Since January, the number of financial institutions on Twitter has skyrocketed. At last count, no fewer than 500 retail banks and credit unions had a Twitter account. With more and more of them offering to help resolve service issue on Twitter, it’s inevitable that phishing attacks will soon target retail financial consumers…if it isn’t happening already. Here’s how a typical scam might look and what you can do about it.
In less than 15 minutes, someone can make an account on Twitter and start posing as a representative from your financial institution. They could use any one of dozens of possible screen names:
The profile page for the phony Twitterer could look 100% authentic, and maybe even better than your legitimate account (if you are already on Twitter). The impostor could even swear that they will “never ask for account details over Twitter,” as almost every financial institution on Twitter promises.
The con artist scans Twitter for people mentioning your financial institution. Preferably, they are looking for someone with a service issue. The impostor reaches out and establishes contact, reassuring the victim at every step how the financial institution will “never ask for account details on Twitter.” But they could easily ask for — and get — someone’s phone number: “Can you give me a phone number where someone from our service department can reach you today?”
Shortly thereafter, the call is placed. “John, our Twitter rep, has already given me a general overview of your situation,” the phone service rep explains. “But to get started, can I get your account number please?”
“And to verify who I am speaking with can I have your [social security number, mother’s maiden name, etc.]” A clever conman might even be able to extract online banking details while they have the victim on the phone.
To win the victim’s confidence, the phony service rep can tap away on their keyboard while promising them that the issue has been resolved and “everything is now taken care of.”
“Is there anything else I can help you with today? No? Well thank you for choosing ABC Bank.”
What You Can Do About It
It could be argued that financial institutions have a moral, financial and fiduciary duty to protect their customers from phishing attacks and identity theft. And don’t forget about the nasty PR impact any phishing attack can have on a financial brand. Inasmuch, here are five things you can do to combat phishing on Twitter.
- Use Twitter – A good defense starts with a strong offense, and you can’t understand Twitter and the phishing threats it presents if you aren’t familiar with the medium. By being active on Twitter with an established presence and ever-growing following, you put yourself in a better position to intercept customer inquiries. This the best possible strategy for combating phishing.
- Monitor Twitter – Every company in America needs to be running an aggressive, automated “scan and search” of the internet for any mentions of its name (and probable derivatives). That means you should be looking for people talking about your brand on Twitter, just like nefarious characters will do. There are a number of good tools out there that make the automation of this process easy. If you are the first to reach out to people talking about your financial institution, you’ll greatly reduce the potential for phishing attacks.
- Reserve Accounts – You should cybersquat a few of the more obvious combinations of your name (see example above). You don’t need to get carried away with this. Most financial institutions won’t need to squat more than a dozen or so variations. (Note: Twitter only allows one account per email address, so you’ll likely need a little help from your I.T. department to hook you up with enough email accounts: email@example.com, firstname.lastname@example.org, etc.) Each of your reserved accounts should include a URL in the bio pointing to your legitimate Twitter account.
- Twitter Account Authentication – If your financial institution is on Twitter, you should create a page at your main website that helps customers authenticate your Twitter account. This page should clearly list any/all official accounts your financial institution has on Twitter. The link in your Twitter bio should point to this page. (Tip: This page could fall under the “Contact” category of your main site.)
- Verified Twitter Accounts – Twitter has recently introduced “Verified Accounts.” The feature was originally introduced to help protect high-profile personalities (read: “celebrities”). Unfortunately, the people running Twitter aren’t the most business-savvy folks on the internet, so it may take them a while to realize there are thousands of companies who would gladly pay for this added level of security and protection. When/if Twitter wakes up to the money-making potential sitting in front of them, your financial institution should be first in line to have your account verified. Whatever it may cost, it’s sure to be less than the blow — both to your brand and its balance sheet — of a phishing attack. Twitter could probably charge as much as $495 and get most financial institutions to pay.