With the recent JPMorgan Chase breach affecting an estimated two out of every three households in the U.S., hacking has officially gone mainstream. Reports revealed that data thieves made off with account holders’ names, home addresses, phone numbers and email addresses, and it’s important to note that the risk extends beyond active accounts. In fact, anyone who has logged on to any of the JPMorgan Chase websites or apps is potentially at risk.
Privacy protection experts believe that the biggest risk associated with the breach is that the hackers will successfully draw out more sensitive personal information from affected consumers. It is also possible that the thieves will sell the data to others who can enrich it with publicly available online information to create fully fleshed personal profiles ripe for identity theft.
Experts universally agree that the key point of infiltration for identity theft will be email, and the bitter reality is that there’s very little that the bank can do at this point to fully protect at-risk consumers from spear-phishing. So, it’s critically important to educate customers about phishing risks and communicate consistently such that they will more likely recognize forgeries.
Today most folks are skeptical of ploys like “stuck in Nairobi and need cash now” or “click here to receive your million dollar prize.” However, given the scale of the breach, a sizeable pool of people will fall for these tried-and-true scams. And when personal data is sold and enriched, the fraud schemes become far more sophisticated and subtle and can fool even the most vigilant of email users.
While JPMorgan Chase has been backed into reactive mode, this breach is a wakeup call for other financial institutions around the importance of proactively educating account holders about email security. What do banking customers need to know about spear-phishing?
- Never provide personal information requested via email
- Do not call the phone numbers or click on the links within the body of the email – instead, manually enter the bank’s web address and call the numbers listed on the legitimate site
- Vigilantly monitor accounts and credit reports to immediately detect fraudulent activity
- Do not send attachments via unsecured email
And what can banks do on their end to proactively implement best practice email security policies?
- Communicate consistently in terms of branding, email frequency and lexicon
- NEVER request sensitive personal information or “verification” of account details via email
- Implement secure document delivery capabilities for documents containing sensitive data, so that sensitive information is never delivered directly to the email inbox
- Use a second layer of security to protect access to such sensitive information
- Prevent third-party data security vendors from accessing customer data, to protect customers from government surveillance and court-ordered document turnovers
- Educate customers on the importance of personal email security measures
There have been so many large-scale breaches recently that consumers have become both desensitized to the scope of the risk and falsely placated by the belief that their banks are on the hook for any losses associated with a security breach. What consumers don’t realize is that they’re also on the hook, because banks can only protect their customers to a certain point. Phishing scams and identity theft are not minor matters, and it’s critically important that banking customers both understand the full scope of their personal exposure and take appropriate measures to protect themselves.