Interesting tactics, Weaver. I have also sometimes resorted to demonstrating email spoofing, to show just how easy it is. Sending an email “to” somebody in a room, “from” somebody else in the room, tends to make the point.
I’d like to find a way, for phone calls, of demonstrating “Calling number” spoofing. But that’s less easy, and I’m not sure it wouldn’t break T&C, or possibly even criminal law. But so many people are entirely convinced that it is (say) the bank calling them, just because they recognise the bank’s CLI.
Mind you, if everybody knew that email could be so easily faked, CLI spoofed, and phishing sites could look so convincing, fewer people would switch to online banking. And indeed I personally still refuse to use online banking, no matter how many rules they have for “strong” passwords, and “customer protection algorithms”.
Timely to say so, as one of my pensions does in fact have an online portal, useful just for checking fund valuations. In order to log in, I must supply my account number, a PIN, and my date of birth. Last week I logged in and noticed, just after entering my DOB, that I’d got it wrong. I was a decade out. Muscle command was already in the pipeline, and brain override was lagging, so I hit the connect button before correcting it and... it logged me in. I then tried again and, sure enough, I can log in with an incorrect DOB. Not that it worries me, as DOB is no security at all. But it is slightly worrying that a financial institution should (a) think that DOB adds anything to a secure login, and (b) screw up something that they (wrongly) think adds to security. Still, it probably makes 99% of their users feel better about security, which is probably the pension company’s intent.