B of A: Phishing Victims Won't Get Fooled Again

Bank of America Corp. is fighting fraud by teaching customers at the exact moment they are fooled.

The Charlotte company has developed a system that redirects people who are tricked into visiting phishing Web sites to a site that teaches them how to avoid such online scams, and it is teaming up with the Anti-Phishing Working Group to encourage other financial companies to follow its lead.

"It's a teachable moment when we can say, 'You just got phished. Here's how you can prevent it from happening again,' " said David Shroyer, B of A's senior vice president for online security and enrollment. "We've had almost 60,000 teachable moments" in initial usage. "That's 60,000 people who aren't going to get phished again."

B of A has patented the technology, though Shroyer said that was aimed mainly at preventing a third party from claiming ownership of the idea, and the company wants its method to become an industrywide initiative.

"While security still maintains a competitive advantage in some places, fighting fraud that affects all of us is not a place where that competitive advantage exists," Shroyer said last month during a panel discussion at a conference sponsored by EMC Inc.'s RSA Security. "This is a global issue affecting all consumers. I don't feel comfortable as a good corporate and Internet citizen … [keeping secret] something that makes us better. Let's make the industry better."

When bankers identify a phishing site, the typical response is to ask the Internet service provider hosting it to shut the site down; with this initiative, bankers are also getting ISPs to redirect anyone who still follows the phishing link to an educational page instead.

B of A, the Anti-Phishing Working Group and researchers at Carnegie Mellon University worked together to design the educational page. It explains how phishing works, why someone might have been fooled into visiting a fake Web site and how to avoid falling for such scams in the future.

The backers have created a generic page that any financial company can use, and financial members of the Anti-Phishing Working Group can use a version that features their brand names.

In phishing, criminals try to trick victims into visiting sites that ask them to reveal personal information that could be used for identity theft.

The security group is hosting the educational site and has created a standardized e-mail that bankers can send to ISPs requesting that a known phishing site be taken down and including details about how to redirect people to the educational page.
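The article describes the mechanism at the level of an e-mail to the ISP, not at the level of what the ISP actually configures. The following is an added example, not code from Bank of America, the APWG or any ISP, of the minimal front end an ISP could place on a suspended host to perform that redirect. The education page address (EDUCATION_URL) is a placeholder, since the article does not give the real one, and the suspended hostnames are constructed sample data. Two practitioner points are built in: the redirect uses 303 See Other so a browser that was mid-POST on the phishing form follows with a GET and drops the credentials it was about to submit (307/308 would replay the form body to the education site), and the original path and query string are discarded rather than forwarded, because phishing URLs frequently embed the victim's e-mail address or a campaign token.

```python
"""Takedown redirect for a suspended phishing host.

Added example, not code from Bank of America, the APWG or any ISP. It
assumes a hypothetical education landing page URL (the article does not
give the real address) and a constructed list of suspended hostnames.
"""
from urllib.parse import urlencode
from wsgiref.simple_server import make_server

# Assumption: placeholder standing in for the APWG-hosted education page.
EDUCATION_URL = "https://phish-education.example.org/"

# Constructed sample data: hostnames the ISP has confirmed as phishing and
# suspended, each mapped to the brand variant of the page to show
# ("generic" when the targeted brand is not an APWG member).
SUSPENDED_HOSTS = {
    "secure-login-bankupdate.example.net": "bank-a",
    "verify-account.example.org": "generic",
}


def normalize_host(host_header):
    """Lower-case the Host header and strip any port so lookups are exact."""
    return host_header.split(":", 1)[0].strip().lower()


def redirect_for(host_header):
    """Return (status, headers, body) for a request to a suspended host,
    or None when the host is not on the suspended list.

    The Location is fixed per brand and never derived from the request,
    so the suspended host cannot be abused as an open redirect.
    """
    brand = SUSPENDED_HOSTS.get(normalize_host(host_header))
    if brand is None:
        return None
    # 303 See Other makes the browser follow with GET and discard any form
    # body, so credentials typed into the phishing form are not replayed to
    # the education site (307/308 would forward the POST body verbatim).
    # The original path and query string are deliberately dropped: phishing
    # URLs often embed the victim's e-mail address or a campaign token.
    location = EDUCATION_URL + "?" + urlencode({"brand": brand})
    headers = [
        ("Location", location),
        ("Cache-Control", "no-store"),
        ("Content-Type", "text/plain; charset=utf-8"),
    ]
    body = b"This site was shut down as a phishing site. Redirecting...\n"
    return "303 See Other", headers, body


def app(environ, start_response):
    """WSGI front end an ISP could put in front of a suspended host."""
    result = redirect_for(environ.get("HTTP_HOST", ""))
    if result is None:
        start_response("404 Not Found",
                       [("Content-Type", "text/plain; charset=utf-8")])
        return [b"Not found\n"]
    status, headers, body = result
    start_response(status, headers)
    return [body]


if __name__ == "__main__":
    # Run stand-alone: point a suspended hostname at this server and browse to it.
    with make_server("127.0.0.1", 8080, app) as server:
        server.serve_forever()
```

Because the redirect target is fixed per brand and nothing from the request is reflected into it, a suspended host cannot be repurposed by a phisher as an open redirect toward a new lure; the Cache-Control header keeps intermediaries from caching the 303 beyond the takedown.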

Lorrie Cranor, an associate professor of computer science and engineering and public policy at Carnegie Mellon, helped develop the technology for this effort. She said the redirection service went live at the start of October; since then more than 70,000 people have been sent to the educational page from more than 4,000 shuttered phishing sites.

The vast majority of these visitors are B of A customers, though a handful of other financial companies, which Cranor would not name, are also using the service.

Laura Mather, a managing director of operational policy at the Anti-Phishing Working Group, said the page is available in English, Spanish and French and will eventually be translated into more than 20 languages.

Mather, who is also the founder of the security software vendor Silver Tail Systems Inc., said the redirection service will help bankers present a unified front to both consumers and ISPs.

"If all the brands went and did their own initiative, the language wouldn't be consistent on the pages. Doing this through APWG is much more efficient. There's one message to consumers, one e-mail to send to the ISPs, and when they get it, they know what it means," Mather said. "Our goal is 100% coverage."

Peter Cassidy, the group's secretary general, said phishing is a widespread tactic. Between July and December of last year, his group received reports of nearly 138,000 unique phishing sites.

Financial services companies were the targets in 40% of the attacks tallied by the group in the fourth quarter, making it the most-phished industry.

Cranor said educating users the moment they have fallen for a phishing e-mail capitalizes on the "teachable moment" that researchers at Carnegie Mellon's CyLab Usable Privacy and Security Laboratory verified in an experiment conducted with 500 students, faculty and staff.

Some participants received just an e-mail containing educational material; this group spent an average of nine seconds reading the tips. Another group was sent a phishing e-mail, and the training was delivered after they followed the phony link. This group spent an average of two minutes reading the advice, Cranor said. Those who spent more time reading the material were less likely to be duped by the next phishing e-mail they received.

"Normally end users don't really care that much about computer security. It's not something they feel they should spend time working with," Cranor said. "We needed to find a time that they're convinced they need education. When somebody feels, 'Wow, I just fell for something,' now they have motivation."

The researchers also tested a handful of messages on the education pages to find which one was the most effective while not offending or upsetting consumers. "We wanted something that people could see they made a mistake, but we shouldn't beat them up over it," Cranor said. "We take a very constructive approach. We try to make it very inviting and fun with characters that look very friendly."

Carnegie Mellon spun the effort out of the research lab into a for-profit company, Wombat Security Technologies Inc., which hopes to sell its training services and filtering software to banks and other companies.

MORE FROM AMERICAN BANKER