‘Just give me your date of birth, mother’s maiden name and post-code …’

When my credit card provider telephoned me some weeks ago, it was not entirely a surprise.  I had, after all, contacted my provider just days earlier both by telephone and by post to alert them to an erroneous (though not fraudulent) charge that had appeared on my most recent statement.

Picture the scene now, if you will.

The telephone rings and I answer it.

‘Is that Mr Cohen?’ the caller asks.

‘Who’s calling?’ I respond cautiously – I am a naturally cautious person when taking unsolicited calls.

‘My name’s Sally,’ says the caller, ‘and I’m calling from the Customer Relations Department at …’ and she announces the name of my credit card provider.  ‘Are you able to talk?’ she asks.

‘That depends,’ I reply, still vigilant.

And then Sally asks me the question that I know will result in my ending the call.  ‘I just need to ask you some security questions before we continue,’ Sally informs me.  ‘Please can you confirm your date of birth?’

“As if!” I think to myself.  But I keep my thoughts to myself and I politely inform Sally that I never divulge personal information to unsolicited callers.

“Well I can’t continue this call unless I’m able to verify your identity,” Sally advises, as if exerting this pressure will prompt me to part with my date of birth and any other such personal information her script tells her she needs.

I tell Sally that the call is therefore over, though I do take her full name and department before ending the call and I promise I will call her back within the next ten minutes through the credit card provider’s main switchboard number (which, of course, I locate for myself).

Ordinarily, following a call of this nature I would take no further action but on this occasion, because I had cause to contact my credit card provider some days earlier, I am sufficiently curious to call the provider’s switchboard around half an hour later.  I am eventually connected to Sally and at this point, because I have initiated the call myself, I am happy to answer her security questions and we move on to resolve the outstanding erroneous charge on my account.

But the initial call from my credit card provider is not an isolated incident.  I have lost count of the number of times I have been contacted by my bank, my telecoms provider, various savings account providers, utilities providers and the like regarding issues that vary from responding to correspondence I have sent them to wanting to conduct a periodic review of my account activity and future requirements.

What each of these calls has in common is that in every case, the caller naturally requires me to answer a series of security questions which typically involve me revealing, at the very least, my date of birth, my mother’s maiden name and my postcode, not appreciating for a moment that these are precisely the kinds of questions criminals ask when they are ‘Vishing’ for personal information.  When I refuse to divulge my personal information I am met with complete astonishment, even from those callers who, after I have called the provider’s main switchboard number, turn out to be perfectly legitimate.  Legitimate callers patiently explain to me that they are not asking for my credit or debit card details, bank account details, PIN numbers or passwords, and they are dismissive when I point out to them that the personal information they require from me is precisely the information that scammers value and therefore harvest in order to build the identity of their targeted victims.

So why is it when frontline employees make outbound calls, they regard it as reasonable that consumers should disclose to them their personal information such as date of birth, mother’s maiden name and postcode in order to verify their identities?  A search of some UK financial services firms’ websites suggests frontline employees may not be aware of the advice their websites give consumers.  Most firms on their corporate websites, for example, define ‘phishing’ variously as:

‘a way of attempting to get your personal information and Internet Banking credentials in order to access your account fraudulently’;

and as a way of luring:

‘victims, by email, text or phone, into handing over valuable information such as credit card and bank account numbers, passwords and log on details, which can be used to commit fraud’

They also clearly indicate they will:

  • never ‘ask [you] for your personal information [when we call you]’; and
  • never ‘ask you to email or text personal or banking information’;

and many firms advise consumers quite simply to ‘keep your details to yourself’.

However, ‘personal information’ appears not to be consistently or coherently defined and ‘valuable information’ appears to encompass only bank details, passwords and logon details.  Action Fraud goes a step further since their site provides examples to help consumers define what is meant by personal information:

‘Vishing involves a fraudster making a phone call to a potential victim, posing as someone from a bank or building society fraud investigation team, the police or another legitimate organisation such as a telephone or internet provider.  They attempt to obtain financial information which often includes credit / debit card details (including PIN), bank account details and personal information such as full name, date of birth or address.  This information is then used by the fraudster to gain access to their victim’s finances.’[1]

Action Fraud further advises people ‘not to assume a caller is genuine just because they hold some information about them.’

Sound advice indeed; but when financial services firms call their customers and ask them to disclose their dates of birth, post-codes and mothers’ maiden names in order that their identities may be verified, they unintentionally adopt the self-same tactics scammers use to persuade their victims to part with their personal information; they sound authoritative, they sound plausible and they put pressure on the person they are calling (‘we cannot deal with your issue / complaint / concern unless you answer these security questions’).  The unintended consequence is that financial services firms inadvertently expect consumers to judge in an instant whether callers are legitimate, or whether they are scammers trying to build the identities of their victims.  These are, of course, snap judgements that are impossible to make; consumers ought to err on the side of caution and follow the advice of Action Fraud and not automatically assume the caller is genuine.  But most important, we need to recognise that when frontline employees make outbound calls to consumers requesting that they disclose their personal information in order to verify their identities, they seemingly endorse and promote the very behaviour all the advice is aimed at discouraging.

Instead of expecting consumers to instantly distinguish between legitimate calls from financial services firms and calls from scammers, imagine, if you will, a time in the not too distant future when consumers receive a different type of unsolicited call from their banks and building societies that goes something like this …

The telephone rings and I answer it.

‘Is that Mr Cohen?’ the caller asks.

‘Who’s calling?’ I respond cautiously – I am a naturally cautious person when taking unsolicited calls.

‘My name’s Sally,’ says the caller, ‘and I’m calling from the Customer Relations Department at …’ and she announces the name of my credit card provider.  ‘Are you able to talk?’ she asks.

‘That depends,’ I reply, still vigilant.

‘Your recent communication has been passed to me to deal with and I would like to talk with you about it,’ Sally tells me politely.  ‘In order to maintain strict security, please would you telephone the number on the back of your credit card and ask for me on Extension nnnn?’

‘Why should I call you back?’ I ask.  ‘Can’t we just talk now?’

‘I’m sorry,’ says Sally.  ‘In order to talk with you about your account, I need you to answer some security questions and we are conscious customers should never disclose personal information to any unsolicited callers.  Because we take the protection of your personal information so seriously, we never ask you to disclose personal information in a call we initiate; we only ask you to disclose your personal information when you make calls to us.  If you prefer not to call back, I am happy to write to you at the address we have on file for you….’

This approach may take a little longer and it may be slightly less convenient but it promotes consistent behaviour amongst employees and consumers; and in any case, isn’t it about time convenience stopped trumping security?

[1] Quarter of people in UK at risk of “Vishing”, Action Fraud, 29 August 2013
