Work with the system rather than against it. I have always been a big fan of this approach, as it has proved successful every time it was put into practice.

So you receive one of these phone calls. The girl on the other end introduces herself as Jessica Smith. The company has something to do with financing. The conversation goes as usual. She explains that she is calling in regards to a recent, well-known court case in the UK in which major banks were made to return to their customers various service charges they had collected over the years, plus the reflective 8% interest, for up to £1000. She will send you the forms, which you have to fill in and send back. The background noise from her side hints at a busy call center. It feels legitimate. In fact, it feels like you are getting a call from your bank. All you have to do is give away just your address and full name, and this is only because of the Data Protection Act, as you are kindly informed on the phone.

Most people will happily give away all the information. A reasonable person should ask for confirmation that the person on the other end is in fact entitled to receive personal information. Unfortunately, most of the time you cannot get such confirmation, because in order to confirm it they need your details to unlock your details, even though the organization calling you is completely legitimate and already has them. Complicated! So you get into this very awkward, twisted situation where there is no way out.

The best way to deal with it is to ask the person on the other end to give you their details. Then you have to do some research, and if all looks good you can pretty much trust them, to a degree that depends on your own judgement. It is not very convenient, is it?

The problem here is in the process. Situations like the one described above happen every day, and that is the problem: we get used to the process in the system. Obviously the system is flawed, and as such it can be used for illegitimate purposes quite easily. I imagine a typical identity theft attack may unfold like this:

  1. Ring a random number. Simulate background noise from a call center. Tell the victim a whole lot of crap about the Data Protection Act and how you really care about it, but unfortunately you have to get their name and address.
  2. Send them mail. This stage softens the next cold call.
  3. Ring them again. Get more information.
  4. Repeat all steps until you are satisfied!

Nigerian scammers are way behind attacks like this, which imho should be a lot more successful.