Monica ([personal profile] cellio) wrote 2010-03-14 06:51 pm

the phishers are getting bold (a cautionary tale)

I got a surprisingly-slick call this weekend. The caller said he was from my credit-card company (which he named) and proceeded to offer me a deal intended for people who don't do math. I interrupted him to say no. He kept talking and used the phrase "opt-out", implying that this unrequested service (with accompanying monthly fee) was going to start unless I took steps. That sure didn't sound like my credit-card company, which has treated me well for something over 15 years. I interrupted him again and played along:

Me: Ok, what do I need to do to opt out?
Him: I just need your city of birth.
Me: Whatever for?
Him: To verify that you're the account holder.
Me: You called me; don't you know who you called?
Him: I'm sorry, I need that to continue.
Me: I understand. It's important to protect customers from identity theft. Speaking of which, what's my mother's maiden name?
Him: Oh, I'm not allowed to reveal confidential information to strangers.
Me: You called me, remember?
Him: (babble)
Me: Ok. Topeka.
Him: Thank you. You've been opted out.

(No, I was not born in Topeka, nor have I used that response for any account.)

After I hung up on him I called my credit-card company. They do offer such an insurance plan (through a third party), but I was not scheduled to be called. I said I couldn't remember -- do they use my city of birth for a challenge question? No, they don't. The rep gave me the phone number of the company they use (which doesn't answer the phone on weekends), so tomorrow I will attempt to find out what they know about this. (Either they have an employee who stepped way out of bounds or it wasn't them.) Meanwhile, my company says they have noted that I declined this offer and if anything shows up on my account it will be squashed. Is there any place else I should report this? I don't have caller ID so we can't track the caller, but I'd kind of like to record somewhere that if someone tries to use my name plus a birth city of Topeka to open an account, it's fraud.

By the way, at no point in the conversation with the caller was my credit-card number mentioned. Hmm. (My company offered to change my card number, but that's a big hassle because of automated payments and they advised waiting to see if any suspicious charges show up. I am already in the habit of reading my statement carefully, so we'll catch it.)

I'm a little creeped out by this. It would have been pretty easy to be fooled, I think -- you can't "read back" on phone calls the way you can on suspicious email and the call went on for a while, so it would have been easy, I think, for people not especially fluent in phishing schemes to forget that credentials had not been established. This is not the Nigeria-style scam that plays on the stupidly greedy; this one could easily catch smart people who just aren't up on this stuff, I think.

[identity profile] sanpaku.livejournal.com 2010-03-14 11:18 pm (UTC)
When they start talking I simply interrupt and say, "thank you, I'm not interested, do not call me again, good night!" and hang up. If they could charge you just on the basis of having your phone number, they would just do that. I assume that, all nonsense about opting out aside (which nobody's going to allow as a business practice), they are trying to entice you to simply keep listening long enough that you'll change your mind and give them all that information that they don't have, so they can prove to someone you want it.

[identity profile] http://users.livejournal.com/merle_/ 2010-03-15 01:02 am (UTC)
Plus, the city is no longer known as Topeka -- it's Google until the end of the month. So he should have known you were lying. ;-)

[identity profile] dvarin.livejournal.com 2010-03-15 03:33 am (UTC)
Did he ask for you by name?
I mean, there is a double-authentication problem here. If he were actually from your credit card company, he might still need some kind of information to prove that the person who answered the phone and claimed to be you is actually you. You don't have that problem when calling them, because you assume that no one has snuck into their office in order to answer their phones.

[personal profile] siderea 2010-03-15 04:16 am (UTC)
"Oh, I have several cards from that company. What are the last four of the card number you're calling about?"

[identity profile] byronhaverford.livejournal.com 2010-03-15 01:44 pm (UTC)
Phishing is getting more tough in two ways: the scams are getting more robust, and the legit businesses are getting more stupid. I can't, based on your description, figure out which of the two is at work here.

I've had my bank call and demand info like that, and I called the bank HQ to confirm that the call was legit (and left a strongly-worded rebuke with the HQ).

But I also recently encountered the best phish I've ever seen; it came from an email address in my IT department, and it noted that I was over my storage limit, and provided a link to apply for more storage space. The only reason that I didn't click it was that the precise amount of storage space listed in the email wasn't the amount I currently had on my account. (A large number of my colleagues took the bait.)

[identity profile] ariannawyn.livejournal.com 2010-03-15 02:03 pm (UTC)
Another interesting and alarming scam is phishers who record phone conversations and edit them to make it seem as if you agreed to something you didn't. I read a story in AARP magazine about a man who fell victim to that. They had a recording of him saying "yes" to an offer, but he remembered the phone call and was certain that the only time in the conversation he said "yes" was when they asked "Is this [name]?"

Normally when a telemarketer starts a call by asking me to confirm my identity, I say something like "That depends, who are you?" Since I read that story, I make sure I NEVER say "Yes" to any question they ask - instead I'll say something like "Correct" or "That's right" but mostly I just say "not interested" and hang up.