Killing email won't stop phishing: here's why...
Anyone who works in the email space knows that phishing is one of the biggest security threats organizations face. It’s been that way for a long time and the situation hardly seems to be getting better.
In large part, that’s down to the fact that it’s also probably the hardest form of threat to counteract. After all, it doesn’t target technological vulnerabilities, but human beings. All it takes is one person not paying full attention to an email and an entire organization can be breached.
Given the cost and damage that a breach can cause, it would be wonderful if there was a bullet-proof way of preventing phishing.
Over the years, there have been a few suggestions around how to do this. One of the latest is that organizations, and banks in particular, should simply kill email as a form of communication.
In an article published on Tomorrow’s Transactions, Hyperion Consult Director, Dave Birch says: “It’s time to move to conversational commerce based on messaging and forget about the bad old days of insecure, spam-filled, fraudophilic (and frankly passé) email”.
As alluring as Birch’s nuclear logic might seem, killing email as a form of business-to-customer communication simply isn’t advisable or viable.
68% of teens and 73% of Millennials consider email their preferred communication medium when communicating with brands.
Small wonder then that a recent Wall Street Journal article labelled email as *the* hot new channel for reaching people and the only guaranteed-delivery option the Internet has left.
Even if killing email didn’t come with such pitfalls, it would still be likely to prove entirely futile.
Without email, tech-savvy criminals would increasingly turn their attention to ways of intercepting your bank app connections and applying social engineering tactics to fool you into providing details over other channels. The crime would just move neighbourhoods. At least with email we have 30 years of knowledge of the process, its pitfalls and its safeguards.
Fraudsters would keep using email, safe in the knowledge that a percentage of customers would still assume email communication from their bank to be legitimate.
So, where does that leave banks in the war against phishing?
From a technical perspective, their security teams can use SPF, DKIM and DMARC (Sender Policy Framework, DomainKeys Identified Mail, and Domain-based Message Authentication, Reporting and Conformance), all of which go a long way to securing the email channel against spoofed sender domains.
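Publishing SPF and DMARC records is not enough on its own; a DMARC policy of `p=none` or an SPF record ending in `+all` still lets spoofed mail through. The following is an added example (not code from the original post) that checks constructed sample TXT records for such weak settings; the domain and report address are placeholders.

```python
# Added example: flag SPF and DMARC records that do not actually enforce.
# Records below are constructed strings, not live DNS lookups.

def parse_dmarc(record):
    """Parse a DMARC TXT record into a dict of tag -> value."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        key, _, value = part.partition("=")
        tags[key.strip().lower()] = value.strip()
    return tags

def dmarc_findings(record):
    """Return a list of weaknesses in a DMARC record (empty = enforcing)."""
    tags = parse_dmarc(record)
    if tags.get("v") != "DMARC1":
        return ["not a DMARC record"]
    findings = []
    policy = tags.get("p", "none")
    if policy not in ("quarantine", "reject"):
        findings.append(f"p={policy} only monitors, never blocks spoofed mail")
    pct = int(tags.get("pct", "100"))
    if pct < 100:
        findings.append(f"pct={pct} leaves {100 - pct}% of failing mail unenforced")
    if "rua" not in tags:
        findings.append("no rua= address, so authentication failures are never reported")
    return findings

def spf_findings(record):
    """Return a list of weaknesses in an SPF record (empty = enforcing)."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["not an SPF record"]
    findings = []
    last = terms[-1].lower()
    if last in ("+all", "all"):
        findings.append("'+all' authorises every sender on the Internet")
    elif last == "?all":
        findings.append("'?all' is neutral, unknown senders are not penalised")
    elif last == "~all":
        findings.append("'~all' soft-fails only, pair it with DMARC p=reject")
    return findings

# Constructed sample records: a weak pair beside a hardened pair.
WEAK_DMARC = "v=DMARC1; p=none; pct=50"
STRONG_DMARC = "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com"
WEAK_SPF = "v=spf1 include:_spf.example.com +all"
STRONG_SPF = "v=spf1 include:_spf.example.com -all"
```

Running `dmarc_findings(WEAK_DMARC)` returns three findings, while the hardened records return none.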
Consistency in the form, format and security features of each and every email that leaves the organization is also a key way of weeding out the knock-offs, spoofs and phishing scams.
But by far the most powerful thing they can do is educate their customers.
This means keeping customers up to date with the latest messaging used in phishing attacks, as well as reminding them what the organization will never ask them to do in an email.
Anti-phishing messaging needs to be consistent and communicated across multiple channels (including your app). If your messaging isn’t consistent, then people can quickly forget what to look out for and slip back into risky habits.
It’s also vital that the educational messaging is accessible to the entire customer base. Eliminate the jargon and technical speak, or risk people switching off and not digesting whatever it is you’re trying to tell them.
There are a number of ways to combat phishing, but to suggest that a bank (or any organization, for that matter) kill email simply isn’t feasible.