Know who is calling

Thanksgiving has always been a good time to catch up with family and friends. One of the themes at our Thanksgiving table this year quickly became privacy.

“This is the IRS calling…”

Several of the people I spoke with, including my oldest son, had gotten a call from someone purporting to be from the Internal Revenue Service. In each case the caller said there was a tax problem and that a warrant had been issued for the call recipient’s arrest. Only by sending money immediately could the problem be resolved.

My oldest son played along for a while, finding out that he “owed” over $3,000. By electronically transferring the amount to a fund, all would be cleared up. A check or credit card would just not do.

Generally, my son answers his phone by saying “hi” and then introducing himself. Using this and the dialed phone number, the caller was able to obtain my son’s address. At this point the phishing attempt had gone far enough, so my son hung up the phone. He called his wife to make sure she was OK, and then called the IRS to verify it was a scam and report the event.

The phishers were persistent. They called my son back three times threatening arrest.

“There is a package waiting for you at our retail store”

On Black Friday, emails started appearing that seemed to be from various retailers, stating that a product that had been ordered was ready for pickup at the retailer’s brick-and-mortar store.

The emails did not contain specific information such as an order number, the product ordered, or the pickup location; however, the emails were very convincing. Simply looking at the links, or in some cases the sender’s email address, revealed these emails to be a phishing attempt.

A business needs to help their customers to protect themselves

Phishers are becoming more sophisticated. It is becoming easier to construct an official-looking email from a company, and, due to data breaches and the information people reveal on social media, it is also becoming simpler to collect the personal information that makes a phishing telephone call or email seem like the caller knows you.

Businesses need to help their customers protect themselves from scams that impersonate the business. I am suggesting a two-step approach to address this: cross identification and notification.

Cross identification

Today most businesses use some information known only to the business and their customer when confirming the identity of a customer. For example, when I call my bank or my credit card company they may ask me for the amount of a recent transaction. A customer should have the ability to ask a similar question of a business.

Designing the protocol for this would be interesting. Details such as what counts as a legitimate challenge question and who gets to be identified first will need to be worked out. I can see a dialog going something like this after the identity of the Customer or their account number has been provided:

Customer: Can you tell me the pass phrase I provided to you?
Business: Yes, it is “The owl hoots at midnight”. Can you tell me the amount of a recent transaction?
Customer: Yes, it was about $53.
Business: That happened on November 28.

Aside from the similarity to a 60’s spy movie, the Customer now knows it is the Business, because the Business provided the predetermined pass phrase and the date of the recent transaction. The Business knows it is the Customer from the identity provided and the amount of a recent transaction.
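As an added illustration (not code from the original post), the dialog above modelled as a mutual check in Python: the customer asks for the pass phrase first and hangs up on a wrong answer, so a phisher who only knows the account number learns nothing further. Account records, names, amounts and the 10% tolerance for “about $53” are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date

# Constructed sample records held by the business (illustrative values only).
ACCOUNTS = {
    "acct-1001": {
        "pass_phrase": "The owl hoots at midnight",
        "transactions": [(date(2014, 11, 28), 53.20), (date(2014, 11, 20), 212.00)],
    }
}

class Business:
    """Legitimate business: knows the pass phrase and the transaction history."""
    def __init__(self, accounts):
        self.accounts = accounts

    def pass_phrase_for(self, account_id):
        return self.accounts[account_id]["pass_phrase"]

    def date_of_amount(self, account_id, claimed, tolerance=0.10):
        """Business's check of the customer: a rough amount must match a real
        transaction within the tolerance; the matching date is returned so the
        customer can verify it against their own records."""
        for when, amount in self.accounts[account_id]["transactions"]:
            if abs(amount - claimed) <= tolerance * amount:
                return when
        return None

class Impostor:
    """Phisher posing as the business: has the account number, not the records."""
    def pass_phrase_for(self, account_id):
        return "Your account has been flagged"   # a bluff, not the pass phrase

    def date_of_amount(self, account_id, claimed, tolerance=0.10):
        return date.today()                      # another bluff

@dataclass
class Customer:
    account_id: str
    pass_phrase: str
    recent: tuple   # (date, amount) of a recent transaction as the customer recalls it

def cross_identify(customer, caller):
    """Run the dialog; returns (customer_trusts_caller, caller_trusts_customer)."""
    # Step 1: wrong pass phrase ends the call before any transaction detail is shared.
    if caller.pass_phrase_for(customer.account_id) != customer.pass_phrase:
        return False, False
    # Step 2: customer offers the rough amount; the business answers with the date.
    when = caller.date_of_amount(customer.account_id, customer.recent[1])
    # Step 3: each side is satisfied only if the other's answer checks out.
    return when == customer.recent[0], when is not None

ALICE = Customer("acct-1001", "The owl hoots at midnight", (date(2014, 11, 28), 53.0))
```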

Notification

To help customers, it would be wise for businesses to periodically send reminders of some of their privacy-protecting practices, for example, letting customers know periodically that the business will not be asking for personal information on the phone. Alternatively, providing notification that the business will be calling would also be helpful to consumers.

Many businesses have routine communications with their customers in non-electronic, non-telephonic form, such as monthly bills. Utilizing this vehicle to send a privacy-protecting message to customers is a verifiable method of communication, so that customers know the notification itself is not a phishing effort.