With phishing attacks hurting the credibility of email communications, forward-thinking banks are turning to social media as the best channel to warn customers of scams and attacks.
For example, one of the leaders in this emerging best practice, Westpac of Australia, made good use of social media yesterday. The bank tweeted a scam alert warning of a fraudulent email that purports to advise Westpac customers to download a new security program.
The email message was a fake, and its attachment carried a Trojan download, not real security software, the bank said in its tweet alert.
Dave Jevans, chairman of the Anti-Phishing Working Group (APWG), said, “It makes sense that when phishing is corrupting trust in the email channel, banks look to Twitter and other social media to alert their customers. By using Twitter to publicize Internet security threats, banks can warn customers instantaneously, without sending them emails which could themselves be construed as malicious phishing attempts.”
Crimeware such as ZeuS, SpyEye, OddJob, and Sunspot silently infects the computers of online banking users. Crimeware is now the most alarming threat to online banking in the U.S., according to analyst firm Gartner.
Cybercriminals are increasingly sending fake emails that pretend to be from security software companies and banks, in a bid to trick users into downloading crimeware onto their computers.
Here are five best practices that Jevans proposes banks consider when using Twitter as a tool to alert customers to phishing and other fast-breaking scams:
1. Own and verify your handle. Make sure customers can verify it is your official bank Twitter handle. If you are already verified, great, and make sure you educate customers to look for the blue badge. If you are not verified, contact Twitter for help. Twitter also recommends you put a link to your website on your profile page so people can see it is you.
2. Link to Twitter. Make sure customers can find your Twitter handle easily. Put the full Twitter address there, not just a link in a Twitter logo, so customers learn to recognize your Twitter handle.
3. Get the message out. Promote your Twitter account to your customers as a security channel. Educate your customers to go to your Twitter page for the latest security alerts if they see anything suspicious.
4. Respond rapidly. Monitor for phishing and other attacks and rapidly Tweet an alert when someone is attacking your brand. A quick response using social networks is an incredible multiplier in stopping attacks in progress. Post the alert to your other social media pages as well. Repeat the alert several times a day as it will get pushed down with new Tweets. Include a link to your website with full details on the scam.
5. Educate continuously. Tweet general security tips and warnings regularly, even linking to reporting, like this example on mobile phone scams from Zions Bank, or First Security Bank, which warned its customers about fake check fraud and auction sites.