Educating Your Customers on Phishing
It’s often said that the biggest problem with information security is the space that is filled between the chair and the keyboard. While many of us in information security at financial institutions will shake our heads in agreement with that statement, the need for education of our customers is a pressing issue.
Who falls for these phishing emails that ask the reader to update their account information? None of your customers would respond to that kind of a request, you say. But how much have you done to educate your customers about the dangers of phishing, and what they should be on the lookout for when they open their email?
Markus Jakobsson, a noted phishing researcher and professor at Indiana University’s School of Informatics, says financial institutions need to do a better job of educating their clients about phishing and other forms of online fraud. “To an extent, banks are doing some education, but mostly this is dry descriptions and screen shots. This doesn’t really teach your customers to understand phishing,” Jakobsson noted. The majority of the online pages he sees on financial institutions’ websites “aren’t attractive enough that people feel like they want to read it.”
He noted two more problems: the information presented is “a bit scary and intimidating,” and the target audience doesn’t receive this information. He encouraged institutions to give clear instructions on how to spot a phishing email and on how to understand the underlying mechanism.
He added that through popular media customers are getting information about identity theft. “Reader’s Digest carried two stories on identity theft and what to do. These were very short and dry stories. These stories gave a couple of suggestions such as ‘don’t click on links’ and other things that customers are used to hearing,” he said.
But financial institutions are sending out emails with clickable links. “So it’s hard for the customers to know what are good links and what are bad links,” he continued. “It all boils down to understanding what is going on, and that is something that is not very well taught by institutions.”
Jakobsson pointed to one example of stronger education on phishing by Carnegie Mellon University, which employs video games to teach consumers about phishing. “This is notable because of the improved rates of people’s understanding of what is phishing,” he explained. Carnegie Mellon’s approach presented users an appealing way to learn about phishing, “where they actually would sit down and participate in it.”