The irony of the Fraud Detection department
Today someone called the office number and asked for me by name. Given that I own the company and my name is on the About Us page, along with our phone number, it’s not unusual.
Anyone can do this.
They then identified themselves as being from the American Express fraud department.
Anyone can do this.
They then asked me to prove my identity by answering some security questions, starting with my date of birth.
Anyone can do this!
But can you see what has just happened:
A total stranger has called me and asked me to provide the security information to access my American Express account.
Imagine if someone had called, asking for the PIN number to your bank account!!! But that’s effectively what is happening.
This is the fraud department calling me to reveal my security information before they will talk to me.
And then it gets worse
I refuse to answer her questions.
I’m informed that I have to answer the questions before she can talk to me. It is my responsibility to answer her questions to ensure that my account is kept safe and for her to know she is talking to the account holder.
I inform her that she called the number on my account (though why she didn’t ring my mobile is odd) and asked for me by name. At this stage I think she has more reason to trust me than for me to trust her.
Also, I have a reasonably good idea as to why she is calling, and it is for a failed transaction the day before that was actually legitimate.
So I ask her to say which country the suspect transaction occurred in.
She refuses to answer because that is providing privileged information. I need to prove my identity first.
I then tell her the amount of the transaction, rounded down to the nearest hundred dollars. I ask her to say the last two digits. She refuses again, saying I need to prove my identity.
Now if she is legitimate (which I am fairly sure she is), I have now provided proof that I have seen what is in front of her right now. All she had to do was say those last two digits, and then I would answer her questions.
But she refuses and expects me to answer her questions.
They are grooming me to be scammed in the future.
Then it starts to get better until they totally bomb out…
A momentary hope
Once it became obvious that we were at an impasse, she said I could call the number on the back of the card and ask to be transferred to the fraud department.
Why didn’t she just suggest this when I refused to answer the security questions with a total stranger?
But the bigger question is:
Why isn’t this their normal practice?
Or have a message in the phone app confirming that they are contacting me.
But not an email. They are easily faked.
And not an SMS because they are also faked.
Hope dashed
I call the number on the card and I speak to an operator. I inform the operator that I have been contacted by a person pretending to be from American Express. I am calling American Express informing them that I am being scammed.
The response from the operator is that American Express will contact people when there has been suspicious activity on their cards, and they will ask for security information like date of birth to be provided.
I am calling to report a possible scam and I am being told that what is happening is acceptable and normal, and to trust them.
I am being massively trained to be scammed.
But it is not limited to American Express
Last week in a Practice Manager’s Facebook discussion group, there was a discussion about how a very common IT support organisation would call GPs and ask for TeamViewer access and just expect it. They are training GPs that they should provide complete access to their computer network to total strangers.
I have also received an email from a bank that had a link to the login page for my online account. How easy would it be to modify that email template and turn it into a scam email? The only way to tell that it was legitimate was the fact that it stated my account number, but I could easily remove that bit and who would notice it missing?
My theory as to why
These organisations are so big into branding and trying to win customers that they only want a single message out there – “you can trust us”.
As an extension of that, they want us to trust their staff. They want us to trust their brochures. They want us to just trust them.
And the problem is saying “don’t trust people pretending to be from XYZ” is too close to saying “don’t trust people from XYZ” and that is too close to saying “don’t trust XYZ”.
It is better for business for them to have unquestioning trust in anyone calling from or pretending to call from their organisation than to have consumers who fundamentally question.
The take home message for all
If anyone calls you saying they are from any business, assume they are not until they can prove that they are.
And the proof needs to be good. It can’t be something that is found on your statement or on the company’s web site.
If you call them back, it needs to be on a number that you have found from an independent method. These would include:
- on the back of the card,
- on the official web site,
- on a statement or similar
and NOT the one that they tell you over the phone.
And tell them that their security sucks and they should stop training consumers to be scammed.
How we do remote support
We do use TeamViewer for remote support, and we do have some cloud based systems that we have access to.
If you call us, then obviously you know it is us.
As a general rule of thumb, we don’t contact our customers out of the blue. If we do call you, it is generally because you contacted us first.
The exception to this is with our CleverLogger wireless temperature logging system.
We will call you a couple of days after you have ordered it. This is to make sure you have received it, and to find out if you need any help.
With CleverLogger we have access into your system. We don’t need your password.
In fact, CleverLogger is actually designed so that there is no password.
You will NEVER receive a phone call from us asking for TeamViewer access so that we can do an upgrade.
And if you are ever in doubt, just call us back on 02 9614 6417. We aren’t that big that you will be lost between 15 departments!