The thought of fishing used to conjure up the image of good ol’ Andy Griffith and Opie prancing down a backwoods dirt road; a cane pole glimmering in the sunshine, a tackle box chock full of hooks and lures, and a fresh canister of crickets. A fisherman loves the feel of dropping that baited line into the pond. Admittedly, most of the day is spent waiting on that one big fish to take the bait, but when that magical moment happens and the sinker is pulled beneath the surface the fisherman knows with one tug of the line his day will be a success.
However, in my line of work fishing has taken on a new meaning along with a new spelling. Replace the “f” with a “ph” and you have phishing – a friendly-looking email from a trusted brand embedded with malicious hyperlinks.
Webopedia defines phishing this way: “The act of sending an e-mail to a user falsely claiming to be an established legitimate enterprise in an attempt to scam the user into surrendering private information that will be used for identity theft. The e-mail directs the user to visit a Web site where they are asked to update personal information, such as passwords and credit card, social security, and bank account numbers, that the legitimate organization already has. The Web site, however, is bogus and set up only to steal the user’s information. …”
Similar to a fisherman, phishers cast their lines out to thousands of recipients just waiting for someone to take the bait. Alarmingly, phishers are able to convince up to 5 percent of recipients to respond.
According to MessageLabs, phishing has reached plague proportions. In September 2003, the number of phishing emails encountered was 279. By May this year – just eight months later – the company saw almost 250,000 of them.
GonzoBankers, we are under attack. Some of the financial institutions that have been attacked include Barclays, Citibank, Lloyds TSB, Washington Mutual, Bank One, Peoples Bank and, most recently, SunTrust. At first, the spoofed emails were somewhat comical as shown below:
Subject: YOUR ONLINE BANKING ACCOUNT
Dear Online Banking Consumer,
This email was sent by your Online Banking center to verify your e-mail address. You must complete this process by entering required iformation like your Online Banking login and password. This is done for your protection — becaurse some of our members no longer have access to their email addresses and we must verify it. Please, complete the following information:
Bank Routing/ABA Number (9 digits):
First 6 digits of your Banking Card:
Online Banking Login ID (CIN or CAN):
Your Online Banking Password (or PIN):
Note the spelling errors in the above example. Initially this was a clear giveaway that the email was a scam. That is, of course, if your marketing group uses a spell checker and proofs all copy that is sent to customers. However, over time phishers have stepped up their tactics, making it harder and harder to tell a scam from the real thing.
As the phishers get more sophisticated, we must also wise up. The Anti-Phishing Working Group offers the following tips on how to avoid phishing scams:
At this point, I imagine some of you are thinking you could spot a fake email from a mile away. Okay, if you want to see just how smart you are, check out MailFrontier’s phishing quiz at http://survey.mailfrontier.com/survey/quiztest.html. It sure humbled me. I only got six out of 10, and out of those six I guessed at three.
Although these scams are targeted at consumers, it is our brands they are using. I guess those “trusted” partner campaigns are starting to pay off. Consequently, it is incumbent upon us to frequently inform our customers of the legitimate ways we will try to contact them – so they can disregard all other approaches. The following are some recommended guidelines you should consider if you are marketing to or communicating with your customers via email, or intend to:
Marketing and fraud-alert emails are the primary lure of phishers today, but I imagine it won’t be long until they start attacking eStatements. Just think about it. Today many of us send a link via email informing our customers that their eStatement is online. That link usually takes the customer to a login screen that requests a username and password. Bingo! When the customer enters the access information on a spoofed copy of that screen, the phisher once again catches the necessary information to steal your customer’s identity.
So when it comes to eStatements, we recommend the following steps:
Here is an example of a simple yet effective eStatement email:
ACCOUNT NUMBER XXXX-XXXX-XXXX-1311
Dear FREDERICK JOHNSON:
Your Vandelay statement is now available at http://www.gonzo.com. This notification is part of the All-Electronic Program you enrolled in to receive your statements online only instead of in the mail.
To ensure that you receive monthly statement notifications via e-mail, please keep your contact information current. If you’re planning to change your e-mail address, sign-on to www.gonzo.com, go to the Manage My Account menu, and choose Update Personal Profile to edit your Email Profile. To change your postal address, just use the same menu and choose Address & Phone Change.
If you use your work e-mail address, keep in mind some employers may block receipt of employees’ personal e-mail. Please update your e-mail address at www.gonzo.com – see instructions above.
We hope you continue to enjoy the many benefits of the All-Electronic Program.
S. Hodgins, Customer Service
1 800 GO GONZO
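The sample notification above links only to www.gonzo.com, shows the account number masked to its last four digits, and asks for nothing in the message itself. A pre-send check for those three properties, as an added Python example that is not part of the original article; `gonzo.com` is the article's sample domain, while the sign-on keywords, the function name `lint_notification` and both sample messages are assumptions constructed for illustration:

```python
import re
from urllib.parse import urlparse

OWN_DOMAIN = "gonzo.com"                      # the article's sample institution
LOGIN_HINTS = ("login", "logon", "signon", "sign-on", "password")  # assumed keywords

URL_RE = re.compile(r"(?:https?://|www\.)[^\s<>\"']+", re.I)
# 13 to 19 digits, optionally grouped by spaces or hyphens: an unmasked number.
FULL_NUMBER_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")
# A line naming a credential and ending in a colon, i.e. a form field in the mail.
CREDENTIAL_ASK_RE = re.compile(r"\b(password|pin|login id|routing)\b.*:\s*$", re.I | re.M)

def lint_notification(body: str) -> list[str]:
    """Return the traits that make a customer notification resemble a phish."""
    findings = []
    for raw in URL_RE.findall(body):
        url = raw.rstrip(".,;)")              # drop sentence punctuation
        parsed = urlparse(url if "://" in url else "http://" + url)
        host = (parsed.hostname or "").lower()
        if host != OWN_DOMAIN and not host.endswith("." + OWN_DOMAIN):
            findings.append(f"link to foreign host: {host}")
        elif any(h in (parsed.path + "?" + parsed.query).lower() for h in LOGIN_HINTS):
            findings.append(f"deep link to sign-on page: {url}")
    if FULL_NUMBER_RE.search(body):
        findings.append("unmasked account or card number")
    if CREDENTIAL_ASK_RE.search(body):
        findings.append("asks for credentials inside the email")
    return findings

# Constructed excerpt in the style of the article's eStatement notification.
GOOD = ("ACCOUNT NUMBER XXXX-XXXX-XXXX-1311\n"
        "Your Vandelay statement is now available at http://www.gonzo.com.\n"
        "To change your e-mail address, sign-on to www.gonzo.com, go to the menu.\n"
        "1 800 GO GONZO\n")

# Constructed draft that repeats the habits phishers imitate.
BAD = ("Your eStatement is ready at http://gonzo.com.statements.example/view\n"
       "or sign in at https://www.gonzo.com/signon?next=stmt\n"
       "Account 1234 5678 9012 3456\n"
       "Your Online Banking Password (or PIN):\n")

if __name__ == "__main__":
    for name, msg in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, lint_notification(msg))
```

The first finding for the second message shows why the host comparison is done on the parsed hostname: a name that merely begins with `gonzo.com` belongs to someone else.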
During the holiday season, the last thing any of us want to think about is someone stealing our identity – especially after ordering all of those Christmas gifts online. But now that you understand it better, some of you might be able to convince your spouse that it really wasn’t you who spent your entire savings at BAI in Las Vegas – it was a phisher!