Your eStatement is ready - click here to be phished!
For years I’ve been saying that the ‘PULL’ model of eStatements is a prime target for phishing. Conditioning customers to click on a link to view their bank statement will eventually pique the interest of the phishers who replicate the process but with dodgy links to pseudo sites that capture login details and empty out bank accounts.
Recently I received my first phishing email masquerading as an HSBC eStatement alert. It was exactly as I would have expected an eStatement notification to look: the logo was in the right place, the images all linked to the HSBC site, and all the links went to the HSBC site with the exception of the “Proceed to the HSBC website” link, which went to a compromised website that was housing a man-in-the-middle phishing exploit.
I wonder how many customers innocently clicked on the link and entered their login details? These would have been captured and, with the user then logged into the real HSBC website, they would be none the wiser about the scam taking place.
Luckily, I know better. But I decided to click on the link just to see how good the attempt was. And it was really good! The normal bad grammar and spelling mistakes synonymous with phishing emails were not apparent.
All banks should maximize customer protection
How is a customer to know whether an email really comes from their bank? Sadly, unless customers have been continually educated on what to expect, anything plausible that they receive is likely to be believed. I believe that bank emails should be digitally signed, sent from domains protected by SPF and DKIM, and carry personalization and partial customer data in the body of the email so the customer can see that the bank knows who it is writing to.
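The two tells described above (an alert whose sender domain fails SPF/DKIM, and a call-to-action link that leaves the bank's domain while every other link stays on it) can be checked mechanically on the receiving side. The following is an added example, not code from the original post; the bank and mail-server domains in the constructed sample message are placeholders, and the check assumes the receiving mail server has already stamped an Authentication-Results header on the message.

```python
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

class LinkCollector(HTMLParser):
    # Gather the href of every <a> tag in the HTML body.
    def __init__(self):
        super().__init__()
        self.hrefs = []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs.extend(v for k, v in attrs if k == "href" and v)

def auth_result(header, method):
    # Result token ('pass', 'fail', 'none', ...) for one method in an Authentication-Results header.
    for part in header.split(";"):
        part = part.strip()
        if part.startswith(method + "="):
            return part[len(method) + 1:].split()[0].lower()
    return "none"

def same_org(host, bank_domain):
    # True when host is the bank's domain or a subdomain of it.
    return host == bank_domain or host.endswith("." + bank_domain)

def check_estatement_email(raw_message, bank_domain):
    # Flag the two warning signs from the post: SPF/DKIM not passing, and links that leave the bank's domain.
    msg = email.message_from_string(raw_message, policy=policy.default)
    auth = msg.get("Authentication-Results", "")
    spf, dkim = auth_result(auth, "spf"), auth_result(auth, "dkim")
    body = msg.get_body(preferencelist=("html",))
    collector = LinkCollector()
    collector.feed(body.get_content() if body else "")
    off_domain = [h for h in collector.hrefs
                  if not same_org((urlparse(h).hostname or "").lower(), bank_domain)]
    return {"spf": spf, "dkim": dkim, "off_domain_links": off_domain,
            "suspicious": spf != "pass" or dkim != "pass" or bool(off_domain)}

# Constructed sample alert (placeholder domains): every link points at the bank's own site
# except the call-to-action, the same pattern as the alert described in the post.
SAMPLE = """From: statements@bank.example
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=bank.example; dkim=none
Content-Type: text/html; charset=utf-8

<html><body><a href="https://www.bank.example/"><img src="https://www.bank.example/logo.png"></a>
<a href="https://www.bank.example/help">Help</a>
<a href="https://statements-bank.example.net/login">Proceed to the bank website</a></body></html>
"""
```

Running `check_estatement_email(SAMPLE, "bank.example")` reports the failed SPF, the missing DKIM signature and the single off-domain link, which is exactly the combination a bank's own eStatement alert should never produce.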
In an “always connected” world only 24% have gone paperless
A recent Forrester report, “Paperless Plight: Growing Resistance Outpaces Adoption”, surveyed 3554 online adults and found that only 24% had switched off paper bank statements.
In today’s always on, always connected world, this seems a pitiful number, especially after 10 years of pleading, motivating, cajoling, bribing, forcing and greenmailing customers into signing up for online statements. The issue is firstly that customers have to be online bankers (this already excludes 60-70% of customers) and secondly that they have to register and then fetch their statements each month.
The obvious solution is email delivery
Wouldn’t it just be simpler to email the customer a Secure PDF eStatement each month? No website to visit, no links to click on, no registration, and available to everyone who has an email address (estimated at 84% of economically active customers in the UK). Luckily there are some banks in the UK that have seen the light and will be ‘pushing’ eStatements to their customers in 2011. Who do you think it is?