When Email's in Doubt, Banks Turn to Twitter to Alert Customers

When online scammers recently targeted Westpac Banking Corp., the Australian bank used another online venue, Twitter, to warn consumers not to trust email.

The alert was in keeping with a trend of using social media to publicly expose online fraud attacks in real time.

Dave Jevans, chairman of the Anti-Phishing Workgroup, said Twitter Inc.'s microblogging service can be an effective way to spread security warnings.

"There's 500 million people on Facebook, and a lot of people don't even read their email anymore," said Jevans, who is also the chairman of IronKey Inc., a security firm. "Especially with the next generation coming up, they rely on social media much more than email."

Westpac tweeted a warning about a fake email advising customers to download a new security program. The email instead delivered a malicious program.

Jevans said that if phishing and other attacks are corrupting trust in email, it makes sense for banks to turn to Twitter and other social media to alert customers.

With Twitter, he said, banks can warn customers instantly, without emails that could be confused with the very phishing attempts they are warning customers to avoid.

"If you know of a phishing scam, putting something out on Facebook is a good way to get out the word in addition to the other things that you do," said Kevin Lynch, senior vice president of electronic commerce for 1st Mariner Bank, which has been active in a variety of social media for more than two years.

While social media has been primarily used by banks for information and customer service, in some cases it has been used to alert customers to problems in other channels, such as Bank of America Corp.'s notice of a temporary website outage earlier this year.

Jevans said warning about malware attacks is a new and effective use of social media, but it is also a strategy that requires banks to be wary of how crooks themselves can turn to these sites.

Scammers can use Twitter to spread false security alerts. Jevans said Twitter is testing a method for using out-of-band authentication to verify a user's identity, which he said is a good start toward security in that channel.

Banks need to be on the lookout for the various handles that are tied to their brand that can be used through social media for unauthorized purposes, Jevans said. He said he found a case in which three Twitter accounts were tied to one major bank, but the bank owned only two of the accounts.

"That's something that banks are going to have to get on top of. Banks are going to have to start thinking about social media and how it can be used to spread malicious" activity, he said. "Even if banks don't intend to use social media as a communication channel yet, they still should look at handles and look for people registering bogus handles."
