Stop asking customers to behave like fraud victims

Organisations spend a lot of time warning customers about fraud, impersonation and social engineering.

They tell us not to trust unexpected calls.

They warn us not to click suspicious links.

They remind us that numbers can be spoofed and emails can be faked.

Then some of those same organisations phone customers out of the blue and ask them to confirm their date of birth, email address, Eircode or account details before they explain why they are calling.

That makes no sense.

If a company initiates the call, the company should prove who it is before asking the customer to prove who they are. Otherwise, the process looks exactly like the kind of scam customers are told to avoid.

This is not just a customer service issue. It is a security issue.

Much of the information used in “verification” — names, email addresses, addresses, phone numbers and dates of birth — can already be available through data breaches, marketing lists or social media. Asking for it on an unsolicited call may feel routine to the company, but to the customer it feels risky.

And the customer is right to be cautious.

The same applies to emails. Banks and financial institutions often tell customers they will never ask for sensitive information by email or through links. Yet customers still receive survey requests, marketing messages and third-party emails that look very similar to phishing attempts.

The message becomes confused.

Legitimate organisations must stop designing communication processes that fraudsters can easily copy.

A better approach is simple:

“Hello Mr Walsh, I’m calling from ABC Company. This is not urgent, and for your security I won’t ask for personal information on this call. We would like to speak to you about upgrade options on your account. Please call the official customer care number on our website or app and quote reference ABC123.”

That protects the customer. It reinforces good security behaviour. It also builds trust.

Every outbound call, email or message should be tested against one question:

If this were sent by a fraudster, would it look almost the same?

If the answer is yes, the process needs to change.

Customer experience is no longer just about speed and convenience. It is also about safety. A poorly designed contact process can train customers to ignore their own security instincts.

The customer who refuses to provide personal information on an unexpected call is not being difficult. They are doing exactly what organisations have told them to do.

So let’s be consistent.

Do not ask customers to click links if you warn them about phishing.

Do not ask customers to confirm sensitive information on calls they did not initiate.

Do not hide behind “security checks” while failing to prove your own identity first.

If your process can be copied by a scammer, it is not secure.

It is a gift to the bad guys.