But is identity theft really a problem when all a bad guy can do is get my name, address, and phone # at the most? It seems like that's just not enough to put me seriously at risk.
It might be enough to let them steal your credit rating. Don't underestimate how much they can get from how little information.
And talk about...I dunno what, I get periodic reports from Medicare in which my Medicare ID number - my SSN, but with a following "A", which obviously disguises it - is fully displayed, but in which my SSN is truncated to its final four digits. Now whose idea of security is that?
Pretending to hide your SSN on a page that displays it elsewhere is indeed really lousy security. But the final "A" means that it refers to the primary beneficiary. Your social security account may have several beneficiaries: yourself, of course, and probably your spouse, and possibly other dependents such as your disabled or orphaned children. You're "A", your spouse is probably "B", and your other dependents would go up from there. There may be a number following the letter, as in, children might be C1, C2, ... . It's been decades since I've had to write code to deal with SSNs, but I recall having to allow space for up to a 3-character suffix. Same SSN; different beneficiaries.
PS: I got another weird e-mail today, at the same address to which the phishing e-mail came, this one claiming to be from Amazon and including a .zip, which I unzipped to a .exe, which I trashed.
Why did you unzip it? Nothing safe is ever going to come to you as a .zip in a weird email message. Unzipping attachments is almost on a par with clicking on strange links. (Almost. Clicking on the link can confirm that you received the message and read it. You've already received the attachment, though, so they get no new confirmation. But it might expand to something other than an .exe, something that has an (admittedly rare) drive-by vulnerability. Or, if you're not careful, it could be a link disguised as an attachment.)
