Want to end phishing? Killing e-mail is a terrible place to start
By Stergios Saltas, Managing Director, Striata SA.
Phishing has long been, and remains, one of the biggest security headaches faced by organisations today. It's an especially big problem for financial institutions, where a breach caused by a phishing attack can have serious financial implications for their customers.
But, how should organisations go about addressing the threat of phishing? After all, cyber criminals are using increasingly sophisticated forms of phishing, capable of fooling even the savviest e-mail users.
One suggestion, for banks in particular, is to simply kill e-mail. Doing so, however, would be a giant mistake.
The case for killing e-mail
In an article first published on Tomorrow's Transactions, Hyperion Consult Director Dave Birch lays out two ways that banks could, in principle, take phishing e-mail off the table entirely.
The first, he says, is for them to encrypt all their e-mails. For a variety of reasons, he argues, this is incredibly difficult to do.
Getting encrypted e-mails to show on a variety of e-mail clients and devices, he says, is so challenging that most organisations simply give up trying.
As a result, Birch suggests, the only foolproof way for organisations to fight phishing is to exercise the nuclear option and kill e-mail.
Instead, he argues, banks should send messages exclusively through their smartphone apps.
"It's time," Birch says, "to move to conversational commerce based on messaging and forget about the bad old days of insecure, spam-filled, fraudophilic (and frankly, passé) e-mail."
Why it won't work
While there's a certain appeal to Birch's logic (criminals could still send e-mail in the bank's name, but if the bank never e-mails its customers, any e-mail claiming to come from it is fraudulent by definition, and customers have a simple rule to follow), it's unlikely that banks are going to stop sending e-mails to their customers anytime soon.
There's a simple reason for that. E-mail is still the most effective way for organisations to communicate with their customers.
In part, that's purely down to numbers. According to Statista, global e-mail user numbers are set to reach 4.2 billion by 2022.
That means any organisation wanting to talk to the broadest possible number of customers simply cannot ignore e-mail as a communication channel.
Even if a bank has an incredibly successful app, it won't be able to reach the same number of customers as it can with e-mail. Even the new wave of digital-only banks coming into existence will still likely rely heavily on e-mail.
How could they not, when 68% of teens and 73% of millennials consider e-mail their preferred medium for communicating with brands?
Killing e-mail might dent cyber criminals' ability to use phishing tactics, but it could also do irreparable damage to a bank's ability to communicate with its customers.
Importance of education
Given that killing e-mail is unfeasible, how should banks go about combating phishing? Technically, their security teams can keep making attacks harder to pull off (for example, by authenticating their outbound mail with SPF, DKIM and DMARC so that mail forged in the bank's name is rejected before it reaches the inbox) and minimising the impact of the attacks that do get through.
The most important thing any organisation can do, however, is educate its customers. This doesn't just mean keeping customers up to date with the latest lures used in phishing attacks, but also reminding them what the organisation will never ask them to do in an e-mail, for example reply with a password or PIN, or log in through a link in the message.
Importantly, this messaging needs to be consistent and communicated across multiple channels (including your app). People are forgetful, and if your messaging isn't consistent, then they're likely to slip back into old habits.
It's also vital that this messaging is simple and easy to understand. If there's even a hint of jargon or technical speak, people are likely to switch off and not digest whatever it is you're trying to tell them.
There are a number of ways to combat phishing, but suggesting that a bank (or any organisation, for that matter) kill e-mail simply isn't feasible.
Stergios Saltas is the Managing Director of Striata SA. With 17 years' experience in the ICT industry, Saltas is responsible for guiding the strategic direction and daily operations of the African business, and serves as a member of the board of directors.
During his career at Striata, Saltas has fulfilled a wide range of roles, most recently, Director of Operations, where he oversaw the management and delivery of Striata's messaging solutions.
Saltas is dedicated to understanding client needs and executing solutions with precision; ensuring that Striata products meet the highest standards of quality and functionality; while promoting the wellbeing of Striata's valuable resources.