul 15 '19 at 13:44
  • 1
    @Jay Then I would say they are full of it good sir. – Neo Jul 15 '19 at 13:45
  • 3
    I agree it makes sense to just ask. The sentence, I interviewed in person at the bank's headquarters office, so I don't think anything suspicious is going on. makes a literal scam seem unlikely. I'm wondering if there's some context we don't have in this question, or some confusion on the OP's behalf. – dwizum Jul 15 '19 at 13:46
  • @Jay You just say no. You don't entertain their justification. It's simple. – Gregory Currie Jul 15 '19 at 13:46
  • The thing with asking is your would only ask if there is a justification that makes sense. There is no justification here. – Gregory Currie Jul 15 '19 at 13:47
  • 8
    Are we totally dismissing the possibility the OP could be confused about what was requested? I'm surprised the popular reaction is to be uncooperative with a future employer without seeking some clarification. – Jay Jul 15 '19 at 13:47
  • @Jay We are not saying be uncooperative. We are saying: send them the information they need. – Gregory Currie Jul 15 '19 at 13:49
  • 3
    So, are you suggesting that the bank doesn't know how to ask for the right thing? And you should just send them what you think they need? That seems just as foolish as sending them the card info. I don't understand the reluctance to just simply seek some clarification. Hi, I'm was curious about why you asked for my card info, can you let me know? strikes me as a better response to a new employer than just randomly sending them something they didn't ask for. Just pick up the phone and call them. There's no point in trying to outsmart them instead of just having a simple conversation. – dwizum Jul 15 '19 at 13:52
  • @dwizum We are seeing evidence of that. In any case, it's not hard to respond gracefully. "As requested, here are payment details..." In Europe, sending the details I indicate is perfectly safe, and is all an employer needs. – Gregory Currie Jul 15 '19 at 13:58
  • 2
    I would add that the OP should make sure that they request clarification from a different person using a trusted phone number, not whatever contact information was in the email. Just because OP happened to have an interview with this bank doesn't mean this specific email is legitimate (or that there isn't a bad actor working at the bank itself). – BSMP Jul 15 '19 at 16:15
  • 4
    At my place of work, accounting asks for a photo or scan of the bank card of a new employee. This happens as a bunch of people have proven to be unable to write legible. They only want the front for the IBAN, though. – Hermann Jul 15 '19 at 21:22
  • Downvoted for reasons explained in Gregory Currie's answer – Darren H Jul 16 '19 at 07:12
  • What do you mean by "provide appropriate information"? I think you could argue that sending them a picture of your card is never really appropriate information; but this answer seems to completely gloss over that. – JMac Jul 16 '19 at 12:10
  • @JMac, I clarified what would be okay to send. Thanks. – Jay Jul 16 '19 at 12:19
  • 3
    @Jay it is also possible that OP is not the one confused but the person on the other side is new and confused. I definitely agree to not send any thing like the CVV, but I think you bring up a good point that clarification should be sought. – Captain Man Jul 16 '19 at 14:23
5

Don’t do this, some cards have the 3 digit confirmation code on the back .

Sending the account number which can also be the IBAN number and a sorting code should be sufficient.

Solar Mike
  • 17,891
  • 9
  • 48
  • 59
3

I have seen similar silly request several times.
The real reason is the employer assumes you are not able to 'spell' your IBAN and BIC without making an error, so your salary would go into the wrong account, and the you'd whine and complain, and they have to run after it.
In the US, employers and banks typically insist to get a voided check, for the same reason - the numbers are printed on it.

[Working in IT, I can confirm that half the people are sloppy or dumb enough to really 'misspell' their account numbers]

So there is probably nothing bad going to happen, but it is still a silly rule. Just make sure you don't give them accidentially the wrong number...

Aganju
  • 2,864
  • 1
  • 13
  • 18
1

As others have pointed out, this does sound very suspicious. I certainly wouldn't do this, however what I could consider is sending them scans of front and back of the card with the card number on the front and CVV and signature on the back blacked out. This way they'll only get your name and account details (account number, branch/sort code, and name).

I would further encrypt the images before emailing and only disclose the encryption password over the phone to the person I have personally dealt with.

Aleks G
  • 317
  • 2
  • 9
  • Or print the photos and send them by snail mail. – Keith Thompson Jul 15 '19 at 22:20
  • @KeithThompson yes, that works with too. With the right bits blacked out. And send by registered post with proof of delivery required. – Aleks G Jul 15 '19 at 22:31
  • 1
    And if you send a photo by email, some methods of blacking out parts of it can leave information that can be recovered. – Keith Thompson Jul 15 '19 at 22:36
  • True, although the simplest one of scanning to an image, then painting black pixels will usually work. – Aleks G Jul 15 '19 at 22:37
  • Or, just go there in person. – Gregory Currie Jul 16 '19 at 01:16
  • @AleksG ... and with proper covering so that you can't see the card through the envelope (there's special noisy covers just for that purpose). – Luaan Jul 16 '19 at 08:24
  • @AleksG Certain formats, such as JPEG, allow a thumbnail to be stored as metadata. So while you may be confident that you have scrubbed those pixels clean, there may be cached metadata that will trip you up. (As it did one celebrity who attempted to crop out nudity from a photo they posted, unsuccessfully) – Gregory Currie Jul 17 '19 at 08:31
1

3 EASY SOLUTIONS
IF it's a job that one CANNOT afford to loose, and (as the OP stated), they insist with the so called "regulations", forcing you to give up those card photos (which i ABSOLUTELY DON'T RECOMMEND, because it's INSANE no matter how you look at it), you could do the following:

  1. Simply tell them that you do NOT own a credit card. You have a bank account, but you... "were scammed once" or something alike, and didn't get one after. It's your word against their's, and its very possible they will offer the alternative below.
  2. If you already told them you own a credit card (...well, you can't undo it), or you said you don't own one, and they still make it a requirement, even with their regulations, you should strongly express your concerns, politely refuse, AND, since it's a bank we're talking about, offer them an alternative, to open an account with them. Whatever information they are after, they would now own, and you would not be required to give it anymore.
  3. by using solution 1 or 2, you are technically covered, because you are complying with their regulations, and should they deny you the job, or they still insist that you give them a copy of your card, go and buy a prepaid card, never put money on it, and you should be safe. But if you come down to doing this, then surely (100%), something else is going on, and you should refuse all together. Banks should not require that info on the first place. It's illegal and should be reported.

P.S. IMPORTANT!!! - take note, that there are still "places" in the world (maybe not Austria) that can charge your credit card with ONLY the 16 digits on the front and the expiration date (no need for CVV). FYI, just as a(nother) side note, why giving up even half that info could be dangerous.

I have a feeling the OP is going to give up those photos one way or another, because i know what a job at a bank means, at an early age, and the opportunities that present with itself. Furthermore, the friends, HR and the bank will seem a more reliable source, and eventually he will give in... though he shouldn't,...no matter what.

user106928
  • 11
  • 2
0

Based on your edits it sounds like HR requested photos of the card in your best interest.

One

They have had too many people typo their banking information so direct deposit was messed up or delayed.

If they get a picture with numbers then the blame would be 100% on them if something goes amiss.

Two

HR departments deal with direct deposit fraud. It is very likely that they have encountered people that try to intercept someone else's direct deposit by providing their account information instead.

If they get a picture of your card with your numbers and your name then they can rest more assured that their not being phished.

If you're worried about the CVV code then cover it up before taking the picture.

Personally, I always supply them with a physical check which has VOID written on it with permanent marker in several locations.

MonkeyZeus
  • 13,479
  • 1
  • 26
  • 61