Phishing Hits Banks

Posted by Chief Marketer Staff

THERE’S GOOD NEWS AND BAD NEWS FOR BANKS ABOUT phishing, the scam in which identity thieves masquerading as trusted companies send out e-mail to induce recipients to click on a link, go to a Web page and give up their personal information.

The good news? More people are becoming aware of the threat. The bad news: This awareness may be leading recipients to delete authentic e-mail communications from their banks on the suspicion they’re fraudulent.

Consumers may not know everything they should about phishing — the crime is growing, according to observers — but they are at least aware that the e-mail channel to and from their bank, credit union or online payment account is under siege like never before.

This is creating problems for financial institutions. For one thing, they’re being forced to revert to paper communications, and this is driving up costs. And customers, suspicious enough of e-mail already, are becoming wary about conducting transactions online at all.

But some banks are coping by coming up with innovative technological solutions.


The problems created by closing off financial institutions from the e-mail channel to their online customers are several. For one thing, by forcing them to resort to paper mail to send their customers special offers or account alerts, it undercuts the savings banks are hoping to rack up from moving those customers online.

A June research report from Javelin Strategy & Research found that 55% of those receiving an e-mail purporting to be from their bank and asking them to log into their account say they delete the message without taking any action. That behavior costs banks money, says Javelin researcher Bruce Cundiffe, who authored the report — as much as 45 cents more to send out a paper bank statement than to e-mail the same information.

Beyond that, there’s the issue of public perception. The inability to communicate with consumers by e-mail risks eroding confidence in a bank’s ability to conduct online finance safely and securely. A recent survey by the Ponemon Institute found three-fifths of respondents consider it “unacceptable” for a bank not to respond to phishing schemes that use the bank’s identity. Nearly 96% of customers said the bank should respond with technological safeguards. So while the crime occurs at the user’s desktop, consumers are adamant that financial institutions must take the lead in providing a solution.

Charlotte NC-based Wachovia Corp. encountered this problem when it sent out e-mail in spring 2005 advising customers of a new log-in Web page after its merger with First Union Bank. The customer service desk promptly received a flood of phone reports of a potential phishing scam.

Realizing that malefactors had polluted its e-mail stream to consumers, Wachovia moved to set up a secure online message center through which all account information must now travel. Online customers get an e-mail that tells them a message has arrived in their Wachovia mailbox, but without an active link to the message center. It’s then the customer’s responsibility to surf to the proper URL, log in with user name and password, and open the message.

Lesson learned on Wachovia’s part: In notifying customers of a subsequent acquisition of SouthTrust Corp., the bank went back to mailing paper letters.

Wachovia’s message-center technique trades some of the efficiency of e-mail for increased security. But that may make it a less than ideal solution, since at least some portion of online banking users won’t take the time — or have the Internet know-how — to find their own way to the message center.

Another large financial institution has taken a different tack to reclaim e-mail as a customer communications channel. Bank of America, also in Charlotte NC, has deployed technology from PassMark Security that should help retain e-mail as a useful medium for getting its operational messages and marketing offers out to bank users.

SiteKey, the PassMark solution used by B of A, is marketed as “two-factor authentication”: the password is supplemented by an identifier stored on the customer’s computer, and the bank’s site authenticates itself back to the customer with a picture. Customers are invited to sign up for the free service by choosing a digital image from a library of thousands: everything from ice skates and cowboy hats to penguins and sailboats. At the same time, they concoct three “challenge questions” that are used for further authentication when the customer logs in from a computer the bank doesn’t recognize.

The next time a registered SiteKey user logs on to the bank’s Web site, he enters only his user name. The bank’s system checks that user ID against the unique identifier SiteKey previously placed on the customer’s computer. If the B of A server finds a match, it displays the image the customer selected at registration; if it doesn’t recognize the device, it falls back to the challenge questions before showing the image. Only after seeing the expected picture does the customer enter his password. The reassurance has a limit: the image proves that the browser’s session reached a server holding the customer’s record, not that the page itself is the bank’s. A phishing site that relays the user name (and, if needed, the challenge questions) to the real bank in real time and copies the image back will display the right picture.
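The two-step exchange described above, as an added example that is not PassMark’s or Bank of America’s code: a toy server that returns the image only for a recognized user-name/device pair, falls back to a challenge question for an unrecognized device (and answers an unknown user name the same way, so the login page doesn’t confirm which names exist), and checks the password only as a separate second step. The device-token format, the hashing of answers and all names are assumptions made for the illustration.

```python
import hashlib
import hmac
import secrets

# Assumption: a fixed decoy question is shown for unknown user names so that
# the first step looks the same whether or not the name exists.
DECOY_QUESTION = "What is the name of your first school?"


def _h(text):
    """Normalise and hash a secret so plaintext answers are never stored."""
    return hashlib.sha256(text.strip().lower().encode()).hexdigest()


class SiteKeyDemo:
    """Toy server for the two-step login: name + device first, then password."""

    def __init__(self):
        self.users = {}
        self.server_key = secrets.token_bytes(32)  # keys the device-token MACs

    def register(self, user_id, password, image, challenges):
        """Enrol a user with a chosen image and challenge question/answer pairs."""
        self.users[user_id] = {
            "pw": _h(password),
            "image": image,
            "challenges": {q: _h(a) for q, a in challenges.items()},
            "devices": set(),
        }
        return self._enroll_device(user_id)

    def _enroll_device(self, user_id):
        """Mint the identifier the real system drops on the customer's computer."""
        device_id = secrets.token_hex(16)
        tag = hmac.new(self.server_key, f"{user_id}:{device_id}".encode(),
                       hashlib.sha256).hexdigest()
        self.users[user_id]["devices"].add(device_id)
        return f"{device_id}.{tag}"  # assumed token format: id.mac

    def _device_known(self, user_id, token):
        """A token counts only if the MAC verifies and the id was issued to this user."""
        if not token or "." not in token:
            return False
        device_id, tag = token.split(".", 1)
        expected = hmac.new(self.server_key, f"{user_id}:{device_id}".encode(),
                            hashlib.sha256).hexdigest()
        return (device_id in self.users[user_id]["devices"]
                and hmac.compare_digest(tag, expected))

    def step1_name(self, user_id, device_token):
        """Step 1: only a recognised (user, device) pair gets the image back."""
        rec = self.users.get(user_id)
        if rec is None:
            return {"status": "challenge", "question": DECOY_QUESTION}
        if self._device_known(user_id, device_token):
            return {"status": "image", "image": rec["image"]}
        question = next(iter(rec["challenges"]))
        return {"status": "challenge", "question": question}

    def step1b_answer(self, user_id, question, answer):
        """Unknown device: a correct challenge answer enrols it and yields the image."""
        rec = self.users.get(user_id)
        if rec is None or question not in rec["challenges"]:
            return {"status": "denied"}
        if not hmac.compare_digest(rec["challenges"][question], _h(answer)):
            return {"status": "denied"}
        token = self._enroll_device(user_id)
        return {"status": "image", "image": rec["image"], "device_token": token}

    def step2_password(self, user_id, password):
        """Step 2: the customer, having seen the image, sends the password."""
        rec = self.users.get(user_id)
        return rec is not None and hmac.compare_digest(rec["pw"], _h(password))


def demo():
    """Walk one customer through registration, a new machine and a login."""
    bank = SiteKeyDemo()
    token = bank.register("jdoe", "correct horse", "sailboat.png",
                          {"Favourite holiday?": "Maui trip"})
    known = bank.step1_name("jdoe", token)       # recognised device: image shown
    fresh = bank.step1_name("jdoe", "")          # new machine: challenge first
    answered = bank.step1b_answer("jdoe", fresh["question"], "maui trip")
    ok = bank.step2_password("jdoe", "correct horse")
    return known["status"], fresh["status"], answered["status"], ok
```

The order of the steps is the point: the server never releases the picture until it has seen something tied to the customer (a valid device token or a correct challenge answer), and the password is never requested in the same step as the user name. Constant-time comparisons and hashed answers are ordinary hygiene for any such store of per-customer secrets.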

“The system offers assurance to the bank that you are really you, using a device with a machine ID that you’ve used before to access your account,” says Mark Goines, PassMark’s chief marketing officer. “And two-way authentication means you can be sure the bank’s Web site is real and thus feel comfortable entering your password and any other personal data your banking business may call for.”

SiteKey also will be applied to Bank of America’s e-mail communications with its customers. After linking that same digital image to a user’s e-mail address, the bank embeds the picture in the HTML of each outbound B of A message, using the same personalization technology that direct mailers use to customize messages with targeted offers.

Bank of America customers who open that e-mail can therefore get the same reassurance of legitimacy that they get on the Internet. This then will allow B of A to make fuller use of e-mail to transact banking business the most efficient way — by including live hyperlinks to Web offers, account log-ins, bill payment centers or other action items directly within the message rather than forcing users to get out of their mailboxes and surf to a site on the Web under their own steam.

Bank of America’s SiteKey rollout began in June in the bank’s Tennessee service region, but it’s expected to be both systemwide and mandatory by the end of the year.

One of PassMark’s potential weaknesses, of course, is that users must either have their preview pane open or trust the purported bank e-mail enough to open it before they see the image. Other users’ mail clients may not render HTML at all, so the image never appears.

To overcome these restrictions, the SiteKey platform has users associate a PassMark phrase with their image choice at registration: something random, simple and personal, such as “Maui trip” to accompany a sailboat picture. That phrase is then used in the subject line of the message to increase opens, and next to the image in the e-mail itself, so a user who can’t see the image can still be reasonably confident the e-mail really is from Bank of America. Because the subject line travels in plain text, the phrase protects only against phishers who have never seen one of that customer’s genuine messages.

PassMark’s solution can place the necessary servers either on the bank’s premises or with its third-party e-mail sender. Most financial institutions PassMark has been talking with want to keep the Internet log-in authentication system within their own walls, Goines says. But when it comes to the e-mail authentication portion, customers have shown they’re as comfortable outsourcing that to third parties as they are any other e-mail function.

“We’re fine with adding this image processing to an outside vendor, provided we can protect the images [on third-party e-mail platforms] with our own secure token technology,” he says. “We separate the user ID names from the images and encrypt them, so no employee can break in and get both authentication keys. You might grab the image, but you’ll never know which e-mail address it relates to.”

As large banks institute authentication measures such as SiteKey or the electronic token system Wachovia reportedly is planning to deploy later this year, experts believe phishers will move down the banking food chain to focus their assaults on smaller institutions such as second- or third-tier banks and credit unions. So in a very real sense, what Bank of America does today for its 13.2 million online customers, Hibernia Bank may be forced to consider tomorrow.

“Phishing is very much like the direct marketing industry,” Goines says. “You can buy a list of 100,000 names, or you can earn the same return from 10 10,000-name lists. Smaller institutions are going to have to [set up] the same safeguards the big brands are putting into place now.”

E-mail Needs Infrastructure Help Too

E-mail’s broken, says Dave Lewis — and he’s not just talking about consumer trust.

That broken trust is important, says Lewis, vice president of market development for e-mail systems provider StrongMail. It closes down e-mail as a useful stream for one-to-one communication between marketers and their markets. Authentication measures such as Sender ID and DomainKeys will do something to reopen those channels, telling recipients (and their ISPs) who’s trying to reach them.
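Sender ID, mentioned above, is Microsoft’s variant of SPF and uses the same record syntax, so the mechanism is easiest to see with a plain SPF check: the receiving ISP looks up the TXT record of the domain a message claims to come from and tests the connecting server’s IP address against it. Below is an added example, not StrongMail’s code or anything described in the article, of a simplified evaluator over constructed records. It substitutes a local dictionary for DNS, handles the ip4, ip6, include and all mechanisms with the four qualifiers, and deliberately leaves out a/mx/ptr/exists, macros and DomainKeys signing. The domains and addresses are made up; bank.example publishes a strict “-all” record, and weak.example shows the “+all” record that authorizes anyone to send as that domain.

```python
import ipaddress

# Constructed TXT records standing in for DNS lookups (assumption: no live DNS).
RECORDS = {
    "bank.example": "v=spf1 ip4:192.0.2.0/24 include:esp.example -all",
    "esp.example":  "v=spf1 ip4:198.51.100.10 ip6:2001:db8::/32 ~all",
    "weak.example": "v=spf1 +all",  # authorizes any sender: useless against phishing
}

RESULT_FOR_QUALIFIER = {"+": "Pass", "-": "Fail", "~": "SoftFail", "?": "Neutral"}


def check_spf(domain, sender_ip, records=RECORDS, depth=0):
    """Evaluate sender_ip against domain's SPF record (simplified SPF/Sender ID)."""
    if depth > 10:  # the spec limits DNS-causing terms; guard include loops
        return "PermError"
    record = records.get(domain)
    if record is None or not record.lower().startswith("v=spf1"):
        return "None"  # domain publishes nothing: the ISP learns nothing
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qualifier = "+"  # a bare mechanism means Pass when it matches
        if term[0] in RESULT_FOR_QUALIFIER:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            matched = True
        elif mech in ("ip4", "ip6"):
            try:
                # A v4 address is simply not contained in a v6 network, and vice versa.
                matched = ip in ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "PermError"
        elif mech == "include":
            # include matches only if the referenced domain's evaluation is Pass
            matched = check_spf(arg, sender_ip, records, depth + 1) == "Pass"
        else:
            return "PermError"  # a/mx/ptr/exists need real DNS; not modelled here
        if matched:
            return RESULT_FOR_QUALIFIER[qualifier]
    return "Neutral"  # fell off the end of the record without a match
```

A “Pass” tells the receiving ISP that the bank (or an outsourcer it lists via include) authorized that server to send for the domain; a “Fail” from a strict record is what lets the ISP discard mail a phisher sends with the bank’s name in the From line.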

But as e-mailers move slowly to adopt those standards, Lewis says, self-mailers and e-mail service providers (ESPs) should be getting their back-end systems ready for the additional load that more robust systems of authentication, reputation and spam prevention are sure to impose.

“Some of the things needed in an era of true e-mail accountability are infrastructure-related,” says Lewis, who also co-chairs the e-mail accountability committee of the Email Service Provider Coalition. Within 12 to 24 months, marketers using e-mail might be compelled to apply sender reputation — not just verifying who’s sending e-mail but what their past behavior has been — and classification of e-mail into streams such as single opt-in, double opt-in, and transactional messages.

A lot of money already has gone into beefing up e-mail’s receiving end against spam attacks and handling a growing tide of incoming mail. But there hasn’t been a commensurate investment by e-mail senders, including both ESPs and those marketers that manage their own campaigns.

“When we’re talking about reputation and segregating and prioritizing your mail stream, that requires an infrastructure that can authenticate your records and insert reputation tags,” Lewis says.

As a StrongMail executive, he’s got a dog in this fight, too. In July, StrongMail introduced a new version of its e-mail application server that includes a sophisticated bounce-back management feature and live updates to let mailers stay on top of the ISPs’ ever-changing standards for bounces and spam.

Lewis makes no bones about proselytizing for StrongMail’s platform, which currently is being used by a slew of large clients from Ticketmaster and Fox Sports to Netflix and Clear Channel Communications. But he says his experience, both as vice president of ISP relations for ESP Digital Impact and in executive positions with Acxiom Corp. and Bank of America, has given him a picture of just how unprepared for the future many ESPs and direct mailers are.

One area better sender infrastructure would help, he says, is ISP relations. That’s been a problem for e-mailers trying to improve their delivery and open rates: ISPs tend to be cryptic about why messages bounced and do not indicate whether a delivered message landed in a spam filter or a user’s inbox. As a result, e-mailers are forced to seed their lists with test addresses to monitor filtering and delivery.

“ISPs need to trust senders enough to feed back — for a price — information about where the mail has ended up,” Lewis says. “I think improving sender infrastructure can help with that. If you don’t have the system to support bounce management and tell what bounced, why, and what the suggested actions are, [the ISPs] are not going to answer your calls.”
Brian Quinton
