Verifying the Verifiers
It’s easy to forget in these days of sophisticated scams that the easiest way to get your personal data is still by asking you for it. I just got a call this morning from a guy who claimed to be from my bank’s verification department. Without further ado he asked me to confirm my name and other details, and declined to give me a telephone number I could call to confirm his identity. He seemed somewhat upset that I wouldn’t even confirm that I was me, if you know what I mean.
Eventually I reached someone who said they would check it out and call me back. Then I had to remind them to give me a name or something so I knew it was them calling and not some other scammer. I could see us getting caught in a cycle of confused identity:
– Hi. Is this Wagstaff Jeremy? (for some reason that’s what my bank calls me. I must have filled out a form wrongly somewhere down the track)
– Who is this?
– We’re calling from the verification division of your bank. We want to verify your details.
– How do I know you’re the Verification Division? How can I verify that?
– You can’t. Not until we verify that you’re Wagstaff Jeremy.
– I’m not going to tell you something like that!
– Oh. A moment’s silence.
– Are you the people I called to verify that it was the Verification Division?
– You mean the Verification of Verifications Division?
– That’s what you call it?
– Geez. Yes, I guess so.
– We can’t verify that until we verify you.
– Ah. Long silence ensues.
– How about I call you back?
– We can’t give out our telephone number. It’s confidential.
– Well, so is mine.
– No, it’s not. We have it.
– So you don’t need to verify it.
– Er… Pause. Sound of head being slapped. Yes, we do, because we still don’t know whether you’re Wagstaff Jeremy or not.
– True. Do a lot of your calls to people end up like this?
– Yes. You wouldn’t believe how suspicious people can be. It’s shocking.
– I can imagine. What’s your name?
– I can’t tell you that. But you can call me Bob.
– OK, Bob. Bye.
Admittedly this was an Indonesian bank; perhaps it wouldn’t happen if it was one of the big ones. But somehow I doubt it, whether in banks or elsewhere. Social engineering is still the easiest way to extract information. It’s not natural for people answering a phone to be suspicious when people start asking questions — most of us want to be helpful, especially if it may fix a problem with our bank account.
Banks: don’t encourage customers to be cavalier with their own personal information. Never call them up without giving them an easy way, via a switchboard and code, to confirm it’s an employee and not a scumbag they’re talking to.