For as long as phishing is a problem, I believe banks have got to rethink their Internet strategies.
In short, any email sent from a bank or other affected online institution leaves customers vulnerable.
For example: Citibank, one of the worst hit banks, still send out emails to their customers. Their Internet privacy page in Singapore, for example, says: “While Citibank does send email to our customers which contain links to our website, Citibank will never ask you for your PIN or other confidential information under any circumstances whatsoever.” This is not the point. Most phishing scams don’t ask directly for confidential information; some ask you to log onto the site to confirm such details, while others (a Citibank phish) warn of scams and urge you to log in to your account to check its status. Other phishing scams don’t even do that; they simply load a keylogger and wait for you to tap into the site in your own sweet time.
For sure, banks must contact customers, if only to warn them against phishing scams. But there are ways and means of doing this. If banks have to use email (what’s wrong with letters; presumably this was how banks communicated with their customers before?), they should be cut to a minimum, so as not to further confuse the customer.
And banks have got to think ahead. Phishing scams have grown in sophistication in a few short months, not just in their graphical mimicry of real banks, but in their technical approach (keyloggers) and in their social engineering tricks. For as long as this war escalates, banks must think hard about anything legitimate out on the Internet with their name on, and ask themselves whether it might be turned to a phisher’s advantage.
Banks should, for example, immediately abandon all marketing campaigns that use email: They are an invitation for creative phishers to exploit. One I received today, for example, is from a Singaporean company called ShareInvestor that alleges I am a member of its network (could be, but it must have been a long time ago, when I was still an Internet innocent.)
The email itself is a promotion for Citibank inviting me to “Book a new Premium Deposit with Citibank Online Treasury Services and enjoy a potentially higher interest rate on your money plus receive a S$10 Tangs shopping voucher for every US$10,000 invested**.” The email appears to be genuine (I had to check carefully and get someone smarter than I in such matters to check again), but I have to question Citibank’s wisdom in allowing these kind of promotions to carry on, particularly when their own website warns against phishing emails which “often look like the real thing and are hard to distinguish from a legitimate email or website.” Such promo emails from what are basically spammers (OK, email marketers) are just asking for trouble.
In this case, the link in the email takes you to a Citibank website and, after some blurb, tells you to call a number or visit a Citibank branch. So, no Internet transaction, which is definitely good. But what’s to stop a phisher mimicking the same ShareInvestor email and then luring someone to a Citibank-looking website, asking them to submit some personal data about, say their existing Internet account at another bank, and then directing them to the same Citibank website?
Think, Mr. Bank Manager, think. The phishing may only have just begun.