
Tips to prevent your emails from being phished

Published on 07 Dec 2010
Phishing: How To Protect Your Customers
It is becoming more evident that the ‘PULL’ model of eStatements is a prime target for phishing. Conditioning customers to click on a link and log in to view their bank statement piques the interest of phishers, who then replicate the process but with dodgy links to pseudo sites that capture login details and empty out bank accounts. In this edition of eBilling Insight we investigate how easily your customers can be caught in a phishing scam, and give advice on how you can structure your eStatement process to prevent this from happening.


A phishing email masquerading as a bank’s eStatement alert – would you know the difference?

A case in point. Recently an HSBC eStatement alert was replicated by phishers. It looked exactly as one would expect an eStatement notification to look; the logo was in the right place and the images as well as links were directed to the HSBC site. The exception was the “Proceed to the HSBC website” link which went to a compromised website housing a man-in-the-middle phishing exploit.

Customers wouldn’t have thought twice about clicking on the link and entering their login details, which the phishers would then have captured.

The following statistics were extracted from the latest APWG Global Phishing Survey (October 2010):

“Millions of phishing URLs were reported in the 1st half of 2010, but the number of unique phishing attacks and domain names used to host them was much smaller. The 1st half 2010 data set yields the following statistics:

  • There were at least 48,244 phishing attacks. This is down significantly from the record 126,697 observed in 2nd half 2009, and the fewest in any period since the 1st half 2008. The decrease in attacks was due to reduced activity by the Avalanche phishing gang.
  • The attacks occurred on 28,646 unique domain names. This is virtually unchanged from the 28,775 seen in 2nd half 2009, and down from the 30,131 observed in 1st half 2009. The number of domain names in the world grew from 168 million in mid-2008 to 192 in late 2009 to 196 million in May 2010”

As indicated in our Industry Trends graph alongside, the total number of phishing attacks is declining. However, this does not negate the fact that phishers are getting smarter and producing emails that are almost indistinguishable from the authentic version.

To prevent phishing, customer protection must be maximized

Emails should be digitally signed, come from SPF and DKIM protected domains and have personalization such as your full name and the display of partial customer data on the face of the email. This assures customers that the sender knows who they are sending the email to.
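A receiving-side check for the properties described above, written as an added example that is not part of the original article: it reads the SPF and DKIM verdicts from the `Authentication-Results` header, confirms they align with the sender's domain, and lists any link or image that leaves that domain (the pattern seen in the replicated alert). The sample message, the `bank.example` domain and the function names are constructed for illustration, and the header is assumed to have been added by your own mail server.

```python
import email
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message: every name and address here is made up.
SAMPLE = """\
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=alerts.bank.example; dkim=pass header.d=bank.example
From: Example Bank <statements@bank.example>
To: customer@example.org
Subject: Your eStatement is ready
Content-Type: text/html; charset=utf-8

<html><body><img src="https://www.bank.example/logo.png">
<a href="https://www.bank.example/help">Help</a>
<a href="http://compromised.example/login">Proceed to the bank website</a>
</body></html>
"""

class LinkCollector(HTMLParser):
    """Collects every href/src URL found in an HTML body."""
    def __init__(self):
        super().__init__()
        self.urls = []
    def handle_starttag(self, tag, attrs):
        self.urls += [v for k, v in attrs if k in ("href", "src") and v]

def under(host, domain):
    # True only for the domain itself or a real subdomain of it.
    host = (host or "").lower().rstrip(".")
    return host == domain or host.endswith("." + domain)

def check_message(raw, trusted_domain):
    # Assumption: Authentication-Results was written by our own receiving server.
    msg = email.message_from_string(raw, policy=policy.default)
    from_domain = msg["From"].addresses[0].domain.lower()
    results = str(msg.get("Authentication-Results", ""))
    spf = re.search(r"\bspf=pass\b[^;]*?smtp\.mailfrom=(?:[^\s;@]*@)?([^\s;]+)", results)
    dkim = re.search(r"\bdkim=pass\b[^;]*?header\.d=([^\s;]+)", results)
    body = msg.get_body(preferencelist=("html",))
    links = LinkCollector()
    links.feed(body.get_content() if body else "")
    return {
        "from_trusted": under(from_domain, trusted_domain),
        "spf_aligned": bool(spf) and under(spf.group(1), trusted_domain),
        "dkim_aligned": bool(dkim) and under(dkim.group(1), trusted_domain),
        "off_domain_links": [u for u in links.urls
                             if not under(urlparse(u).hostname, trusted_domain)],
    }
```

A message can pass SPF and DKIM for its own sending domain and still carry a single off-domain link, so the link list is worth reviewing even when both verdicts are aligned.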

Security is a key factor for both the sender and the recipient; here is more information on these protection devices.

The obvious solution is email delivery

Emailing the customer a Secure PDF eStatement each month is a much simpler and safer option. There is no website to visit, no links to click on and no registration, and this option is available to everyone who has an email address (estimated at 84% of economically active customers in the UK).

Across the globe, some of the biggest banking brands have already seen the light and are ‘pushing’ eStatements to their customers; we think it’s just a matter of time until the whole market follows suit.