the phishers are getting bold (a cautionary tale)

Mar 14, 2010 18:51

I got a surprisingly-slick call this weekend. The caller said he was from my credit-card company (which he named) and proceeded to offer me a deal intended for people who don't do math. I interrupted him to say no. He kept talking and used the phrase "opt-out", implying that this unrequested service (with accompanying monthly fee) was going to start unless I took steps. That sure didn't sound like my credit-card company, which has treated me well for something over 15 years. I interrupted him again and played along:
Me: Ok, what do I need to do to opt out?
Him: I just need your city of birth.
Me: Whatever for?
Him: To verify that you're the account holder.
Me: You called me; don't you know who you called?
Him: I'm sorry, I need that to continue.
Me: I understand. It's important to protect customers from identity theft. Speaking of which, what's my mother's maiden name?
Him: Oh, I'm not allowed to reveal confidential information to strangers.
Me: You called me, remember?
Him: (babble)
Me: Ok. Topeka.
Him: Thank you. You've been opted out.
(No, I was not born in Topeka, nor have I used that response for any account.)
After I hung up on him I called my credit-card company. They do offer such an insurance plan (through a third party), but I was not scheduled to be called. I said I couldn't remember -- do they use my city of birth for a challenge question? No, they don't. The rep gave me the phone number of the company they use (which doesn't answer the phone on weekends), so tomorrow I will attempt to find out what they know about this. (Either they have an employee who stepped way out of bounds or it wasn't them.) Meanwhile, my company says they have noted that I declined this offer and if anything shows up on my account it will be squashed. Is there any place else I should report this? I don't have caller ID so we can't track the caller, but I'd kind of like to record somewhere that if someone tries to use my name plus a birth city of Topeka to open an account, it's fraud.
By the way, at no point in the conversation with the caller was my credit-card number mentioned. Hmm. (My company offered to change my card number, but that's a big hassle because of automated payments and they advised waiting to see if any suspicious charges show up. I am already in the habit of reading my statement carefully, so we'll catch it.)
I'm a little creeped out by this. It would have been pretty easy to be fooled, I think -- you can't "read back" on phone calls the way you can on suspicious email and the call went on for a while, so it would have been easy, I think, for people not especially fluent in phishing schemes to forget that credentials had not been established. This is not the Nigeria-style scam that plays on the stupidly greedy; this one could easily catch smart people who just aren't up on this stuff, I think.

money, spam/scams
