The Expert's View with Patti Broer

Customer Education an Essential Step

A Critical Component of Layered Security
Customer Education an Essential Step

Educating customers about how they can protect themselves from financial fraud and scams is important. The challenge, however, is that if your customers do not want to help themselves, then no campaign you put forward will succeed. You can show someone how to do something and lead by example, but you can't force them to do it.

See Also: 10 Incredible Ways You Can Be Hacked Through Email & How To Stop The Bad Guys

We can lead them to our websites, mobile banking apps and voice response unit systems to conduct their banking. And we can provide all of the security layers, such as multifactor authentication, security protocols and protections, while meeting all of the FFIEC guidelines with every I dotted and every T crossed.

Customer education can be a powerful force in the fight against social engineers and fraudsters. 

But ultimately, security and safety comes down to the first line of defense - our customers.

A computer sitting on a desk, not connected to the Internet, encrypted and password protected, installed with the best virus protection and firewalls the industry has to offer, is harmless and is protected until the customer turns it on and connects to the Internet. And once that user starts clicking on links to make online purchases, interact through social media, play online games and perform various functions within their online banking, their risk level dramatically changes.

Now that computer is more threatening and poses more risk for the owner. What they do may lead to harm, not only to themselves, but to others as well and - and it could be very costly.

Benefits of Customer Education

So, what are the benefits to educating our customers and employing the guidelines bankers have been given from the FFIEC? Does customer education actually work? And can education actually benefit the customer and the bank?

I believe it can, and I also believe it already does.

I recently had a business customer, who also has a personal account with our bank, contact me because he was suspicious about a call he received from someone claiming to be with the Government Office of OSHA Compliance. This customer told me the call seemed official, and that the caller persuaded the customer to purchase a "compliance package" to avoid possible penalties.

To buy the compliance package, he was asked to provide his bank routing number and his account number.

Feeling threatened, this customer provided that information and soon had an ACH payment transferred from his account for $179.99. The caller said the compliance package would arrive by mail, and once the "package" was implemented, his business would be OSHA compliant.

Thankfully, the customer, whom I'd like to mention is in his mid-70s, became suspicious. He contacted the bank and learned he was prey to a scam. Luckily, we were able to cancel the ACH transaction and protect his BankWest accounts.

When it was all said and done, I thanked him for banking with BankWest and he replied enthusiastically to me, "Well, it saved me $180!"

Another battle won in the fight against financial crime.

Was this win tied to education he received from the bank? He mentioned the call to a teller and she referred him to me. But whether or not he had prior education from us about how to spot a scam like this is uncertain.

Yes, he compromised his account information. Yes, he had to change his account number. But he, and the bank, won because he learned from the experience, which he can now share with others, telling them how BankWest quickly responded to this incident.

We, at the bank, had an additional win, because we were able to use the incident as an opportunity to educate our staff about this scam and alert them to watch for certain flags, in case another customer mentions receiving a similar call.

Educate Employees

We need to educate our employees to educate our customers. After all, both employees and customers are our first lines of defense. The social engineers and fraudsters will keep coming at us, our employees and our customers. If we block them in one area, they'll find another way in.

They'll use old tricks and new tricks. They will try to gain the trust of our customers and our employees. They will threaten us and our customers. It means we are, and will remain, in a constant battle. We need to make sure that we show up for battle and that we're prepared and trained to fight.

This battle takes repetition, commitment, persistence and perseverance.

Customer education can be a powerful force in the fight against social engineers and fraudsters.

One of the best ways I've found to educate customers is by providing them with real-life examples, like the OSHA scam. Showing them how to avoid falling for these scams is rewarding, especially when you hear about how a customer was able to avoid fraud losses.

Bankers already know what education needs to be provided and why. The FFIEC guidelines are pretty clear on what needs to be done.

Educate staff and customers about the current threats, and tell them how to protect themselves against them. Keep teaching them about the old scams as well.

Be persistent and patient, and eventually you will see the benefits and results.

I've found that using a variety of methods, delivered at the appropriate and pertinent time, with up-to-date information, is the best approach. Use your website to educate. Use e-mail, print, video, social media, flyers and brochures. Mix it up and keep it interesting. Don't flood customers every week with tips about how to protect their financial and intellectual property. But keep it steady.

Experience is the best education. When an incident occurs, with or without a good outcome, use it as a teaching tool for both customers and employees. Over time, we'll discover that our customers are learning how to spot a social engineer, and they'll know how to distinguish between a phishing e-mail and an authentic e-mail. They'll learn not to click on a potentially malicious link. They'll realize that just because someone is intimidating them on the phone, creating a sense of panic and urgency by threatening them with a penalty, doesn't mean the person calling is who he claims to be.

Broer is the information security administrator and business continuity plan coordinator at South Dakota-based BankWest Inc.



About the Author

Patti Broer

Patti Broer

Information Security Administrator and Business Continuity Plan Coordinator, BankWest Inc.

Broer supports and assists with the $754 million South Dakota-based bank's incident response plan, as it relates to breaches of information security. She also maintains the bank's information security program, which includes security oversight and administration of most of the bank's software applications. Broer also maintains BankWest's business continuity plan by coordinating annual updates and conducting enterprise-wide table-top exercises. Broer has been employed at BankWest for 25 years.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing bankinfosecurity.com, you agree to our use of cookies.