BofA's Customers Get Schooled in Phishing

Ah, the teachable moment. For parents, teachable moments often come when kids are in tears, fresh off a major disappointment or minor injury and not really expecting to learn anything at all.

Banking has its own teachable moments, and Bank of America has engineered more than 60,000 in the past few months as it educates customers about the perils of phishing emails. As part of the bank's proactive takedown strategy, known malicious sites are replaced with a redirect to an Anti-Phishing Working Group educational page that gently informs consumers they've almost 'just been had.'
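The mechanism described above, a neutralized phishing URL that now answers with a redirect to an education page, is simple to sketch. The following is an added example and not Bank of America's, the APWG's, or CyLab's code; the education page URL, the campaign identifiers and the list of takedown paths are all placeholders constructed for the example, and it assumes the takedown team already controls the hostname so that requests for the old phishing links reach this handler.

```python
"""Post-takedown 'teachable moment' redirect (illustrative example).

Assumptions, none of which come from the article: the seized phishing
hostnames resolve to this handler, EDUCATION_PAGE is a placeholder rather
than the real APWG landing page, and TAKEDOWN_PATHS is a constructed sample.
"""
from collections import Counter
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlsplit

# Placeholder for the education landing page (not the real APWG URL).
EDUCATION_PAGE = "https://education.example/phishing-landing"

# Constructed sample: URL paths used by neutralized phishing kits, keyed to a
# hypothetical campaign id so the redirect can be attributed in metrics.
TAKEDOWN_PATHS = {
    "/login/verify.php": "campaign-001",
    "/secure/update-account": "campaign-002",
}

# Per-campaign count of redirects served, i.e. of teachable moments delivered.
hits = Counter()


def redirect_for(host, path):
    """Decide the response for a request that reached a seized phishing host.

    Returns (status, location, campaign). Every request is redirected; paths
    not in the takedown list are still sent to the education page and are
    attributed to the host so the metric is not silently lost.
    """
    clean_path = urlsplit(path).path.rstrip("/") or "/"
    campaign = TAKEDOWN_PATHS.get(clean_path, f"unlisted:{host}")
    hits[campaign] += 1
    # 302 (temporary) so browsers do not cache the hop beyond the takedown
    # window; the ref parameter carries only the campaign id, never user data.
    return 302, f"{EDUCATION_PAGE}?ref={campaign}", campaign


def teachable_moments():
    """Total redirects served since start-up."""
    return sum(hits.values())


class TeachableMomentHandler(BaseHTTPRequestHandler):
    """Minimal HTTP handler: never serve content, always redirect."""

    def do_GET(self):
        status, location, _ = redirect_for(self.headers.get("Host", ""), self.path)
        self.send_response(status)
        self.send_header("Location", location)
        self.send_header("Cache-Control", "no-store")
        self.end_headers()

    # Phishing forms typically POST credentials; the body is never read or
    # stored, the victim is simply redirected to the education page.
    do_POST = do_GET


if __name__ == "__main__":
    HTTPServer(("127.0.0.1", 8080), TeachableMomentHandler).serve_forever()
```

Running the module starts a local listener on port 8080; `redirect_for` is kept separate from the handler so the attribution logic can be exercised without a socket, and `teachable_moments()` gives the running count that a program like the one in the article would report.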

"It's a teachable moment when we can say, 'You just got phished, here's how you can prevent it from happening again,'" says David Shroyer, SVP of online security and enrollment at Bank of America. BofA is the catalyst behind the effort - the institution even patented the idea, mostly out of fear of patent trolls glomming on - but it's meant to be an industry-wide initiative, nurtured by BofA, the APWG and the phishing braintrust at Carnegie Mellon's CyLab Usable Privacy and Security Laboratory. Between July and December 2008, APWG received reports of almost 138,000 unique phishing sites and 174,000 unique phishing emails; financial services was the most targeted sector, attracting 40 percent of the attacks in the fourth quarter of 2008.

And while educators and parents everywhere know about the teachable moment, academics at Carnegie Mellon verified that the theory holds true for phishing with an experiment conducted on 500 students, faculty and staff. Some members of the group received an ordinary email containing anti-phishing education material; this group spent an average of nine seconds reading the tips. Another group was sent a fake phishing email, and the training was delivered after they followed the phony link. This group spent an average of two minutes reading the advice, says Lorrie Cranor, associate professor of computer science and engineering and public policy at Carnegie Mellon University. The big payoff: those who spent more time reading the material were less likely to be duped by the next phishing email they received. "We needed to find a time that they're convinced they need education. When somebody feels, 'Wow, I just fell for something,' now they have motivation," Cranor says, adding that the researchers also tested a handful of messaging approaches on the education pages, searching for the one that offered the most learning without offending or upsetting consumers. "We take a very constructive approach, we try to make it very inviting and fun with characters [that] look very friendly."

Characters that are fun, friendly and inviting as the anti-phishing ambassadors; maybe bank customers aren't all that different from kids when it comes to teachable moments.

MORE FROM AMERICAN BANKER