Teach a Man to Phish…

May 4th, 2006 · 2 Comments

So I’m at this year’s Computers, Freedom, and Privacy Conference here in Washington, D.C., where I was chatting briefly with author Rob Hamadi and law prof Daniel Solove about how some businesses’ practices effectively train their customers to be ripped off.

Here’s an example: A while back, I lost a credit card and needed it replaced, as a result of which the number changed slightly. I forgot to register the change with my cable company, which meant my monthly automatic billing didn’t go through. So they called to ask if I wanted to give them a new credit card number to make a payment. Now, I was pretty sure it was them since, after all, they were calling in response to a card number change that your average scam artist couldn’t know about. Still, being a good paranoid, I politely declined and said I’d either call them or change it on their website.

The problem is this: If it’s the practice of actual, genuine representatives of the cable company (or any number of other businesses) to phone you up and ask you to give them a credit card number to resolve some alleged billing problem, then it’s not going to send up any red flags for the average person if some scammer calls and says: “Hi, this is Comcast, we had some trouble processing your last payment; would you like to make a payment now?” In other words, they’re training their customers to be phished. You can cross-apply the idea to the more familiar sort of e-mail phishing. It seems, I have to say, like a profoundly silly thing for any company to do. I expect the motivation is that with this sort of issue in particular, the customer is more likely to actually make the payment if you can get them to do it in one call, rather than relying on them to go out of their way to make a separate phone call or web visit. But it certainly also seems to make things easier for flim-flam men.

Tags: Tech and Tech Policy



2 responses so far

  • 1 Gil // May 4, 2006 at 8:56 pm

    Good point.

    Of course, most companies would rather get paid quickly than train their customers to avoid fraud, but perhaps there’s a good compromise.

    Maybe companies should let you enter a personal passphrase (that’s as secure as a password) that they could tell you over the phone to confirm that they are the actual vendor.

    Of course, they might not want to complicate their signup process with this hard-to-explain item, but if some companies did this and earned the good will of their customers, perhaps others would follow.

  • 2 Amanda // May 6, 2006 at 4:29 pm

    I recently tried to make this argument to the IT staff of a fine institution I won’t name. It’s their policy that, when you have a computer problem, you fill out a paper form with your username and password (in addition to a description of the problem), then leave it to be processed when a tech becomes available. They couldn’t understand why I might have a problem with that (“but we’re your tech staff! We’re not going to break into your account!”), apparently seeing nothing wrong with training users to write down their passwords and leave them lying around.