A recent phone call I received about a financial account tested my “pay-dar” — my internal warning system for scammers out to make me pay by stealing my personal information — and taught me a new lesson about how to protect my Social Security number.
The caller identified himself as an employee at a bank where my husband and I have a mutual fund. He said he had a question about a recent transaction. Caller ID showed the name of my bank, so when he asked for my date of birth and the last four digits of my Social Security number, I started to rattle them off. But then I hesitated.
I happened to have been working on a story about identity theft, and the call set off alarm bells. I knew that fraudsters could spoof a phone number — making it appear they’re calling from a recognizable number. I also knew not to give my personal information out unless I had made the call.
I asked the caller to give me a number where I could call him back. He did, and also gave me a case number to reference. I hung up and checked my bank statement. The phone number he gave was not listed, so I called the number on the statement and told the person who answered about the situation, including the case number my caller gave me.
Turns out the call was legitimate. A transaction regarding automatic deposits that I’d thought was completed four days earlier by phone wasn’t, in fact, done. The agent on the phone helped me finish the transaction and all was fine. It took about five minutes longer than if I had just given out my information to the caller.
Was I overly cautious or rightly concerned? The latter, says Steven Weisman, of Amherst, Massachusetts, author of “Identity Theft Alert” and writer of the blog Scamicide.
He says I was wise to withhold information from the caller and instead call a phone number I knew was connected to the account. “Your caller ID can be spoofed so it can be made to appear legitimate,” Weisman says. “My rule of thumb is anytime anyone calls you on the phone or sends you an email and requests information, you shouldn’t give it because you can’t be sure.”
Last four can reveal more
One of the things that had made me question my suspicion was the fact that the caller had only asked for my date of birth and the last four digits of my Social Security number — not all nine digits.
My sense of security was misplaced, Weisman says. “For most of us, the first two sets of digits deal primarily with where you were born and when you born,” he says.
He pointed me to a study by researchers at Carnegie Mellon University that showed that predicting the first five digits of a person’s Social Security number is fairly easy. Before 2011, Social Security number assignments were based on where and when people were born. So, for example, the Social of someone born in Virginia begins with 225. Guessing the second two digits takes a bit more research, but it can be done if you know the person’s date of birth.
Using data available from online social networks, government sources and commercial data, researchers found they could identify in a single attempt the first five digits for 44 percent of deceased people born between 1988 and 2003. For others it took longer, but fraudsters have computer programs to simplify the task.
The Social Security Administration switched to random number assignment in 2011, but for those of us over the age of 4 it’s still risky. If a fraudster knows your state and date of birth and the last four of your Social, he’s in business. “If someone asks for the last four digits, you’re basically turning over the keys,” says Weisman. “If it’s a sophisticated criminal, that’s all they need.”
I gave myself a little pat on the back for ignoring the constant prompting from Facebook to complete my profile by adding where I am from.
My take-away from the whole event: Even though this particular caller actually was who he said he was, being cautious is wise. That extra five minutes finding my statement and calling the bank was time well spent. Getting my identity stolen would have created countless hassles and eaten up a lot more time.