Real. Or. Phish? Part 2

Steve mentioned the email he received yesterday from one of the companies that was compromised by the Epsilon attack and how difficult it was to determine if this was a real email from Marriott or a phish.
It’s not just over email where the companies are doing badly. Citibank appears to be attempting to notify me about the breach, but are doing it in a way that is indistinguishable from someone trying to get me to give them my banking information.
This morning I received a recorded message purporting to be from Citibank.
The number they’re calling from appears to belong to an outsourced debt collector. Some of the links I’ve found online indicate this is a valid number used by Citibank to collect debts. It’s not unreasonable they’d use current contractors or employees to make calls.
But, if I was a phisher trying to use the compromised data, I’d make sure my outgoing caller ID actually looked like a number Citi calls from. This might be real or it might not.
The message alerted me to a “problem with my credit card” and asked me to call a 866 number as soon as was convenient for me. The problem is that the number they asked me to call is not listed anywhere as belonging to Citibank. It’s not on their website nor not on the back of my credit card. This is suspicious at best, and anyone with any sense will not call that number, instead calling a number Citi publishes as belonging to them.
I could also visit a website to get more information. This site is different
from the website I use to do online banking but does redirect to what appears to be a valid Citibank website, complete with SSL certificate. This is better than an unrelated phone number.
About 30 minutes later I received a second phone call from the same Irving, TX phone number. This time someone was on the other end. She asked for Steve. As I normally do when I get a call on my phone for Steve I asked her what it was about.
She told me that it was about our credit card and she needed to talk to him.
I informed her we had been informed by our bank that our personal information had been compromised and that we would not be discussing anything related to banking over the phone. I also said if they needed to contact us they could use the physical address on the account.
Then the caller asks, “Are you his wife?” I explained, again, that I was not going to answer any questions and that all requests should be sent to us by mail.
“But I need to know so I can stop you from being called!” she says. This is exactly the kind of thing someone who was trying to social engineer information from us would say. I repeated my statement of not wanting to talk to anyone about our financial information and hung up.
The thing is, I really do actually think this was a legitimate call from Citi attempting to protect us. But, as with many things banks do, they are encouraging poor security on the part of the consumer. They’re sending me to a short website, which is similar to a what phishers do. They’re calling from random numbers, which is what phishers might do. They’re calling and asking for information over the phone, which is very bad. They’re training users to compromise security information.
Other people have received the Citi call, and have noticed how Citi is training customers to be victims.