Phone Phishing

I was particularly tickled by the following User Friendly comic today:

http://ars.userfriendly.org/cartoons/?id=20080612

I have actually received such a call (purportedly) from Sprint, asking me to verify my social security number. When I told the caller that I had no way of knowing whether he worked for Sprint, he was quite dumbfounded. Perhaps he did work for Sprint, I’m not sure, but companies need to stop making such calls. Otherwise, they just train users to get phished. The same argument applies to emails with links that take you to a page with the ability to log in.

Moral: Don’t trust the other end with personal information unless you make the phone call yourself.

Sergey Bratus, a colleague, has a nice discussion on this issue and how it translates to behavior in the online world: see the section on “Making the Call” in his recent article [1].

References

[1] Bratus, Sergey; Masone, Chris; Smith, Sean W., “Why Do Street-Smart People Do Stupid Things Online?,” Security & Privacy, IEEE, vol. 6, no. 3, pp. 71-74, May-June 2008.
