Why, oh why, do banks send phishing messages?

Written By: Peter Abrahams
Content Copyright © 2016 Bloor. All Rights Reserved.
Also posted on: Accessibility

Part of my accessibility practice deals with learning disabilities and support for naive users, especially amongst the elderly. Digital systems need to be simple and easy to understand and use but they also need to be safe to use, if they are to be considered accessible.

One clear message needs to get to people with learning disabilities, the naive and in fact to all digital users: if it looks like a fraud, it probably is. There are some clear indicators of fraud:

  • An offer that is too good to be true (the Nigerian Minister of Finance etc.).
  • A message seemingly from your bank to call a number you do not recognise.
  • A message to click on a link to reset your credit card account.
  • A request to fill in a form asking for personal details when it is not expected.

Our Banks, Credit Card companies, the Government and others all explain this to us and ask us to recognise this fraudulent phishing and not to be caught by it.

So it was with real amazement and anger that I was sent a phishing text message from my bank and later that evening was asked to fill out private credit card information on a theatre booking system.

The text from my bank said ‘There has been an unusual payment in your bank account, please call 030…. or 020… to talk to your bank’. It smelt to me of a phishing attack and I did not recognise either of the numbers, so I did not call either of them. I rang my bank using a number I knew. The text message was real and from my bank; I had made an unusual payment, and I was glad that they contacted me.

However, I think everyone should be angry, even incandescent, that a bank should send a message that has the hallmarks of phishing. The message should just say ‘Dear Sir, There has been an unusual payment request on your account, please contact your bank and ask for the fraud department as soon as possible so that we can process it correctly. Thank you’.

The same evening I tried to book some tickets at a theatre that I have been to many times. Everything went well until I tried to pay. I filled in my credit card details, hit submit and got a form to fill in saying ‘Please register for Mastercard Securecode’ and asking for various private details. I had not heard of Securecode and was not willing to register for something I did not know about via the website of a fairly small theatre (I trust the Theatre company but am less convinced that their website could not have been compromised). It took me an hour on the phone to my credit card company to find out what I was registering for and how to do it. I was not happy about the waste of time, especially when it was suggested I had been sent a letter about the change. Luckily the tickets were still available and I look forward to the show.

Again I was incandescent that I was asked to fill out a form that looked like phishing (I apologise to the operator for raising my voice but I hope she recognised that my anger was not with her but the company). I hope the recording of my conversation goes to top management.

So after these two incidents within hours of each other I am writing this article. It is important that the digital economy is a safe place for us all, but especially for people with learning disabilities, the naive and the old. That is only possible if recognising fraud is as easy as possible. Leading institutions sending out messages with the hallmarks of fraud makes that message impossible to get across. It also means that people like me, and I assume you, will just not respond to the message.

I will send links to this blog to the two specific institutions but I hope my message will be heard by all institutions.

Please, please, please do not communicate with your clients in any way that has the hallmark of phishing or fraud. Please communicate with your clients in a way that will encourage them to deal with any potential issues in a safe and effective manner. If you do not, I will move my custom elsewhere and suggest others do the same.