Teaching customers to trust cold-calls from random mobile numbers is not something we should be doing these days….

A few days ago I had a missed call from a mobile number I didn’t recognise. The caller did not leave a voicemail.

So, I called it back. I usually would not, but looking at reverseaustralia.com I could see that it may be my health insurance provider. The number is not listed anywhere that I could find on their website.

*“Hi, you’ve reached …. could I please have your policy number”*

At which point I asked how I can verify they’re who they say they are, and advised the general issue I had with this situation. They basically just insisted they are who they say they are… so I said I’ll call back on the listed number on the website.

Which I did, and sure enough it was actually the company who had called me. I asked about this mobile number and said my piece about how this feels dodgy… and was advised this is actually a ‘security feature’ used by their ‘backend team’.

They apparently use a system of cycling mobile numbers for outbound calls, and there’s apparently no process in place of how to help customers verify the caller, and nothing on the website about this practice. There’s also little information for their callcenter on what to say to customers asking about it as he was grasping at straws somewhat trying to answer my questions - “It is secure because they ask people security verification questions when they call them.” - which is the problem here!

There has been a growing awareness of vishing, and many organisations are trying to educate people to this threat. If you’re recieving a call from an unverified caller, don’t trust it. Teaching your customers to trust cold-calls from random numbers, asking for your policy details and your security verification answers is poor practice.

I feel like a much better approach would involve:

  • Calls come from a number listed on the website.
  • Leave a voicemail, advising to call a listed number for the company.
  • Write about the process on the website.
  • Give callcenter staff a playbook and info about how privacy is ensured during outbound calls.
  • I believe there’s a method for companies to have their numbers show up as text, I’m not much of a telco expert but surely it’s available if you’re a huge organisation such as this.

Do you have a story like this? I’m keen to hear in the comments about your experiences and other ideas of how companies could be making outbound calls in a much safer manner.

I’ve not embedded the company name in this post, I will likely disclose it in a week or after I have a response from the email I have sent them…. which isn’t a security email, just the general info email as that’s all they list on their site.