FDIC Phishing Scam is an Object Lesson to us All
October 29, 2009 - Linda McGlasson
Just how good are you at getting the word out on phishing attempts against your institution?
The FDIC's alert this week is a great example of what needs to be told to customers.
On Monday, I was going through my inbox and spotted what I thought looked like two official FDIC emails. But the minute I opened them, I got suspicious. One was titled "FDIC alert: check your Bank Deposit Insurance Coverage." The other screamed "FDIC has officially named your bank a failed bank." Both had embedded hyperlinks that would take the person clicking on them somewhere other than the FDIC.gov site. I forwarded the two emails to the FDIC, although I'm quite sure they had already been alerted to them. A day later, the FDIC sent out its alert telling people that neither of these emails was from the agency. FDIC officials said they're working with US-CERT to determine the exact effects of the executable file.

In the meantime, for those of you waiting to hear whether I clicked on either of the links in those emails... No, I didn't. But that's not to say the average online customer of an FDIC-insured bank wouldn't fall for it, especially in the current environment of uncertainty about the soundness of financial institutions. Imagine someone's grandmother or great uncle seeing that email and clicking on it because they think their money is in danger.

Which leads to the question: just what are you telling your customers about phishing emails and security awareness? Are you doing enough to educate your customers so they won't fall for these "official" emails? I will guess that most bank and credit union security professionals think they're doing what everyone else is doing when it comes to customer education: putting up the requisite web page about phishing, the quarterly statement stuffer on identity theft, maybe a corner on an inside page of the monthly customer newsletter (if you still put one out). It's not as if you're playing the part of Chicken Little by alerting your customers to these phishing emails. But that is not enough any more; in fact, it is nowhere close to enough.
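The tell-tale sign the post describes is a link whose real destination is not fdic.gov, often hidden behind display text that reads like an FDIC address. As an added illustration (not code from the original post or from the FDIC), here is a small Python check that extracts every link from an HTML email body and flags those that leave the claimed domain, calling out the display-text mismatch separately. The sample message and its hostnames are constructed placeholders, not the real phishing email.

```python
"""Flag links in an HTML email whose destination is not the domain the
message claims to come from. Added illustration; the sample message
below is constructed and its hostnames are placeholders."""
from html.parser import HTMLParser
from urllib.parse import urlsplit


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> tag."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    """Return the lowercase hostname of a URL, or '' if it has none
    (a bare IP address is returned as-is)."""
    return (urlsplit(url.strip()).hostname or "").lower()


def belongs_to(host, domain):
    """True only if host is the domain itself or a real subdomain of it;
    look-alikes such as fdic.gov.example.net do not match."""
    return host == domain or host.endswith("." + domain)


def find_suspicious_links(html_body, claimed_domain):
    """Return a list of findings for links that leave the claimed domain.

    Each finding records the href, its visible text, the resolved host and
    a reason. The reason distinguishes the classic mismatch, where the
    visible text names the claimed domain but the href goes elsewhere.
    """
    parser = _LinkCollector()
    parser.feed(html_body)
    findings = []
    for href, text in parser.links:
        host = host_of(href)
        if belongs_to(host, claimed_domain):
            continue
        reason = "link leaves claimed domain"
        if claimed_domain in text.lower():
            reason = "visible text names claimed domain but href does not"
        findings.append({"href": href, "text": text, "host": host, "reason": reason})
    return findings


# Constructed sample resembling the messages described in the post. The
# hostnames are placeholders (RFC 5737 / reserved example names), not the
# real destinations of the phishing emails.
SAMPLE_EMAIL = """
<html><body>
<p>FDIC alert: check your Bank Deposit Insurance Coverage.</p>
<p>Review your coverage at
<a href="http://fdic-coverage-check.example.net/login">www.fdic.gov/deposit</a>.</p>
<p>Download the notice:
<a href="http://203.0.113.5/notice.exe">FDIC notice</a></p>
<p>Questions? Visit <a href="https://www.fdic.gov/">www.fdic.gov</a>.</p>
</body></html>
"""

if __name__ == "__main__":
    for finding in find_suspicious_links(SAMPLE_EMAIL, "fdic.gov"):
        print(f"{finding['reason']}: {finding['text']!r} -> {finding['host']}")
```

Run against the constructed sample, the check reports two of the three links: the one whose text reads like an fdic.gov address but points at a look-alike host, and the one pointing at a bare IP address serving an executable. The legitimate www.fdic.gov link passes. Links with no hostname at all (for example mailto: addresses) are reported as leaving the domain, which is the conservative choice for a triage tool.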
These phishing emails are coming in from every direction, like a recent IC3 alert that the phishers are now using United States Attorney General Eric Holder's name, among other federal officials', to scare people into clicking on and reacting to phishing emails. You should have the attitude that you're on the front line, passing back vital information to keep the war on cyber crime moving forward. Keep the information you're putting out there for your customers fresh, relevant and useful. Have a talk with your customers and reassure them, especially those who are using the internet for banking, about the big picture of security awareness and what they need to know. You'll find out that they're listening much more than you may have thought.

Comments (1)

To my horror, my own credit union has this message posted on its website:

"Consumer Awareness: IRS Phishing Scam. Apparently email notifications are being sent to people under the guise of the IRS. The Internal Revenue Service (IRS) does not discuss tax account matters with taxpayers by e-mail. If you receive an email from the IRS requesting information, WE RECOMMEND YOU SIMPLY DELETE OR IGNORE IT. For more information regarding IRS identity theft scams or to report a phishing scam please click learn more to visit the IRS website."

What's odd about this is that at the IRS link consumers are told to REPORT these emails:

"The IRS does not request detailed personal information through e-mail. The IRS does not send e-mail requesting your PIN numbers, passwords or similar access information for credit cards, banks or other financial accounts. Report suspicious e-mails and bogus IRS Web sites to phishing@irs.gov."

The CU in question does not have to handle the reporting themselves, just pass the ball to the IRS. This is a lost opportunity. To title it "Consumer Awareness" is a misnomer; it's really disinformation.

Posted by gknujon on October 30, 2009 @ 9:50 AM
Copyright © 2008 Information Security Media Group, Corp.