21 October 2017
Michael Wright

eBilling - Turn off the Paper

Michael Wright - Striata | Secure Document Delivery


I've been Phished, Again !

20 January 2010

With half of the Internet users in the UK now banking online (UK Payments Administration, Jan 2010), it’s hardly surprising that phishing is on the rise. As new customers migrate to more convenient banking processes, the number of potential targets for phishers grows each week.

I’m a target of phishing attacks every week, but as a member of an anti-phishing working group, I know better than to click on the links offered in my “Account Suspended” notice or “Security Upgrade” message.

The scary fact is that not everyone can detect the difference between a real email from their bank and a fraudulent one.


One reason for this problem is that banks have been systematically terrible at educating their clients (especially new and young ones) about how to recognise authentic banking emails and how to identify phishing attempts.

For years many banks stopped sending emails to their clients, only to have the phishers increase their activity to fill the gap. Without valid, authentic emails to compare to, increasing numbers of customers were being tricked into clicking on links in an email and providing their login and password details to fraudsters.

The key is NOT TO STOP sending emails but to SEND MORE email: regular, authenticated, validated email that educates users on what to expect in messages sent by their bank and allows them to spot the phishing emails a mile away.

If I understand what to look for in a real Rolex watch, I won’t be duped into buying a fake one. The same principle applies to emails – banks need to educate their clients in what to expect when receiving an email from the bank. These features will be predominantly visual, because that is how people work, but should also include partial customer data that phishers cannot amass for an entire customer base, however large their mailing list. Technical authentication methods such as SPF and DKIM, as well as digital signatures, can be combined with this to make email the trusted communication tool it needs to be.

Phishing is a reality in today’s connected economy, but we can combine technology and education to make it less and less economically viable for the fraudsters to phish our banks.

Tags: Security

Comments: (2)

A Finextra member | 22 January, 2010, 09:13

Holy cow!

So you are claiming that you can actually fight phishing by increasing email traffic from banks? I think it only makes the customers more confused when you have to keep adding "security features" to something that is as secure as a postcard (anyone on the way can read it) to start with. How long do you think it takes for the phishers to push out messages with the same "security features" on top?

The only way to REALLY fight this is to educate customers that "Your bank never contacts you via email". This is where the customers can really spot the phishing messages, since all of them are fraudulent.

The way to deliver electronic messages to and from customers is inside the internet bank. Once you are logged in, the secure browsing session provides a stable and usable channel for customer dialogues.
Michael Wright - Striata | Secure Document Delivery - London | 22 January, 2010, 10:17

Hi Kalle,

YES - I'm saying that by NOT sending email to customers and educating them on what to expect, their customers are left wide open to phishing attempts.

Banks have tried the "We will not send email" route and the sad result is that phishing has increased.

So my view is that we can't stop phishing. We can make it more difficult by adding technology and education to the mix. A good start is adding SPF to your DNS and DKIM to the email headers (effectively signing the mail as authentic). These 2 technologies alone will have a huge impact on the amount of phishing email that actually gets to the inbox.

But more important is that education of what to look for in legitimate email is the key to reducing the number of victims of this type of fraud. If customers are receiving legitimate emails that enable them to identify that the emails are from their bank (personal data in the email) then when the phishing emails arrive it will be easy to spot them.

I don't think this will eradicate phishing as a fraudulent activity - but if we reduce its effectiveness then we're part way to winning the battle.

The legitimate emails should have features that can't be easily replicated - like the last 4 digits of my account number and mobile phone. This information on the face of the email enables me to know that the sender is someone that knows me.

I'm not saying that a fraudster can't get hold of this information - but the process of sending millions of phishing emails out so that you get a tiny % of people to click that link will be much harder if you need everyone's details.

Part of what I'm saying is a reality anyway - banks are sending millions of marketing and service emails every month. What they need to do is be consistent in their identification, authentication and verification tools and techniques and ensure that they educate their clients about these every time.
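The combination the post and the reply above describe (SPF and DKIM results that align with the bank's domain, plus personal markers such as the last digits of an account number) can be turned into a receiving-side triage check. The example below is added here and is not code from the original post or from Striata; the bank domain, the two messages and the personalisation markers are constructed, and it assumes the receiving mail server stamps a standard Authentication-Results header on incoming mail.

```python
import email
from email import policy

# Constructed sample messages (not from the original post): an authenticated,
# personalised bank notice and a look-alike phish with a spoofed From header.
LEGIT = b"""Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=notify.examplebank.test; dkim=pass header.d=examplebank.test
From: Example Bank <alerts@examplebank.test>
To: customer@example.net
Subject: Statement available

Hello Jane, your account ending 1234 (mobile ending 5678) has a new statement.
"""

PHISH = b"""Authentication-Results: mx.example.net; spf=fail smtp.mailfrom=bulk.mailer.test; dkim=none
From: Example Bank <alerts@examplebank.test>
To: customer@example.net
Subject: Account Suspended

Dear customer, your account has been suspended. Click here to restore access.
"""


def auth_results(msg):
    """Parse the MX's Authentication-Results header into a flat dict,
    e.g. {'spf': 'pass', 'smtp.mailfrom': '...', 'dkim': 'pass', 'header.d': '...'}."""
    out = {}
    for clause in msg.get("Authentication-Results", "").split(";")[1:]:
        for token in clause.split():
            if "=" in token:
                key, value = token.split("=", 1)
                out[key.strip()] = value.strip().lower()
    return out


def check_bank_email(raw, bank_domain, expected_markers):
    """Return the individual findings and an overall verdict for one message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    res = auth_results(msg)
    mail_from = res.get("smtp.mailfrom", "")
    # SPF must pass for the bank's domain or one of its subdomains (relaxed alignment).
    spf_ok = res.get("spf") == "pass" and (
        mail_from == bank_domain or mail_from.endswith("." + bank_domain))
    # DKIM must pass and the signing domain (header.d) must be the bank's own.
    dkim_ok = res.get("dkim") == "pass" and res.get("header.d") == bank_domain
    # The visible From domain must match what the customer was taught to expect.
    from_aligned = msg["From"].addresses[0].domain.lower() == bank_domain
    # Personal markers (e.g. last digits of the account) that a bulk phisher lacks.
    body = msg.get_body(preferencelist=("plain",)).get_content()
    markers_ok = all(marker in body for marker in expected_markers)
    trusted = (spf_ok or dkim_ok) and from_aligned and markers_ok
    return {"spf_ok": spf_ok, "dkim_ok": dkim_ok, "from_aligned": from_aligned,
            "markers_ok": markers_ok, "verdict": "trusted" if trusted else "suspect"}
```

Note that the spoofed message aligns on the From header alone; it is the missing authentication results and the absent personal markers that flag it.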
