'Phishers' wreak havoc on online banking

It was any banker's worst nightmare. Shortly after Wachovia Corp. sent an e-mail inviting recipients to go to a new log-in page as a result of its merger with First Union Corp., some savvy customers swamped Wachovia's call center to inform officials that criminals apparently were attempting to steal the financial information of Wachovia's customers through a bogus hyperlink.

One problem: The e-mail was authentic.

Buried under an ever-increasing deluge of Internet spam and phishing attacks -- which imitate e-mails from financial institutions to dupe victims into revealing financial information -- online banking customers have become so wary of Internet correspondence from financial institutions that bank officials must now think twice before sending out an e-mail to contact customers.

''Phishers have done a pretty good job of wrecking e-mail," said Lawrence Baxter, chief e-commerce officer for Wachovia. ''We've stopped all of that for that reason."

According to a report by Javelin Strategy & Research, 55 percent of people who receive an e-mail with their bank's name and e-mail address that asks them to log in to their account will delete the e-mail without taking any action. The magnified awareness of phishing has nearly destroyed the trust in a valued avenue of communication between banks and customers that banks took years to build.

Another survey released last month authored by Avivah Litan of Gartner Inc. said that 28 percent of consumers have said that online attacks influence their online banking activity. The report said that 14 percent of that group have stopped paying bills online as a result and that 4 percent have stopped online banking altogether.

''Banks have come to rely on the Internet for low-cost interaction and marketing," Litan said. ''This might get much worse."

Litan said that, on average, companies save about 45 cents every time they send an account statement electronically instead of by paper mail. A bank that sends monthly account statements by paper mail to 5 million customers would spend $27 million more than if it sent electronic statements.

During its next acquisition of SouthTrust Corp., Wachovia officials resorted to paper mail to inform customers of what was happening and what to do.

Bruce Cundiff, the author of Javelin's report, said that Wachovia's example demonstrates eroding conference in the online medium as a secure means of communication for financial institutions.

''Consumers are made overaware of identity theft, and there's lack of trust in e-mail," he said. ''Now, it's ludicrous for a bank to send out an e-mail with an embedded link."

Bank of America spokeswoman Betty Riess said that Bank of America officials have reduced their e-mail marketing programs, and now more commonly send e-mails specifically targeted to a customer.

During its massive conversion of 2 million FleetBoston online accounts, which was completed last month, Bank of America officials used only paper mail to communicate to customers, she said.

Officials at the Charlotte, N.C.-based bank also are rolling out a new security program, called SiteKey, which displays a picture and message unique to each online banking customer when the customer logs in to prove that they are at the legitimate Bank of America website.

Other banks include account information in the subject header to try to persuade customers that the e-mail is legitimate. When retail customers receive an e-mail from Citibank, for example, the e-mail's subject line includes the customer's first and last name and the last four digits of his or her ATM card number, according to Citibank spokeswoman Janis Tarter.

But according to antifraud security firm Cyota, some phishing attacks already include targets' names and ATM numbers in the e-mail.

These specialized attacks use previously stolen data to fool recipients into divulging other sensitive information, such as Social Security numbers or an ATM personal identification number.

Such attacks contain an added threat because the previously stolen information gives them a veneer of credibility, and once they become widely known, many customers are unlikely to trust e-mails that contain personal information.

Banks' intensive public education programs to alert customers to phishing scams have had the added effect of eroding confidence in online banking, said Amir Orad, Cyota executive vice president for marketing.

''When a banker sends an e-mail telling customers to be careful when they receive an e-mail, to never give out personal information, and so on, is he doing a good thing or making people not use the channel?" he said. ''This phishing trend is obvious, and it's going to get worse."

Joe Light can be reached at jlight@globe.com.