Here’s an example of a phone call I receive every now and then:
At this point, I’m wondering if the company has a picture of a donkey on my file, seeing that I’m being treated like an idiot. Only an idiot would just give out personal details without being 100% sure who the entity on the other end is. And guess what, the only way to be sure that it’s your bank you’re talking to is to call them yourself. Period.
Some callers tell you details of your account as a way of identifying themselves. Ridiculous. You know why? Because it’s ridiculous. Anyone can get hold of such details. In fact, if I hear the caller telling me personal details about myself, I hang up even faster. A good analogy is if I asked you for the second half of your password, having told you I knew the first half.
So listen up St. George Bank, GE Money, Debit Success and any other organization that calls its customers: don’t call me (or anyone) up and ask for personal details. Just don’t do it. I’m not giving them to you. Not only are you insulting me (see above) but you’re also portraying yourself as incompetent and inexperienced in implementing security-conscious practices. And you, being the giant entities you are, ought to do better.
Here’s how you should do it:
Call the customer and give them a reference/ticket number and ask them to call you back quoting that number.
That’s it! And don’t give the customer the callback number either; that defeats the whole purpose. State the name of your organization/company and that alone. It takes a 10-second Google search to find contact numbers. If yours cannot be found in 10 seconds, you’re doing something wrong. You need to put your primary contact number on the homepage of your website, in bold and somewhere obvious, not bury it in the Contact us page, the link to which is itself buried further down at the bottom of the page, waiting for Captain Cook to discover it.
And if the customer doesn’t have access to the Internet or isn’t computer literate, including the contact number on the back of all bank-issued debit/credit cards should mostly solve the problem. Banks do already print their phone numbers on their cards, so they could just add a new option to their automated voice system for callback calls.
Also note that the bank still needs to verify the customer’s identity when they call back, but at least the customer is now comfortable in helping the bank do that.
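The callback procedure above, seen from the bank's side, as an added example (not code from this post or from any bank's system). The class name, the 8-digit ticket format, the 24-hour expiry, the single-use rule and the `verify_identity` callable are all assumptions made for illustration.

```python
import secrets
import time

TICKET_TTL = 24 * 3600  # assumed validity window; the post does not give one


class CallbackDesk:
    """Hypothetical bank-side register of outstanding callback tickets."""

    def __init__(self, now=time.time):
        self._now = now
        self._open = {}  # ticket -> (customer_id, reason, expires_at)

    def open_ticket(self, customer_id, reason):
        """Outbound call: the agent states the bank's name and this number,
        asks for nothing, and gives no callback number."""
        while True:
            ticket = f"{secrets.randbelow(10**8):08d}"  # easy to read aloud
            if ticket not in self._open:
                break
        self._open[ticket] = (customer_id, reason, self._now() + TICKET_TTL)
        return ticket

    def handle_callback(self, quoted_ticket, verify_identity):
        """Inbound call on the bank's published number.

        The ticket only routes the call to the right case. It is not a
        credential, so the identity check runs however the call was matched.
        """
        entry = self._open.pop(quoted_ticket.strip(), None)  # single use
        if entry is None or self._now() > entry[2]:
            return "unknown-ticket"
        customer_id, reason, _ = entry
        if not verify_identity(customer_id):
            return "identity-check-failed"
        return f"proceed:{reason}"


if __name__ == "__main__":
    desk = CallbackDesk()
    ticket = desk.open_ticket("cust-42", "card-fraud-alert")  # constructed data
    print("agent reads out:", ticket)
    # verify_identity stands in for the bank's normal inbound checks
    print(desk.handle_callback(ticket, lambda customer_id: True))
```

Because the ticket carries no authority of its own, someone who overhears or guesses it still has to pass the same identity check as any other inbound caller.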
Some alternative methods proposed by HN readers and comments here:
- Instead of giving the customer a ticket number, the organization simply asks the customer to call back. Customer’s identity is his ticket number.
- Bank uses customer’s caller ID as ticket number. Since customer’s identity verification is still required, a spoofed caller ID will not be an issue.