eSafety 101
Digital safety basics · Part 5

Trust, But Verify Separately

Quick read

For everyone

Main point

If a request is unexpected, verify it before trusting it. If a request is expected but involves money, bank details, identity documents, passwords, or account access, verify it before acting on it.

Verify separately means using a trusted channel that did not come from the message you are checking.

For example:

  • Open the company's app directly.
  • Type the website address yourself.
  • Call a number from an official website, card, statement, or saved contact.
  • Confirm bank details using a phone number you already know is correct.
  • Ask the person through a different trusted contact method.

The goal is simple: do not let one message provide both the request and the proof.

A little deeper

For curious readers

Context

In the earlier articles, we looked at the habit of pausing, why scams can work on anyone, what scammers usually want, and how urgency, fear, and greed are used to pressure people.

The next step is learning how to check safely.

Trust, but verify separately means you do not need to panic or assume everything is fake. It means you treat important requests carefully until you have confirmed them through a safer path.

Many scams start with something unexpected: a text about a failed delivery, a call from “the bank”, an email about a locked account, or a message from someone claiming to need urgent help.

In those situations, the rule is simple: unexpected requests should be verified before you trust them.

But there is another important lesson.

Some dangerous requests arrive when you are expecting them.

You may be waiting for payment instructions from a conveyancer during a property purchase. You may be expecting an invoice from a supplier, a deposit request from a contractor, or bank details from a real estate agent.

The timing may be right. The email may look normal. The name may be familiar. The amount may make sense.

But if the bank account details have been changed, intercepted, or faked, the money could still go to a criminal.

A safer habit:

  • Treat unexpected requests as untrusted until checked.
  • Treat high-risk expected requests as worth checking too.
  • Do not click links if you can reach the site another way.
  • Do not call a phone number that only appears in the message you are checking.
  • Do not rely on bank details from a single email or attachment.
  • Do not share passwords, security codes, or login approvals.
  • Do not send money until important details have been checked separately.

Instead, use a separate trusted channel.

For a bank or company: open the official app, type the website address yourself, or call a number from a card, statement, or official website.

For a person you know: call their usual number, message them through an existing chat, or ask another trusted person who can confirm the story.

For an invoice or payment request: confirm bank details using a phone number or contact method you already know is correct. Do this especially for first payments, large payments, changed account details, or urgent payment requests.

Verification does not need to be complicated. It just needs to be separate from the request.

Whether a request is unexpected or high-risk, the safest habit is the same: verify separately.

Technical notes

For confident users

Technical

Separate verification is a defence against social engineering, impersonation, credential phishing, payment redirection, business email compromise, and account takeover attempts.

Many scams work by creating a controlled communication path. The attacker sends a message, provides a link, supplies a phone number, starts a chat, or keeps the victim on the call. This allows the attacker to guide the victim through the next steps without giving them time or space to check independently.

Out-of-band verification means confirming a request through a different channel from the one used to make the request.

For example, if a suspicious email asks you to update payment details, do not rely on replying to that email. Confirm the request using a known phone number, an existing supplier contact, a previously verified portal, or another trusted communication method.

This also applies when the message is expected but the action is high-risk. In payment redirection and business email compromise scams, the attacker may time the request around a real transaction. They may compromise an email account, monitor a conversation, alter an invoice, or impersonate a trusted party at exactly the moment a payment is due.

Separate verification is especially important for high-risk actions, including:

  • Sending money.
  • Making a first payment to new bank details.
  • Paying a large invoice or deposit.
  • Changing saved bank account details.
  • Sharing identity documents.
  • Resetting passwords.
  • Approving sign-in requests.
  • Providing multi-factor authentication codes.
  • Installing remote access software.
  • Granting access to email, cloud storage, payroll, banking, or business systems.

A useful rule is to separate the request from the verification path.

If the same message tells you there is a problem, provides payment details, gives you a link, tells you who to call, asks you what to install, or explains where to pay, treat that path as untrusted until confirmed independently.

Good verification reduces the attacker's control. It moves the decision away from the pressure of the scam and back into a trusted process.
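
The rule above can be written down as a small payment-desk check. This is an added example, not part of the original article: the vendor record, message, phone numbers, account numbers, and the 10,000 threshold are all constructed assumptions. It flags the article's reasons to verify an expected payment request and rejects a callback number that only the request itself supplied.

```python
import re
from dataclasses import dataclass
from typing import Optional

URGENT = re.compile(r"\b(urgent|immediately|asap|today)\b", re.I)
PHONE = re.compile(r"\+?\d[\d\s().-]{6,}\d")

def digits(s):
    """Crude normalisation: keep digits only (assumes one consistent number format)."""
    return re.sub(r"\D", "", s)

@dataclass
class Vendor:                          # hypothetical record, verified before the request arrived
    name: str
    phones_on_file: frozenset
    account_on_file: Optional[str]     # None means no payment has been made yet

def risk_reasons(message, account, amount, vendor, large_amount=10_000):
    """Reasons from the article for checking even an expected payment request."""
    reasons = []
    if vendor.account_on_file is None:
        reasons.append("first payment")
    elif digits(account) != digits(vendor.account_on_file):
        reasons.append("changed account details")
    if amount >= large_amount:
        reasons.append("large payment")
    if URGENT.search(message):
        reasons.append("urgent request")
    return reasons

def callback_channel(message, phone, vendor):
    """Classify a proposed callback number as independent of the request or not."""
    number = digits(phone)
    if number in {digits(p) for p in vendor.phones_on_file}:
        return "independent"           # known before the message arrived
    if number in {digits(m) for m in PHONE.findall(message)}:
        return "untrusted: supplied by the request itself"
    return "untrusted: not on file"

# Constructed sample data (not a real supplier, message, or account).
VENDOR = Vendor("Example Conveyancing", frozenset({"555 0100 200"}), "111-222 0001")
MESSAGE = ("Settlement is due today. Our bank details have changed: 333-444 0009. "
           "Any questions, call 555 0199 777.")

if __name__ == "__main__":
    print(risk_reasons(MESSAGE, "333-444 0009", 25_000, VENDOR))
    print(callback_channel(MESSAGE, "555 0199 777", VENDOR))
    print(callback_channel(MESSAGE, "555 0100 200", VENDOR))
```

A number counts as independent only because it was on file before the message arrived, which is why the same check passes the saved contact and rejects the number printed in the request.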
