Financial institutions, social responsibility & phishing scams


What do financial institutions, social responsibility and phishing scams have in common? It sounds like the start of a joke, doesn’t it? Unfortunately, to date these three phrases in one sentence are just that: a bit of a joke. Perhaps that seems a tad harsh to some; to others, perhaps not harsh enough. But let me explain where I am coming from and why I make this statement.

Recently, one of the EnBox team identified that the system was picking up a new PayPal scam. He took the initiative to inform PayPal of the scam via their dedicated web address yet never heard back from them, nor did we see extensive efforts by them to alert their customers; in fact very little, if anything discernible, seemed to be undertaken. Surely, with fraud and phishing so rife, there should be more responsiveness from big business, especially if specific companies know they are the targets of phishing scams. Surely they have a responsibility to inform the public.

Now if you are thinking, “are phishing and credit card fraud so widespread in Australia that they deserve more attention?”, let me present you with the reasons I believe they do.

Credit Card Fraud

Losing your wallet or having it stolen can be a traumatizing experience, and one that comes with a fair share of inconvenience and stress. Aside from the inconvenience of having to organize new cards, there is the worry about what was charged to your credit cards before you realized your wallet was missing.

Fortunately, if you let your provider know quickly, your liability for all purchases made is limited (or nil), as long as you can prove that you were not responsible in any direct way for the losses incurred. MasterCard are one such provider who will cover you if you meet a couple of simple criteria.

Actually, as a generalization, when it comes to credit or debit card fraud, banks and financial institutions are very good at providing you with information and pointing you in the right direction as regards what to do next. In fact, a simple search on a few financial websites for the term ‘credit card fraud’ reveals search result after search result – but more on this later.

Should I be surprised by this? No, I suppose not. After all, credit card fraud has been around for a long time, time enough for institutions to determine how to best inform the consumer, to have mitigation strategies in place and to have comprehensive disclaimers and policies as well. Plus, bear in mind that credit card and debit card fraud cost over $193 million in Australia in 2010.

[Figure: credit card fraud table]

Credit Card what? Let’s discuss phishing

OK, with the figure of $193 million in your mind, I want you to consider this. In the 12 months to July 2010, it is estimated that Australians lost $1.286 billion (Galaxy Research) to online scams, which makes credit and debit card fraud insignificant in comparison. The difference is more than $1 billion. Even if you assume that the figures reported for credit cards and debit cards are also reported in the phishing total, the figures are astounding and somewhat scary.

Let me make this even scarier. In the same report, Galaxy Research actually concluded that approximately 1 in 10 Australians online had fallen victim to phishing, each losing on average $1000.

Now as much as you may scoff at this figure and question the intelligence or otherwise of these victims, remember this: scammers are craftier than ever in devising their phishing emails, from the language used, to the HTML formatting of the email, through to the destination URL, and even the webpage you arrive at (often these scammers are building micro sites). It is getting harder and harder to know what’s fake and what isn’t.

However, what many people do not realise is that scammers have developed other ways to get your money from you that don’t rely on you entering your passwords into their phony sites. They know that the more steps you have to go through, the greater the chance you will see the ruse and thus they lose the opportunity. These days, visiting a site they have driven you to from an email can be enough for them to activate a script which installs a key-logger on your machine. With this installed, your account information becomes theirs.

With these two successful tools in the arsenal of hackers, it is truly no surprise that the figure of $1.286 billion was reached last year.

Or is it? Perhaps it is not that surprising as it would appear that unlike credit and debit card fraud, the big institutions are doing relatively little to inform “Joe and Jane Consumer” in the fight against cybercrime and in the fight to lower the figure above. You and I use the net to make purchases, pay bills and check our accounts and are doing so through the portals provided by some of the biggest companies in the world. But are we being supported and made aware of threats by these large companies? To some extent yes, but for the most part, I believe there is so much more they can and should do.

Financial Institutions and the Fight against Phishing

I have no doubt that the big boys are taking the fight to scammers, working hard to shut down dodgy websites as they become known and using the full arm of the law to tackle them head on. However, I believe this is not enough as it is a reactive strategy only. What about a preemptive strategy that seeks to empower and educate Joe Consumer so that the incidence of phishing decreases too?

Sure, each of the big banks has a page on their site dedicated to informing you about the risks of scams, but sadly, the information they offer is insignificant compared to the information they provide on credit card fraud. To illustrate my point I did an analysis of some keywords (relating to credit card fraud and online phishing) on Google to ascertain their search volumes within Australia. I used this as a gauge of how often the terms are searched for in Australia. Once I had these figures I then conducted searches for these terms on the sites of 7 different financial institutions.

The results were somewhat startling – without fail, every institution has more information available on credit card and credit card fraud than on phishing and scams. Not by a little bit, but by several hundred percent if not several thousand.

