The Fraud Blog with Tracy Kitten

My Phishing Story Close Call Proves Customer Education is Critical
My Phishing Story

How much should banking institutions rely on customer and member education as part of their efforts to thwart online fraud? It's the subject of ongoing debate.

See Also: How to Scale Your Vendor Risk Management Program

But my personal experience with a phishing scam this week illustrates why it's so important to educate consumers and businesses about how to spot suspicious requests and potential fraud.

How we as an industry better communicate security risks to the general public is a challenge, I know. But it's one we have to embrace. We can't rely on technology alone. 

Regulatory demands are pushing banks and credit unions to up their investments in technologies, systems and solutions that offer better protections for online accounts. Much of those investments revolve around fraud monitoring and strengthened user authentication.

Increased investments in monitoring and detection are no doubt needed. Results from our recent 2012 Faces of Fraud survey show 82 percent of the more than 200 participants say they find out about fraud when customers or members notify them.

Obviously, there's room for improvement. But there's a ceiling on how much a banking institution or other organization can control when it comes to the prevention of online fraud.

Many security breaches are traced back to a user who unknowingly or foolishly provides login credentials to fraudsters. With credentials in hand, online fraudsters have all they need to authenticate transactions and access banking accounts. Typically, these credentials are acquired via socially engineered schemes, such as a phishing or vishing attack. (See New Strategies to Fight Phishing.)

Controlling fraud on that level is a challenge, and it's one many banking institutions will continue to struggle with as phishing attacks become more sophisticated.

Some industry pundits fear banks and credit unions, in their efforts to conform to the FFIEC's updated Authentication Guidance, rely too heavily on customer education - our survey shows 61 percent plan to invest in customer education to conform.

My Phishing Story

But I believe, based on personal experience, that customer education is a critical component. Here's my story.

I've been replying to online ads for ticket sales to the Kentucky Derby - a big event that no doubt attracts all types of scammers trying to sell cons.

I got a reply from a seller who seemed legitimate. I provided the seller my mobile number, so we could discuss the logistics of payment. He requested my eBay ID, saying I could pay for the tickets through eBay and bypass PayPal. Odd, I thought. But giving him the benefit of the doubt, I provided my eBay ID, thinking this guy just didn't really understand how PayPal and eBay work.

Within five minutes, I got a confirmation for an eBay transaction texted to my phone. And a few minutes later, I received an e-mail from what appeared to be eBay. And a few minutes after that, the seller e-mailed me, asking me to give him the confirmation code that was sent to my phone.

Right then, I knew this was a scam. The e-mail was convincing, though a few details seemed sketchy, like the fact that my alleged eBay representative lived in England and that my name was misspelled. And the fact that this person asked me to provide the texted verification code was a big indicator this was a scam.

To the casual user, however, those sketchy details might not have stood out.

Knowing not to click any links, I logged in to my eBay account and checked my inbox. Nothing. I immediately called eBay, forwarded the phishy e-mail to eBay's customer service department.

Here an excerpt of the well-composed response I got from eBay:

Thanks for forwarding the suspicious email you received. The email is a spoof, also known as a "phishing," e-mail. (That's phishing, as in "fishing" for personal information.) It didn't come from eBay. Our Trust & Safety team is working to disable any websites it links to.

Copies of any e-mails we send you about the status of your account or a change in your account information will be displayed in My Messages. This is especially helpful since many spoof emails try to convince you that your account is in jeopardy.

Important - *Never* respond to a suspicious e-mail or click any links in the e-mail message. If you think you may have given out personal information in a spoof email or website, you need to take steps to protect your identity right away. ...

Keep those reports coming -- you're helping protect the global Internet community! Our Trust & Safety team works closely with Internet Service Providers to shut down fraudulent sites. We also send your reports to Web browser companies so that they can develop tools to identify spoof sites.

Why We Need More Education

Had I fallen for this scam, my first reaction as a consumer would be to blame eBay. But eBay was in no way involved. The tickets were not even advertised on eBay. Banks and credit unions face similar issues.

I don't think customer education is the only answer, but online users have to increase their security savvy. My education about how fraud is perpetrated saved me in this case. But were I a typical user, this could have turned out badly.

How we as an industry better communicate security risks to the general public is a challenge, I know. But it's one we have to embrace. We can't rely on technology alone.



About the Author

Tracy Kitten

Tracy Kitten

Director of Global Events Content and Executive Editor, BankInfoSecurity & CUInfoSecurity

A veteran journalist with more than 20 years' experience, Kitten has covered the financial sector for the last 13 years. Before joining Information Security Media Group in 2010, where she now serves as director of global events content and executive editor of BankInfoSecurity and CUInfoSecurity, she covered the financial self-service industry as the senior editor of ATMmarketplace, part of Networld Media. Kitten has been a regular speaker at domestic and international conferences, and was the keynote at ATMIA's U.S. and Canadian conferences in 2009. She has been quoted by CNN.com, ABC News, Bankrate.com and MSN Money.




Around the Network