My mobile phone rang this morning. By the time I reached it, the caller (with blocked caller ID) had hung up. A minute later my (ex-directory!) home number rang. I picked up the phone.
The person on the other end of the line told me he was from Barclaycard's fraud investigation department and wanted to verify some transactions (Barclaycard does indeed make such calls from time to time).
I joked that I could not be sure he was indeed calling me from Barclaycard, to which he replied that he would not be asking me for any personal information.
The very first question was: "Who do you bank with?" - "Hm, Barclays, obviously..." - "And apart from Barclays?" - "Why do you need to know?"
He told me again he was there to help me. Did I ask for any help?
"What is your email address?" - "Tell me what address you have on file and I will confirm whether it's the right one." (I have two work addresses and three private ones.)
At that point the guy realized he was not getting anywhere and suggested I call Barclaycard myself "to verify those transactions". Which I did. There were no transactions to verify, and their fraud investigation department had no scheduled outgoing calls in the system in respect of my account.
Social engineering is the key part of spear-phishing fraud. It can penetrate even two-factor authentication security to play the classic "man in the middle" attack. To protect consumers, banks need to identify themselves first so that consumers know who they are dealing with. How can that be done in a secure way? That's a million-dollar question. Any answers?