In my area, there has been a rash of phishing calls targeting bank customers. Coincidentally, today’s WXP News (Vol. 8, #59 – Feb 24, 2009 – Issue #367) addresses the same issue:
You might never click a link in an email purporting to be from your bank, but what if someone from the bank called you on the phone and informed you that your account may have been compromised, and asked for your credentials? The best of these scammers will express concern for “security” and insist that you call them back to “verify” that the call is legitimate. And of course, the number that they give you to call is answered with the bank’s name. Some even go so far as to spoof the caller ID information so your phone displays the name of the bank when they call.
The countermeasure to this is to hang up, dial the bank’s main, published phone number and ask to speak to someone in their security department (some banks call it their “Bank Protection” section). Tell them you believe you may be the target of fraudulent activity. Most banks adhere to some variation of this policy: [XYZ Bank] does not contact customers via email, phone or mail to request or verify security information about passwords, personal identification numbers (PINs), credit card numbers or Social Security numbers.
Check your bank’s website for more information and current security alerts. And don’t give out any information over the phone unless you are absolutely sure who is on the other end.