Security and communication consultants to banks are using the latest high-profile online spoofing case - a satirical, phony Bank of America account on Google+ - as a teaching opportunity about the potential pitfalls of social media.
In the Google+ case, the fake Bank of America page used the bank's official logo, actual address and phone number, and links to the real B of A corporate website to create the impression that B of A was the actual sponsor of the page, posted on Google's social media challenge to Facebook. The page stayed up for more than a week in November, with postings about company parties scheduled in foreclosed homes and threats to seize the accounts of Occupy Wall Street protesters, among other irreverent items.
Although Bank of America was a victim here, it didn't look good that the parody page just sat there for so long. One way that a bank can try to prevent spoofing, or to make it more difficult, is to establish a presence quickly on new social media platforms, says Steven Ramirez, the chief executive of Beyond the Arc, a customer communication consultant to financial institutions. It's a preemptive move that allows banks to gain a beachhead in social media that can establish a counter narrative before the negative commentary becomes the primary voice behind a bank's presence in social media.
"When the bank is slow to establish a presence, it leaves that bank open to claim jumpers, if you will - people who get in and try to establish a presence before you can," Ramirez says. "You want to make it clear from the beginning what the authentic voice of the bank is. If you're active in social media, then you start to become known. With your brand personality, it becomes clear who you are. If you haven't been engaging, it's hard for people to know that."
Bank of America did have its own Google+ page up at the time, but it had almost no content on it, leaving an opening for the spoof.
By being proactive, banks can respond faster in a game without a magic bullet. Banks should have a plan in place that will help them learn about spoof websites or social media pages, or fake fan pages, quickly and to address the situation quickly, says Jackie Marshall, director of information technology regulatory compliance for Gladiator Technology. A bank should be using Google alerts and other tools to be aware of any changes in social media and the sentiment of postings and discussions about the bank, she says.
"For financial institutions, there's really not a good preventative measure," says Marshall, who helps banks write risk assessments for new technologies and tech services. "Quickly detecting these situations is really the goal."
Text analytic tools are helpful for monitoring social media, scanning the Internet for anything written about a bank through millions of postings and categorizing them to make sense of what people are talking about, and what the sentiment is toward the bank, Ramirez says.
Even satire in social media can cause long-term damage to a bank's brand or reputation if there is no response, he says.
"It's not that it's not funny; it's not that it's not interesting. But it's one thing being in on the joke, and being part of the humor, versus being the butt of the joke," Ramirez says. "I think maybe all of us feel that if a claim or charge or argument is not addressed, then it's true."
It is difficult to tell, initially, if a fake bank site or social media account is satirical, which presents reputational risk, or an attempt to access customer account data or other non public information, which is outright fraud, Marshall says. But banks should plan for both scenarios.
The Gramm-Leach-Bliley Act and Federal Financial Institutions Examination Council guidance require that banks have steps in place to manage possible security breaches, which fake social media accounts would fall under, Marshall says.
Tom Hinkel, director of compliance for the hosted IT service provider SafeSystems, says that auditors are starting to ask banks about what social media policies and procedures they have in place, and who the bank has designated to coordinate those policies. And under FFIEC management standards, banks should be assessing their social media risk consistently with the goals and objectives of their strategic plan, Hinkel says.
Unlike most technology risks, a bank cannot avoid the risks presented by social media by simply not engaging in social media, Hinkel says. Even if a bank decides against having a presence on LinkedIn, Facebook, Google+ or Twitter, for example, that won't prevent someone else from pretending to be the bank, or saying things about it.
"Avoiding the risk is not an option in social media. You're going to assume risk, whether you decide to go in or not," he says.
Part of any bank's incident response plan should be the designation of a response team that reflects the potential seriousness of the threat, Marshall says. That team should include the bank president and other C-level executives representing IT, information security, compliance, marketing and a direct line of communication to the board of directors.
"Financial institutions always have to be cognizant of the fact that there may be actual access to financial information gained. That's the most serious aspect of what could occur," she says.
The incident response plan should also include procedures for an evaluation or analysis of the situation, once it is recognized; communication with customers to let them know about the threat; notifying the Federal Bureau of Investigation or other law enforcement agencies about a possible security breach; a plan for having the threat removed - taking down a fake social media page, for example; and periodic testing of the response plan for various scenarios, Marshall says.
Another component of a bank's plan for social media threats should be education, she says. Customers should be informed about what to do when they see anything suspicious, and about what the bank's legitimate sites or social media pages look like, and any unique identifying marks or images that can't be copied.
Employees, management and even board members should be told about the risks of social media - of fake Facebook pages for a board member, for example, or the reputational risk of what they might post on their own legitimate personal pages. And they should never post photos or discussions of what is happening within the bank or about other employees, Marshall says.
"Things like: 'Oh, the servers were down today, so I didn't have anything to do,' " Marshall says. "It happens all the time."