Information Security Involves Customer Service, Too
Is your call center staff prepared?


by Mary Beth Guard and Michele Petry

After a scam email was received last weekend, a phone call to the customer service department of an affected bank revealed how those manning the phones can weaken a customer's perception of an institution's commitment to safeguard customer information.

Sometimes institutions mistakenly believe the job of information security can simply be delegated to I.T. personnel. That is not the case. Every employee must abide by your information security program, and frontline personnel have a special role to play -- reassuring customers of the safety and security of their information and helping create the perception that your institution places a high priority on safeguarding customer information.

When an information security incident occurs, your incident response program will need to include an action plan for informing frontline staff about what has transpired. Decisions should be made regarding how to handle customer inquiries in a manner that is authoritative and reassuring. Devising scripts and likely Q&As in advance is also worthwhile, and would help avoid the type of experience a BOL staffer had over the weekend.

The Email Scam:
An unsolicited email spoofing Citibank was sent to an unknown number of customers and other individuals. The email purported to concern the recipient's checking account at Citibank, and it contained the institution's logo and had the look and feel of Citibank's Web site, making it appear to the customer as if it were legitimately sent from that financial institution. It states:

Dear Citibank customer,

We are letting you know, that you, as a Citibank checking account holder, must become acquainted with our new Terms & Conditions and agree to it.

Please, carefully read all the parts of our new Terms & Conditions and post your consent. Otherwise, we will have to suspend your Citibank checking account.

This measure is to prevent misunderstanding between us and our valued customers.

We are sorry for any inconvinience it may cause.

Click here to access our Terms & Conditions page and not allow your Citibank checking account suspension.


When the person clicks to access the Terms & Conditions, they are taken to a Web page that asks them to disclose the first four digits of their account number along with their customer name.

While the email looked good, it sounded fishy to us. We thought we smelled a scam, and a grammatical error on the Terms & Conditions page, along with broken links on that page to all the other information (such as the bank's privacy notice) convinced us that our suspicions were probably correct. We're familiar with similar scams, so we weren't fooled into submitting the requested information, but we were concerned about how the bank could let this happen, whether they knew about it, and what measures they were taking to shut it down, so we found a phone number for the institution's 24/7 call center, and placed a quick call. Before we tell you about the phone conversation, ask yourself:
How would your front-line telephone operators respond when the customer calls in to say they have received a scam email like this one?

We hope your employees would respond more appropriately than the bank employee we spoke to on Saturday. The telephone conversation between the operator and the customer (us) went something like this:

Customer: Hello, I would like to speak to someone who handles security/fraud reports.

Operator: Is this in response to an email that was sent?

Customer: Yes, you know about it?

Operator: Yes, it is a spoof. We've known about it since this morning. [Our call was about 7:00 in the evening, and the scam site was still up.] The email is not from us. Just ignore it.

Customer: Is someone investigating? Many people may not be aware that this is a scam and might submit their information.

Operator: Yes. The email is not from us. You should just ignore it. Our computer systems are not impacted.

Customer: Is there someone who I can report this to?

Operator: You can forward the email to xxxx@aol.com [Editor's Comment: YIKES! A huge, global institution is having customers forward the scam email to someone who uses an AOL email address? Why wouldn't they have it sent to someone with the bank?]

What's WRONG with this picture?

First, the call center operator did nothing to allay the customer's concern about whether the matter was being thoroughly investigated. Second, the operator, as a representative of the institution, did little to convey the seriousness with which the institution treated any potential breach of customer information security. She indicated that the bank had known of the scam email for many hours, yet the scam site was still online, and the bank had not sent anything out, or posted anything visible on its Web site, to let customers know it was bogus and to tell them not to submit the requested information. Third, the operator seemed to regard the call as a nuisance, rather than thanking the customer for trying to bring an important matter to the institution's attention. The next time something happens, the customer would be less inclined to want to call. And fourth, asking customers to forward the spoofed email to a non-institution, third-party email address on AOL opens a potential misperception in the customer's mind that email addresses other than the institution's really could be used for legitimate business purposes.

Don't be caught off guard should this type of scenario happen to your institution. Plan ahead with a well-drafted incident response plan. Train staff in advance to be alert to potentially volatile public relations issues. When such an incident occurs, have appropriate procedures in place to help your front line staff respond. Unfortunately, in the age of the Internet, cybercrime and ID Theft activities are on the upswing.

To help guard against these types of problems, financial institutions must exercise increased diligence to protect their trademarks and domains in cyberspace. According to a new report, Online Corporate Identity Risks - Banking & Finance: Global & North America - Content Risks on the Internet, 87% of the top 50 financial institutions are at risk from cybersquatters and other cyber-criminals.
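Much of that diligence is a monitoring job: knowing when a name that resembles yours is registered or starts showing up in traffic, before customers start receiving lures that link to it. As an added example (not code from this article, from the report it cites, or from any institution it names), the Python script below generates the typosquat and homoglyph variants of a constructed placeholder domain, examplebank.com, and flags observed hostnames that match a variant, swap the top-level domain, sit within edit distance two of the brand, or embed the brand label inside an unrelated domain, the pattern a "Click here" lure typically relies on. The watch-list TLDs, the homoglyph table and the observed hostnames are all assumptions constructed for the example; in practice the hostnames would come from registration feeds, certificate transparency logs or your own DNS telemetry.

```python
"""Flag lookalike domains that could be used to impersonate an institution.

Added example, not code from the BankersOnline article or any institution it
names. The protected domain "examplebank.com" and the observed hostnames are
constructed placeholders.
"""

# Constructed placeholder for the institution's legitimate domain.
BRAND = "examplebank"
BRAND_TLD = "com"
PROTECTED_DOMAIN = f"{BRAND}.{BRAND_TLD}"

# TLDs worth watching for brand squats (assumption: adjust to your own data).
WATCH_TLDS = ("com", "net", "org", "biz", "info", "co")

# Digit look-alikes often swapped into brand labels (assumption).
HOMOGLYPHS = (("l", "1"), ("o", "0"), ("i", "1"), ("e", "3"), ("a", "4"))


def typosquat_variants(label: str) -> set:
    """Return single-edit variants of a label that squatters commonly register."""
    variants = set()
    for i in range(len(label)):
        variants.add(label[:i] + label[i + 1:])                 # omission
        variants.add(label[:i] + label[i] + label[i:])          # repetition
        if i + 1 < len(label):                                  # adjacent swap
            variants.add(label[:i] + label[i + 1] + label[i] + label[i + 2:])
        if i > 0:                                               # hyphen insertion
            variants.add(label[:i] + "-" + label[i:])
    for src, dst in HOMOGLYPHS:                                 # homoglyph swap
        if src in label:
            variants.add(label.replace(src, dst))
    variants.discard(label)
    return variants


VARIANTS = typosquat_variants(BRAND)


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings (insert, delete, substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(hostname: str):
    """Return a reason string if hostname resembles the brand domain, else None.

    Assumes a two-label registrable domain (label.tld); multi-label public
    suffixes such as co.uk would need a public suffix list.
    """
    host = hostname.lower().rstrip(".")
    if host == PROTECTED_DOMAIN or host.endswith("." + PROTECTED_DOMAIN):
        return None                                 # the real domain or its subdomains
    labels = host.split(".")
    if len(labels) < 2:
        return None
    sld, tld = labels[-2], labels[-1]
    if sld == BRAND and tld in WATCH_TLDS:
        return "tld-swap"                           # examplebank.net
    if sld in VARIANTS:
        return "typosquat"                          # exmaplebank.com, examp1ebank.com
    if levenshtein(sld, BRAND) <= 2 and tld in WATCH_TLDS:
        return "near-match"                         # examplebanks.com
    if BRAND in host:
        return "brand-embedded"                     # examplebank.secure-terms-update.biz
    return None


def scan(hostnames):
    """Map each suspicious hostname to the reason it was flagged."""
    flagged = {}
    for name in hostnames:
        reason = classify(name)
        if reason:
            flagged[name] = reason
    return flagged


# Constructed sample of newly observed hostnames.
OBSERVED = [
    "www.examplebank.com",
    "examplebank.net",
    "exmaplebank.com",
    "examp1ebank.com",
    "examplebanks.com",
    "examplebank.secure-terms-update.biz",
    "shop.unrelated.org",
]

if __name__ == "__main__":
    for name, reason in scan(OBSERVED).items():
        print(f"{reason:15} {name}")
```

The variant generator is deliberately limited to single edits and a small homoglyph table; the edit-distance and brand-embedded checks catch what it misses, at the cost of more candidates to review by hand. Anything flagged is a lead for a takedown request and for a customer notice, not proof of fraud on its own.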

View a screenshot of the email.

View a screenshot of the scam Web site.

View a slide presentation by BOL Guru Hussam A. Al-Abed that details his own investigation of the scam email, which he also received. The presentation has been converted to PDF format for viewing on the Web.


Read our related story:
Monitoring Domain Names



First published on BankersOnline.com 8/18/03
