Probably not news to anyone here, but partial step in this direction is to put down vetted official contact details for the institutions.
replyEvery time someone calls to say there's a problem with your account, you ask for their name and/or extension number, because recontacting through the institution is your only good way of verifying their identity.
That works when the system is setup to allow that.
replyI've encountered banks that don't have that setup — hilariously one bank felt the need to cold call me about my complaint about cold calling from unverifiable numbers. When I asked how I could call them on a verifiable number, they claimed I couldn't. :/
Malware on your phone can reroute your calls to the attacker. So you think you're calling the official number at the correct institution, but you're actually talking to the attacker.
replyWell, yeah, and knowing first-aid is worthless if someone's been decapitated. :p
replyIf some malware is that deep on the phone, able to redirect calls, then you've got much bigger problems and the attacker might not even need to trick any cooperation at all.
What kind of malware are we talking about here? On a non-rooted phone?
replyIt was in the news a few times in my country. Not sure about the exact technical details, but it might have been a malicious Android app that advertises itself as an improvement over the stock Phone app, encouraging users to set it as the default dialer. You don't need root for that.
reply