[Figure: fraud comparison chart]

There are a couple of key things to notice:

  • Analysis on Google found that of the 4 terms I searched, “Credit Card Fraud” ranks as the lowest term – only 4,400 searches per month.
    • Phishing has 4 times as many searches per month as Credit Card Fraud and Scam 100 times more
  • The search volumes on Google are not replicated with the search results on the sites surveyed
  • In Australia the value of annual phishing scams far outstrips the value of credit card fraud

So perhaps indeed financial institutions are not truly doing as much as they could to inform and educate the Australian populace as regards the risks of phishing and online scams.

Increasing Social Responsibility

So the question begs to be asked: Shouldn’t companies across the board – but especially those whose identities are borrowed for the purposes of scams – stand up and take the fight to scammers more aggressively? Big organizations all declare their credentials about social responsibility, or environmental sustainability, or corporate ethics, but how many of these social stances encompass combating phishing or alerting the public?

As the saying goes, forewarned is forearmed. With the large purses that these companies have, surely there is a strong argument for these companies to inform people when they know there is a scam focusing on them as a brand. I recognize that many of these brands Tweet about scams as they become apparent, but it often appears that accounts from the Government (such as @SCAMWatch) are more aggressive, are dedicated to scams and are more responsive.

There thus exists a gap for business to be more socially responsible and to help the public not fall prey to the various scams which exist. I acknowledge it is often easier to criticize than offer solutions, so what I have done is think of a couple of relatively easy and low-cost ways in which companies can help combat phishing:

Increased information on corporate websites

  • Focus on regular updates on the latest scams and on what to do should you have fallen foul of a scammer.
  • Dedicated YouTube channels (which are promoted on their websites) showing screenshots of the latest scams with voice over explaining how to identify them.
  • Dedicated Twitter handles for nothing but information about latest scams and information on what to do.
    • Allows for the message to get across without being occluded by marketing and customer service messages.
  • Other dedicated Social Media channels to reach a broader market.
    • After all, not everyone is on Twitter, nor Facebook.
  • Advertising of latest scams in street press (e.g. 9-5 magazine or MX)
    • Which is both affordable and easy to go to print later in the day and reaches a broad market cross-section.
  • Press releases to news outlets both on and offline.
    • Online press releases can be syndicated quickly and affordably.

Where to from here

Financial institutions and other big companies beat their chests about the social policies they have in place; however, none seem to be on the front foot as regards online scams and phishing. With evidence showing that attempts at phishing are not diminishing quickly despite the efforts of organizations around the world, the cost to society from scams will continue to rise. Surely there is an argument for large businesses in Australia to be proactive in the fight and to help the public in not falling prey to cybercrime. Steps such as those listed above would be a good start, but there is much more that can be done. As far as I am aware, not enough is being done and as a result, scammers are getting away with other people’s money, way too easily.

The cynical part of me knows that this list is really only the tip of the iceberg too. What about the banks and other financial institutions taking on some of the accountability and looking to help consumers recoup their lost money? Surely their multi-billion dollar profits could be put to use?

Or what about an independent body being set up which has the sole purpose of monitoring, reporting on and informing the public about cybercrime? This body could then, in part, be funded by the financial industry’s largest earners as a way of them giving back to the community.

That said, it is not all up to big business to protect the consumer; consumers too should be taking positive steps to avoid being scammed. Simple steps include making good use of a leading spam and malware platform to detect and eliminate spam and phishing emails, and being vocal in spreading the word about any scams that you become aware of. Start by telling the organization that is at the ‘centre’ of the scam (usually via email), and then by telling your friends. And should the organization not be responsive to your notification, be vocal about that too, sharing your story on a public forum – a great way to get noticed by many and to get the attention of the organization that ignored you. Perhaps then, together we can take the fight back to spammers and cyber thieves and reduce the amount of money lost to them each and every year.

Please share your thoughts on this, both for my edification and that of others. Because at the end of the day, the more we all share our knowledge, the better equipped we will all be to combat these crimes and the less profitable these scams will be.

Lastly, should you fear you have been duped by an online scam, contact an organisation such as http://www.antiphishing.org/consumer_recs2.html who can help.

  • http://www.enbox.com.au Hamish

    In addition to the above, I read a timely article from Infosex about protecting your online identity and services available to help you cancel and recover lost credit cards. Have a read of the article here http://bit.ly/oGuw2N

  • http://www.enbox.com.au Hamish

    APOLOGIES re the typo, that meant to say Infosec, not the aforementioned typo…
    Sorry all.

  • http://www.dvdorchard.com.au Richard Foate

    Why don’t the banks seem all that concerned? At the end of the day they’re not losing most of the money. Thief steals credit card info, spends at a merchant online, gets delivery of goods. Card owner realises card has been compromised, reports to bank, bank reverses charges. Bank writes to Merchant at whom the card was used requesting proof of transaction, none can be provided, so bank reverses funds from Merchant. Customer inconvenienced, Bank inconvenienced, End Merchant is the loser.