So I’m at this year’s Computers, Freedom, and Privacy Conference here in Washington, D.C., where I was chatting briefly with author Rob Hamadi and law prof Daniel Solove about how some businesses’ practices effectively train their customers to be ripped off.
Here’s an example: A while back, I lost a credit card and needed it replaced, as a result of which the number changed slightly. I forgot to register the change with my cable company, which meant my monthly automatic billing didn’t go through. So they called to ask if I wanted to give them a new credit card number to make a payment. Now, I was pretty sure it was them since, after all, they were calling in response to a card number change that your average scam artist couldn’t know about. Still, being a good paranoid, I politely declined and said I’d either call them or change it on their website.
The problem is this: If it’s the practice of actual, genuine representatives of the cable company (or any number of other businesses) to phone you up and ask you to give them a credit card number to resolve some alleged billing problem, then it’s not going to send up any red flags for the average person if some scammer calls and says: “Hi, this is Comcast, we had some trouble processing your last payment; would you like to make a payment now?” In other words, they’re training their customers to be phished. You can cross-apply the idea to the more familiar sort of e-mail phishing. It seems, I have to say, like a profoundly silly thing for any company to do. I expect the motivation is that with this sort of issue in particular, the customer is more likely to actually make the payment if you can get them to do it in one call, rather than relying on them to go out of their way to make a separate phone call or web visit. But it certainly also seems to make things easier for flim-flam men.