It's so easy for bank marketing to take a wrong turn
26 March 2014
Yesterday I came home to a strange voicemail from ING Direct Canada. I decided to phone back right away because I noted the following 3 things about the message:
- The toll free number provided was nowhere to be found on the bank's web site
- The message left was with regards to "my profile and information"
- The reference number left on the voicemail was my online banking user ID
I called back the main toll free number provided on the bank's web site. After a brief hold I was transferred to an agent who looked me up in their system. I was told that I had to be transferred to another department and that yes, the message that I received was legitimate. The person I was transferred to was polite and friendly and wanted to sell me an investment. WHAT??? The good news for the bank is that they got me to call back right away. The bad news is that I don't even know or care about what she offered because I was so thrown off by the voicemail. I had questions. Why was I being directed to a toll free number that I can't find on the bank's web site or through a Google search? Why were the details of the voicemail so mysterious? Why was my user ID being divulged over the phone as a reference number? All of my comments were noted and the rep apologized. Granted I'm not a typical customer, but it's customers like me that can help make a difference when it comes to these issues (or so I would hope!). There's a lot that banks can learn here - on the security front and on the marketing front. This is particularly relevant in an age where banks are so focused on marketing and offers that are based on data:
- You can have great data, but it's useless if you don't master things like privacy and security
- Customers should always be directed to call back a primary telephone number that can be easily validated. Banks are so cautious about email communication with clients - they should be just as cautious with telephone communication
- Under no circumstances should a user ID ever be divulged. It's a key piece of an authenticated login. It of course takes a couple of other pieces to login but that's not the point - why give away any pieces of the puzzle? Furthermore, if a bank or customer were to suffer a breach, a fraudster could attempt to gain access to other account credentials by leaving a convincing voicemail containing a user ID (that obviously did not happen here).
I welcome your thoughts and comments. UPDATE 4/7/2014:
I was contacted by ING Direct last week. They have informed me that they will no longer use a user ID as a reference number. Kudos to them for reacting quickly and switching around the process.