Phishers Are Getting Better At Mimicking Account Alerts

Banks using e-mail account alerts must be careful to avoid sending messages that look like the phishing e-mails they are fighting, an analyst warns.

While banks have been slow to provide such alerts, fraudsters have thrived by imitating them. Most phishing e-mails purport to be alerts that advise consumers about unusual account activity or changes in their personal information.

Javelin Strategy and Research said legitimate alerts of this nature are scarce. Just 43% of banks it surveyed in October and November offered alerts for unusual account activity, 21% offered alerts for changes to personal information, and 14% offered alerts for password or PIN changes.

Bruce Cundiff, a research analyst at Javelin, of Pleasanton, Calif., said banks can include nonsensitive customer information to prove their e-mail messages are legitimate.

In the survey, "we gave points for using personal greetings or the last four digits of the account number in the e-mail itself," Mr. Cundiff said. Giving the full account number would be careless, but giving just enough for the customer to recognize is useful, he said.

Having customers respond by calling the bank may also help, even though it seems to remove the cost and self-service benefits of e-mail, Mr. Cundiff said. "There's a little gray area there in terms of the efficiencies or inefficiencies of what that might create, but we're talking about detecting fraud," he said.

Wachovia Corp. distinguishes its alerts by involving channels other than the Internet. It asks its customers to follow up through other channels rather than to sign in to their accounts through embedded links. The e-mail includes the address for the Charlotte company's corporate headquarters, a customer service phone number, and an e-mail address.

Susan Mutter, a vice president of emerging enterprise applications and e-commerce at Wachovia, said the idea is to carry the conversation over to channels phishers normally do not use.

"The more we do behind the scenes, the better, because then there's less for the phishers and spoofers to copy," she said.

Wachovia is researching ways to deliver faster alerts, though Ms. Mutter said its rigid schedule for alerts is itself a way to tell which e-mails are legitimate. Wachovia sends its e-mail alerts the same time every day, so a break in this pattern would immediately raise suspicion, she said.

Wachovia also promotes a special e-mail address to field customer questions about which e-mails are legitimate and which are scams. Ms. Mutter said customers know to forward the phish e-mails they receive to that address. For example, she said a large number of phish e-mails forwarded from customers of SouthTrust Corp., which Wachovia bought in November 2004, have been sent to the address in recent months.

The phishers were hoping to take advantage of the confusion that a merger and customer conversion can bring. But the SouthTrust customers were savvy enough to spot the scams and report them rather than reply to them, Ms. Mutter said.

Wells Fargo & Co. takes a different approach to let customers confirm the legitimacy of any e-mail alerts they receive.

"There's a copy of every single e-mail that we send out to customers in their inbox in their secure [online banking] session," said James P. Smith, the San Francisco company's executive vice president of consumer Internet products. "If they don't see that e-mail alert in their inboxes, it's not from us."

Though he said he does not know how many alerts are sent out for fraud-specific events, such as when Wells Fargo blocks several log-ins with the wrong password, he said customers eagerly signed up to receive such alerts. "Anything that a customer could use to be notified about out-of-pattern behavior is extremely valuable to them," he said.
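The two practices described above, the partial personalization Mr. Cundiff recommends (a greeting plus only the last four digits of the account number) and the mirrored copy Wells Fargo keeps in the customer's secure session, can be sketched together in code. The following is an added example written for this article, not code from any bank or from Javelin; the customer ids, names and account numbers are constructed, and the `AlertService` store and `is_genuine` check are illustrative assumptions about how such a mirror might be implemented.

```python
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Alert:
    customer_id: str
    subject: str
    body: str
    digest: str  # SHA-256 over subject and body; the key used to find the mirrored copy


def mask_account(number: str) -> str:
    """Return only the last four digits, prefixed with asterisks.

    Enough for the customer to recognise the account, never enough for a
    phisher to reuse. Refuses rather than leaks if the input is too short.
    """
    digits = "".join(ch for ch in number if ch.isdigit())
    if len(digits) < 4:
        raise ValueError("account number too short to mask safely")
    return "****" + digits[-4:]


def alert_digest(subject: str, body: str) -> str:
    """Stable fingerprint of an alert's text, used to match e-mail to mirrored copy."""
    return hashlib.sha256(f"{subject}\n{body}".encode("utf-8")).hexdigest()


class AlertService:
    """Builds alerts and keeps a copy of each one in the customer's secure inbox.

    Hypothetical service for illustration; the store is a plain dict here, but in a
    real deployment it would be readable only inside the authenticated banking session.
    """

    def __init__(self) -> None:
        # customer_id -> {digest: Alert}
        self.secure_inbox: dict[str, dict[str, Alert]] = {}

    def send_alert(self, customer_id: str, name: str, account_number: str, event: str) -> Alert:
        masked = mask_account(account_number)
        subject = f"Account alert: {event}"
        body = (
            f"Dear {name},\n\n"
            f"We noticed {event} on your account ending in {masked[-4:]}.\n"
            "If this was not you, call the number printed on the back of your card.\n"
            "We never ask you to sign in through a link in an e-mail."
        )
        # Guard against the full account number ever appearing in the message text.
        raw_digits = "".join(ch for ch in account_number if ch.isdigit())
        if raw_digits in body.replace(" ", ""):
            raise RuntimeError("full account number must not appear in an alert")
        digest = alert_digest(subject, body)
        alert = Alert(customer_id, subject, body, digest)
        # Mirror the copy first; the same subject/body would then go out by e-mail
        # (the e-mail transport is not modelled here).
        self.secure_inbox.setdefault(customer_id, {})[digest] = alert
        return alert

    def is_genuine(self, customer_id: str, subject: str, body: str) -> bool:
        """Customer-side check: does the received e-mail match a mirrored copy exactly?

        Any change to the text (an injected sign-in link, a different account
        digits string) changes the digest and the lookup fails.
        """
        return alert_digest(subject, body) in self.secure_inbox.get(customer_id, {})


if __name__ == "__main__":
    svc = AlertService()
    # Constructed sample customer and account number.
    sent = svc.send_alert("cust-001", "Pat Example", "1234 5678 9012 3456", "a password change")
    print(sent.body)
    print("genuine:", svc.is_genuine("cust-001", sent.subject, sent.body))
    forged = sent.body + "\nSign in now: http://example.invalid/login"
    print("forged genuine:", svc.is_genuine("cust-001", sent.subject, forged))
```

The check is deliberately an exact match: the value of the mirror is that the customer compares what arrived with what the bank recorded, and anything a phisher adds or alters, however small, breaks the match.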

Mr. Cundiff said if banks are careful to follow their own e-mail policies, they can help customers spot fraud.

Customer alerts are "very specific, whereas phishing, by nature, is more like casting a wide net," he said.

Many banks have experimented with sending e-mail alerts for specific account events that occur between statements, but few offer alerts for events that are typical of account takeovers, such as wire transfers or atypical bill payments, the Javelin survey found.
