Snafu Blog

July 26, 2006

Banks setting themselves up for social engineering of their customers?

Filed under: Stuff — Ian @ 21:07
Today we had a “check up” call from our bank to see if everything is going okay (probably want to flog us a credit card or something :) ). I normally don’t bother picking up the phone if I don’t recognise the number, so I don’t usually take the calls, though I do get worried about what they ask. To verify we are who we say we are (umm, hello, they’re the ones phoning us?!) they like to ask security questions. Nothing special, just DOB, mother’s maiden name… Now, though I am suspicious, they really *are* our bank, as they chat merrily about direct debits we have, bills, overdrafts etc., including information you couldn’t gain from snaffling a bank statement and the like. However, I think calling in this way is setting people up to be social engineered easily. After all, if your bank calls every 6 months or so asking for security info, why should you be suspicious if someone else does? Lure them into a false sense of security with an 0800 number (heck, use the real one for the bank) and you’re away. Most people will happily give out all sorts of information with little encouragement.

I’m not sure how they can get round this. Maybe we shouldn’t need to provide security info if the bank just wants a chat? Maybe a one time pad of some sort would work, though I suspect this would probably confuse most people :)

Makes you wonder how many people are being phished this way; it seems scarily easy to carry out…
