I've been Phished, Again!

With half of the Internet users in the UK now banking online (UK Payments Administration, Jan 2010), it’s hardly surprising that phishing is on the rise. As new customers migrate to more convenient banking processes, the number of potential targets for phishers grows each week.

I’m targeted by phishing attacks every week, but as part of an anti-phishing working group I know better than to click on the links offered in my “Account Suspended” notice or “Security Upgrade” message.

The scary fact is that not everyone can detect the difference between a real email from their bank and a fraudulent one.

One reason for this problem is that banks have been systematically terrible at educating their clients (especially new and young ones) about how to recognise authentic banking emails and how to identify phishing attempts.

For years many banks stopped sending emails to their clients altogether, only to have the phishers increase their activity to fill the gap. Without valid, authentic emails to compare against, increasing numbers of customers were tricked into clicking on links in an email and handing their login and password details to fraudsters.

The key is NOT TO STOP sending emails but to SEND MORE email: regular, authenticated, validated email that teaches customers what to expect from their bank and lets them spot a phishing email a mile away.

If I understand what to look for in a real Rolex watch, I won’t be duped into buying a fake one. The same principle applies to email: banks need to educate their clients in what to expect when they receive a message from the bank. These recognisable features will be predominantly visual, because that is how people recognise things, but they should also include partial customer data of the kind a phisher cannot obtain for every address on a mass-mailing list. Technical authentication methods such as SPF and DKIM, together with digital signatures, can be layered on top to make email the trusted communication channel it needs to be.

Phishing is a reality in today’s connected economy, but we can combine technology and education to make it less and less economically viable for the fraudsters to phish our banks.


Comments: (2)

A Finextra member, 22 January, 2010, 09:13

Holy cow! 

So you are claiming that you can actually fight phishing by increasing email traffic from banks? I think it only makes the customers more confused when you have to keep adding "security features" to something that is as secure as a postcard (anyone on the way can read it) to start with. How long do you think it takes for the phishers to push out messages with the same "security features" on top?

The only way to REALLY fight this is to educate customers that "Your bank never contacts you via email". This is where the customers can really spot the phishing messages, since all of them are fraudulent.

The way to deliver electronic messages to and from customers is inside the internet bank. Once you are logged in, the secure browsing session provides a stable and usable channel for customer dialogues.  


Michael Wright - Tilte, Taxd, Welleasy - London, 22 January, 2010, 10:17

Hi Kalle,

YES - I'm saying that by NOT sending email to customers and educating them on what to expect, their customers are left wide open to phishing attempts.

Banks have tried the "We will not send email" route and the sad result is that phishing has increased.

So my view is that we can't stop phishing. We can make it more difficult by adding technology and education to the mix. A good start is adding SPF to your DNS and DKIM to the email headers (effectively signing the mail as authentic). These 2 technologies alone will have a huge impact on the amount of phishing email that actually gets to the inbox.

But more important is that education of what to look for in legitimate email is the key to reducing the number of victims of this type of fraud. If customers are receiving legitimate emails that enable them to identify that the emails are from their bank (personal data in the email) then when the phishing emails arrive it will be easy to spot them.

I don't think this will eradicate phishing as a fraudulent activity - but if we reduce its effectiveness then we're part way to winning the battle.

The legitimate emails should have features that can't be easily replicated - like the last 4 digits of my account number and mobile phone number. This information on the face of the email enables me to know that the sender is someone that knows me.

I'm not saying that a fraudster can't get hold of this information - but the process of sending millions of phishing emails out so that you get a tiny % of people to click that link will be much harder if you need everyone's details.

Part of what I'm saying is a reality anyway - banks are sending millions of marketing and service emails every month. What they need to do is be consistent in their identification, authentication and verification tools and techniques and ensure that they educate their clients about these every time.
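The SPF and DKIM checks mentioned in the article and in Michael Wright's reply are evaluated by the receiving mail server, which records the outcome in an Authentication-Results header. The added example below (not code from the article, the commenters or Finextra) parses that header and decides whether a message whose From: line claims to be from the bank is actually vouched for; the bank domain `bank.example`, the sample messages and their header values are constructed for the example.

```python
from email import message_from_string
from email.utils import parseaddr

BANK_DOMAIN = "bank.example"   # the bank's assumed sending domain (constructed)

def _domain_of(addr: str) -> str:
    # Lower-cased domain of 'Name <user@host>' or 'user@host', else ''.
    return parseaddr(addr)[1].rpartition("@")[2].lower()

def _aligned(domain: str, target: str) -> bool:
    # Relaxed alignment: the same domain, or a subdomain of the target.
    return bool(domain and target) and (domain == target or domain.endswith("." + target))

def parse_auth_results(header: str) -> dict:
    """'authserv-id; method=result prop=value ...; ...' -> {method: (result, props)}."""
    results = {}
    for clause in header.split(";")[1:]:            # clause 0 is the authserv-id
        tokens = clause.split()
        if not tokens or "=" not in tokens[0]:
            continue
        method, result = tokens[0].split("=", 1)
        props = dict(t.split("=", 1) for t in tokens[1:] if "=" in t)
        results[method.lower()] = (result.lower(), props)
    return results

def classify(raw_message: str, bank_domain: str = BANK_DOMAIN) -> dict:
    """Decide whether a message that claims to come from the bank is authenticated."""
    msg = message_from_string(raw_message)
    from_domain = _domain_of(msg.get("From", ""))        # what the customer sees
    auth = parse_auth_results(msg.get("Authentication-Results", ""))
    spf_result, spf_props = auth.get("spf", ("none", {}))
    dkim_result, dkim_props = auth.get("dkim", ("none", {}))
    spf_domain = spf_props.get("smtp.mailfrom", "").rpartition("@")[2].lower()
    dkim_domain = dkim_props.get("header.d", "").lower()
    spf_aligned = spf_result == "pass" and _aligned(spf_domain, from_domain)
    dkim_aligned = dkim_result == "pass" and _aligned(dkim_domain, from_domain)
    if not _aligned(from_domain, bank_domain):
        verdict = "not-bank-domain"      # e.g. a lookalike; SPF/DKIM cannot vouch for it
    elif spf_aligned or dkim_aligned:
        verdict = "authenticated"        # DMARC-style: one aligned pass suffices
    else:
        verdict = "spoofed"              # From: says bank, but nobody vouched for it
    return {"from_domain": from_domain, "spf_aligned": spf_aligned,
            "dkim_aligned": dkim_aligned, "verdict": verdict}

# Constructed sample messages (not real traffic); each header kept on one line.
GENUINE = ("From: Alerts <alerts@bank.example>\nAuthentication-Results: mx.example.net;"
           " spf=pass smtp.mailfrom=alerts@bank.example; dkim=pass (2048-bit key)"
           " header.d=bank.example\nSubject: Your statement is ready\n\nbody\n")
PHISH = ("From: \"Bank Security\" <alerts@bank.example>\nAuthentication-Results:"
         " mx.example.net; spf=fail smtp.mailfrom=bounce@mailer7.example.org;"
         " dkim=none\nSubject: Account Suspended\n\nbody\n")
```

A message that passes SPF and DKIM for a lookalike domain still comes back as `not-bank-domain`: the two technologies prove who sent a mail, not that the sender is your bank, which is why the article pairs them with customer education.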
