Ask HN: Should Banks Phish Their Own Customers
At my previous job, the bank used GoPhishMe to conduct internal phishing tests on employees. Clicking a dubious link or downloading a shady file led to an informative email about the dangers and tricks used by real cybercriminals.
What are your thoughts on extending this practice to bank customers?
63 comments
[ 3.7 ms ] story [ 114 ms ] threadSo my train-of-thought goes something like: If my customers are going to get hacked, its better they get hacked by my good-guys than actual criminals. If they're more suspicious about clicking on links from my bank (or links that LOOK like they're from my bank) - it isn't necessarily a bad thing.
Yeah but they are not mutually exclusive.
I suppose with internal users you can theoretically target test-failures for individual training or performance intervention - for customers you can’t do that.
That annoyed me to no end.
Literally the email domain, address, company, etc would match something in real life (I checked).
Is that phishing or just being a dick?
It was obviously fake, but the timing was so suspicious, and it came in to the wrong email address - so my first thought was not ‘ah, here’s my Google play invoice’; nor was it ‘ah, a phishing test, let me report it and feel smug’. It was ‘oh crap, my phone must be compromised’ - if someone knows I just updated a Google play subscription, and they cross-associated it with my work email, the only place those come together is on my phone.
Then when I got confirmation that it was a simulated phishing email, my second thought was ‘wait, did the corporate endpoint security system monitor that I was just on the Google play store and send me a targeted phishing attack?’ - which is a significant hit to the degree of trust I place in my employer.
Turns out no, it really was just a randomly selected phishing template and a wild coincidence. But for me it says it is a very bad idea to send out phishing emails that masquerade as real services your employees might use in their private life.
The ironic thing is what made me realize it was legitimate: She was initially asking me about my physical address; I didn't give her the information but asked what she had on file. Two numbers were transposed. When I realized it was probably legitimate was when she was trying very hard to send me a bill for a statement they mailed to the wrong zip code, and she was insisting that I must have lived in that town at some point.
I told her I wasn't going to pay them a cent for a mistake on their part, and that I needed to talk to my local branch. So I hung up, called them, and found it it was legitimate. One of the employees transposed two digits on an account I'd just set up about a month prior.
But holy crap do you have to be careful about giving any information out. I can't imagine if this had been a phishing attempted from the bank itself. I think I would've dumped them to be sure!
Good for the company because it increases the savviness of their customers, good for customers because they become more savvy (and make a few extra bucks)
I had a half-semester that was called "economics" but was basically an old dude ranting about of bunch of this kind of shit, very informative, not sure it was really from the text book.
[0] https://phishingquiz.withgoogle.com/
I can sympathize with a bank wanting to at least offer some sort of anti-phishing something to their customers. After all, it is the bank that has to deal with it when things go wrong. They have already started some customer education attempts with "we will never call you" type of things. This could just be the next step in that.
I've reported my ATM card phished+stolen before. I took money out from an ATM in a bodega in a bad part of town (where the thief was apparently watching me input my PIN through the window); and then, when I stepped outside, the thief mugged me for the ATM card.
Luckily, they only got ~$1000 from the account (= my daily withdrawal limit at the time); and the bank reimbursed me for this.
Annoyingly, to get the bank to do that, I had to file a police report, and give them the investigation number.
I also (obviously) had to change my PIN.
Ever since then, though, my ATM card will no longer work at bodega ATMs in this bad part of town. (I worked in the area at the time, so this was easy to notice.) It also doesn't work for the PoS systems in the bodegas themselves! However, it still works fine in ATMs at real banks in the bad part of town; and at ATMs / PoS systems in other, less-sketchy parts of town.
My belief is that, once my bank had to pay out an theft-insurance claim for the account, they labelled me in their internal systems as "at high risk of being a victim of future theft" (a.k.a. an "easy mark") — and this then bumped up my account's "paranoia level" to protect against future theft. So now, my bank, when being asked to authorize any ATM transaction, will reject the transaction if the business making the request has ever been associated in their systems with fraud/theft claims (even as an intermediary); or if the business has a high rate of refunds; or doesn't have enough history; etc.
