8 August 2006
Phishing, according to the Wikipedia entry on the topic, is a term that combines the words “password” and “harvesting”. Typically, phishing takes the form of a phone call or email where the perpetrator poses as a trustworthy source (your bank, for example) and uses this trust to request private and profitable information.
This post will provide advice on how to avoid getting phished over the telephone, but first I’m going to describe how it almost happened to me. If you get a call like the one I got, I hope it sets alarm bells ringing before any damage is done.
I almost got phished
In February 2006 I got a phone call from someone named “Mark,” who ostensibly worked for Rogers Wireless, my cell phone provider. The conversation went something like this:
Him: “Hello, sir, this is a courtesy call from the accounts receivable department to confirm your personal information in our files. The credit card we have for you is no longer active.”
The first thing I think is: “that makes sense, because I lost my credit card about two weeks ago and cancelled the account. I just got a new credit card.”
Him: “I’d just like to confirm your name and address as well as some other information. Can you confirm your current address?”
Me: “Sure, it’s 5959 Glen Stree… Wait! Why are you asking for this information over the telephone? No reputable company would do that. I’m going to call Rogers with a phone number I trust to make sure that I’m not getting scammed.”
Him: “Uhh, Okay.”
I immediately called Rogers Wireless to find out if they really needed my information.
Anna, the woman I spoke with, said that Rogers had no way of knowing that my credit card wasn’t active because they hadn’t yet tried to charge it. She confirmed that it was likely a phishing attempt.
Whether the scammers knew that I had cancelled my credit card (perhaps by illegally purchasing a list of such cancellations) or they were just hoping that if they called a large enough group of Rogers customers (it may be possible to legally obtain a list like this) someone would take the bait, I don’t know.
Anyway, I immediately changed my banking passwords as well as most of my other online passwords in case the scammers knew more about me than just my telephone number, affiliation with Rogers, and credit card company (those items are scary enough).
I avoided the phishing attempt, but perhaps it was only because I was extra security conscious in the weeks following the loss of my credit card. Nonetheless, I would like to think I would spot this trick any day of the week. You should be able to spot it, too.
Avoid getting phished by following this simple advice:
- NEVER give out your personal information to a company or anyone else unless you have first called a phone number you trust. If they call you, hang up and call them back using a number from the phone book or company website.
- If you are suspicious, trust your instincts. Many phishing victims later say they had a bad feeling about the encounter the whole time, but they ignored it.
What to do if you get phished:
- Immediately change all of your passwords for bank accounts, email addresses, and any other online service you use. By the time the scammer attempts to access your account, none of the information you gave him will work.
- If the phisher has already changed your passwords, call your service providers to notify them and request that they close your accounts. Then report what you can to the police.