Bank Systems & Technology is part of the Informa Tech Division of Informa PLC

Ron Shevlin, Senior Analyst, Aite Group (Boston)

Banks Should Empower Recipients in the Fight Against E-Mail Fraud

In addition to implementing authentication protocols, banks should ensure that e-mail recipients understand e-mail dangers and control their own fates.

Banks need to implement e-mail authentication protocols to help prevent e-mail fraud. Specifically, a bank should publish its Sender Policy Framework (SPF) record (a technical standard that helps prevent sender address forgery); implement cryptographic solutions, such as digital signatures and encryption; and control and monitor its brand domain names. Internet service providers (ISPs) often reject e-mail from derivative domains, so banks should standardize "from" lines.
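To make concrete what a published SPF record actually buys a receiving mail server, here is an added example (not code from the article or from Aite Group) of a minimal SPF evaluator in the style of RFC 7208. The DNS TXT table is constructed inline with hypothetical `.test` domains and documentation IP ranges, so it runs offline; only the `ip4`, `ip6`, `include` and `all` mechanisms are handled, and the lookup-depth limit stands in for the RFC's DNS-lookup limit.

```python
"""Minimal SPF evaluator over a constructed, offline DNS table.

Added example. The records below are constructed for a hypothetical bank
domain ("examplebank.test") that outsources some sending to a hypothetical
mail vendor ("_spf.mailvendor.test"); none of it is real DNS data.
"""
import ipaddress

# Constructed TXT records (hypothetical domains, documentation IP ranges).
DNS_TXT = {
    "examplebank.test": "v=spf1 ip4:192.0.2.0/24 include:_spf.mailvendor.test -all",
    "_spf.mailvendor.test": "v=spf1 ip4:198.51.100.10 ip6:2001:db8::/32 ~all",
}

# SPF qualifier prefixes and the result each one yields when a mechanism matches.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup_spf(domain):
    """Return the domain's SPF record from the constructed table, or None."""
    record = DNS_TXT.get(domain.lower())
    if record and record.startswith("v=spf1"):
        return record
    return None


def check_host(ip, domain, depth=0):
    """Evaluate whether `ip` is authorized to send mail for `domain`.

    Returns one of: pass, fail, softfail, neutral, none, permerror.
    """
    if depth > 10:
        # Stands in for the RFC 7208 limit on DNS-querying mechanisms.
        return "permerror"
    record = lookup_spf(domain)
    if record is None:
        return "none"  # no record published: the receiver cannot tell forgery from legitimate mail
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, value = term.partition(":")
        if name == "all":
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):
            network = ipaddress.ip_network(value, strict=False)
            if addr.version == network.version and addr in network:
                return QUALIFIERS[qualifier]
        elif name == "include":
            # include: matches only when the referenced domain's policy passes.
            if check_host(ip, value, depth + 1) == "pass":
                return QUALIFIERS[qualifier]
        else:
            # a, mx, exists, ptr need live DNS and are out of scope here.
            return "permerror"
    return "neutral"  # record exhausted with no "all": default result
```

The `-all` on the bank's own record is the part that matters for fraud: a message from an address outside the listed ranges (or outside the vendor's ranges) evaluates to `fail`, which a receiving ISP can act on. A vendor record ending in `~all` only yields `softfail`, which most receivers treat as advisory.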

Banks also should empower the customer/recipient in the fight against e-mail fraud. To do this, banks should provide easy and conspicuous access to preference pages and their privacy policies, allowing recipients to understand and control their preference information, including the ability to opt out or change messaging frequency and content. In addition, banks should incorporate e-mail change-of-address links and preference selection information in all messaging.

From a detection perspective, while many banks have incorporated fraud and spoofing education content onto their Web sites, they also should allow customers to report and/or submit suspicious e-mails. Banks should also implement internal systems to publish and communicate legitimate and fraudulent messaging to critical frontline employees who respond to customer questions/concerns.

Two major initiatives have been developed to address the requirement that senders of e-mail be authenticated: the Sender ID Framework (SIDF) and DomainKeys Identified Mail (DKIM). The former is championed primarily by Microsoft and AOL, the latter by Yahoo and Google. Both provide a foundation for distinguishing legitimate e-mail, and thus a means of associating a verifiable identifier with a message.
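DKIM ties the verifiable identifier to the message content, not just to the sending host. As an added example (not code from the article, Yahoo or Google), the block below implements the body-hash part of a DKIM check from RFC 6376: it canonicalizes the body ("simple" or "relaxed"), computes the SHA-256 body hash, and compares it with the `bh=` tag in the `DKIM-Signature` header. The message, domain and selector are constructed; the RSA signature over the headers (`b=`) is left as a labelled placeholder, since verifying it needs the signer's public key from DNS.

```python
"""DKIM body-hash (bh=) construction and verification over a constructed message.

Added example. Covers body canonicalization and the bh= tag only; the b= tag
that carries the RSA signature over the selected headers is a placeholder.
"""
import base64
import hashlib
import re


def canonicalize_body(body, mode):
    """Canonicalize a body per RFC 6376 section 3.4.3 (simple) / 3.4.4 (relaxed)."""
    lines = body.split("\r\n")
    if mode == "relaxed":
        # Strip trailing whitespace, collapse runs of whitespace to one space.
        lines = [re.sub(r"[ \t]+", " ", line.rstrip(" \t")) for line in lines]
    # Both modes drop trailing empty lines and end the body with a single CRLF.
    while lines and lines[-1] == "":
        lines.pop()
    if not lines:
        return "\r\n" if mode == "simple" else ""
    return "\r\n".join(lines) + "\r\n"


def body_hash(body, mode="relaxed"):
    """Base64 SHA-256 of the canonicalized body, as carried in bh=."""
    digest = hashlib.sha256(canonicalize_body(body, mode).encode("utf-8")).digest()
    return base64.b64encode(digest).decode("ascii")


def parse_dkim_tags(header_value):
    """Parse the tag=value list of a DKIM-Signature header into a dict."""
    tags = {}
    for item in header_value.split(";"):
        if "=" in item:
            key, value = item.split("=", 1)
            tags[key.strip()] = re.sub(r"\s+", "", value)
    return tags


def build_signature_header(body, domain, selector, body_mode="relaxed"):
    """Construct a DKIM-Signature header with a real bh= and a placeholder b=."""
    return ("DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/%s; d=%s; s=%s;\r\n"
            " h=from:to:subject; bh=%s;\r\n"
            " b=PLACEHOLDER_RSA_SIGNATURE" % (body_mode, domain, selector,
                                            body_hash(body, body_mode)))


# Constructed sample message from a hypothetical bank domain.
CONSTRUCTED_BODY = "Dear customer,\r\n\r\nYour statement is ready.  \r\n\r\n\r\n"


def build_message(body=CONSTRUCTED_BODY):
    headers = ("From: alerts@examplebank.test\r\n"
               "To: customer@example.test\r\n"
               "Subject: Your statement\r\n"
               + build_signature_header(body, "examplebank.test", "sel2024"))
    return headers + "\r\n\r\n" + body


def verify_body_hash(raw_message):
    """True if the body matches the bh= tag of the message's DKIM-Signature."""
    headers, _, body = raw_message.partition("\r\n\r\n")
    unfolded = re.sub(r"\r\n[ \t]+", " ", headers)  # join folded header lines
    for line in unfolded.split("\r\n"):
        name, _, value = line.partition(":")
        if name.strip().lower() == "dkim-signature":
            tags = parse_dkim_tags(value)
            break
    else:
        return False  # unsigned message: nothing to verify
    canon = tags.get("c", "simple/simple")
    body_mode = canon.split("/")[1] if "/" in canon else "simple"
    return body_hash(body, body_mode) == tags.get("bh")
```

Any change to the wording of the body, such as an altered link or instruction, breaks the body hash, while whitespace-only differences introduced by mail relays survive under relaxed canonicalization. That is the property a receiver relies on when it maps a DKIM pass to the `d=` domain as the message's verifiable identifier.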

While SIDF and DKIM fulfill a role in the sifting of wheat from chaff, a number of third-party solutions have been brought to market with the specific aim of providing some form of certificate of authenticity for delivered e-mails. A common characteristic of these solutions is to provide some form of mark for the end user to visually illustrate that an e-mail is trustworthy, such as a sealed envelope or a padlock.

Finally, to maximize productivity, banks should provide internal training on using e-mail; publish e-mail policies and best practices, including processes to assure the white-listing that is critical to business-to-business e-mail; and implement spam filtering solutions at the server level to reduce employee in-box clutter.
