phishing, vishing, identity theft, social engineering, security questions
HOME
PAGE
MEMBER RESOURCES
ABOUT US
FORUMS
PARTNERS
PRODUCTS & SERVICES
FREE RESOURCES
LOGIN
HERE
JOIN
NOW!
You are not logged in. Access is limited. Login or see membership information. • Streetwise Security Zone Community

To see the list of all blogs, including Scott Wright's Security Views Blog and the Streetwise Security Zone Podcast click HERE. You also can subscribe via an RSS reader, or check the "Watch This" box in the left column to receive news by email of new articles.


Watch this Blog Notify me by e-mail any time a new post is made to this blog.

Scott Wright's editorials on a variety of security issues for non-technical business managers and home computer users. Please feel free to comment and help spread the word that managers need to think about their information security risks.

The Virus Time Machine (e-Book)
Product ID: 00000007

... What You Need to Know (and Wish You Knew Before) About Removing Virus and Malware Infections Before you start down the path of trying to fix a virus infection on your computer, you should really understand what's invol ... More »

Non-Member Price: $4.99

January 2009 Posts

Archives
  Scott Wright's Security Views
Blog Entry

How should authorities prove they're legitimate when THEY call YOU?

Wednesday, January 21st 2009 @ 11:58 PM (not yet rated)    post viewed 2827 times

The other day I received a voicemail message from somebody claiming to be from the federal government, asking for me to call him back. All he wanted was to verify some statistical information about my business. It sounds innocent enough, right? 

But I became concerned because the person left a 1-800 phone number, and there was no way to verify that the caller's number actually belonged to a legitimate government organization. It could easily have been a fraudster, trying to collect personal information, or sensitive information about my business. Setting up a fake 1-800 number is pretty easy.

Sounds paranoid, I know. But what's the first thing an organization will do when you phone them about something personal or sensitive? They ask a few "security questions" to verify who you are.  This is fine, if YOU are calling THEM, based on a publicly verifiable phone number, listed in the phone book or on an official website.

But if THEY called YOU, and you thought they were a representative of a legitimate authority, they could easily collect your birthdate and social insurance number. So, in fact, YOU should be asking THEM a few "security questions". If somebody calls you from any organization, asking to verify their information, or for some urgent information to complete their records, first ask them to give you their PUBLICLY LISTED client service number.

Then, after they've given you the number, tell them you will call them back on that number. This way, if it is a fraudster, they will not be able to intercept your call to the legitimate organization's service line.

Sadly, it turns out that the call I received was actually legitimate. This is not the first time I've had calls from legitimate organizations that should know better, and did not provide a means of easily authenticating themselves to me.

Don't give any sensitive information to people who try to reach you by phone, email, fax, instant messaging, texting, etc. without first verifying exactly who they are. Ask them if you can get back to them through a publicized contact point. If they don't like it when you ask that, you should ignore them. No legitimate organization should handle sensitive information without being able to authenticate themselves.

If you have a comment on this article, please visit The Streetwise Security Zone, log in and let me know what you think.

I am now offering monthly briefings, tailored to organizations that want to build and sustain security awareness for staff. Just because your security team is too busy to do its own training and awareness doesn't mean you can't have an economical way to address human security risks. Please call or email me at the coordinates below...

Scott Wright

The Streetwise Security Coach

Join the Streetwise Security Zone at:
http://www.streetwise-security-zone.com/join.html

Phone: 1-613-693-0997
Email: scott@streetwise-security-zone.com
Twitter ID: http://www.twitter.com/streetsec

To receive weekly security tips and other notices about helpful content available on this site, please make sure you are on my list by clicking HERE, and entering your name and email address.

 

 

Site Meter

 rate this post: very bad poor average good fantastic!
Comments