Scams: why you should stop printing ATM receipts

A receipt left at the cash dispenser and scammers are on their way: it only takes little data to make a fake call from your bank believable.

That little piece of paper coming out of the ATM looks as harmless as it is insignificant. You pick it up, fold it badly, slip it into a pocket or it ends up in the garbage can right next to the machine, lying on top of other identical receipts. And yet, it's precisely there, amidst the fading paper, the truncated figures and the timetables printed to the minute, that the scam can begin.

The ATM receipt scam works like this: someone picks up a ticket we've left lying around after a withdrawal and uses these details to arrange a believable phone call. No spy movie, no hooded hacker in front of seven green screens. But a much simpler operation. A piece of paper, a telephone, a sufficiently confident voice and the eternal urgency disguised as benevolence.

Depending on the ATM and the bank, the receipt may include details such as the date and time of the transaction, the location of the withdrawal, the amount withdrawn, the last digits of the card and sometimes even the available balance. Taken in isolation, these elements seem harmless. Put together, they set the scene. And when it comes to banking scams, the scene is very valuable.

The piece of paper that lends credibility

The scammer needs one thing, even before obtaining your codes: credibility. If he or she calls and says "I'm your bank", our mistrust can still hold out. If he or she adds "I'm contacting you following the withdrawal made today at 3.12pm from the ATM on your street...", our posture changes. The brain lowers its guard. This information is true, so the rest can be too.

This is where social engineering comes into play, i.e. the ability to manipulate a person using real information, combined with emotional pressure and very tight deadlines. The ATM receipt then becomes a kind of script. The fake bank advisor mentions suspicious movements, urgent checks, temporary blockages or security procedures. Everything sounds sufficiently technical. Everything seems designed to protect us.

Then comes the request that must imperatively trigger the alert: password, PIN code, OTP code (received by SMS), validation in the app or immediate authorization of an operation. The Italian Banking Federation, in its recommendations against scams, reiterates a very clear rule: when contacting a customer, a bank should never ask for personal access codes. It warns against urgent requests for codes or sensitive data. At this point, the receipt has already done its dirty work: it has made a foreign voice familiar.

Small piece of paper, big risk

The distributor's receipt belongs to that annoying category of documents that seem too trivial to merit our attention. Yet the Federal Trade Commission (the American consumer protection agency) explicitly lists it among the documents to be destroyed before throwing them away, along with any other paper containing personal or financial information. The advice is simple: when a document contains economic or identifying data, it must be destroyed. In the absence of a document shredder, it should at least be torn into small pieces.

From a practical point of view, it's even clearer: paper receipts are rarely useful. Today, almost all transactions can be consulted via the bank's application, online customer space or account statements. Printing the receipt and then leaving it on the spot, next to the cash dispenser, is doubly light-hearted: it produces unnecessary waste and offers valuable details to those who know how to exploit them.

Of course, an abandoned receipt alone isn't usually enough to empty an account. The damage is done when this document is combined with other elements: an already accessible telephone number, an e-mail address from an old data leak, a chatty social media networking profile or a well-crafted phone call. Modern scams make a living from all these combinations. They pick up crumbs and turn them into a plausible story.

The simplest rule is also the safest

The first defense is to stop printing. If the receipt only serves to reassure us for ten seconds, it's better to check the transaction on the app or find it in the digital account statement. The less paper circulates, the less data is left dangling at the mercy of our inattentiveness.

On the other hand, if the receipt is useful in the event of a check, take it with you. Never leave it in the dispenser basket, never put it on the edge of the machine, never throw it in its entirety into the next-door garbage can. Once the operation has been verified, destroy it. Cutting it in half with a vaguely symbolic gesture isn't enough. It's better to tear it into small pieces, especially the part that shows the place, time, amount and numbers on the card.

And if a suspicious call comes in, hang up. No long explanations, no guilt trips, no getting caught up in their emergency scenario. Then we call our bank back, using the official number - the one on the app, the website or on the back of the card. Someone who really works to protect us can wait those thirty seconds. Someone who is being hasty is usually trying to prevent us from thinking things through.

Source : ABI