I stopped by the bank this morning to make a deposit. While fussing with the ATM machine, I was listening to a nearby bank employee making a phone call. His side of the conversation went like: "Hi, this is Bob from $YOURBANK. Your father just opened an account with us, and I'd like to give you the referral credit for it, but I don't have your account number here. Could you read it off your ATM card to me?"

Wow. Step one: decide what is secret and what isn't, and then be consistent in how you ask users to handle each. Training users to reveal secrets to anyone with a convincing pitch may not be serving them well in the long run.

It also reminds me of the joke: the definition of "secret" is a piece of information that, when you tell it to someone, you also tell them to not tell it to anyone else.