Banks and other financial institutions that offer Internet banking services continue to be their own worst enemies in the fight against cyber crime. Maybe they have the best security operating inside their data center walls. But outside, their emails to potential victims of Internet fraud leave a lot to be desired.
Let’s examine the following fraud notification attempt from Checkfree, using a baseball perspective. Note that the batter discussed in this case is me. The email arrived in my personal mail box with a large “Checkfree” logo:
Strike One
The sender’s address on the email reads checkfreebillpay@customercenter.net rather than customerservice@checkfree.com, which is what I would have expected from someone working at Checkfree. Does Checkfree actually use customercenter.net? It turns out they do, but the average consumer doesn’t know that and probably won’t take the steps to find out.
Strike Two
My home address appears in the upper left corner of the email. Everything is correct except my zip code, which, because I live in Connecticut, has a leading zero (for example, “06103” is a valid zip code for Hartford). The “Checkfree” email dropped the leading zero, which is normal for people and companies that haven’t a clue about American zip codes. Big swing and a miss there!
Strike Three
The letter tells me that the computer I use for online bill payment may have been exposed to software that puts the security of my computer’s contents at risk. The letter then lists four conditions that may indicate my computer has been infected. The first one reads as follows:
“You attempted to access online bill payment between 12:30 a.m. and 10:10 a.m. Eastern time (GMT -5) on Tuesday, December 2, 2008.”
I stopped right there to ask if it is physically possible for anyone to access anything between 12:30 a.m. and 10:10 a.m. on the same day. Not in my book. As the umpire of my Internet security, I declared this email “Out!”
Out of curiosity, I sent this email to my team of Internet security experts for a forensic analysis. To my surprise, the experts arrived at the opposite conclusion! Here are their arguments:
UnStrike One
Checkfree’s customer service center really does operate out of customercenter.net. Going to Checkfree.com and clicking on the customer service link does indeed take you to customercenter.net.
UnStrike Two
My experts said the four-digit zip code printed in the email may be the result of bad programming. Their reasoning? “Usually, if you have a ‘0’ as the initial number, most applications will strip it, thinking that it is both a waste of space and a silly rendition of a number in select circumstances. What if I told you I was 026 years old?”
UnStrike Three
The odd time of day is truly odd. But 12:30 a.m. is actually the correct start of a 9-hour, 40-minute incident that concluded at 10:10 a.m. Had the letter said 12:30 p.m., the incident could not have happened.
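As an added example (not code from the original post or from Checkfree), the following Python puts both of the experts’ points into code: how pushing a ZIP code through an integer type silently drops the leading zero, how to render it correctly instead, and how to check whether a reported time window like the one in the letter is even possible on a single day. The customer record is constructed for the example.

```python
import re
from datetime import datetime

# Constructed sample record, as it might come out of a legacy system that
# stored ZIP codes in an integer column (so "06103" has already lost its zero).
SAMPLE_RECORD = {"city": "Hartford", "state": "CT", "zip": 6103}


def buggy_zip(value):
    """Reproduce the mistake in the Checkfree email: treating a ZIP code
    as a number. int() discards the leading zero, so "06103" prints as 6103."""
    return str(int(value))


def render_zip(value):
    """Treat a ZIP code as an identifier string, not a number.

    A value that arrived as a short run of digits (e.g. 6103 from an integer
    column) is zero-padded back to five digits; anything that still does not
    look like a 5-digit or ZIP+4 code is rejected rather than silently mangled.
    """
    text = str(value).strip()
    if text.isdigit() and len(text) < 5:
        text = text.zfill(5)
    if not re.fullmatch(r"\d{5}(-\d{4})?", text):
        raise ValueError(f"not a valid US ZIP code: {value!r}")
    return text


def window_duration(start_text, end_text):
    """Length of a same-day time window written as "12:30 a.m." / "10:10 a.m.".

    Returns a timedelta, or None when the end does not come after the start
    on the same day (which is why "12:30 p.m. to 10:10 a.m." could not be
    a same-day incident, while "12:30 a.m. to 10:10 a.m." is 9 h 40 min).
    """
    fmt = "%I:%M %p"

    def parse(text):
        # strptime's %p expects "AM"/"PM"; the letter writes "a.m."/"p.m."
        return datetime.strptime(text.replace(".", "").upper(), fmt)

    start, end = parse(start_text), parse(end_text)
    if end <= start:
        return None
    return end - start


if __name__ == "__main__":
    print("buggy:  ", buggy_zip("06103"))                          # 6103
    print("correct:", render_zip(SAMPLE_RECORD["zip"]))             # 06103
    print("window: ", window_duration("12:30 a.m.", "10:10 a.m."))  # 9:40:00
    print("p.m.:   ", window_duration("12:30 p.m.", "10:10 a.m."))  # None
```

The fix for the zip code is a data-type decision, not a formatting trick: a ZIP is an identifier, and the moment it is stored or passed around as an integer the leading zero is gone for every customer in the Northeast.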
My experts also pointed out that scammers usually cast as wide a net as possible. This email does the opposite – narrowing the net by stipulating that all four conditions be true before taking the next step.
So they’re right and I’m foolish. My guys have calmed me with the advice that “being too cautious in situations like this is never a bad thing.” How can I quibble with that? Best practice is still to contact the company directly at a number you know to be theirs. We recommend going to the Checkfree web page to get the company’s phone number, and note that the phone number in the email didn’t match any of those numbers!
But here’s the point – the email raised so many questions about its own legitimacy that I’m sure the other recipients believed it was a fraud, too. Living under the shadow of Internet crime, that’s not good enough.
If we’re going to protect the Internet business channel, we need to establish trust in every interaction with our customers. Haste in these circumstances doesn’t just create waste; it throws the baby out with the bathwater.