How TSB's simple tech issue became a big phishing problem

Security is a top priority for financial institutions around the world. In the past few weeks, the U.K.’s TSB Bank has learned the hard way that availability is even more important.

And when availability is an issue, security can’t be ignored.

With typical British understatement, it would be fair to say that the migration of its IT systems to that of its new parent company Sabadell has caused a few problems for TSB. CEO Paul Pester described the bank as being “on its knees” as a very large number customers have been affected by the issues that started on April 20 and still haven’t been fully solved. Customers have been unable to log into their online banking account, or reach the bank by phone; many customers have also reported transactions missing from their accounts.

Chris Ratcliffe/Bloomberg

Added to these problems, phishing emails are attempting to fill the void in the bank's customer service, U.K.-based security expert Kevin Beaumont reported. Customers have been targeted via email, text messages and even Google advertisements.

Phishing remains a huge problem that every financial institution has to deal with and it is hardly the first time TSB has been the target of phishing emails. However, the large-scale IT issues the bank is dealing with makes it an extra attractive target for phishers, given that customers right now have a good reason to expect an email from TSB.

And the most effective phishing emails are those users expect.

The bank's tech issues even make the process of spoofing its website easier — after customer enter their details into the fake website, they won't be surprised to receive some kind of error message.

But it’s not just customers who may have a harder time than usual spotting "fakes." The backlog in transactions, as well as the many canceled and resubmitted payments that will have been made through their systems, will likely make it a bit easier for a rogue transfer to slip through in the confusion.

Indeed, while the bank has confirmed it has seen the phishing messages and has sent a warning to its customers, the fraud department appears hard to reach, judging from user complaints on Twitter.

Here’s a very small number of the TSB fraud tweets. Customers can’t reach TSB so now everybody is piling in. A nightmare situation - a midsized UK bank is being pilfered before our eyes. @NickyMorgan01 @TheFCA pic.twitter.com/pYvjrb6vJ9

— Kevin Beaumont (@GossiTheDog) May 6, 2018

“Had my bank account hacked and money stolen. Waited two hours for someone to answer the phone to me, only to get cut off after a few minutes,” one user complained, while another didn’t mince her words, calling TSB’s fraud team “a joke” and was just waiting to get her money back so she could switch to another bank.

After it confirmed the phishing emails, the bank released no further statements on fraud, but it has been telling its customers almost tirelessly that its fraud department is receiving a “high number of calls.” Indeed, fraud complaints on Twitter have also risen sharply in recent weeks.

Understandably, its availability issues remain the main focus for the bank. But though the financial impact of the increase in fraud may be relatively limited, it could do serious lasting damage to the bank’s reputation.

When asked for a comment, TSB said that it does not disclose fraud data beyond its "business as usual industry level reporting,” but said that protecting the bank's customers’ money is “number one priority.” TSB also referred to the Take Five campaign, which the bank actively supports.