Tag: Phishing

  • Confirming a caller’s identity

    The ATO called me last week and asked for my middle name and date of birth to confirm my identity. I told the operator that I wasn’t in the habit of giving out my personal details to incoming callers.

    Rather than try to convince me that anyone could answer my mobile phone, the operator agreed it would be foolish to give out such details. He gave me his extension number, and a phone number where I could verify he was from the tax office.

    Being the cynical sort, or paranoid (I’ll let you decide), I googled the ATO’s website to confirm the number. It was legitimate. I called back and reconnected to the operator immediately. The entire process took less than 30 seconds.

    It got me thinking: Googling ‘<number> site:ato.gov.au’ in the hope that the ATO had slipped up and put the non-public number on their website was an inefficient step.

    A more efficient way to confirm the number would be for the operator to give out an ATO URL: ato.gov.au/<number> being the logical choice. At the URL, there could be a short message informing the visitor that the number is an ATO phone number. Robots.txt would be used to exclude search engines from indexing that URL.

    It’s a simple fix that costs the ATO very little and protects them and their taxpayers.
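
A sketch of the lookup page proposed above, added here as an example; it is not part of the original post or of any ATO system. The numbers are constructed placeholders, `normalise` and `verify` are hypothetical names, and the `X-Robots-Tag` header is an assumption: it keeps each page out of search results without a per-number robots.txt entry, since robots.txt is itself publicly readable.

```python
import re
from typing import Optional
from urllib.parse import unquote

# Constructed placeholder numbers standing in for the agency's callback lines.
KNOWN_NUMBERS = {"0255500123", "0255500199"}

CONFIRM = "This is one of our phone numbers. It is safe to call it back."
UNKNOWN = "This is not one of our numbers. Do not give the caller personal details."


def normalise(raw: str) -> Optional[str]:
    """Reduce a number as typed or read out over the phone to national digits."""
    digits = re.sub(r"[\s().-]", "", raw)   # drop spaces, brackets, dots, hyphens
    if digits.startswith("+61"):            # international form -> national form
        digits = "0" + digits[3:]
    # Anything that is not a plain run of digits is rejected, never echoed back.
    return digits if re.fullmatch(r"\d{6,10}", digits) else None


def verify(path: str, known=KNOWN_NUMBERS):
    """Return (status, headers, body) for a request to /<number>."""
    headers = {
        "Content-Type": "text/plain; charset=utf-8",
        "X-Robots-Tag": "noindex, nofollow",   # keep the page out of search indexes
        "Cache-Control": "no-store",           # a retired number must stop confirming
    }
    number = normalise(unquote(path.lstrip("/")))
    if number is not None and number in known:
        return 200, headers, CONFIRM
    # Fixed text for every miss: the visitor's input is never reflected in the page.
    return 404, headers, UNKNOWN


if __name__ == "__main__":
    for p in ["/0255500123", "/+61 2 5550 0123", "/0255500000"]:
        status, _, body = verify(p)
        print(p, status, body)
```
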