Phishing is evolving – Banks must adapt to ensure security

Last updated: 21 March 2014

Phishing has been around for almost as long as the internet itself, and it remains a continuing problem (the recent hijacking of Kevin Bacon’s Twitter account is just one of many examples). Despite being a well-known problem, criminals continue to prosper using this method of attack.

As John Hawes highlighted in his recent blog, this attack method shows no signs of disappearing soon. Furthermore, research has revealed that phishers are becoming increasingly organized and that, consequently, banks need effective strategies and tools not only to prevent these attacks but also to detect and mitigate them. New emails are distributed every day, each with a different “call to action” that criminals use to phish for account access. They build copies of the targeted website that are difficult to tell apart from the real thing, typically hosted on lookalike domains, and direct traffic to those sites, where victims are stripped of passwords and security answers and, ultimately, of their money and control of the account.

Although the amounts are, in most cases, modest, a bank’s credibility can be severely damaged by such an attack. The monetary loss can be devastating to customers and businesses, but in most cases the bank will absorb the direct loss. The bigger problem for the bank is not the money; it is the loss of customer trust, trust that might have taken years to build.
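The cloned sites described above usually sit on domains chosen to resemble the bank’s own. The following is an added example, not code from the original post or from any bank or vendor it mentions: a small Python triage routine that classifies URLs harvested from suspected phishing email against a bank’s legitimate domains. The domains `examplebank.com` and `examplebank.co.uk`, the homoglyph table and every sample URL are constructed for illustration.

```python
"""Triage URLs from suspected phishing email for lookalike bank domains.

Added example. Legitimate domains, substitution table and sample URLs are
constructed for illustration and are not taken from any real bank.
"""
import unicodedata
from urllib.parse import urlparse

# Assumption: the bank's legitimate registrable domains.
LEGIT_DOMAINS = ("examplebank.com", "examplebank.co.uk")

# Public suffixes under which the registrable domain has three labels.
MULTI_LABEL_SUFFIXES = ("co.uk", "org.uk", "com.au", "co.nz")

# Digit/symbol substitutions commonly used to mimic a brand name.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s",
                            "7": "t", "8": "b", "|": "l"})


def skeleton(label: str) -> str:
    """Fold a host label so that confusable spellings collide."""
    folded = unicodedata.normalize("NFKD", label)
    folded = "".join(c for c in folded if not unicodedata.combining(c))
    folded = folded.lower().translate(HOMOGLYPHS)
    # Two-letter sequences that render like a single letter.
    return folded.replace("rn", "m").replace("vv", "w")


def registrable_domain(host: str) -> str:
    """Return the part of the host an attacker had to register."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch single-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1,
                           prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(url: str) -> str:
    """Label a URL as legit, unrelated, or one kind of lookalike."""
    host = (urlparse(url).hostname or "").lower()
    reg = registrable_domain(host)
    if reg in LEGIT_DOMAINS:
        return "legit"
    # Internationalised names (raw Unicode or xn-- punycode labels) are
    # the classic vehicle for visually identical lookalikes.
    if not host.isascii() or any(l.startswith("xn--") for l in host.split(".")):
        return "idn"
    brands = {legit.split(".")[0] for legit in LEGIT_DOMAINS}
    # Whole legitimate domain used as a subdomain of an attacker's domain.
    if any(legit in host for legit in LEGIT_DOMAINS):
        return "brand-in-subdomain"
    sld = reg.split(".")[0]
    sk = skeleton(sld)
    for brand in brands:
        if sk == brand:
            return "homoglyph-lookalike"
        if levenshtein(sk, brand) <= 2:
            return "typo-lookalike"
        if brand in sk:
            return "brand-in-name"
    return "unrelated"


def triage(urls):
    """Classify a batch of URLs and return the ones worth a closer look."""
    return [(u, v) for u in urls if (v := classify(u)) != "legit"]


# Constructed sample URLs, as might be extracted from reported emails.
SAMPLE_URLS = [
    "https://examplebank.com/login",
    "https://online.examplebank.co.uk/",
    "http://examp1ebank.com/secure",
    "http://examplebank.com.verify-account.net/",
    "http://exampIebank.com/",
    "http://xn--examplebank-test.com/",
    "http://exampleb\u0430nk.com/",      # Cyrillic 'a' in place of Latin 'a'
    "http://examplebank-security.com/reset",
    "https://news.example.org/",
]

if __name__ == "__main__":
    for url, verdict in triage(SAMPLE_URLS):
        print(f"{verdict:22} {url}")
```

The registrable-domain step matters: `examplebank.com.verify-account.net` contains the bank’s name verbatim, but the attacker only registered `verify-account.net`, which is what a takedown request has to name. The `skeleton` fold and the edit-distance check are heuristics and will produce false positives on unrelated short names; in practice they are a triage filter in front of an analyst, not an automatic blocklist.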

Further losses of trust may also be linked to “man-in-the-browser” attacks, which have recently grown popular in the world of digital crime. The customer’s computer is infected with malware that sits inside the browser and alters the bank’s pages as they are displayed, inserting prompts (for one-time codes, security answers and the like) that look as if the bank had asked for them. With the answers the victim types in, the criminals can authorise transfers from that specific account without the customer noticing anything wrong. Modern phishing campaigns now target specific banks or financial institutions, overwhelming security teams and help desks. Affected customers respond by storming every support channel and must be guided back to feeling confident that their bank is taking security seriously. Banks are often able to do this; however, the damage can be costly, both in money and in reputation.

The only chance for banks with an insufficient security solution is to respond quickly. Investing in up-to-date security technology is essentially the only real way to restore customer loyalty before customers take their business elsewhere. One of the biggest new phishing challenges banks face is reaching their customers in time, or, in fact, reaching them at all. In many cases, banks use their own websites, e-mail or social media to get the message out. That is a problem in itself when those same channels have been impersonated in the attack: a warning e-mail from the bank looks exactly like the phishing e-mail the customer has just received. And, unfortunately, affected customers are often told that the problem probably lies within their own personal digital infrastructure and that they need to upgrade their virus protection, advice that shifts the blame onto the customer and does nothing about the cloned site or the campaign behind it.

Fortunately, fixing a security problem like this and restoring trust needn’t be a costly and time-consuming venture. Many banks have had their security systems audited and upgraded and can now state, with confidence, that they are prepared for the attacks described here.

And when a bank has the courage to stick its neck out and talk, with confidence, about its security solution, phishers tend to move on and leave that particular bank alone.