Phishing, And Some Advice

May 29, 2004

I was just reading the new publication put out by the U.S. Financial and Banking Information Infrastructure Committee and the Financial Services Sector Coordinating Council on “Lessons Learned by Consumers, Financial Sector Firms, and Government Agencies during the Recent Rise of Phishing Attacks” (PDF here, page on Treasury website here). A wordy title for a document that, to me, is rather thin on specifics.

In short, there’s not much here people don’t know already. And there are some bits of poor advice. One for banks and other institutions whose customers are being phished: “Contact consumers by e-mail or postal mail warning them not to respond to suspicious e-mails. Remind consumers of the firm’s or agency’s official policy of not soliciting sensitive information through an e-mail.” How exactly is sending an email going to help? A lot of phishing emails use exactly this ruse to get the target to check in to their fake website: they suggest the recipient’s account may have been compromised, or something along those lines. I’d say now is the time to spend some cash on doing a proper mailing to all customers using the postal service. Now is not the time for more emails saying ‘Beware of scams. By the way, this is not a scam’.

Anyway, here are three of my own suggestions for banks to build trust with customers and minimise further confusion about what is genuine and what is phishy:

  • Don’t be tempted to fire pop-up ads at them when they visit your website, like one U.S. bank I know of, because pop-up ads can legally be hijacked by other companies like WhenU, which means they can also be hijacked by scammers.
  • Don’t outsource your marketing to email marketers, like the Singapore arm of one U.S. bank I’ve written about here before, who then send out dubious unsolicited emails inviting me to open a new Premium Deposit “…and enjoy a potentially higher interest rate on your money AND a S$10 Tangs shopping voucher for every US$10,000 invested.” What’s to stop a phisher mimicking the same email and then luring someone to a kosher-looking website, asking them to submit some personal data about, say, their existing Internet account at another bank, and then directing them on to the real website?
  • Don’t give customers an extra screen of ads for other services after they’ve logged out, using cute but confusing language – one Hong Kong-based bank I visited the other day said something like ‘You’ve logged out but you haven’t logged off’ and then proceeded to offer the customer some more services. A lot of customers are going to be confused by that. And what for? Just to sell them a few extra services?

All bad practice, and I think if anyone is going to draw up a ‘lessons drawn’ note it should be along those lines: specific, cautionary, and at least trying to anticipate the way this war on scamming may go.