Security awareness campaign highlights things your bank will never say

If you like anti-phishing efforts, hashtags, and confusing but colourful video games, you’ll be interested to know that a security initiative involving all three is now live. The American Bankers Association and other banks in the US are involved in an awareness campaign tied in with National Cybersecurity Awareness Month.

The campaign focuses on phishing and ways to tackle it head on with the aid of some learning tools and an informative website. It’s called “Banks never ask that,” and this is a good place to focus a campaign given the number of times we do indeed say that “banks will never ask you this.” It’s a common bit of security messaging, given a potentially very visible boost. That can only be a good thing, right?

Scoping out the scams

The incredibly colourful Banks Never Ask That is a collection of tips focused on four key areas of phishing danger: text messages, mobile payment app scams, email, and phone calls. Each section focuses on advising would-be victims to slow things down and not be rushed into hasty decisions by the scammer. This is a good idea; many phishing attacks plug into a fear of missing out, or time limited offers, and even refunds and panic-inducing situations. This is all in an effort to have someone not think clearly, and hand over logins or payment details in ways which can’t easily be corrected.

Also, a related PDF that claims to offer a “deeper look” into the problem repeats much of the same info from the website’s dropdown menus. All the same, it’s still handy to have all of the information in one place as opposed to dropdown categories which are only viewable one at a time.

The rest of the site focuses on specific areas of security related to locking down accounts, using multi-factor authentication, insisting on calling back a bank directly instead of taking a random caller’s word for it and so on.

There’s also one of those pages where you can “spread the word”, in the form of pre-written tweets giving the same advice. I’m not entirely convinced this kind of thing is particularly effective, but the option is there nonetheless.

Let’s all go to the movies

There is a tendency for people to not read things, and any cybersecurity month runs the risk of overloading folks with information. When everyone is saying to do this, and not do that, over the space of a few weeks, then fatigue will come into play.

With this in mind, there’s a number of videos tied to the campaign which make a lot of the points easier to digest. One focuses on not falling for fake phone calls from your bank, another makes the point that bank staff will never ask for your PIN number. In fact, the videos seem to make the point about what banks don’t ask for more clearly than the various text-laden portions of the site. In conclusion, bonus points for the videos! They’re short, easy to understand, and work like a charm.

Taking a trip to Scam City

Finally, we come to the prominently promoted game on the front page called “SCAM CITY.” It’s a very old fashioned side scrolling game where you jump or slide underneath enemies designed to look like the various types of cyberthreats being warned about.

There’s a flying telephone in the form of a landline receiver, which some players probably won’t recognise. We have an angry wallet, which I thought was a brick. There’s something which for all the world looks like a rectangular fried egg, but is supposed to be a…payment app? A mobile phone? A brick covered in egg? I don’t know.

Unknown egg figure SCAM CITY video games

The game works by giving you security tips. Unfortunately, you most often see a tip once you collide with an enemy and then die. It’s also easy to miss the tips as they appear and click right through them. If you manage to survive long enough, you eventually see one additional bonus tip once you gain enough points.

What this means is we have an educational game where you’re only educated if you’re really bad at it, or decide to deliberately run into the enemies. Good players will see one tip and then that’s probably it, until they die and then are graced with a second tip.

From a design perspective, it feels like penalizing the player for doing well is at odds with trying to show them as many fun security tips as possible.

How to dodge the fakers and phishers

Despite the fun and breezy nature of this campaign, it is underpinned by some very serious business. As DRG News highlights, the United States Federal Trade Commission (FTC) estimated somewhere in the region of $5.8 billion lost to phishing and related fraud across 2021.

It only takes one mistake to find yourself faced with significant and damaging losses from a phish. As such, maybe a light and playful attempt at having folks think more about what a bank doesn’t ask you for is a smart move. Here’s a few more tips::

  • You won’t be asked for PIN numbers, or secret passwords, or online banking logins by a legitimate bank employee. Someone on the phone will also never ask you for any kind of authentication code, either.

  • Bogus refunds and non-existent problems with your account are common tactics. Where genuine issues such as these exist, you’ll almost certainly receive a letter in the post about it first or have an alert in your online banking portal to check out if you’re paperless. As with all of these fake-outs, you should phone the bank directly using a number from the official website.

  • Treat email attachments with skepticism, especially in relation to refunds or payment issues. The attachment may direct you to a phishing site, or even attempt some form of malware hijack. If you’re using Microsoft Office products, most if not all forms of enablement required to activate malware via document should be disabled by default. “Read only” mode is best, but not opening the document in the first place is even better.

  • Very rarely, scammers will claim that a bank’s site is being updated, or replaced, and moved to a new URL. Should you receive a message along these lines, call your bank and visit the real thing. It’s almost certainly going to be a fake, this isn’t the kind of thing a bank keeps quiet and then suddenly changes with almost zero warning.

  • If you’re talking to your bank’s customer support on social media, make sure the account you’re talking to is the one you started with. Scammers create fake bank profiles and attempt to interject in your conversation when the real support channel is out of office.

Stay safe out there.