Phishing by Cell Phone
From an alert reader:
I don’t know whether to tell you, or RISKS, or the cops, but I just received an automated call on my cellphone that asked for the last four digits of my Social Security number. The script went:
Hello! This is not a solicitation! We have an important message for J-O-H-N DOE (my first name was spelled out, but the last name was pronounced). If this is J-O-H-N Doe, Press 1 now!
(after pressing 1:)
For your security, please enter the last four digits of your Social Security Number!
I have no idea who it was, because I’ll be—damned—if I’d give out ANY digits of my SSN to an unidentified party. My cell’s display is broken so I’m not sure whether there was any caller ID information on it, but I also know that can be forged. What company expects its customers to give up critical data like that during an unidentified, unsolicited call?
Sadly, there probably are well-meaning people writing automatic telephone scripts that ask this sort of question. But this could very well be a phishing scheme: someone trying to trick the listener into divulging personal information.
In general, my advice is to not divulge this sort of information when you are called. There’s simply no way to verify who the caller is. Far safer is for you to make the call.
For example, I regularly receive calls from the anti-fraud division of my credit card company checking up on particular charges. I always hang up on them and call them back, using the phone number on the back of my card. That gives me more confidence that I’m speaking to a legitimate representative of my credit card company.
piglet • December 7, 2004 3:35 PM
It’s anyway a bad idea to use any digits of SSN for any authentication purposes. It’s unsafe, SSNs are not secure and cannot be kept secure. And the insanely widespread use of SSNs makes them such a nice target for all kinds of attackers. If any company asks you for SSN without a good reason, at least try to explain to them that what they are doing is stupid; if possible, withhold the information or don’t do business with them. In Canada, as of January 1, 2004, customers now have the right by law to withhold their SIN except in clearly defined cases where it’s legitimately needed. Sadly, many companies haven’t yet noticed. I’m about to complain to the privacy commissioner about my bank.
http://www.privcom.gc.ca/fs-fi/02_05_d_02_e.asp