Educating Your Customers on Phishing

It’s often said that the biggest problem in information security is the space between the chair and the keyboard. While many of us in information security at financial institutions will nod in agreement with that statement, the need to educate our customers is a pressing issue.

Who falls for these phishing emails that ask the reader to update their account information? None of your customers would respond to that kind of request, you say. But how much have you done to educate your customers about the dangers of phishing, and about what they should be on the lookout for when they open their email?

Markus Jakobsson, a noted phishing researcher and professor at Indiana University’s School of Informatics, says financial institutions need to do a better job of educating their clients about phishing and other forms of online fraud. “To an extent, banks are doing some education, but mostly this is dry descriptions and screen shots. This doesn’t really teach your customers to understand phishing,” Jakobsson noted. The majority of the online pages he sees on financial institutions’ websites “aren’t attractive enough that people feel like they want to read it.”

He noted two more problems: the information presented is “a bit scary and intimidating,” and the target audience doesn’t receive it. He encouraged institutions to give clear instructions on how to spot a phishing email and how to understand the underlying mechanism.

He added that customers are getting information about identity theft through popular media. “Reader’s Digest carried two stories on identity theft and what to do. These were very short and dry stories. These stories gave a couple of suggestions such as ‘don’t click on links’ and other things that customers are used to hearing,” he said.

But financial institutions are sending out emails with clickable links. “So it’s hard for the customers to know what are good links and what are bad links,” he continued. “It all boils down to understanding what is going on, and that is something that is not very well taught by institutions.”

Jakobsson pointed to one example of stronger education for phishing by Carnegie Mellon University, which employs video games to teach consumers about phishing. “This is notable because of the improved rates of people’s understanding of what is phishing,” he explained. Carnegie Mellon’s approach presented users an appealing way to learn about phishing, “where they actually would sit down and participate in it.”


About the Author

Linda McGlasson

Managing Editor

Linda McGlasson is a seasoned writer and editor with 20 years of experience in writing for corporations, business publications and newspapers. She has worked in the Financial Services industry for more than 12 years. Most recently Linda headed information security awareness and training and the Computer Incident Response Team for Securities Industry Automation Corporation (SIAC), a subsidiary of the NYSE Group (NYX). As part of her role she developed infosec policy, developed new awareness testing and led the company's incident response team. In the last two years she's been involved with the Financial Services Information Sharing Analysis Center (FS-ISAC), editing its quarterly member newsletter and identifying speakers for member meetings.