
Funny you should say that, I've had several calls from my bank - HSBC UK - who have then asked me for information to 'prove my identity'. When I've said "you phoned me, you could be anyone, I'm not doing that", they got pretty annoyed, and didn't see why I was saying that I wouldn't give away the information. I phoned them back and then it was OK - when I spoke to the same person (she'd given me an extension to give once I'd phoned the main, publicly verifiable number), she seemed surprised that I'd take such steps.

It's not just banks - I get the same spiel from my insurers, who say they have to check the information "for data protection" - oblivious of the fact that them regularly doing this means that they're setting the scene for people inadvertently leaking the information they take as sacrosanct!




I'm with HSBC too and they seem to be a bit too cautious with their debit card fraud. I get my card blocked a couple times a year.

Whenever they've phoned me and I've told them I don't want to give out my info they just tell me to call the number on the back of my card. Never had anyone act annoyed towards me. Maybe it's because I never act annoyed or accusatory towards them, so they don't act the same towards me. I just tell them that I'd rather not give my info out to someone who's phoned me.


That they do this shows that they have been getting bad publicity by calling the wrong number and giving private information to the wrong person. Now and then you see articles about this or that hospital sending faxes with patient data to some company fax by mistake. I'm sure this also happens with phone calls so they are just trying to cover their back; it has nothing to do with your security. They get annoyed when it means more work for them.


I regularly make outgoing phone calls where I need to request payment details. Out of all of those calls, only one person expressed concern about providing said information so I provided them with three options: pay in person, pay online, or look up our phone number and call me back. Apparently that was enough verification for them, so they provided the information right after I finished the sentence.

Is it any surprise that institutions would not know how to handle their customers seeking verification when it is rare and at least some of the people who claim to want verification have a very low standard for evidence?

I suspect part of the problem is the minimal effort put into most scams, which is where this story is sobering. The people involved in this scam were clearly willing to lay down the framework to take a smaller scale crime and escalate it into something more profitable. While many of us may seek solace in our own practices being able to filter out the type of scam described in this story, the real question is when (rather than whether) these people will find an approach that exploits our own vulnerabilities.


Exactly. Banks need to be aware that data protection goes both ways, and they should teach their customers to check the identity of any bank employee calling them. Training users to give out personal details to people calling them is exactly the wrong thing.


They use email...email.

Unencrypted email.



