The Big Phish

The thought of fishing used to conjure up the image of good ol’ Andy Griffith and Opie prancing down a backwoods dirt road; a cane pole glimmering in the sunshine, a tackle box chock full of hooks and lures, and a fresh canister of crickets. A fisherman loves the feel of dropping that baited line into the pond. Admittedly, most of the day is spent waiting on that one big fish to take the bait, but when that magical moment happens and the sinker is pulled beneath the surface the fisherman knows with one tug of the line his day will be a success.

However, in my line of work fishing has taken on a new meaning along with a new spelling. Replace the “f” with a “ph” and you have phishing – a friendly looking email from a trusted brand embedded with malicious hyperlinks.

Webopedia defines phishing this way: “The act of sending an e-mail to a user falsely claiming to be an established legitimate enterprise in an attempt to scam the user into surrendering private information that will be used for identity theft. The e-mail directs the user to visit a Web site where they are asked to update personal information, such as passwords and credit card, social security, and bank account numbers, that the legitimate organization already has. The Web site, however, is bogus and set up only to steal the user’s information. …”

Similar to a fisherman, phishers cast their lines out to thousands of recipients just waiting for someone to take the bait. Alarmingly, phishers are able to convince up to 5 percent of recipients to respond.

According to MessageLabs, phishing has reached plague proportions. In September 2003, the number of phishing emails encountered was 279. By May this year – just eight months later – the company saw almost 250,000 of them.

GonzoBankers, we are under attack. Some of the financial institutions that have been attacked include Barclays, Citibank, Lloyds TSB, Washington Mutual, Bank One, Peoples Bank and, most recently, SunTrust. At first, the spoofed emails were somewhat comical as shown below:

Subject: YOUR ONLINE BANKING ACCOUNT

Dear Online Banking Consumer,

This email was sent by your Online Banking center to verify your e-mail address. You must complete this process by entering required iformation like your Online Banking login and password. This is done for your protection — becaurse some of our members no longer have access to their email addresses and we must verify it. Please, complete the following information:

Bank Routing/ABA Number (9 digits):
First 6 digits of your Banking Card:
Online Banking Login ID (CIN or CAN):
Your Online Banking Password (or PIN):

Note the spelling errors in the above example. Initially this was a clear giveaway that the email was a scam. That is, of course, if your marketing group uses a spell checker and proofs all copy that is sent to customers. However, over time phishers have stepped up their tactics making it harder and harder to tell a scam from the real thing.

As the phishers get more sophisticated, we must also wise up. The Anti-Phishing Working Group offers the following tips on how to avoid phishing scams:

• Be suspicious of any email with urgent requests for personal financial information.
• Don’t use the links in an email to get to any Web page, if you suspect the message might not be authentic. Instead, call the company on the telephone, or log onto the Web site directly by typing the Web address into your browser.
• Avoid filling out forms in email messages that ask for personal financial information. You should only communicate information such as credit card numbers or account information via a secure Web site or the telephone.
• Always ensure that you’re using a secure Web site when submitting credit card or other sensitive information via your Web browser. To make sure you’re on a secure Web server, check the beginning of the Web address in your browser’s address bar – it should be “https://” rather than just “http://”.
• Ensure that your browser is up to date and security patches have been applied.
• Always report “phishing” or “spoofed” e-mails to the following groups:
  • Forward the email to reportphishing@antiphishing.com
  • Forward the email to the Federal Trade Commission at spam@uce.gov

At this point, I imagine some of you are thinking you could spot a fake email from a mile away. Okay, if you want to see just how smart you are, check out Mail Frontiers Phishing quiz at http://survey.mailfrontier.com/survey/quiztest.html. It sure humbled me. I only got six out of 10, and out of those six I guessed at three.

Although these scams are targeted at consumers, it is our brands they are using. I guess those “trusted” partner campaigns are starting to pay off. Consequently, it is incumbent upon us to frequently inform our customers of the legitimate ways we will try to contact them – so they can disregard all other approaches. The following are some recommended guidelines you should consider if you are or intend to market/ communicate via email with your customers:

• All email marketing campaigns should include your call center number.
• Your Internet site should reflect the information contained in the email marketing campaign.
• Customers should NEVER be asked to submit personal or account information via an email.
• One-to-one or targeted emails should only be used with secure messaging that can only be accessed after customers log in to their online accounts.
• Always include a link to or the contents of your privacy policy within the email.

Marketing and fraud alert type emails are the primary lure of phishers today, but I imagine it won’t be long until they start attacking eStatements. Just think about it. Today many of us send a link via email informing our customers that their eStatement is online. That link usually takes the customer to a log in screen that requests a username and password. Bingo! When the customer enters the access information, the phisher once again catches the necessary information to steal your customer’s identity.

So when it comes to eStatements, we recommend the following steps:

• Always address the eStatement email to the customer. Don’t say “valued customer,” “special,” etc. – state the customer’s full name. For example, my eStatements are addressed to Frederick Johnson, not Tripp. If they were addressed to Tripp, I would suspect fraud. Why? Because my bank only communicates with me using my “legal” name.
• Consider using the last four digits of the account you are referencing.
• Do not include a link to the account login from the email. Simply inform customers that their eStatements are now available online and give them the Web address without linking the text.
• Keep the contents of the eStatement email simple and to the point. Do not try to market or cross-sell the product of the month.

Here is an example of a simple yet effective eStatement email:

ACCOUNT NUMBER XXXX-XXXX-XXXX-1311

Dear FREDERICK JOHNSON:

Your Vandelay statement is now available at http://www.gonzo.com. This notification is part of the All-Electronic Program you enrolled in to receive your statements online only instead of in the mail.

To ensure that you receive monthly statement notifications via e-mail, please keep your contact information current. If you’re planning to change your e-mail address, sign-on to www.gonzo.com, go to the Manage My Account menu, and choose Update Personal Profile to edit your Email Profile. To change your postal address, just use the same menu and choose Address & Phone Change.

If you use your work e-mail address, keep in mind some employers may block receipt of employees’ personal e-mail. Please update your e-mail address at www.gonzo.com -see instructions above.

We hope you continue to enjoy the many benefits of the All-Electronic Program.

Sincerely,
S. Hodgins, Customer Service
1 800 GO GONZO

During the holiday season, the last thing any of us want to think about is someone stealing our identity – especially after ordering all of those Christmas gifts online. But now that you understand it better, some of you might be able to convince your spouse that it really wasn’t you who spent your entire savings at BAI in Las Vegas – it was a phisher!
-tj