A basic tenet of identity protection is to avoid providing any sensitive information on a phone call that you didn’t initiate yourself. Caller ID is easily spoofed, and you should not trust anything the caller says, no matter how charming and believable they might sound. If necessary, hang up and call the relevant party using a known phone number; then you can be confident about whom you’re talking to.
Today, I received an automated call from Express Scripts, the mail-order pharmacy. Before telling me why they called, they wanted to verify my identity by having me provide my date of birth.
Seriously?
If they’re using my DOB to verify my identity, then clearly that’s a sensitive piece of information. Yet, they invite their customers to provide it in response to an unsolicited phone call that could be from someone pretending to be Express Scripts.
Bad move, Express Scripts. Please buy a clue!
Update – October 9
I sent Express Scripts a pointer to this post and received a response that essentially glossed over the points I made. Below is an edited version of my reply. (The original used color to distinguish the two sides; here Express Scripts' statements are labeled "Express Scripts" and my responses are labeled "Me".)
Express Scripts: Appreciate your concern. Express Scripts has long provided an automated outbound call service to provide our members, particularly those without access to a computer, with an update on an order status.
Me: That's perfectly fine. What you could do is ask them to call the number on the back of their member ID card to get the information. They *should* call a number they look up in their own records rather than dialing a number you provide in the automated call.
Express Scripts: As required by privacy laws, we need to conduct identity verification to release this information, which is why we request the person to put in their DOB before the order status is provided.
Me: Here's a security tip from the U.S. government's identity theft website:
• Don't share personal information (birthdate, Social Security number, or bank account number) because someone asks for it.
You will get that same advice from any expert in identity theft.
Express Scripts: When we call a member, the system identifies itself as Express Scripts before asking for this information.
Me: Have you ever heard of phone scammers identifying themselves as Microsoft, Apple, Social Security, the IRS, etc.? Anyone can identify themselves as someone else, and scammers do exactly that. Anyone, with minimal investment, can spoof caller ID, and scammers do exactly that. Like it or not, Express Scripts is not doing anything different from what scammers do all day every day, including asking callees to provide personally identifying information (PII).
By conducting these automated calls in the manner you do, your company is conditioning your customers to provide PII to unsolicited callers, which can lead to identity theft. Is that really what you want to do?