Are you training your customers to be phished?

How pushing eStatement notifications can lead customers into the wrong behaviour.

Johannesburg, 10 Jan 2011

Financial institutions that send e-mail notifications with links to a Web site, requiring customers to log in and retrieve their eStatements, are conditioning them to be phished.

This 'pull' model of eStatements is now a prime target for phishing because not only is it easy for potential phishers to replicate, but recipients who are familiar with this process become easy targets - they won't think twice about clicking on links in these e-mails and 'surrendering' their login details.

“Phishers merely copy e-mail notifications and add a phoney link, which takes customers to a pseudo-site where their login details are captured,” explains Mia Papanicolaou, Messaging Specialist, Striata. “The only way to prevent customers from falling prey to such phishing attempts is to implement e-mail processes that can't be replicated, and then educate them accordingly. Merely stating that customers shouldn't click on links from within an e-mail isn't doing enough. In addition, e-mail marketing campaigns will more than likely have call to action links or links to landing pages. It's the nature of e-mail marketing to engage customers, and so excluding links in these e-mails is not an option.”

By sending the eStatement as an e-mail attachment and ensuring the document is encrypted and password protected, companies can help customers avoid this altogether. Customers will be accustomed to receiving the information rather than having to log into a site via a link in an e-mail notification, ultimately reducing the likelihood of phishing.

Additional security can also be applied to the e-mail through verification and authentication, which displays information such as the last four digits of the card or account number and the recipient's name as captured by the company. These details, which are not possible for a phisher to know, should appear in every e-mail, teaching the customer to identify fraudulent e-mail by the lack of this personal data.

Papanicolaou acknowledges the fact that many banks and corporate businesses have spent a substantial amount on building online portals and therefore need to realise a return on investment through site visitors. “The value of a portal is the additional services and information it offers the customers. A combination of 'push' and 'pull' is the ultimate solution. The primary benefit of e-mail billing for online bill pay and self-service portals is that trusted links within the secure electronic bill or statement drive customer adoption of Web-based services. This option is far more secure than pulling customers to your portal via links in e-mail notifications.”

“By eliminating security concerns associated with secure electronic delivery, combined with the convenience of e-mail bill presentment and payment, customers can take advantage of the time saving self-service options available online without the threat of being phished,” concludes Papanicolaou.

Editorial contacts

Marketing
Striata
marketing@striata.com