How should authorities prove they're legitimate when THEY call YOU?Wednesday, January 21st 2009 @ 11:58 PM (not yet rated)
The other day I received a voicemail message from somebody claiming to be from the federal government, asking for me to call him back. All he wanted was to verify some statistical information about my business. It sounds innocent enough, right?
But I became concerned because the person left a 1-800 phone number, and there was no way to verify that the caller's number actually belonged to a legitimate government organization. It could easily have been a fraudster, trying to collect personal information, or sensitive information about my business. Setting up a fake 1-800 number is pretty easy.
Sounds paranoid, I know. But what's the first thing an organization will do when you phone them about something personal or sensitive? They ask a few "security questions" to verify who you are. This is fine, if YOU are calling THEM, based on a publicly verifiable phone number, listed in the phone book or on an official website.
But if THEY called YOU, and you thought they were a representative of a legitimate authority, they could easily collect your birthdate and social insurance number. So, in fact, YOU should be asking THEM a few "security questions". If somebody calls you from any organization, asking to verify their information, or for some urgent information to complete their records, first ask them to give you their PUBLICLY LISTED client service number.
Then, after they've given you the number, tell them you will call them back on that number. This way, if it is a fraudster, they will not be able to intercept your call to the legitimate organization's service line.
Sadly, it turns out that the call I received was actually legitimate. This is not the first time I've had calls from legitimate organizations that should know better, and did not provide a means of easily authenticating themselves to me.
Don't give any sensitive information to people who try to reach you by phone, email, fax, instant messaging, texting, etc. without first verifying exactly who they are. Ask them if you can get back to them through a publicized contact point. If they don't like it when you ask that, you should ignore them. No legitimate organization should handle sensitive information without being able to authenticate themselves.
If you have a comment on this article, please visit The Streetwise Security Zone, log in and let me know what you think.