I opened a new bank account recently, and also applied for a VISA card. This morning the credit card department called me to verify some personal data. When the person started asking her questions, I stopped her. I told her I would have to verify who she was before I could give her any such data. She agreed, and gave me a number and extension to call back. But how could I tell that number was not just some fancy scam line?
I hung up and tried to verify the number she had given me on the bank’s website. No phone numbers were available. Fortunately the phone number was in the yellow pages (among 70 other numbers for the bank in question), which is good enough for me. But it still raises some questions:
- How many customers would think to do this?
- Banks are always telling us not to give our information away online, but if that’s the case, why do they call us up out of the blue and ask for it without any easy way for us to verify? To me it would be easy enough to avoid this problem by either having a personal security code the employee can cite to prove they are who they say they are, or else having the bank provide a telephone number on its website that customers could call back on. An employee calling a customer to verify personal data could then give a code/extension on that number for the customer to call back on, so the customer could verify that the person they were talking to was a bona fide employee.
Fraud is as much about social engineering as it is about technical wizardry. Calling customers up and asking them to provide personal data without any easy way for the customer to verify who they are is not just poor business practice; it continues to send a message to customers that somehow giving out data to strangers is OK.