This. If my bank contacts me I want it to be legitimate and honest. If I started getting phishing attempts I'd start ignoring my bank's contact attempts completely. So when someone skims my card, makes some purchases and they try to ask me about it, I'll ignore them. Not good.
I remember thinking I received a scam call from my bank over an account, and I very nearly hung up on the lady (normally, I'll say something mean/hilarious, but I thankfully refrained from it this time).
The ironic thing is what made me realize it was legitimate: She was initially asking me about my physical address; I didn't give her the information but asked what she had on file. Two numbers were transposed. The moment I realized it was probably legitimate was when she was trying very hard to send me a bill for a statement they mailed to the wrong zip code, and she was insisting that I must have lived in that town at some point.
I told her I wasn't going to pay them a cent for a mistake on their part, and that I needed to talk to my local branch. So I hung up, called them, and found out it was legitimate. One of the employees transposed two digits on an account I'd just set up about a month prior.
But holy crap do you have to be careful about giving any information out. I can't imagine if this had been a phishing attempt from the bank itself. I think I would've dumped them to be sure!
Running managed phishing campaigns against your internal staff erodes trust too. It’s a widely implemented practice but I’ve never seen evidence that it actually improves security or whether the negative impacts of trying to trick your own staff are actually worth the tradeoff. My sense is it’s really only useful for measuring how porous your organization is to phishing to decide how to invest in training/other security efforts.
I suppose with internal users you can theoretically target test-failures for individual training or performance intervention - for customers you can’t do that.
That's a really good point, and it's a tough needle to thread.
So my train of thought goes something like: If my customers are going to get hacked, it's better they get hacked by my good guys than actual criminals. If they're more suspicious about clicking on links from my bank (or links that LOOK like they're from my bank) - it isn't necessarily a bad thing.
scaryclam|1 year ago
Atotalnoob|1 year ago
That annoyed me to no end.
Literally the email domain, address, company, etc would match something in real life (I checked).
Is that phishing or just being a dick?
reportgunner|1 year ago
Yeah but they are not mutually exclusive.