How Companies Help Phishers and Fraudsters

Daniel Solove
Founder of TeachPrivacy

Privacy Choice forms

A friend of mine recently received in the mail a letter purporting to be from Citibank.  It contained a sheet of paper saying: “Please see the enclosed for information regarding your Citi Mastercard Customer Credit Card account ending in [last four digits] issued by Citibank USA, N.A.”  Inside the letter were two little brochures – a notice of change to Citibank’s policies; and a complete privacy policy with an opt out form at the end.

She went to Citibank’s website and downloaded their privacy policy and noticed some suspicious differences between the opt out form in the letter [on the left] and the one from Citibank’s website [on the right].

Two notable differences are: (1) the form from Citibank’s website has a toll free phone number you can call to opt out; the form in the letter does not; (2) the addresses of the processing centers where the opt out forms are to be sent are different.

So my friend then called Citibank to find out what was going on.  Had a fraudster acquired a card in her name?  Was the letter an elaborate phishing scheme?

My friend recounted the conversation the best she could so I could recreate it on this blog.  This is reconstructed from her memory, so it’s not exact.  Although the transcript below doesn’t contain the precise words spoken, it hopefully will capture the gist of the conversation.


CUSTOMER SERVICE REPRESENTATIVE #1 (REP):  Hello.  May I have your account number?

MY FRIEND (F):  No, I’m sorry, I don’t have an account with you.

REP:  Oh.

F:  I’m calling because I got this piece of mail yesterday that’s supposedly from Citibank, but it looks suspicious to me.

REP:  OK.

F:  First of all, it refers to a Citi Mastercard account that I don’t have.  So my first thought was maybe someone else opened a credit card account in my name.

Second, the letter included a Privacy Notice saying that if I want to limit who my personal information goes to, I should write down my credit card numbers — there are spaces to write two of them — and  send them to this processing center in Des Moines, Iowa.  The notice says I can do this over the phone, but doesn’t give a phone number. It says I should call the number on my bank statement or on the back of my credit card — neither of which I have, of course, since I don’t have this credit card account.  So then I started wondering if someone posing as Citibank might have sent me a fake notice to try to get me to reveal my credit card numbers.  If that’s the case, I thought you might want to know that somebody’s doing that in Citibank’s name.

A third option might be that this mail actually is from Citibank, and there’s some sort of mistake in your records about this account that I’ve never opened.  If that’s what’s happened, I should fix that.

I did some looking around online this morning to try to figure out whether this letter was really from Citibank or not.  I Googled the processing center address on the Privacy Notice, and wasn’t able to find any reference to this P.O. box in Des Moines.  I also found the Citi Mastercard Privacy Notice on the Citibank website, which I compared to the one I got in the mail.  [Explains differences in the form.]

[long pause]

REP:  Well, you don’t have to fill out the Privacy Notice, ma’am.  You could just throw it away.

F:  I’m definitely not filling it out — I don’t have an account with you.  But can you help me confirm whether this mail is actually from Citibank?  Could you tell me, for example, whether you’ve got a processing center at this address in Des Moines, Iowa?

REP:  Just one moment.  [Clicks away on computer.]  Ma’am, it doesn’t look like we have a processing center in Des Moines.

[long pause]

REP:  Can I have your name?

F:  My name is [name].

REP:  Just a moment.  [Clicks away on computer.]  Ma’am, we don’t have you on record as having an account with us.

F:  Right.  That’s because I don’t have an account with you.

[long pause]

F:  So, if this letter didn’t come from Citibank, maybe I should make some sort of complaint or let someone know?  Can I do that through you, or can you direct me to someone else I should talk to?

REP:  Maybe you should talk to someone in the credit card department.  Hold on just a moment and I’ll transfer you.

[He puts me on hold for a few seconds.]

CUSTOMER SERVICE REPRESENTATIVE #2 (REP):  Hello.  May I have your account number?

F:  I don’t have an account with you.

REP #2:  Oh.  May I have your Social Security number, then?

F:  No, you don’t need my Social Security number.  I don’t have an account with you.  I’m calling because I received a letter in the mail from Citibank yesterday about a Mastercard, but like I said, I don’t have a credit card with you —

REP #2:  Ma’am, I’m sure you probably do have a credit card with us.

F:  No, I’m pretty sure I don’t.

REP #2:  Yes, you probably do.

F:  No.  I have one major credit card, and it’s not through Citibank.

REP #2:  Oh?  What kind of credit card is it?

F:  It’s a Mastercard —

REP #2:  Uh-huh.  What bank is it with?

F:  National City.

REP #2:  Yeah, well, we own parts of National City.  So I’m sure your credit card is with us.

[pause]

F:  Um, all right, then.  Can you tell me whether you’ve got a processing center in Des Moines, Iowa?

REP #2:  [impatiently] We sure do, ma’am.

[pause]

F:  OK.  Thanks for all your help.

REP #2:  You’re welcome.

There are many morals to this story:

  1. This conversation is indicative of the kinds of conversations that we have with customer service representatives at banks and other businesses.  The representatives read from a script and can’t seem to respond without it.  They contradict each other, don’t seem to know what’s going on, and have little authority to do much of anything.  Increasingly, we’re having these frustrating encounters that are wasting our time.
  2. Citibank’s customer service representatives seem nonchalant about the fact that a person without a Citibank credit card has called up and said she received something in the mail making reference to her Citibank credit card account number.  Shouldn’t Citibank be concerned about this?  It could be a case of credit card fraud or an elaborate phishing endeavor.  Citibank should investigate this.  Instead, they don’t seem to give a damn.
  3. Companies contribute to phishing because they don’t establish clear protocols with their customers for valid communication.  This allows phishers to send fake emails and other communications falsely pretending to be from particular businesses.  If businesses established very clear rules about how they contact their customers, fraudsters would be less able to trick people.

A personal example: I recently got a call from a computer which told me that there might be fraudulent charges on my credit card.  I was to call the number the computerized recording gave me.  This phone number didn’t match the phone number on the back of my card.  It could have been from a phisher.  So to be safe, I called the regular number on the back of my card, and the representative said that the computerized recording was bona fide and connected me to the fraud department.  Of course, the problem here was that my credit card company should not have given me a new number to call, different from the one it had already given me on the back of my card.  Using only the number already on the card would assure me that I wasn’t calling some bogus number and giving out my credit card info to a fraudster.  The epilogue – there was no fraud.  I bought gas for my car and groceries in the same day, which apparently triggered the system.  Go figure!

* * * *

This post was authored by Professor Daniel J. Solove, who through TeachPrivacy develops computer-based privacy training, data security training, HIPAA training, and many other forms of awareness training on privacy and security topics. Professor Solove also posts at his blog at LinkedIn. His blog has more than 1 million followers.

Professor Solove is the organizer, along with Paul Schwartz, of the Privacy + Security Forum and International Privacy + Security Forum, annual events designed for seasoned professionals.
