That's a tricky question for a lot of us, inundated as we are by suspicious email claiming to be from Citibank, PayPal or financial institutions we have never heard of.
It turns out more than half of us are deleting messages from banks and financial institutions without even thinking twice. Experts say recipients assume that all such messages are part of phishing email scams.
Phishing messages look like they come from a trusted company, but are actually from identity thieves. Phishers attempt to trick email recipients into clicking on a link, going to a web page and providing personal information.
Even the US government has taken notice of the potential for security breaches. Last week federal regulators announced new rules requiring banks to protect their online customers from fraud more effectively. By the end of 2006 bank sites will have to adopt a 'two-factor' authentication process. In a letter sent to banks, the Federal Financial Institutions Examination Council said banks must go beyond just requiring name, account number, and password.
A two-factor authentication system might rely on biometric devices, or on smart cards or USB tokens that plug into a PC, denying access to online accounts unless the customer also presents that physical device.
A less costly form of two-factor authentication is being developed by PassMark Security, whose system prompts users to answer questions with predetermined secret answers.
For banks, consumer reluctance to trust email from financial institutions is a double-edged sword. On one hand, banks are pleased that their customers are savvy enough not to fork over account information to a fake site. Consider the cost when they do: in 2003 phishing scams cost banks and credit-card companies $1.2bn, according to market research firm Gartner. On the other hand, banks are suffering because of this lack of consumer trust.
A research report from Javelin Strategy and Research says the first impulse of 55 percent of those who receive an email purporting to be from their bank and asking them to log into their account is to delete the message without blinking an eye.
In another survey, 28 percent of consumers said online attacks influence their online banking activity, Gartner reports. The survey found that 14 percent of this group has stopped paying bills online as a consequence, and an additional four percent stopped all online banking activity.
The more jaded we become, the more financial institutions stand to lose. Companies save money every time they send an account statement electronically instead of by mail. A bank that sends out account statements on paper to one million customers could save £253,245 monthly if it sent electronic statements instead.
Personally, I don't trust any email that contains a link to any of my accounts. Just clicking on a link in an email can get you in trouble; phishing emails can be used as lures to get you to visit websites that secretly download malicious programs.
For this reason, I advise against clicking links in suspicious messages. Instead, just type the URL of the page you want to go to in your browser's address bar, or go to the site's home page and then navigate to the page in question.
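The advice above comes down to one check: does a link in the message actually lead to the institution's own site? The script below is an added example, not code from the column or from any bank or vendor it mentions. It parses an HTML email, extracts every anchor, and flags links whose host is outside an allowlist of the bank's real domains, as well as links whose visible text names one host while the href points at another. The message, the allowlist and the domain `examplebank.com` are all constructed for the demonstration; `203.0.113.10` is a documentation address, not a real server.

```python
"""Audit the links in an email against the domains a bank actually owns.

Added example (not from the column). TRUSTED_DOMAINS and SAMPLE_EMAIL are
constructed; 'examplebank.com' stands in for a real institution's domain.
"""
import email
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed allowlist: the domains the customer knows belong to the bank.
TRUSTED_DOMAINS = {"examplebank.com"}

# Matches something that looks like a host name inside anchor text,
# e.g. "www.examplebank.com/login" or "https://online.examplebank.com".
_HOST_IN_TEXT = re.compile(r"(?:https?://)?((?:[\w-]+\.)+[a-z]{2,})", re.I)


class _AnchorCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None   # href of the anchor currently open, if any
        self._text = []     # text fragments seen inside that anchor

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    """Host part of a URL, lower-cased; '' if there is none."""
    return (urlparse(url).hostname or "").lower()


def host_named_in_text(text):
    """Host name the anchor text appears to promise, or '' if it names none."""
    m = _HOST_IN_TEXT.search(text)
    return m.group(1).lower() if m else ""


def belongs_to(host, domains):
    """True if host is one of the trusted domains or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in domains)


def audit_links(raw_message, trusted=TRUSTED_DOMAINS):
    """Return (href, reason) for every suspicious link in the HTML parts."""
    msg = email.message_from_string(raw_message)
    findings = []
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue
        body = part.get_payload(decode=True).decode(
            part.get_content_charset() or "utf-8", errors="replace")
        collector = _AnchorCollector()
        collector.feed(body)
        for href, text in collector.links:
            host = host_of(href)
            if not belongs_to(host, trusted):
                findings.append((href, f"host {host!r} is not a trusted bank domain"))
            shown = host_named_in_text(text)
            if shown and shown != host:
                findings.append((href, f"text shows {shown!r} but link goes to {host!r}"))
    return findings


# Constructed phishing-style message: two lure links and one genuine link.
SAMPLE_EMAIL = """\
From: security@examplebank.com
To: customer@example.net
Subject: Please confirm your account details
Content-Type: text/html; charset=utf-8

<html><body>
<p>Dear customer,</p>
<p>Please <a href="http://examplebank.com.login-verify.example/secure">log in</a>
to confirm your details, or visit
<a href="http://203.0.113.10/examplebank/">www.examplebank.com</a>.</p>
<p>Our site: <a href="https://online.examplebank.com/">online.examplebank.com</a></p>
</body></html>
"""

if __name__ == "__main__":
    for href, reason in audit_links(SAMPLE_EMAIL):
        print(f"SUSPICIOUS {href}: {reason}")
```

The subdomain test in `belongs_to` is deliberate: `examplebank.com.login-verify.example` starts with the bank's name but does not end with it, so it is rejected, while `online.examplebank.com` passes. The same allowlist idea is what the column's "type the URL yourself" advice relies on: the customer, not the message, decides which host is the bank.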
Don't get me wrong: I am not a neophyte. I check and manage nearly all my bank and credit cards over the internet. But when I get an apparently legitimate email that asks me to take action, I call my credit-card company or bank and communicate with them directly.
Call me paranoid; I don't care. But the sad reality is that phishing emails have made us all paranoid.
Here is a case in point. When the Wachovia bank sent out an email inviting its customers to go to a new login page as a result of its merger with First Union, it got an earful. Wachovia's call centre was swamped with calls from message recipients, alerting the bank that criminals were attempting to steal customers' financial information through a bogus link.
Another kerfuffle occurred when EarthLink mistakenly told some of its users that a bank's website was a phishing site. Through its free ScamBlocker toolbar, EarthLink warned customers who tried to visit AssociatedBank.com that the site was "potentially fraudulent". EarthLink advised its users to "not continue to this potentially risky site".
The owner of the site, Associated Banc, was furious and sued EarthLink in a US District Court in Wisconsin. Associated Banc argued that EarthLink's negligence had injured its business reputation. EarthLink said it had licensed the list of phishing websites used by the ScamBlocker toolbar from a third party, and therefore shouldn't be held responsible. Last month US District Judge John Shabaz agreed with EarthLink's position and dismissed Associated Bank's lawsuit.
A growing number of financial institutions are determined to win our confidence and stop phishers. The problem is that, through their antiphishing public education programs, banks have made the public wary of online banking, according to Amir Orad, executive vice-president for marketing at Cyota, an antifraud and consulting firm. That's why banks are now focusing on ways to go after the bad guys.
One of the ways is to seek phishing emails and shut down the sites that they link to. Cyota scans 1.4 billion emails a day, looking for phishing lures. When it finds one, it works with law enforcement and ISPs to shut down access to the site.
Another way is to make it harder for phishers to fake messages from banks. To this end, Bank of America is testing a technology from PassMark Security called SiteKey. The technology requires Bank of America's online customers to choose one of 1,000 digital images from a library. They are also asked to create a short phrase. Those phrases appear in the subject line of email messages; the images are used in the body of the messages. All this is meant to reassure customers the email is legitimate. If the test is successful, Bank of America plans to roll it out across the US later this year.
Other banks try to win customer confidence by including both first and last names in the subject line of email messages, while banks such as Wachovia are testing a system in which customers get emails alerting them that a message is waiting for them in their Wachovia mailbox. The email message doesn't include any links, so customers have to visit the website and log on to read their messages.
All this makes me wonder how much inconvenience consumers will put up with to take advantage of online banking.
The advent of more secure customer authentication is having a predictable impact: phishers are now moving away from large financial institutions that do use antifraud technology and targeting smaller banks that don't.
Cyota has seen a 633 percent increase in the number of attacks against smaller banks since the beginning of 2005. Cyota is also seeing an increase in personalised phishing attacks that use stolen data such as a name or the last four digits of a credit card. The use of such personal information in a phishing message gives it the appearance of credibility.
Another way phishers and spammers collect your personal information is through a technique called 'hostile profiling'.
Experts I spoke to say it's too early to tell whether the good guys are stopping the fraudsters or the bad guys are succeeding at ripping more of us off. "The fraudsters are always raising the bar, making our job harder," Orad says.
Andrew Dresner, a vice-president at First Manhattan Consulting Group, told me he thinks online banking is just too convenient to be slowed down by phishing attacks. "Once people become more acquainted with online banking they are more likely to spot fraud," he says.
The Javelin Strategy and Research study found that for every customer that refused to bank online out of security concerns, three online banking customers increased their usage of online accounts.
So what's your personal policy when it comes to phishy emails? I suggest that a healthy dose of scepticism will go a long way when evaluating any email tied to personal information.