InfoSecurity for Financial Services

This may seem a bit off topic, but losing your life savings due to a phishing attack that drains your accounts is a Black Swan event for many folks. Even though phishing attacks are common enough to regularly make the newspaper, the status quo for financial services when emailing customers is still quite bad.

When it comes to financial services organisations sending email marketing campaigns to customers, good-practice InfoSec needs to be even MORE stringent because of the highly sensitive financial and identity data they hold.

Here are some recommendations:

  1. Login Links: It is generally NOT recommended to include login links or direct links to customer account portals in email marketing campaigns. These links can be easily exploited by phishing attacks, and customers may inadvertently reveal their login credentials to malicious parties. Instead, direct customers to the official website of the financial institution, from where they can log in securely using their usual authentication methods.
  2. Personal Information: Avoid including sensitive personal information like full names, addresses, account numbers, or any other identifying details in email marketing campaigns. Even if the email is sent to the correct recipient, this information can be misused if the email is intercepted or accessed by unauthorized parties. The industry term for this is PII (Personally Identifiable Information).
  3. Account Details: Never include specific account details like account balances, transaction histories, or investment portfolio details in email marketing campaigns. This information is highly sensitive and should only be accessible through secure, authenticated channels.
  4. Attachments are a no-no: Attachments should be avoided whenever possible. Instead, direct the customer to a secure portal where they can view and download if needed, and even then, keep the personally identifiable information to a minimum.
  5. Consent and Opt-Out: Strictly adhere to data privacy regulations and obtain explicit consent from customers before sending them marketing emails. Additionally, provide a clear and straightforward way for customers to opt out of receiving marketing communications from your institution.
  6. Email Authentication: Implement email authentication protocols like SPF, DKIM, and DMARC to prevent email spoofing and phishing attacks. This helps ensure that customers can verify the legitimacy of emails coming from your institution.
  7. Secure Communication: Use secure communication protocols like TLS/SSL for email transmission and ensure that your email infrastructure and systems are regularly updated and patched against known vulnerabilities.
  8. User Education: Continuously educate customers about phishing tactics, encouraging them to verify the legitimacy of emails, and warning them against sharing sensitive information or clicking on suspicious links.
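Point 6 is easy to claim and easy to get wrong: a DMARC record with `p=none`, or an SPF record ending in `?all`, is technically "implemented" but stops nobody spoofing the domain. The checker below is an added example (not from the original post) that parses published SPF and DMARC TXT records and reports the settings that leave a sending domain spoofable. The four records are constructed for illustration and belong to no real domain; you would normally feed it the TXT records fetched from DNS for `yourdomain` and `_dmarc.yourdomain`. DKIM is not covered here because verifying it needs a signed message, not just DNS.

```python
"""Assess SPF and DMARC records for settings that leave a domain open to spoofing.
Added example; the records below are constructed and not taken from any real domain."""
from __future__ import annotations
import re

# Mechanisms that each cost one DNS lookup; RFC 7208 allows at most 10 per evaluation.
LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def parse_spf(record: str) -> dict:
    """Split an SPF record into its mechanisms, the final 'all' qualifier and the lookup count."""
    parts = record.split()
    if not parts or parts[0].lower() != "v=spf1":
        return {"valid": False, "reason": "missing v=spf1 version tag"}
    all_qualifier = None
    lookups = 0
    for mech in parts[1:]:
        m = mech.lower()
        if re.fullmatch(r"[+\-~?]?all", m):
            all_qualifier = m[0] if m[0] in "+-~?" else "+"   # bare 'all' means '+all'
            continue
        name = m.lstrip("+-~?").split(":")[0].split("=")[0]
        if name in LOOKUP_MECHANISMS:
            lookups += 1
    return {"valid": True, "mechanisms": parts[1:], "all": all_qualifier, "lookups": lookups}


def assess_spf(record: str) -> list[str]:
    """Return a list of weaknesses; an empty list means the record is enforcing."""
    spf = parse_spf(record)
    if not spf["valid"]:
        return [spf["reason"]]
    findings = []
    if spf["all"] in (None, "+", "?"):
        findings.append(f"'all' qualifier is {spf['all'] or 'missing'}: any host may send as this domain")
    if spf["lookups"] > 10:
        findings.append(f"{spf['lookups']} DNS lookups exceeds the RFC 7208 limit of 10 (permerror)")
    return findings


def parse_dmarc(record: str) -> dict:
    """Turn 'v=DMARC1; p=reject; rua=...' into a tag dictionary."""
    tags = {}
    for item in record.split(";"):
        if "=" in item:
            key, value = item.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def assess_dmarc(record: str) -> list[str]:
    """Return a list of weaknesses; an empty list means spoofed mail is rejected and reported."""
    tags = parse_dmarc(record)
    if tags.get("v") != "DMARC1":
        return ["missing v=DMARC1 version tag"]
    findings = []
    policy = tags.get("p", "").lower()
    if policy == "":
        findings.append("no p= tag: record is invalid")
    elif policy == "none":
        findings.append("p=none: spoofed mail is only reported, never rejected")
    elif policy == "quarantine":
        findings.append("p=quarantine: spoofed mail lands in spam rather than being rejected")
    if tags.get("sp", "").lower() == "none":
        findings.append("sp=none: subdomains may be spoofed freely")
    pct = int(tags.get("pct", "100"))
    if pct < 100:
        findings.append(f"pct={pct}: policy applied to only {pct}% of failing mail")
    if "rua" not in tags:
        findings.append("no rua= address: aggregate reports (visibility into spoofing attempts) are not collected")
    return findings


# Constructed sample records: a weak and a hardened version of each.
WEAK_SPF = "v=spf1 include:_spf.example.net ip4:192.0.2.0/24 ?all"
STRONG_SPF = "v=spf1 include:_spf.example.net ip4:192.0.2.0/24 -all"
WEAK_DMARC = "v=DMARC1; p=none; pct=50"
STRONG_DMARC = "v=DMARC1; p=reject; sp=reject; pct=100; rua=mailto:dmarc-reports@example.com; adkim=s; aspf=s"

if __name__ == "__main__":
    for label, rec, fn in (("weak SPF", WEAK_SPF, assess_spf), ("strong SPF", STRONG_SPF, assess_spf),
                           ("weak DMARC", WEAK_DMARC, assess_dmarc), ("strong DMARC", STRONG_DMARC, assess_dmarc)):
        print(label, "->", fn(rec) or ["ok"])
```

The two "strong" records show what enforcing looks like: SPF ends in `-all`, DMARC rejects at 100% for the domain and its subdomains, and `rua=` gives the institution the reports it needs to see who is trying to impersonate it.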

It bears repeating: For any account-specific information or transactions, customers should be directed to log in to their secure online banking or investment portals where they will be authenticated before being able to see any of those details.
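Recommendations 1 to 4 can be enforced before a campaign ever leaves the building. The script below is an added example (not from the original post) of a pre-send lint that parses a campaign email and flags attachments, links into the login or account portal, account numbers and balances in the body. The two messages are constructed for illustration; the login-path keywords and the account-number and balance patterns are heuristics chosen for this demonstration and should be tuned to the institution's own URL layout and number formats.

```python
"""Pre-send lint for marketing email: flag attachments, login links, account numbers
and balances. Added example; messages and patterns below are constructed heuristics."""
from __future__ import annotations
import re
from email import message_from_string, policy

# Heuristics (assumptions for this example): URL paths that look like an
# authentication or account entry point, a labelled digit run long enough to be an
# account number, and a balance phrase followed by a currency amount.
LOGIN_PATH_RE = re.compile(
    r"https?://[^\s\"'<>]*/(?:login|signin|sign-in|auth|account)\b[^\s\"'<>]*", re.I)
ACCOUNT_NO_RE = re.compile(
    r"\b(?:account|acct)\W{0,3}(?:no\.?|number|#)?\W{0,3}(\d[\d -]{6,}\d)\b", re.I)
BALANCE_RE = re.compile(r"\b(?:balance|available funds)\b[^.\n]{0,30}?[$£€]\s?\d", re.I)


def lint_campaign_email(raw: str) -> list[str]:
    """Return a list of findings for a raw RFC 5322 message; empty means clean."""
    msg = message_from_string(raw, policy=policy.default)
    findings: list[str] = []
    body_parts: list[str] = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        # Recommendation 4: any attached file is a finding, whatever its type.
        if part.get_content_disposition() == "attachment" or part.get_filename():
            findings.append(f"attachment present: {part.get_filename() or part.get_content_type()}")
            continue
        if part.get_content_maintype() == "text":
            body_parts.append(part.get_content())
    text = "\n".join(body_parts)
    # Recommendation 1: links straight into the login/account portal.
    for url in LOGIN_PATH_RE.findall(text):
        findings.append(f"login link in body: {url}")
    # Recommendations 2 and 3: account identifiers and balances in the body.
    for match in ACCOUNT_NO_RE.finditer(text):
        findings.append(f"possible account number in body: {match.group(1)}")
    if BALANCE_RE.search(text):
        findings.append("account balance disclosed in body")
    return findings


# Constructed sample: a campaign mail that breaks recommendations 1 to 4 at once.
BAD_EMAIL = """\
From: marketing@bank.example
To: customer@example.com
Subject: Your statement is ready
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Dear Alex Smith, your balance is $12,430.10 on account number 12345678.
Log in now: https://bank.example/login?ref=campaign
--b1
Content-Type: application/pdf; name="statement.pdf"
Content-Disposition: attachment; filename="statement.pdf"
Content-Transfer-Encoding: base64

JVBERi0xLjQK
--b1--
"""

# Constructed sample: the same notification written the way the post recommends.
GOOD_EMAIL = """\
From: marketing@bank.example
To: customer@example.com
Subject: Your statement is ready
Content-Type: text/plain; charset="utf-8"

Your latest statement is available. Visit https://bank.example/ and sign in
the way you normally do to view it.
"""

if __name__ == "__main__":
    print("bad:", lint_campaign_email(BAD_EMAIL))
    print("good:", lint_campaign_email(GOOD_EMAIL))
```

Names and postal addresses are deliberately not pattern-matched here: a regex cannot tell a greeting from a leak, so that check belongs on the template's merge-field list (which fields the campaign tool is allowed to substitute) rather than on the rendered text.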

Financial services are built on trust and confidence that the customers' money and data are safe and secure. If you lose that, you lose your entire brand value. A breach can be very expensive and take years to recover from. Minimising the risk of data breaches or phishing attacks needs to be front and centre for the organisation, not something to be taken lightly or ignored.

Lastly, for the love of all that’s good and safe: please, please, please implement a usable Multi-Factor Authentication on your login. It’s shocking how often I come across Financial Services that are so far behind on this. What’s more urgent and valuable than keeping your customers’ money and data safe?