Another approach for Banks
Below are examples of recent phishing emails I received in the name of a French bank. Banks have to deal with this daily and in volume: not only does it hurt their image, it also causes serious problems for some of their customers. For these two reasons, and because it is pointless to count on (some) registrars having procedures to fight phishing, here is another approach banks can take to better protect their customers from phishing.
Phishing works like this:
- The end user receives an email containing a fake link to click on. The email claims to be sent from firstname.lastname@example.org, but it is not, and at this stage you cannot tell who the real sender is (because it is so easy to send an email with a forged sender address).
- The link to click on is either plain text (e.g. "Confirmer votre PassCyberPlus" in my case) or something that looks like a known link (domain name) of our bank (e.g. "www.banquepopulaire.fr"). In both cases the link is a fake, or an IP address (my case), leading to another website where the fraud is hosted. Sometimes it asks for your login and password, sometimes it tries to automatically install a program that encrypts your hard drive (ransomware), and sometimes it asks for more information.
Banks can fight phishing another way
Telling clients to be cautious about phishing is a negative message, and trying to solve these problems with registrars, which often proves completely useless and endless, is a total waste of time. ICANN will answer that it has no responsibility in this, and registries... well... try complaining to a registry and tell us about your experience ;-)
Another way for banks to fight phishing, and better protect their clients, is to "work on words". When building a website, navigation has to be simple: if it takes more than two clicks to reach the information, you lose your reader. It is the same for banks' names: with too many names for branches and online services, banks confuse their customers, and that confusion also leads them to click on the wrong link. Working on words is called branding. Banks want their clients to:
- Recognize their name;
- Go to the right website and not another.
The number one advantage for a bank to remember is that when it controls the registration of its own domain names, a phisher will never be able to register one of them. Anyone can register a domain name ending in ".com", ".fr" or any other domain name extension open to the general public, but not one ending in a ".brand".
Let's talk about my example, the "Banque Populaire" case
When you type "banque populaire" into Google, you get a long list of names: banque populaire, bred, bred banque populaire sa, groupe bpce, casden banque populaire, etc. There are dozens of names belonging to Banque Populaire and dozens of websites:
- How do you expect clients not to be confused when they receive an email about Banque Populaire? How does the bank ensure that its client can tell whether the bank's name and URL are legitimate?
- Can you imagine how pleased a phisher is when preparing an attack, with such confusing information already being sent to this bank's clients? It's wonderland for phishers, because the bank's client WILL be confused.
In terms of Branding
Paying attention to the name and the URL clients are sent to matters, and as I wrote earlier, if it is impossible to gather everything under a single name and domain name, gathering everything under a single ".brand" extension changes everything:
- In terms of trust for the client: all the bank's services are easily identified behind one and the same domain name extension. For example:
- www.casden.bpce (or ".banquepopulaire")
- In terms of naming for the bank: the domain name extension becomes the seal that connects all services, trademarks, names, client categories, subsidiaries, branches, office locations, etc. to the same bank. When seeing this seal, the client knows that he is on a website belonging to the bank: "it can't be anything else". Instead of various confusing domain names (none of which the bank can vouch for), the ".brand" domain name extension simplifies it all for the client: when hovering the mouse over a hyperlink before clicking, the ".brand" extension of the domain name is the seal confirming that he can click.
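The "seal" check above only works when it is applied to the link's real target (the href shown on hover), not to the displayed text, which is exactly what the phishing description earlier exploits: text that reads like the bank's domain, or a bare IP address behind a button. As an added example, not code from this post or from any bank, the Python below parses the links out of a constructed email body and flags the two patterns described (displayed host differing from the real target, target being an IP address) while treating only hosts whose last label is a controlled ".brand" TLD as trusted. The TLDs ".bpce" and ".banquepopulaire" are the post's hypothetical examples, not real registry data, and every URL in the sample is made up.

```python
"""Classify hyperlinks in an HTML e-mail body against a bank's ".brand" TLD.

Added example. BRAND_TLDS holds the hypothetical extensions used in the post
(".bpce", ".banquepopulaire"); SAMPLE_EMAIL is a constructed message.
"""
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed .brand TLDs the bank controls (hypothetical, taken from the post's example).
BRAND_TLDS = {"bpce", "banquepopulaire"}


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML fragment."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url_or_text):
    """Lowercase host of a URL or a bare 'www.example.fr' string; None if it is not host-like."""
    candidate = url_or_text.strip()
    if "://" not in candidate:
        candidate = "http://" + candidate
    try:
        host = urlparse(candidate).hostname
    except ValueError:
        return None
    if not host or " " in host or "." not in host:
        return None
    return host.rstrip(".").lower()


def is_ip_literal(host):
    """True for a bare IPv4/IPv6 address used in place of a domain name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def in_brand_tld(host):
    """True only if the LAST label is a brand TLD, so 'casden.bpce.evil.example' fails."""
    return host.rsplit(".", 1)[-1] in BRAND_TLDS


def classify_link(href, text):
    """Return (verdict, reasons) for one hyperlink: 'trusted' or 'suspicious'."""
    target = host_of(href)
    if target is None:
        return "suspicious", ["link target has no parseable host"]
    if in_brand_tld(target):
        return "trusted", [f"target {target!r} ends in a .brand TLD the bank controls"]
    reasons = []
    if is_ip_literal(target):
        reasons.append("link target is a bare IP address")
    shown = host_of(text)
    if shown is not None and shown != target:
        reasons.append(f"displayed host {shown!r} differs from real target {target!r}")
    reasons.append(f"target {target!r} is not under a .brand TLD the bank controls")
    return "suspicious", reasons


def classify_email(html_body):
    """Return a list of (href, text, verdict, reasons) for every link in the body."""
    parser = LinkExtractor()
    parser.feed(html_body)
    return [(href, text, *classify_link(href, text)) for href, text in parser.links]


# Constructed e-mail body reproducing the patterns described in the post.
SAMPLE_EMAIL = """
<p>Cher client,</p>
<p><a href="http://203.0.113.42/login">Confirmer votre PassCyberPlus</a></p>
<p><a href="http://banquepopulaire-securite.example.com/">www.banquepopulaire.fr</a></p>
<p><a href="https://casden.bpce.evil.example/">https://casden.bpce.evil.example/</a></p>
<p><a href="https://www.casden.bpce/espace-client">www.casden.bpce</a></p>
"""

if __name__ == "__main__":
    for href, text, verdict, reasons in classify_email(SAMPLE_EMAIL):
        print(f"{verdict:10} {href}")
        for reason in reasons:
            print(f"           - {reason}")
```

Only the last link in the sample comes out as trusted; the third one shows why the check must look at the final label rather than at whether ".bpce" appears anywhere in the host.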
Things take time: don't expect a client to immediately understand why a domain name with a ".brand" extension is less risky to click on, and expect things to be more confusing, in the beginning at least. Things take time and explanation.
Some banks have already migrated to their .BRAND new gTLD; there is even one in France: https://banqueentreprise.bnpparibas. Since 2012, 1,230 new domain name extensions have been created, and this also means:
- More confusion to consumers;
- More options for phishers to fool banks' clients;
- But also more training and adoption for users: the more new domain name extensions appear online, the more future generations get used to them.
Another alternative for Banks
Need help understanding all this? Contact Jovenet Consulting and ask for Jean.
Recent phishing emails received