A recent phone call I received about a financial account tested my “pay-dar” – my internal warning system for scammers out to make me pay by stealing my personal information – and taught me a new lesson about how to protect my Social Security number.
The caller identified himself as an employee at a bank where my husband and I have a mutual fund. He said he had a question about a recent transaction. Caller ID showed the name of my bank, so when he asked for my date of birth and the last four digits of my Social Security number, I started to rattle them off. But then I hesitated.
I happened to have been working on a story about identity theft, and the call set off alarm bells. I knew that fraudsters could spoof a phone number – making it appear they’re calling from a recognizable number. I also knew not to give my personal information out unless I had made the call.
I asked the caller to give me a number where I could call him back. He did, and he also gave me a case number to reference. I hung up and checked my bank statement. The phone number he gave was not listed, so I called the number on the statement and told the person who answered about the situation, including the case number my caller gave me.
Turns out the call was legitimate. A transaction regarding automatic deposits that I’d thought was completed four days earlier by phone wasn’t, in fact, done. The agent on the phone helped me finish the transaction and all was fine. It took about five minutes longer than if I had just given out my information to the caller.
Was I overly cautious or rightly concerned? The latter, says Steven Weisman, of Amherst, Massachusetts, author of “Identity Theft Alert” and writer of the blog Scamicide.
He says I was wise to withhold information from the caller and instead call a phone number I knew was connected to the account.
“Your caller ID can be spoofed so it can be made to appear legitimate,” Weisman says. “My rule of thumb is anytime anyone calls you on the phone or sends you an email and requests information, you shouldn’t give it because you can’t be sure.”
Last four can reveal more
One of the things that had made me question my suspicion was the fact that the caller had asked for my date of birth and only the last four digits of my Social Security number – not all nine digits.
My sense of security was misplaced, Weisman says.
“For most of us, the first two sets of digits deal primarily with where you were born and when you were born,” he says.
He pointed me to a 2009 study by researchers at Carnegie Mellon University that showed that predicting the first five digits of a person’s Social Security number is fairly easy.
Before 2011, Social Security number assignments were based on the ZIP code of the mailing address shown on the SSN application. So, for example, the Social Security number of someone in Virginia requesting an SSN begins with 225. The second set of numbers in an SSN is the Group Number, and it ranges from 01 to 99.
Using data available from online social networks, government sources and commercial data, the Carnegie Mellon researchers found they could identify in a single attempt the first five digits for 44 percent of deceased people born between 1988 and 2003. The researchers’ percentage of success identifying all nine digits slipped to 8.5 percent in 1,000 attempts, but fraudsters have computer programs to simplify the task.
The Social Security Administration switched to random number assignment in 2011, but if a fraudster knows where your SSN was requested (which could be where you were born, the location of your first job, etc.) and the last four of your Social Security number, he’s in business.*
“If someone asks for the last four digits, you’re basically turning over the keys,” says Weisman. “If it’s a sophisticated criminal, that’s all they need.”
I gave myself a little pat on the back for ignoring the constant prompting from Facebook to complete my profile by adding where I am from.
My takeaway from the whole event: Even though this particular caller actually was who he said he was, being cautious is wise. That extra five minutes finding my statement and calling the bank was time well spent.
Getting my identity stolen would have created countless hassles and eaten up a lot more time.
* Correction: The first three numbers of a Social Security number issued prior to 2011 are based on the ZIP code of the mailing address shown on the application for a Social Security number. This blog post originally incorrectly stated that SSN assignments were based on where and when people were born. See CreditCards.com corrections policy.