Why do some banks train people to ignore best practice cyber security?
- Tim Archer

- Feb 28, 2022
- 2 min read
Last week my bank rang me and told me to ignore one of the most golden rules of cyber security.
The story goes like this...
My mobile rang from an unknown number.
The caller was polite and professional. There was no lag time in the call and she had an Australian accent, so it didn’t sound like an offshore scammer. But as someone who regularly helps clients with cyber security and data breaches, my radar is always on.
Before she told me why she was calling she said “can I first ask you to verify your details” then proceeded to ask me questions about my identity.
“Are you kidding me? You called me. Of course I am not going to give my identity to an unverified random caller. Why would you even ask me that?”
“I understand”, she said. “You can always call back on the verified number on our website if you are concerned.”
“Of course I’m concerned, but I don’t want to spend an hour on hold, can you at least tell me what you are calling me about?”
“No,” she said.
“Thank you. Goodbye.”
At that point I should have got on with my day. Instead, I wanted to get to the bottom of this infuriating practice.
I called the bank back on their publicly listed number and was informed “we are currently experiencing a high volume of calls” and that my call would be answered in 60 minutes.
Easy decision... hang up.
Yesterday, a week later, I called again. It took me 45 minutes and 5 different operators until I finally reached Josh, who confirmed it was a legitimate call to remind me to square up my credit card.
Thanks Josh, I did it five days ago.
Sadly Josh couldn’t do anything about this cold calling practice. He said it was “policy” to confirm people’s identity before talking to them about their account details... despite the fact that they initiated the call... just in case someone else answered my phone.
Seriously?
Now it might sound like a small thing to get riled up about, but here is my concern.
On one hand, the Federal government and the banking sector spend millions of $$$ warning us about cyber criminals who run elaborate phishing scams to steal and misuse our personal data. On the other hand, some banks are cold calling people and actively training them to ignore such warnings.
I am particularly concerned about vulnerable people with low levels of cyber awareness.
The banks wouldn’t ask customers to send a postcard to change their PIN. Or suggest they leave their front door open when they go on holidays.
So why are they setting up customers to fail such a basic cyber security measure?
I intend to take this up with the banks to find out how widespread this problem is.
In the meantime, it would be helpful to understand the full extent of this problem. If you have received a call like this, let me know via my LinkedIn post here.

Stock photo (this isn't actually Josh from my bank)

