
Twitter Phishing: How Can It Be Stopped?

August 11, 2009

Since January, the number of financial institutions on Twitter has skyrocketed. At last count, no fewer than 500 retail banks and credit unions had a Twitter account. With more and more of them offering to help resolve service issues on Twitter, it’s inevitable that phishing attacks will soon target retail financial consumers…if it isn’t happening already. Here’s how a typical scam might look and what you can do about it.

The Setup

In less than 15 minutes, someone can make an account on Twitter and start posing as a representative from your financial institution. They could use any one of dozens of possible screen names:

  • ABCBank
  • ABC_Bank
  • ABC_Banker
  • ABCBank_Service
  • Your_ABC_Banker
  • ABC_Bank_Rep
  • ABCBank_Help

The profile page for the phony Twitterer could look 100% authentic, and maybe even better than your legitimate account (if you are already on Twitter). The impostor could even swear that they will “never ask for account details over Twitter,” as almost every financial institution on Twitter promises.

The Scam

The con artist scans Twitter for people mentioning your financial institution. Preferably, they are looking for someone with a service issue. The impostor reaches out and establishes contact, reassuring the victim at every step how the financial institution will “never ask for account details on Twitter.” But they could easily ask for — and get — someone’s phone number: “Can you give me a phone number where someone from our service department can reach you today?”

Shortly thereafter, the call is placed. “John, our Twitter rep, has already given me a general overview of your situation,” the phone service rep explains. “But to get started, can I get your account number please?”

“And to verify who I am speaking with can I have your [social security number, mother's maiden name, etc.]” A clever conman might even be able to extract online banking details while they have the victim on the phone.

To win the victim’s confidence, the phony service rep can tap away on their keyboard while promising them that the issue has been resolved and “everything is now taken care of.”

“Is there anything else I can help you with today? No? Well thank you for choosing ABC Bank.”

What You Can Do About It

It could be argued that financial institutions have a moral, financial and fiduciary duty to protect their customers from phishing attacks and identity theft. And don’t forget about the nasty PR impact any phishing attack can have on a financial brand. With that in mind, here are five things you can do to combat phishing on Twitter.

  1. Use Twitter – A good defense starts with a strong offense, and you can’t understand Twitter and the phishing threats it presents if you aren’t familiar with the medium. By being active on Twitter with an established presence and ever-growing following, you put yourself in a better position to intercept customer inquiries. This is the best possible strategy for combating phishing.
  2. Monitor Twitter - Every company in America needs to be running an aggressive, automated “scan and search” of the internet for any mentions of its name (and probable derivatives). That means you should be looking for people talking about your brand on Twitter, just like nefarious characters will do. There are a number of good tools out there that make the automation of this process easy. If you are the first to reach out to people talking about your financial institution, you’ll greatly reduce the potential for phishing attacks.
  3. Reserve Accounts - You should cybersquat a few of the more obvious combinations of your name (see example above). You don’t need to get carried away with this. Most financial institutions won’t need to squat more than a dozen or so variations. (Note: Twitter only allows one account per email address, so you’ll likely need a little help from your I.T. department to hook you up with enough email accounts: twitter1@bankname.com, twitter2@bankname.com, etc.) Each of your reserved accounts should include a URL in the bio pointing to your legitimate Twitter account.
  4. Twitter Account Authentication - If your financial institution is on Twitter, you should create a page at your main website that helps customers authenticate your Twitter account. This page should clearly list any/all official accounts your financial institution has on Twitter. The link in your Twitter bio should point to this page. (Tip: This page could fall under the “Contact” category of your main site.)
  5. Verified Twitter Accounts - Twitter has recently introduced “Verified Accounts.” The feature was originally introduced to help protect high-profile personalities (read: “celebrities”). Unfortunately, the people running Twitter aren’t the most business-savvy folks on the internet, so it may take them a while to realize there are thousands of companies who would gladly pay for this added level of security and protection. When/if Twitter wakes up to the money-making potential sitting in front of them, your financial institution should be first in line to have your account verified. Whatever it may cost, it’s sure to be less than the blow — both to your brand and its balance sheet — of a phishing attack. Twitter could probably charge as much as $495 and get most financial institutions to pay.
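As an added illustration of items 2 and 3 above (example code, not part of the original article): a small Python script that builds the reservation list of obvious handle variants for a brand and triages a batch of tweets into lookalike accounts to report and customer mentions to answer before an impostor does. The institution name “ABC Bank”, the official handle and the sample tweets are all constructed assumptions.

```python
import re
from itertools import product

BRAND = "ABC Bank"                 # constructed example institution
OFFICIAL = {"abcbank_official"}    # assumed: the handles the institution really controls
SUFFIXES = ("", "Service", "Help", "Rep", "Support")


def normalize(s):
    """Fold case and drop everything but letters/digits so ABC_Bank == abcbank."""
    return re.sub(r"[^a-z0-9]", "", s.lower())


def reservation_list(brand=BRAND):
    """Obvious handle combinations worth registering before a squatter does (item 3)."""
    parts = brand.split()
    handles = set()
    for base_join, suffix_join in product(("", "_"), repeat=2):
        base = base_join.join(parts)                  # ABCBank / ABC_Bank
        for suffix in SUFFIXES:
            handles.add(suffix_join.join(filter(None, (base, suffix))))
            handles.add(suffix_join.join(filter(None, ("Your", base, suffix))))
    return sorted(handles, key=str.lower)


def triage(tweets, brand=BRAND, official=OFFICIAL):
    """Split (author, text) pairs into brand-bearing handles you don't control
    and customers talking about the brand who should be contacted first (item 2)."""
    key = normalize(brand)
    lookalikes, mentions = [], []
    for author, text in tweets:
        if author.lower() in official:
            continue                                  # our own account, nothing to do
        if key in normalize(author):
            lookalikes.append(author)                 # possible impersonator: report it
        elif key in normalize(text):
            mentions.append(author)                   # customer mention: reach out
    return {"lookalikes": lookalikes, "mentions": mentions}


SAMPLE_TWEETS = [   # constructed sample data, not real accounts or tweets
    ("ABC_Bank_Help", "@janedoe Sorry about that. We never ask for account details on Twitter."),
    ("janedoe", "Third day in a row my ABC Bank card gets declined. Anyone else?"),
    ("abcbank_official", "Reminder: we will never ask for account details on Twitter."),
    ("coffeelover", "Best latte downtown, no contest."),
]

if __name__ == "__main__":
    print("reserve:", ", ".join(reservation_list()))
    print(triage(SAMPLE_TWEETS))
```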

To learn more about how financial institutions are using Twitter, pick up your copy of “Connecting to Customers with Twitter: The Comprehensive Guide to Twitter for Financial Institutions,” by Jeffry Pilcher, Publisher of The Financial Brand. It’s 80 pages of strategies, analysis, examples and how-to advice.


Filed Under: Social Media

8 Responses

  1. Ron Shevlin:

    What about “don’t use Twitter”? Is that not a viable alternative? Many banks have issued statements to their customers indicating that they don’t do any kind of email marketing, and that any offer received through email should be assumed to be fake.

    Why shouldn’t a bank or CU say “We do not have a Twitter presence, and therefore, anyone representing themselves on Twitter as being a representative of the bank should be ignored”?

  2. Editor:

    @Ron – I suppose that would work, although swearing off all forms of “email marketing” seems a bit drastic.

    I’d still recommend that the financial institution reserve its own name(s) on Twitter with this message. And every company in America should monitor the web for people talking about their brand, whether they use social media tools or not.

  3. james w:

    Why do banks swear off email marketing?

    As a young person (I deliberately avoided the gen y buzzword ;P) I would rather marketing stuff be sent to me by email, rather than mail.

    If I’m interested, I get the offer instantly, and if I’m not interested, all I have to do is hit delete with no environmental impact.

    The business case is pretty straightforward too. No postage or physical production costs.

  4. Kent Dicken:

    Good information and plan of action. Now if I can only get myself to actually use Twitter.

    @Ron – It seems to be more about insurance than simply a media choice. Issuing a statement won’t stop a phisher, and anyone that does not see or read said statement won’t know you issued one. From a customer’s viewpoint it sounds more like the bank would rather not be bothered. Or at least it tells me they can’t be bothered by the types that use Twitter and email.

    I agree with James. Why would anyone, even a bank, rule out email as a customer’s preferred means of communication? Seems very short-sighted.

  5. Kasey Skala:

    Financial institutions that do not use Twitter or at least monitor the service are only harming themselves. The fact is the trend is moving toward online banking and mobile banking. It only makes sense to have an online presence. This same argument was probably made when financial institutions were starting to implement online banking. There will always be critics, but the ROI is too great to ignore.

  6. The Financial Brand » Blog Archive » Vantage CU’s Twitter banking breakthrough:

    [...] a hacker controlling a financial institution’s Twitter profile doesn’t need anything else to wreak havoc and steal people’s [...]

  7. The Financial Brand » Blog Archive » Twitter phishing: It’s here, now:

    [...] months ago, The Financial Brand warned of the phishing risks financial institutions face on Twitter. Yesterday, at least two financial institutions had their official corporate Twitter [...]

  8. The Financial Brand » Blog Archive » Petition to verify Twitter accounts for financial firms:

    [...] Financial Brand has warned of the dangers of phishing attacks on financial institutions’ Twitter accounts ever since January, when BofA first started offering customer service via [...]
