So with all the buzz regarding phishing scams lately (http://www.neowin.net/news/main/09/10/05/thousands-of-hotmail-passwords-leaked-online), and reading some people commenting on ways to avoid phishing attacks, one of them was interesting to me. A very common recommendation is to not click on links in emails that purport to be from a bank or other site where you would have to type in login information. Similarly, it's a good idea to not call phone numbers that are sent to you in email or left on voicemail, as they may also be fake. However, the banks and other institutions make this very difficult for users!
The other day I received a call from Chase Bank (where I do have an account) stating that it was a call from the Fraud department and they wanted to verify some charges. Knowing that I had just recently used my card and had received a new card due to actual fraud on my account, I figured it was a good idea to call. Now, when I called, it went directly to the Fraud department and they began asking for personal information (card number, last 4 of SSN, address, etc.). Now, since I was pretty sure this was actually Chase, I went ahead and gave them the info. But think about it... this could easily have been a scheme to get plenty of my personal information!
Anyone can call and leave a message saying they're from so-and-so bank. OK, so they'd have to get an 800 #, but that's not too difficult either (maybe expensive, but hey, it's an investment for them). What's worse, I can't find the phone number I was asked to call anywhere on Chase's website! So I can't even verify it's really them... though I could do a Google search and probably find it somewhere, the average card holder might not think of that, and that's still making it difficult.
I've also seen plenty of banks send me emails with links in the email, even though we're told not to trust that.
It's tough to educate users about proper security protocol when banks and other institutions can't follow it themselves...