Are eStatements still safe?
Published on 01 Mar 2011
Phishing is a global concern for financial institutions and other billers. When offering customers the convenience of eBilling, billers also want to ensure that the solution successfully combats the risk of phishing and fraud. This edition of eBilling Insight asks, “Are you training your customers to be phished?” and looks at how you can ensure your eStatements are secure.
Are you training your customers to be phished?
Billers who rely on email notifications to drive consumers to their websites (‘Pull’ eBilling) will continue to be targets for phishing and other fraudulent activities. The single most phishable electronic process is to teach your customers to expect an email once a month saying “Your Statement is now ready – click here to view it”, which takes the recipient to a login page. ‘Push’ email bill presentment and payment solutions do not require your customers to visit or log in to any website: the entire contents of the bill or statement are delivered in the email package, which is the primary reason this delivery process is not susceptible to phishing. The reality, however, is that while the eStatement format itself cannot be phished, the process can be copied to look like the biller’s process. Phishers then dupe people into entering their security details on a false website, via a link in the email.
Like Internet Banking, the electronic nature of email statements makes this process a target for phishing.
How to ensure your eStatements are safe:
- Digitally sign all statement emails to provide sender authentication. Educate your customers to look for and check the digital certificate.
- Remove all links from your email: links confuse people who cannot tell the difference between a legitimate web link and a fraudulent one.
- Add an anti-phishing section to the cover emails. This section highlights why this is a legitimate email, for example: “This email is meant for Mr A Sample.” Fraudsters will battle to recreate personalised data.
- The anti-phishing section must also say “never input your ATM PIN on a website”. If a phishing email copies the layout exactly, this will raise a red flag for the recipient when the content asks them to input their ATM PIN.
Teaching consumers to differentiate between a valid email and a fraudulent email is critical in the war against email phishing scams.
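As an added illustration (not part of the original article), the following Python script turns the four controls above into checks on an inbound statement email: it flags a message that is not S/MIME signed, contains links, lacks the personalised greeting, or asks the reader to type a PIN. The two sample messages, the customer name “A Sample” and the placeholder signature body are constructed for this example, and accepting a DKIM header as a weaker fallback for signing is my own assumption.

```python
import email
import re
from email import policy

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)
# A request to type a PIN, unless it is the advised warning "never input ... PIN".
PIN_REQUEST_RE = re.compile(
    r"(?<!never )\b(enter|input|confirm|provide)\b[^.\n]{0,40}\bpin\b", re.I)


def body_text(msg) -> str:
    """Join all text/* parts; the pkcs7-signature part is not text, so it is skipped."""
    return "\n".join(p.get_content() for p in msg.walk()
                     if p.get_content_maintype() == "text")


def assess_statement_email(raw: bytes, customer_name: str) -> dict:
    """Check one inbound eStatement against the four controls the article lists."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    text = body_text(msg)
    # S/MIME (multipart/signed) is the recommended control; DKIM is a weaker domain-level fallback.
    signed = (msg.get_content_type() == "multipart/signed"
              or msg.get("DKIM-Signature") is not None)
    findings = {
        "unsigned": not signed,
        "contains_links": bool(URL_RE.search(text)),
        "not_personalised": customer_name.lower() not in text.lower(),
        "requests_pin": bool(PIN_REQUEST_RE.search(text)),
    }
    findings["suspicious"] = any(findings.values())
    return findings


# Constructed samples (not real biller mail); the signature body is a placeholder.
LEGIT = b"""Content-Type: multipart/signed; protocol="application/pkcs7-signature"; boundary="b1"

--b1
Content-Type: text/plain

Dear Mr A Sample, your statement is attached. Never input your ATM PIN number on a website.
--b1
Content-Type: application/pkcs7-signature; name="smime.p7s"

PLACEHOLDER-SIGNATURE
--b1--
"""
PHISH = b"""Content-Type: text/plain

Dear Valued Customer, your statement is now ready. Please enter your ATM PIN at https://login.example.invalid/ to view it.
"""
```

Run `assess_statement_email(LEGIT, "A Sample")` and `assess_statement_email(PHISH, "A Sample")` to see the legitimate sample pass all four checks and the copied-layout sample trip every one of them.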