While the epidemic of “phishing” — hoax bank emails intended to fool customers into disclosing access details — may be on the wane, some banks may be confusing customers by using email themselves as a prime medium of communication.
The advice to “delete suspicious emails” is reasonably well embedded in the internet-literate community, but customers, bank staff and even the regulators are struggling to explain banks’ email protocols.
No bank has given up completely on email, although Kevin Zucatto from the Australian High Tech Crime Centre was under the impression that banks no longer use email. His initial advice was: “Ignore all emails from banks”.
When informed that banks are still using email, his advice became: “If you are not expecting an email, then check with your bank, make enquiries over the phone”.
One bank where there may be an above-average level of uncertainty is Commonwealth Bank, amid ongoing phishing campaigns targeting the bank’s NetBank service.
CBA’s public relations staff originally told The Sheet, “We don’t send emails to our internet banking customers, full stop.” Another CBA spokesperson later said that the bank sends automated confirmations of NetBank transactions via email, although this information was not quite correct either.
Further enquiries determined that NetBank sends automated emails to customers when they use a transaction type for the first time. It is these apparently “out of the blue” emails that are leaving customers unsure.
St George Bank uses emails to notify customers who opt to receive them. Westpac says it does not ask for personal security details in emails. ANZ does not send out emails requesting personal or account information. NAB said advice on internet banking will only be communicated electronically via the secure messaging facility within their internet banking interface.
Citibank’s recent phishy-looking email to its internet banking customers, which informed them of changes to the online platform and directed them to log on to the website and enter their details, created considerable confusion and attracted considerable criticism from the industry.
A Citibank spokesperson said that: “The email you are referring to was part of an awareness campaign to inform our customers about Citibank’s new online banking system which now provides additional security to customers.”
David Bell says the email issue will be addressed in the upcoming review of the EFT Code of Conduct.