How to Tell Customers You're Under (Cyber) Attack
For bankers, alerting customers about online banking outages in the midst of a cyberattack is a lot like the task the flight crew faced in the movie "Airplane!"
"There's no reason to become alarmed," a flight attendant named Elaine tells passengers. "By the way, is there anyone on board who knows how to fly a plane?"
On an airliner or at a bank, it takes a deft touch to provide critical information in a crisis without amplifying the alarm - a task that's particularly challenging for a heavily regulated financial institution.
Since September, banks' skills in dealing with angry customers have been heavily tested during online banking outages caused by ongoing distributed denial of service (DDoS) attacks.
With banks, there's information that can't be disclose because of regulation. There's concern that if certain details become public they'll prolong the attacks. There's worry that digital updates will unnecessarily scare consumers. There's even an uncertainty around what words to use: To call it a cyberattack or not to call it a cyberattack?
Despite these fears, banks need to say something: People notice when a channel they have come to rely on goes down. Ignoring the problem will likely make the situation worse, analysts say.
"Banks don't have a choice," says Alphonse Pascual, senior analyst of security, risk and fraud at Javelin Strategy & Research. "Banks can tell customers what is going on or [customers] will catch it on CNBC. It's on the industry to help consumers understand what the attacks mean. It's not a question of, "Should we?" [Consumers] are already being communicated with. There's an opportunity for the industry to shape perception."
Part of that opportunity means pushing messages out to social media sites. For one thing, consumers will vent their frustrations online with or without a bank participating in the conversation. "You see the flood of madness on Facebook and Twitter of consumers in the dark," says Jacob Jegher, senior analyst at Celent. "People want answers.
"The minute [an outage] happens, the wheels need to get in motion ... and communication is an essential chain of the event."
Especially since attacks are here to stay.
"It's pretty early in the game," says Michael Wyffels, chief technology officer at Illinois-based QCR Holdings, a bank holding company. "You are starting to see more organizations say they are a victim of DDoS."
While the industry moves to collaborate and share lessons learned among each other even more, Wyffels says banks also need to continue to help customers better understand the threats, Wyffels says.
To some extent, they are doing this. "In the onset of these attacks, there was a bit of obfuscation," says Julie Conroy, a research director at Aite Group.
Conroy says part of that silence was designed to prevent satisfying hacktivists with feedback about the success of their attacks. As the outbreaks have become more widely known in recent months, the bank mentality is shifting. "Don't try to hide this," Conroy says. "At the end of day, we are very well aware this is the reality."
"Banks are always going to be targets," says Steve Durbin, global vice president of the Information Security Forum, an international association that focuses on cybersecurity issues. "Banks have been under attack since people gave them money … Threats have matured. You don't have to go down there [to a bank bracnch] with a gun. You can do it from a bed."
Ways to Say I'm Under Attack
Among the banks already using social media platforms to convey news about a disruption, writing styles vary. Some declare in straightforward terms that they're under cyberattack. Other institutions are more reserved and say they're experiencing "intermittent issues." Some say they're experiencing to high traffic.
"We are currently under cyberattack and our website and Online Banking are experiencing issues," Regions Bank tweeted in April. "We apologize for any inconvenience."
Experiencing a cyberattack the same month Wells Fargo tweeted: "We're seeing high traffic causing online & mobile access issues, like a cyber traffic jam. If u have issues, try again or call 800-869-3557.
For JPMorgan Chase, Chase Support tweeted in March: "Chase Online is experiencing intermittent issues. We are working to resolve and will keep you updated."
The difference in language is natural. Communication strategies will differ, based on the bank's existing policies and the way it typically interacts with customers.
Unlike with data breaches, there are also no set laws or regulations outlining what banks must do during DDoS attacks. There is guidance, however.
The Office of the Comptroller of the Currency issued in December Alert 2012-16, which outlined general contingency planning recommendations, including one on communication.
The OCC writes: "banks should be prepared to provide timely and accurate communication to their customers regarding Web site problems, risks to customers, precautions customers can take, and alternate delivery channels that will meet their banking needs. Banks should consider the recent DDoS attacks and concurrent fraud against customer accounts as part of their ongoing risk management program. Consideration should extend throughout the banks' risk management process and encompass risk assessment, risk mitigation techniques, response plans, related policies and procedures, testing, training, and customer education.
The OCC declined an interview request on DDoS attacks.
There's no way to tell consumers a channel they have come to rely on is down without having some of them get upset (they always will). Even so, financial analysts point to a number of general guidelines banks should adopt. They include:
- Alert people when an online banking system is down and run regular updates every hour or so.
- Emphasize that the customers' data remains safe.
- Reaffirm that the company remains committed to world-class security.
- Ease consumers' worries by letting them know all fees will be waived during the outages and that such attacks are an industry-wide problem.
- Inform customers which alternative channels are fully operational (mobile banking, call centers, branches, etc.).
- Provide a contact number and/or email for concerned consumers, and make sure to shore up staff to handle the influx of calls and messages.
"Provide the basic essentials of the event," says Ronald Raether Jr., lawyer at Faruki Ireland & Cox P.L.L, who specializes in technology-related areas. "Address the questions people have. Address what happened. The bad guys already know it's an attack."
PNC Financial Services has come to be recognized by peers and industry executives as a bank to emulate. The bank has a forthcoming and transparent communication strategy. PNC's tweets have pre-cautioned customers about possible outages and website contains language hinting at the attacks targeted at U.S. banks.
The bank's president, William Demchak, penned an apology page on PNC's website, outlining how the bank was hit in September by DDoS. In the note, Demchak writes: "While the attack was not a result of any action taken by PNC, we regret that you were affected. We want you to know that our customers will not be responsible for PNC-assessed fees or penalties resulting from the unavailability of PNC systems during this event."
Regardless of what caused an online banking outage, speed and frequent updates are important when communicating through social media channels. "Practices are the same," says Celent's Jegher. "It's about how you get the message out in a timely manner. It's all about making the customer think 'it's not my problem' in the messaging."
Jegher encourages banks to translate technology issues into human speak. Using the term DDoS in a Tweet, for example, may make the average American think "what the…?" says Jegher. "Bring [the message] into a lay person's terms. Explain the attack. …The acronym isn't good for the average American."
In other words, be specific without overwhelming. "There's nothing wrong in saying 'we are trying to get back up, but it's proving more difficult than we thought,'" Jegher says.
The messaging should be spread across all of a bank's channels, too. And if banks can redirect a down website to another page that informs people how to reach the company, that's a good practice, he suggests.
According to Javelin's Pascual, banks should especially address business owners and mobile banking users during outages. "Those are critical segments that banks need to tend to," Pascual says.
All banks, according to Pascual, should work on better explaining the threats to consumers. "Educating customers should happen long before an outage," he says. "Don't brush [the attacks] under the rug. It won't be the last time it happens."