What is the obligation or responsibility of companies to educate consumers on phishing scams? Yesterday, we blogged about the prevalence of phishing scams. Phishing scams are designed to extract personal details and financial data, either directly from the user or by way of malware planted on the user's computer. Here we look further into this issue: what companies are doing to educate their customers, whether they should be obliged to do so, and whether they should go further in preventing financial loss, identity theft and a damaged credit rating. This post was written for National Cyber Security Awareness Week 2012, of which MyCRA is a partner.
By Graham Doessel, Founder and CEO of MyCRA Credit Rating Repairs and www.fixmybadcredit.com.au.
After the blog post went up yesterday, a staff member read it and told me he had received such a phishing email just the day before. It was meant to be from one of the major banks, of which he is a customer. The email requested his bank account name, account number and PIN to verify his online banking – as, according to the email, the bank was having security issues.
Working at MyCRA and dealing with these issues for our clients, my staff member, Luke, was pretty hip to the scam. But we got to talking about how many people could potentially fall victim to this kind of email. After all, Luke did actually have an account with the bank, and the email looked quite legitimate.
Luke called the bank in question and explained the email he had received.
“Yeah, of course that is a dodgy email,” the bank’s worker said, sounding a little surprised that someone would call to verify this.
The customer service operator’s standard advice was that the bank would never request personal details via email. He said they have the details, but if they did need them, they would be requested during the general banking process, rather than emailing the customer.
This is a good general rule to remember for most company emails. They will never ask for your details by email – they already have them. If an email does ask, treat it as a scam, and if you want to check, contact the company through a phone number or address you already have, not one supplied in the email.
But what about the attitude that people should simply assume, these days, that a phishing scam will be tried on them? That is dangerous ground for companies.
I bet if you ask most older Australians whether they know about phishing, they will say, “yep – but I don’t get to throw the rod in much these days.” Many people – and not just older Australians – are left vulnerable to scams when using internet banking and the myriad other things that need to be done online in today’s society.
When I looked at the bank’s website, there’s a pretty extensive section on banking security, as well as lots of information on scams. This is great stuff. But what could be even better is direct warnings to customers about the specific scams currently circulating that use the company’s name, and what to do should they come across one. This would go a long way to preventing customers from falling for phishing scams in the first place.
The Computerworld article I featured yesterday, “PayPal, Amex phishing: What you need to know”, also talked a bit about company obligations. Here is an excerpt from that story:
IDC Australia senior market analyst, Vern Hue, said that companies needed to be extra vigilant with security as the emails could prove to be an opportunity for cyber-criminals to deceive people into believing that emails and other communications came from a legitimate source…
He recommended that organisations put in place formal business communication policies and guidelines around acceptable use of social media and financial services.
“The onus is also on the organisation to better secure its perimeters by putting in place network and content management protection technology, such as the next generation intrusion prevention systems