How should authorities prove they're legitimate when THEY call YOU?Wednesday, January 21st 2009 @ 11:58 PM (not yet rated)
The other day I received a voicemail message from somebody claiming to be from the federal government, asking for me to call him back. All he wanted was to verify some statistical information about my business. It sounds innocent enough, right?
But I became concerned because the person left a 1-800 phone number, and there was no way to verify that the caller's number actually belonged to a legitimate government organization. It could easily have been a fraudster, trying to collect personal information, or sensitive information about my business. Setting up a fake 1-800 number is pretty easy.
Sounds paranoid, I know. But what's the first thing an organization will do when you phone them about something personal or sensitive? They ask a few "security questions" to verify who you are. This is fine, if YOU are calling THEM, based on a publicly verifiable phone number, listed in the phone book or on an official website.
But if THEY called YOU, and you thought they were a representative of a legitimate authority, they could easily collect your birthdate and social insurance number. So, in fact, YOU should be asking THEM a few "security questions". If somebody calls you from any organization, asking to verify their information, or for some urgent information to complete their records, first ask them to give you their PUBLICLY LISTED client service number.
Then, after they've given you the number, tell them you will call them back on that number. This way, if it is a fraudster, they will not be able to intercept your call to the legitimate organization's service line.
Sadly, it turns out that the call I received was actually legitimate. This is not the first time I've had calls from legitimate organizations that should know better, and did not provide a means of easily authenticating themselves to me.
Don't give any sensitive information to people who try to reach you by phone, email, fax, instant messaging, texting, etc. without first verifying exactly who they are. Ask them if you can get back to them through a publicized contact point. If they don't like it when you ask that, you should ignore them. No legitimate organization should handle sensitive information without being able to authenticate themselves.
If you have a comment on this article, please visit The Streetwise Security Zone, log in and let me know what you think.
The Streetwise Security Coach
Twitter ID: http://www.twitter.com/streetsec
LinkedIn: http://www.linkedin.com/in/scottwright (please send a personal message first on LinkedIn if you'd like to connect, to ensure that you're not a spammer)
Did you find this post interesting?
If so, why not find out more?...
To download my FREE Security Management Resource Guide now, and to receive my series of Streetwise Security Tips, as well as my Streetwise Security News and updates click HERE.
Join the Streetwise Security Zone, or learn more about mobile security risks through the Honey Stick Project.
If your organization is looking for innovative ways to make its security investments more effective right now, CLICK HERE to learn more about Streetwise Security Awareness solutions.