In other words, the bank seems to internally assign businesses a kind of "credit score" for authorizing transactions; and a transaction is only authorized if the business's "credit score" exceeds the customer account's "safety threshold." My safety threshold was increased, so low-credit-score businesses can no longer interact with me through the bank.
---
It should be clear what I'm getting at here: failing an internal-red-team phishing test, should bump up a given customer's accounts' fraud-risk safety threshold.
If a customer fails this, their internal risk score goes up, which should increase the scrutiny/friction of future interactions between them and the bank.
(my employer runs these sorts of tests and I'm fine with it, the expectations in that relationship are quite different)
Add some credits (maybe real money) if a customer reports correctly the phishing to the bank instead of ignoring it or falling for it? The downside could be a lot of pressure on the security related part of customer service so they should plan to get only a few reports per day.
Without the support infrastructure of internal company communication, phishing your customers most likely leads to more confusion and open support tickets.
That way the bank doesn't have to worry about any legal or good will issues from doing this.
Bank.com hires pen-testers to trick people to go to Bank.evil, spill their ID/Password/OTP.
The customers who need phishing training are going to become more confused. Since some of the phishing emails now come from the bank, they are going to have a harder time than ever figuring out which emails are legitimate.
Offer free guides and classes to help your customers learn to remain safe. Do not include phishing tests that erode trust and confuse your most vulnerable customers.
A headline like “ABC Bank admits to phishing its customers” would most likely be the end of ABC Bank.
At work I’m ok with it though. Certain roles move millions on cash regularly so fire drills are just part of life
Even if I could, I would still be dubious. It seems that the long-term efficacy of phishing tests is still disputed.
Should we place dummy card skimmers on gas pumps to teach people to be cautious of credit card fraud? Would you conduct a similar campaign over the phone or in person?
Don't lie to your dependents. Secure your infra.
and the dummy skimmers on gas pumps isn't a bad idea, there's a lot of people who have probably still never heard of them, although maybe videos would reach a wider audience for this one as having this irl could cause actual problems. whereas fake phishing emails to vulnerable customers will force them to wisen up.
even if its something that shouldn't need to be implemented at your bank, because there are better solutions, it can still help them elsewhere in life.
To take the example to the absurd, should we entrap people to teach them not to commit crimes?
I'm also not arguing that it is ineffective, I just view it as morally ambiguous and sowing distrust.
As far as customers go, good luck. I'd drop a business that treated me this way without a second thought. The method only works if administered from a position of authority.
You will never be able to block 100% of legit phishing attempts, your employee alertness is another layer of defence.
We have solutions to most of the phishing attacks, but most people find them hard to use or don't want to use them as they are seen as not important. I've made comments to several companies that SMS or TOTP based MFA is not phish-proof and that they need to implement something stronger, but it often is ignored.
and how would they work with smartphones, as banks a increasingly making them first-class banking clients?
* Zero links on legitimate emails. Any email with a link is automatically a phishing attempt.
* Minimal content in mails. Any personal details other than my email address and first name absent in the notification. All the relevant content in the secure messaging section of my customer access.
* Clear categories of emails, and an easy way to unsubscribe from each.
* Direct-to-support-team phone numbers advertised in the website.
* Periodic reminders about good practices (e.g. a legitimate mail will never ask you to follow a link or click on a button; a one-time code can only be entered in the app and never used in any other way or given to anyone through any channel).
* ability to confirm email validity by logging into my bank and seeing same email in their communication queue with me
My bank sends me emails, and I have no way to confirm that the bank really sent them.
Then you receive an email from your "securebank.com"
from: "securebank-communications.com"
title: "Beware of fraudsters sending emails and text messages"
body: "Tap here to install our latest secure mobile app"