Information Security: Email Scams Targeting Bank Customer

Michele Petry, Ph.D., BankersOnline.com

In a new-age twist to an old scam, bank customers are receiving targeted emails purporting to be from banks, requesting that the customers disclose confidential information on a Web site.

Very recently, customers of Bank of America and Wells Fargo have received fraudulent emails that at first appear to come from the bank, but the emails actually direct unwitting customer to links that go to unaffiliated Web sites. An individual fraudulently posing as a Bank of America associate distributed an unauthorized email asking recipients to enter personal financial information at a Web site masquerading as the Bank of America site. B of A became aware of the situation within hours of its onset and alerted authorities and the fraudulent site was quickly shut down. Details about the distribution and its source are pending investigation.

Wells Fargo reported receiving over forty emails from customers alerting the company to a similar email scam, purporting to come from the bank. In both the B of A and Wells situations, the authorities were contacted and no known customer information was compromised. Both institutions have warned their customers to be vigilant regarding disclosing confidential information only to legitimate known sources.

Growing Trend
This latest round of email scams is an example of a growing trend to steal information in order to perpetuate identity theft online and is similar to popular email scams that may be aimed at your customers. The government's Internet Fraud Complaint Center (IFCC) which publishes a report on Internet fraud each year says Internet auction fraud was the most reported offense. But close runners up (after the Nigerian Letter Scam, believe it or not!) are offers for advanced-fee loan scams, guaranteed loans or credit on easy terms, credit repair, and educational finance schemes - often using the names of legitimate financial institutions.

Clever Methods Used
Some of these scams may come through pretending to be offered by your bank.

Advance Fee Loan scams, for instance, consist of an offer for a loan or a credit card in return for a fee. They'll also promise home-equity loans that don't require equity in a home. Consumers are reassured that they have nothing to lose because they will get a refund if they are turned down. These "turn-down rooms" do not make good on their promises to deliver either the promised loan or the refund.

An ad may promise your bank's help to Repair Credit, claiming that your bank can get negative information removed from a credit report immediately. The fact is that accurate negative information stays on consumer credit reports for seven years - ten years in the case of bankruptcies.

Yet another that has appeared fraudulently using a bank's name was one promising thousands of dollars in Grants and Scholarships, again for an up-front fee ranging from $10 to $300. This is one of the most successful of the scams. The FTC said that in five years more than $15 million was conned from over 100,000 consumers. Law enforcement is actively prosecuting these cases.

I'll mention the Nigerian Letter Scam only because sometimes the financial institution can recognize that a customer is being duped, and will be able to save a loss to a fraud. An email to an individual (or a company) will claim there are extensive funds available (multi-million $) for immediate transfer into the recipient's bank account. The money supposedly comes from over invoiced contracts, existing contract debts, or from beneficiaries of wills. All that is required are the details of their personal or company bank accounts so the money can be wired to your customer. In return, your depositor is promised millions of dollars in fees. If a response is made, some form of advance payment will be required "to bribe officials" in Nigeria, and your customer may even be asked to fly to London or Lagos to "finalize" the deal. It has been reported to the Secret Service that persons who have done so have simply disappeared.

Need To Be Proactive
Given the recent increase in attempted email scams, banks should consider being proactive in reminding their customers to safeguard their information. The following tips can be helpful reminders for your customers regarding how your bank interacts with your customers online.

1. Inform your customer to always check to ensure they have connected to the correct bank web site address. If your bank has multiple addresses you should clearly state which web addresses are legitimate sources of bank information - for example, if your bank can be reached at: http://www.abcbank.com and also at http://www.ebank.abcbank.com then both addresses, and ONLY those addresses, should be considered as a legitimate bank entry point.
2. Let your customers know they should always check that their browser indicates that a secure Web session is in place by noting the LOCK in the lower toolbar of their browser.
3. Tell your customers to always log off a session and close their browser when they finish using online banking to prevent someone else from gaining access to their information.
4. Though it may seem to be an unnecessary caution for you to make, nevertheless gently remind your customers to protect all their PIN and access code information. Also tell them to NEVER give out their account numbers to any but legitimate companies where they are setting up bill payment arrangements.
5. Be sure to clearly state your email communication policy with your customers. If your bank never requests confidential information via email, your customers should be told that.

Michele Petry, Ph.D., is President of the Glia Group, an Internet consulting and web strategy firm and an Editor of www.BankersOnline.com. She has written numerous articles and given lectures on a variety of topics relating to banking and technology, including online banking, ecommerce, using the Internet, and deploying technology effectively.

Copyright © 2003 Bankers' Hotline. Originally appeared in Bankers' Hotline, Vol. 12, No. 11, 2/03