Westpac, Other Banks Use Twitter to Warn of Fraud
Social media sites are starting to be used to spread the word about possible fraud. But the venue also carries risks of its own.
Bank Technology News | June, 2011
When Westpac was recently targeted by web crooks, the Australian bank used another online venue to warn consumers, sending a Tweet warning consumers of the crime. The alert was part of a new trend—using social media to publicly expose online fraud attacks in real time—that Anti-Phishing Workgroup Chairman Dave Jevans says can be an effective way to spread security warnings, if it’s done right.
“There’s 500 million people on Facebook, and a lot of people don’t even read their email anymore,” says Jevans, who’s also the chairman of IronKey, a security firm. “Especially with the next generation coming up, they rely on social media much more than email.”
In the case of Westpac, it tweeted an alert warning of a fake email that claimed to advise customers to download a new security program. The email instead carried a Trojan download. Jevans says that if phishing and other attacks are corrupting trust in the email channel, it makes sense that banks would look to Twitter and other social media to alert their customers.
By using Twitter, he says banks can warn customers instantaneously, without sending emails that could be construed as a malicious phishing attempt.
“If you know of a phishing scam, putting something out on Facebook is a good way to get out the word in addition to the other things that you do,” says Kevin Lynch, svp of electronic commerce for 1st Mariner Bank, which has been active in a variety of social media venues for more than two years.
While social media has been primarily used by banks as an informational and customer service venue, in some cases it’s being used to alert customers of outages in other channels, such as Bank of America’s alert of a temporary web outage earlier this year. Jevans says using such sites to warn about malware attacks is a new and powerful use, but is also a strategy that requires banks to be aware of how Twitter, Facebook and other sites can be used by crooks themselves.
Tweets could be used to spread false security alerts, similar to how email is used by fraudsters. Jevans says a beta program at Twitter in which out-of-band authentication is used to verify a user’s identity is a good start toward security in that channel.
But he also says banks need to be aware of the various handles that are tied to their brand that can be used on social media for unauthorized purposes. He says he has found a case in which there were three Twitter sites tied to one major bank, which only owns two of the sites.
“That’s something that banks are going to have to get on top of. Banks are going to have to start thinking about social media, and how it can be used to spread malicious [activity],” he says. “Even if banks don’t intend to use social media as a communication channel yet, they still should look at handles, and look for people registering bogus handles.”