Secure Marketspace with Mike D'Agostino

Did You Receive This Phishing Email?

You know someone. Out of millions of Merrill Lynch customers, you should know at least one. Combine Bank of America's many more millions of banking customers, and you have to know someone. I know quite a few myself. All of these people are waiting to be absorbed into what is ultimately a new regime. This state of transition can and will be confusing for existing customers, and phishers and other social engineers will try to capitalize.

I know the thought of a new entity - "Bank of Merrill" - is pushing it a bit in terms of absurdity and how dense account-holders may be. However, it does show how vulnerable banking customers may be during these tumultuous times:

Yes, this is a doctored screenshot. No, this is not a "real" email; I created it myself.

Now consider the damage that can be done after you combine all the customers of Bank of America, Merrill Lynch, and don't forget the other financial institutions that have closed and/or been absorbed thus far in 2008. Let's put on our marketing hats for a moment...

Depending on whom you ask, typical expectations from a marketing perspective say that an average email open rate of 10%-20% and a click-through rate (CTR) of 1%-5% are goals to strive toward. So, if you send an email to 100 people, expect 10-20 people to open the email and read it, and 1-5 people to click on a link within the email. And this would be for an email that the recipient may or may not be wholly interested in.

But an email such as the example above is not from a random ecommerce site that someone registered with to purchase one measly product. The email is supposedly from a trusted source, on a very important matter. So, from a marketing perspective, I would think the open rates and CTRs would be much, much higher.

Without getting into a lot of math, we can see that even with a very conservative view, out of 50 million+ customers with email addresses between both companies, the number of people potentially taking action on such an email would be staggering. Of course, even if one person was affected by such a scam, it would be too many.

Let's put our banker cap back on...

I suppose from a financial institution's perspective, the ultimate question is: What does a financial institution do about phishing? It seems to be very difficult to prevent phishing attacks with 100% certainty (is this even possible?) within "normal" day-to-day operations, let alone during times of extreme transition. The answer that I offer doesn't have to do with investing in new technology, enhancing your customer education program, or redefining your information security and risk management policies. Those things are all vital and should be addressed in an ongoing manner irrespective of today's financial climate and the possible increase in phishing attacks.

Instead, my answer would be to use these instances to show your customers and prospects just how safe they are doing business with you. As a banking customer, I'm not wholly concerned with a phishing email I may receive should my bank go virtually bankrupt and have to be rescued by another entity. I would be more concerned with the prospect of my bank going out of business!

The bottom line is that other financial institutions - whether they be small community savings banks or nationwide chains - should be responding to the insecurities of banking customers. Word gets around fast that the same executives involved in these closings and buy-outs were the same ones telling customers and investors not too long ago that "Everything is fine." What this means is that any financial institution touting the financial security of their customers will be under the microscope. My suggestion is - if you are confident - be bold and make the statement. Let customers and prospects know that yes, others have made the statement and failed to follow through - however you truly offer a financially secure environment. Nothing will do more for customer confidence than when you make a guarantee and follow through on it.

This is not to minimize the importance of combating phishing. If someone receives something like the message above, it's too late to worry about customer confidence.

What are you doing to prove to your customers and prospects that they are financially safe doing business with your financial institution?
