Santander Bank has been spending the past month driving a white and red van around the U.K., handing out free fish and chips as part of a campaign to raise awareness about phishing.
The gimmick is simple: Show the driver a phishing email on your phone, and you’ll get a free snack.
Sure, it’s a little goofy, but what’s not to like about this phishing awareness campaign? We could all stand to learn a little more about phishing so we don’t click on malicious links in bogus emails, right?
The problem is real: Santander says there were 600 million scam attacks directed at Britons’ phones and emails in the past year, affecting three-quarters of the UK population. (It didn’t say how many of those impersonated Santander’s brand, but it’s a safe bet that the number was nonzero.)
So Santander’s education campaign seems like a good start.
There’s just one thing: Santander could save a lot of money on fish and chips vans if it just authenticated its own email.
That’s because the company’s domain is not protected from email impersonation. (See for yourself by checking the details on santanderbank.com’s email authentication status.)
Anyone — and we mean anyone — can easily fake an email in about five minutes that uses a real santanderbank.com email address in the From field. With a little careful crafting, they can make this look just like a real email from Santander.
In fact, a smart phisher would use an actual email from Santander — a legitimate customer notification of some kind — and make only one, small, invisible change: Adding a link to a malicious website controlled by the phisher.
That’s why education is only a partial solution to phishing. It’s very, very difficult to get end-users (especially ordinary consumers) to stop clicking on links in emails. It’s close to impossible when those emails look identical to a legitimate message, right down to the sender’s email address.
But if Santander authenticated its email with DMARC, it would close down that avenue of phishing. Completely. Messages that attempted to use the santanderbank.com address would be blocked by 76 percent of the world’s mailboxes, including all of the major U.S. mailbox providers: Gmail, AOL, Yahoo Mail, Microsoft, and many others.
It would then be a lot easier to educate consumers about how to spot phishing emails. Instead of telling people to examine messages closely for misspellings or telling them to hover over links to examine their destination URLs before clicking, Santander could simply say: “If the message comes from santanderbank.com, you can trust it. If it comes from a different domain, don’t trust it.”
Why don’t more companies do this? It closes off the number one type of phishing message. And for anti-phishing education, the message would be a lot clearer — and a lot more effective — than sending a phish and chips van around the country.
Not that we have anything against fish and chips! They’re quite good with vinegar and a pint of bitters. (Come to think of it, we’re getting kind of hungry now.)
They’re just no substitute for a solid anti-fraud defense.
Top image credit: Screenshot from Santander promotional video