Real life phishing

Charlie Stross has just written about an attempt to steal his bank security details not via email, but over the phone:

Some bastard just tried to steal my bank account. I have no idea how they decided to target me, but from the sound on the line they’re running a call centre, and from the accent, they may not be based in the UK at all. If I had taken it on trust that my caller was from my bank and answered their questions, I would be in a world of hurt right now. I’m pretty sure they don’t have my bank details (I don’t leave statements lying around) but there’s one due real soon now that hasn’t arrived yet … and you can never be sure what’s happened to the mail that you haven’t received. Barclays aren’t a major high street presence in Scotland (they’ve got three branches in the whole country) and my phone number has the Edinburgh dialing code, so to be targeted that way implies that they knew beforehand that I am a Barclays customer and were just looking to fill in the gaps they need. Which is worrying. It implies they know more about me than they’d get by just sticking a pin in the phone book.

Something similar happened to us last year, but I’m not sure if it was an actual con, or just clueless behaviour on the part of Ikea. We had just bought our new kitchen, and paid for a large chunk of it with a new Ikea store credit card (to get the 15% discount). The following week, someone called us one evening claiming to be from a company representing Ikea, and wanting to gather some extra information to complete our “customer profile”. Sure. The conversation went something like this:

Them: So, to start with, could I take your Mother’s maiden name?

Me: No.

Them: Uh…we need that information to verify your identity.

Me: But you’re calling me. Surely you know who I am. Or are you just calling people at random?

Them: I understand, but we’re dealing with your personal information here, and the data protection laws won’t allow me to proceed unless I can confirm who I’m speaking to.

Me: Okay…so how do I know who I’m speaking to? You could be anyone.

Them I’ve already explained that we’re a company working on behalf of Ikea to help them complete their store card customer information records.

Me: And…?

Them: (Getting frustrated) Look, if you don’t believe me, I can put you through to my supervisor, and you can take it up with him.

Me: So what on earth is that going to prove? He could just be some bloke you’ve pulled in off the street. If I have no idea who you are, how am I supposed to know who he is?

Them: How about I give you our phone number then, so you can call us back.

Me: And that phone number could just be pulled out of a hat, too. I’d prefer to just call Ikea’s head office and ask them to put me through to you.

Them: But we’re not part of Ikea–we’re an external company acting on their behalf.

Me: We’re not going to get any further here are we? You have no way of proving who you are, and until you do I’m not going to give you any personal details. In fact, I’m going to hang up now.

There was something fishy about the call right from the start, and I tend to be pretty belligerent about companies calling us in the evening anyway. It might have been for real. We had just got an Ikea store card, and it’s plausible that Ikea (or an agent of theirs) would to do a follow-up call to pad out their customer database. But:

  • …even if it was legitimate, I had nothing to gain by handing over information to them for free. Companies pay good money for targeted marketing details. (You can even use an on-line calculator to figure out exactly how much.) What was I getting in return? An interrupted dinner.
  • …even if by chance I had missed the small print in the store card’s contract that said I was obliged by law to fill out a dozen marketing questionnaires, and that I would be in deep trouble if I failed to oblige, I’m sure they would have found some other way to contact me afterwards.
  • …even if they had been able to reel off details like the store card number, its credit limit, and how much my current balance was, this is information they could have acquired from a single intercepted statement. How many bank and credit card statements would a single stolen post bag yield? Lots, probably. How many people would notice if they didn’t get their statement one month? Not so lots.
  • …even if the whole thing was legitimate, Ikea deserve a good smack for not having a clue about this whole “authentication” thing. They want me to prove who I am, but I have to take their identity on trust? Aye, shining.

The best advice for a situation like this is what Charlie says at the end of his article: never disclose secret information — like your banking details or passwords — through a communications channel which you did not initiate for yourself.

The bad guys really are out there, and it pays to be on your guard when it comes to your money and identity at all times.

2 Replies to “Real life phishing”

  1. I have a car loan with a large UK company and every couple of months, they call me with an “important customer service call”. I ask if it is marketing related and they tell me no.

    They then want all my security details (even though they called me). After which, they tell me that all my payments are up-to-date and did I want to borrow any more money on their new, super special rate?

    So, I have just given them security details in order to get a marketing call!!!!!

    I have asked to be taken off the marketing list _several_ times, but the calls keep coming….

  2. Time to do a Martin and refuse to give them your details since they called you. Get mulish and question their right to have that information.

    It’ll either stop the calls or make them more fun.

Comments are closed.