What is the obligation or responsibility of companies to educate consumers on phishing scams? Yesterday, we blogged about the prevalence of phishing scams. Phishing scams are designed to extract personal details and financial data either directly from the user or by way of a computer virus. We look further into this issue and look at what companies are doing to educate their customers, and whether they should be obliged to do so and go further in preventing financial loss, identity theft and a damaged credit rating. This post was written for National Cyber Security Awareness Week 2012, of which MyCRA is a partner.

By Graham Doessel, Founder and CEO of MyCRA Credit Rating Repairs and www.fixmybadcredit.com.au.

After the blog post went up yesterday, a staff member read it and told me he had received just such a phishing email the day before. It purported to be from one of the major banks, of which he is a customer. The email asked for his bank account name, account number and PIN to "verify" his online banking because, according to the email, the bank was having security issues.

Working at MyCRA and dealing with these issues for our clients, my staff member, Luke, was pretty hip to the scam. But we got to talking about how many people could potentially fall victim to this kind of email. After all, Luke did actually have an account with the bank, and the email looked quite legitimate.

Luke called the bank in question and explained the email he had received.

“Yeah of course that is a dodgy email,” the bank’s worker says, sounding a little surprised that someone would call to verify this.

The customer service operator's standard advice was that the bank would never request personal details via email. He said the bank already holds those details, and if it ever did need them, it would ask for them during the normal banking process rather than by emailing the customer.

This is a good general rule to remember for emails from almost any company: a legitimate company will never ask you to send your details by email, because it already has them.

But what about the attitude that people should simply assume these days that a phishing scam will be tried on them? That is dangerous ground for companies.

I bet if you ask most older Australians whether they know about phishing, they will say, "yep – but I don't get to throw the rod in much these days." Many people, and not just older Australians, are left vulnerable to scams when using internet banking and the myriad other things that need to be done online in today's society.

When I looked at the bank's website, there is a pretty extensive section on banking security, as well as lots of information on scams. This is great stuff. But what would be even better is direct warnings to customers about the specific scams currently circulating in the company's name, and what to do should they come across one. This would go a long way towards preventing customers from falling for phishing scams in the first place.

The Computerworld article I featured yesterday, "PayPal, Amex phishing: What you need to know", also talked a bit about company obligations. Here is an excerpt from that story:

IDC Australia senior market analyst, Vern Hue, said that companies needed to be extra vigilant with security as the emails could prove to be an opportunity for cyber-criminals to deceive people into believing that emails and other communications came from a legitimate source…

He recommended that organisations put in place formal business communication policies and guidelines around acceptable use of social media and financial services.

"The onus is also on the organisation to better secure its perimeters by putting in place network and content management protection technology, such as the next generation intrusion prevention systems [IPS], which offer a better capability in detecting threats from social media."

PayPal, American Express lessons

Credit card and financial institutions need to secure their weakest link–the human–according to Hue. Organisations should also begin to educate their users on the importance of being vigilant on the internet and educate them on the potential damages one could potentially face if they should fall victim to such attacks.

"Financial institutions need to spearhead the move to inform their users on the need for proper patching and upgrades in order to keep them safe from these attacks and to also educate them that if ever in doubt, users should call and notify the financial institution to verify the origin and authenticity of the communication," Hue said.

A blog post late last year by Dynamic Business writer Hamish Anderson, titled "Financial institutions, social responsibility & phishing scams", pleads with big businesses whose identities are borrowed for the purposes of scams to take an active approach to educating consumers. Here is an excerpt:

“Big organizations all decry their credential about social responsibility, or environmental sustainability, or corporate ethics, but how many of these social stances encompass combating phishing or alerting the public?

As the saying goes, forewarned is to be forearmed. With the large purses that these companies have, surely there is a strong argument for these companies to inform people when they know there is a scam focusing on them as a brand. I recognize that many of these brands Tweet about scams as they become apparent, but it often appears that accounts from the Government (such as @SCAMWatch) are more aggressive, are dedicated to scams and more responsive.

There thus exists a gap for business to be more socially responsible and to help the public not fall prey to the various scams which exist," Mr Anderson writes.

Hear, hear! With the former Attorney-General's statistic that a staggering 1 in 6 Australians has fallen victim to identity theft, or knows someone who has, this 'social responsibility' to inform customers about the scams that may be run against them in the company's name seems well overdue.

The implications of identity theft, and the difficulty a victim may face not only in recovering their financial losses but in removing bad credit history after full-blown identity theft, warrant a very active approach to stamping out the constant attempts fraudsters make to steal money and identities.

Let’s promote cyber security awareness amongst all sections of the community, and stamp out phishing scams. If no one fell for these scams, they wouldn’t exist.

Above image: noomhh/ www.FreeDigitalPhotos.net