Will's Web Watch: Can banks improve phishing defences?

It was always a curious oversight that banks tended only to be open when those of us actually earning money to put in them were too busy working to get along and use their services. It was a bit as if the concessions at the Odeon Cinema only sold popcorn while the films were on or pubs in the City shut at 5pm on a Friday.

Now, of course, many of us bank online to get over this problem, despite much scaremongering and should-we, shouldn't-we dithering sparked by security concerns. But according to recent research from TNS there is now a hardcore of just 24 per cent of banking customers in the UK who don't trust 'that there interweb' thing.

And confidence among the rest of us is growing, despite the issue of phishing which dominated headlines last year. In fact 31 per cent of users are more confident now than they were in 2002 when phishing was little more than a crude nuisance limited to pretty small circles.

But phishing is still an issue and I believe there is still more the banks can do to help limit its impact - not so much for those of us with 'web savvy' but for those who aren't yet fully fledged converts to all things online... which is a kind way of saying those who need protecting from themselves.

And that protection is needed now more than ever with banks suggesting their willingness to reimburse the defrauded is being worn thin by users not exercising enough common sense.

But before they point the finger at others should the online banks be exercising a little more grey matter themselves where this issue is concerned?

There is a confusing array of methods being employed to communicate with customers currently, from regular emails and text updates to occasional emails and SMS messages on an 'as and when basis'.

The more random factor end of this scale creates uncertainty and uncertainty creates opportunity for criminals.

Last week we criticised the move towards gated email communities but perhaps banking is one area where we should embrace such innovation. If users had an email account within their bank account where they would receive personalised communications from their bank it would eliminate a lot of the uncertainty.

Terms and Conditions which say 'From time to time we may...' should be consigned to history. Policies which state non-payment of credit card bills may be followed up with 'either' a text, automated phone call, call in-person or written letter do little to put readers' minds at rest as to how and when they might be contacted by their bank.

It's understandable that customers banking in the virtual world choose to ignore all communications from their banks. How many people now would respond to a solicitation to ring a number and then divulge any personal information to the person on the other end of the phone?

And that is an unhealthy situation because invariably communication is essential where managing our finances is concerned. Ironically the biggest problem with this silence born of fraud is the fact that the most essential communication relates to the very prevention of fraud.

Phone calls or text messages out of the blue raise suspicion. Have the phishers moved from email to SMS or phone? But in many cases those calls or messages are made to query transactions - they are the first warning that something may be happening with your account that has raised alarm.

And users ignore it because they think it's fraudulent. It's an awkward Catch-22 and one which leaves the banks in a 'damned if they do and damned if they don't' situation. With this in mind banks need to think about verbal signatures. We've been using them for years to tell them who we are, why don't they use them to confirm who they are?

If they contact customers out of the blue, then they are accused of muddying the waters where phishing is concerned but if they maintain silence and an account gets cleared out by anomalous transactions they will be the first in line for stinging criticism.

The banks say the customer should always contact a branch or helpdesk if they are approached in a way which arouses suspicion - it is certainly a sensible first step, even though it complicates much of the streamlining intended by banking online.

But banks also need to make a lot more noise about the threat of phishing. No matter how loathe they are to discuss theft and fraud, customers would rather hear about it than experience it.

Have your say, register a Reader Comment below and let us know your thoughts on this issue.