Friday, June 8, 2007

Snail Phishing?

I got a letter on our mortgage company's letterhead requesting insurance information on our condominium building. The letter instructs us to either fax the info (policy number and period, coverage amount, etc.) or to log into a website using a PIN included in the letter. Something about the letter failed my smell test when it arrived a few days ago. Last night, I looked more closely.

The company's logo looked like a bitmap image (grainy), rather than an original. The zip code on our unit is wrong (though our mailing address was fine). The URL we were to visit wasn't either of the two that I know our mortgage company to use, and the state in the return address from the company matched none of our other documents from them. The letter also claimed its purpose was to ensure "prompt and accurate processing of our condominium insurance", but we hadn't asked anyone to process insurance for us. It just didn't add up.

We were able to construct explanations for most of these oddities: owners don't necessarily live at their properties, so our mailing address and unit address were probably two separate database fields, with one of them entered manually. Collecting insurance info could be outsourced to another company in another state that creates letterhead from bitmaps of its clients' real letterhead. The letter could have been poorly written. And we weren't able to construct a plausible identity attack that would want the insurance info on our whole condo building (as opposed to our unit).

So I called our mortgage company using the number from their website rather than from the letter. A maddening sequence of menus later (on which I got the same options at multiple levels), I get to a customer service representative who checks the notes on my loan file and finds no mention that they've requested this info. She advises me not to comply. I ask how I should go about reporting this to their fraud department, but she says they don't have one. Curious now, Shriram called the number on the letter and went as far as the menus that asked for the loan number and all 10 digits of the social-security number (giving dummy values for each). The rest of the call sounded extremely professional.

So, we are left with suspicious practices from the company requesting the info (the full SSN request), instructions not to trust the letter from a mortgage company with no fraud division, and several small signs that our mortgage company isn't as polished as it could be. Friends who have had several mortgages reported being asked for similar info on a regular basis. We are going to return the letter with a note that the mortgage company has no record of requesting this info and advised us not to comply.

There's a real business lesson in here, though, about how to create the perception of security and trust. If this request is legit, the company has a lot to learn about preempting concerns about identity theft and phishing; if not, they need a fraud department. Either way, the constant hum of data threats raises the stakes on companies that may just be catching up with the infrastructural aspects of IT. These psychological questions will become only more relevant if more people develop the sensors that triggered my night of investigation.
