This one isn’t about security online but rather over the phone. The same concept could be applied to the online world. In fact, it’s not about a scam but about how some organisations carry out legitimate work without realising how it affects the security of their customers.
From time to time some organisations contact their customers to confirm their details and just to ask if they’re happy with the service. The phone call is often from a call centre (whether internal or outsourced), and the originating phone number is often not provided.
The operator introduces themself, asks if they’re speaking to the correct customer, etc. Then, following their script, the operator asks the customer to verify that they are the real account holder (or hold some other relationship to the organisation).
The operator asks something along the lines of “to confirm you are <yourname>, can you tell me your street address?”, or asks for some other private information such as your password, date of birth, etc.
In most cases there is nothing fraudulent happening here, and I suppose most people would carry on the conversation by providing the correct information. There may even be an incentive such as a prize for completing the phone call. But what just happened here?
The customer received an unsolicited phone call from a private number asking for their personal details.
While this situation (which happens often) may be legitimate, the organisations are asking their customers to throw caution to the wind and to compromise the security of their accounts.
There are two major points to raise here:
- People should never divulge private data (passwords, dates of birth) to someone they can’t be 100% sure is a legitimate representative of the organisation.
- Companies should never ask their customers to do so.
I have received such phone calls from large service providers and even from the local tax office (a government department). When I refused to provide my details, the person on the phone was at first surprised, then eventually said they couldn’t help me any further without following their script.
Now I have no way of knowing whether these phone calls were really from whom they said they represented, but I believe they were, because in both cases I had recently made significant changes to my account. But I refused to provide this information in this scenario, and anyone who values their privacy (and their money) should also refuse.
What if there’s a good reason to continue with the call? Here are a few suggestions:
- Ask for the caller’s name and the department they’re calling from. Then find the organisation’s phone number from a directory service and call them back. Don’t ask them directly for their phone number; that doesn’t prove very much, since a scammer can give you any number. You need to get the number from a trusted third party (such as a phone book, directory assistance, or the company’s own web site).
- Ask them to provide the information in writing.
- Ask them questions that you consider private and that they should have available in their computer system: questions along the lines of when and where the account was opened, how much the last bill was, or what the password on the account is. (In my examples above the operator wasn’t allowed to tell me because of their security policy, after which I politely ended the call.)
- And, most of all, let them know that you have no way of distinguishing them from a scammer and that their phone call sounds suspicious.
It’s up to everyone to be vigilant about security, both you and the service providers.