Are you training your customers to be phished?
Published on 12 Jan 2011
How pushing eStatement notifications can lead customers into the wrong behaviour
Financial institutions that send email notifications with links to a website, requiring customers to log in and retrieve their eStatements, are conditioning them to be phished. This ‘PULL’ model of eStatements is now a prime target for phishing because not only is it easy for potential phishers to replicate, but recipients who are familiar with this process become easy targets – they won’t think twice about clicking on links in these emails and ‘surrendering’ their login details.
“Phishers merely copy email notifications and add a phoney link, which takes customers to a pseudo-site where their login details are captured,” explains Mia Papanicolaou, Messaging Specialist, Striata. “The only way to prevent customers from falling prey to such phishing attempts is to implement email processes that can’t be replicated and then educate them accordingly. Merely stating that customers shouldn’t click on links from within an email isn’t doing enough. In addition, email marketing campaigns will more than likely have call-to-action links or links to landing pages. It’s the nature of email marketing to engage customers and so excluding links in these emails is not an option.”
By sending the eStatement as an email attachment and ensuring that the document is encrypted and password protected, companies can help customers avoid this altogether. Customers will be accustomed to receiving the information rather than having to log into a site via a link in an email notification, ultimately reducing the likelihood of phishing.
Additional security can also be applied to the email through verification and authentication, which display information such as the last four digits of the card or account number and the recipient’s name as captured by the company. These details, which a phisher would not know, should appear in every email, teaching the customer to recognise a fraudulent email by the absence of this personal data.
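As an added example (not code from Striata or from this article), the following Python sketch puts the two preceding points into practice: it composes a ‘push’ notification whose body carries the recipient’s name and last four account digits and whose statement travels as an attachment, and it runs an outbound policy check that rejects templates lacking those markers or containing a login link. The customer record, the sender address, the `portal.example.com` link in the contrasting ‘pull’ template and the placeholder bytes standing in for an already encrypted, password-protected PDF are all constructed assumptions; the login-link regex is a simple heuristic, not a product feature.

```python
import re
from email.message import EmailMessage

# Heuristic for a 'pull'-style call to action: any URL whose path mentions a login page.
LOGIN_LINK = re.compile(r"https?://\S*(?:login|logon|signin)\S*", re.IGNORECASE)

# Constructed sample customer record (not real data).
EXAMPLE_CUSTOMER = {"name": "Jane Example", "email": "jane@example.com", "account": "1234 5678 4821", "period": "December 2010"}

def last_four(account: str) -> str:
    """Last four digits of the account number; the full number never goes into an email."""
    digits = re.sub(r"\D", "", account)
    if len(digits) < 4:
        raise ValueError("account number too short")
    return digits[-4:]

def build_push_notification(customer: dict, encrypted_statement: bytes, sender: str) -> EmailMessage:
    """'Push' model: statement attached (assumed already encrypted and password-protected),
    recipient's name and last four digits in the body, and no link asking the customer to log in."""
    msg = EmailMessage()
    msg["From"], msg["To"] = sender, customer["email"]
    msg["Subject"] = f"Your {customer['period']} statement"
    msg.set_content(
        f"Dear {customer['name']},\n\n"
        f"Your statement for account ending {last_four(customer['account'])} is attached.\n"
        "Open it with the password you registered with us.\n\n"
        "Genuine statements always show your name and the last four digits of your account\n"
        "and never ask you to log in through a link in this email.\n")
    msg.add_attachment(encrypted_statement, maintype="application", subtype="pdf", filename="statement.pdf")
    return msg

def check_notification(msg: EmailMessage, customer: dict) -> list:
    """Outbound policy check: return the anti-phishing rules a notification violates (empty = compliant)."""
    body = msg.get_body(preferencelist=("plain",)).get_content()
    rules = [
        (customer["name"] in body, "missing recipient name"),
        (last_four(customer["account"]) in body, "missing last four digits"),
        (not LOGIN_LINK.search(body), "contains login link (pull model)"),
        (any(True for _ in msg.iter_attachments()), "statement not attached"),
    ]
    return [problem for ok, problem in rules if not ok]

def demo() -> dict:
    """Run a push template and a 'pull' template (the kind the article warns about) through the check."""
    push = build_push_notification(EXAMPLE_CUSTOMER, b"%PDF-1.4 constructed placeholder", "statements@example.com")
    pull = EmailMessage()  # bare notification that sends the customer to a login page
    pull["To"], pull["Subject"] = EXAMPLE_CUSTOMER["email"], "Your statement is ready"
    pull.set_content("Dear customer,\n\nYour new statement is ready. Please log in at\nhttps://portal.example.com/login to view it.\n")
    return {"push": check_notification(push, EXAMPLE_CUSTOMER), "pull": check_notification(pull, EXAMPLE_CUSTOMER)}
```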
Papanicolaou acknowledges that many banks and corporate businesses have spent a substantial amount on building online portals and therefore need to realise a return on investment through site visitors. “The value of a portal is the additional services and information it offers the customers. A combination of ‘push’ and ‘pull’ is the ultimate solution. The primary benefit of email billing for online bill pay and self-service portals is that trusted links within the secure electronic bill or statement drive customer adoption of web-based services. This option is far more secure than pulling customers to your portal via links in email notifications.”
“By eliminating security concerns associated with secure electronic delivery, combined with the convenience of email bill presentment and payment, customers can take advantage of the time saving self-service options available online without the threat of being phished,” concludes Papanicolaou.