Wednesday, July 11, 2012

3 Easy steps to mitigate phishing attacks

Another day, another phishing attack... Unfortunately there’s no way to stop phishing, but there are a number of ways to minimize the risks. The recent attack on Telstra customers, as reported in the Australian Courier Mail, caught my eye for a couple of reasons.


The Attack

Without going into too much detail, a Telstra-branded email was sent out with instructions to click a link to update your details “following an error in scheduled maintenance”, but the link of course didn’t go to any Telstra site (reportedly, it pointed to a British spa website which is a bit bizarre in itself).

Your service provider says 'click' - the Fraud Squad says don’t!

What interested me the most was the statement from the Queensland Crime Prevention Command’s Fraud and Corporate Crime Group:

“Regardless of what’s in this email - logos, account details and email addresses - the most important thing to remember is that they asked you to click on a link within an email. Legitimate companies will never ask you to do this, especially when it comes to providing your personal information.”

While this is well intentioned advice, it is fundamentally wrong! The fact is that thousands of legitimate companies send millions of emails every month asking their customers to click on a link – in most cases to view their eBills or eStatements online. And we’re talking big names; American Express does it, HSBC does it, 3 does it…and Telstra does it too.

So, now we have millions of confused customers out there being told by the police never to click on a link in an email, while their service providers are asking them to do just that! What’s the answer?

The Solution

The fraud squad suggests that the safest solution is to just stop using links to web portal log-in pages in your emails. So, perhaps you should consider delivering your customers' eBills or eStatements as PDF attachments to the email instead? This way, there’s no need for a link and a significantly reduced risk of the email being a phishing attack. However, if you have no alternative, there are a few things you can do to protect your customers...

3 steps to prevent phishing attacks:

  1. Educate your customers – While it’s important to ensure that you use consistent branding in all your email communications, fraudsters are getting smarter about replicating it. Educating your customers to recognize your emails is one of the most powerful ways to protect them from phishing attempts. Look for alternative ways to help them identify your legitimate email, such as a customer-selected image that must appear in every email.
  2. Personalization – “Dear Keith” is better than “Dear Valued Customer” (and does anything make you feel less valued than being called a ‘valued customer’?), because generic greetings are an easy way for a fraudster to recreate a company’s style.
  3. Authentication – This is the big one! Consistently include authentication in every email communication with your customers. Name, partial account number, partial address or postcode are all easy for a legitimate company to include in the email body, but impossible for a fraudster. Educate your customers that your emails will always carry this authentication, so any phishing email becomes instantly recognizable. Make use of the various security features available, such as digital email signatures, DKIM, DMARC and SPF, to further authenticate the email and minimize the risk of it ending up in a spam folder.


Taking these steps will minimize the risk of your company and customers becoming the victims of phishing attacks. If you’d like to find out more, contact one of our email specialists...

Keith Russell
striata.com
