It is time that Banks, investment houses and other organisations that we use to manage our finances (I will refer to these generically as financial institutions) recognise and accept that email represents the most inappropriate way of communicating with their audience.
Email is the undisputed No.1 conduit for malware onto end user devices. Web pages a close No.2.
Web pages are harder to pull off IF the end user is not being directed to them automatically ie: via email, and subsequently their impact on financial banking fraud will dramatically decline if email is recognised for what it is. The hackers No.1 tool of choice.
By utilising email to communicate ‘generic’ messages with their customers, and marketing to prospects, financial institutions are underwriting the continued compromise of their own institutions at the financial and emotional cost to their customers and prospects. What I mean by generic are emails that do not relate to a direct communication with a trusted known party in the bank, which would constitute a trusted email. Generic emails are those ones that banks fire out at regular intervals providing air cover for the hackers who slip into the email stream, service or advertising based and even security alerts!
End users of all classes, even the IT savvy user, struggles to qualify valid from malicious emails, especially at the end of a long day when the brain is past overload and longing for the nirvana of escape, it is all too easy to absentmindedly your guard to drop. Even the best struggle to maintain total vigilance 100% of the time, and email is such a duplicitous medium that straddles both our work and recreational worlds that the two can often blur, as does the diligence. Whether the email is requesting personal information or not, a security advisory or not, a service announcement or not, it is irrelevant, simply using this conduit causes conflict in end user behaviour. Click on this email, BUT don’t click on that email, when to the end user they are crafted identically but for the subtle suggestive messaging that can cause havoc in an end users life. The inevitable WILL happen.
Ask yourself if the convenience factor of email outweighs the risk of a hacker compromising your finances. That can often just be the final step in a full identity theft which can have much wider ramifications than just financial loss and emotional fall-out.
The reality is the hacker only has to get lucky ONCE with a fake email that links you through to a website or has an attachment with a payload that compromises your computer. You have to get it right EVERY time and the financial institutions bulk out their terms and conditions to mitigate their complicity. Furthermore hackers get a never-ending opportunity to get lucky that ONCE. Or at least as long as the financial institutions continue to play fast and loose with you for their own convenience, no doubt dressed up as cost efficiency. For is it really convenient for you to have to forever be on your guard when receiving an email from a financial institution, knowing you only have to slip up ONCE. The alternative si to be charged to revert back to paper communications.
Oh yes you have anti-virus software installed from a trusted vendor and PAY to maintain updates so you know you are as current as possible, you don’t rely on FREE solutions that often lag the leading commercial software vendors. The sad reality is Anti-Virus software by its nature rides in the slipstream of malware, it cannot pre-empt professionally crafted fresh attacks. Anti-Virus software may be able to heuristically catch the amateurish malware, but then they are rarely the ones who will do the real damage to your life.
Your bank may even provide you with FREE Anti-Virus software. GREAT! More obfuscation and dumbing down of the risks they are actually throwing like landmines across the path of end user fiscal security in the digital age. As if it’s not hard enough to hold onto our hard earned salaries when their value is still being eroded and savings leveraged by the very same financial institutions for their own protection dressed up as ours. Whilst at the same time we continue to pick up the cost and live through the fall-out of their self manifested Global financial crisis.
At least here in the UK many of the banks are Public Sector institutions so I guess this communique should also be targeting our Political class as well.
My call to action, if the financial institutions will not act responsibly and cease and desist in using email for ‘generic’ email communications, is for you to revert to phone / SMS (to a registered mobile number) / mail (Not email) or better face to face. As for email, any email communication from any financial institution should be regarded as malicious and should be deleted without reading or opening them.
Until the Banks stop expecting users to triage emails we will be unable to raise the bar on your own financial security and identity protection.
If any financial institution has the audacity to try and argue against this, especially if they try it on cost grounds, then I suggest you look at moving to a Bank that puts your safety first. Only this morning I got x3 letters from my bank, all in separate envelopes, each contained one page of A4. A little bit of joined up process management in their mail room would have had those placed in a single envelope. If the banks can afford to do that then unilaterally terminating the use of email to communicate cannot be argued against using any cost criteria. Furthermore, the savings in fraud insurance will easily outweigh the cost of reversion to a more secure form of communication.
On a closing note it might also reduce the marketing spam from financial institutions.