Security experts are saying that a well-intentioned effort by the New Jersey Office of the Attorney General to combat phishing may backfire.
Earlier this week, State Attorney General Anne Milgram called on four banks -- Bank of America, Citibank, Washington Mutual, and New Jersey-based Sun National Bank -- to provide her with details on how they respond to phishing incidents.
This is a good move that will probably raise awareness about phishing, observers say. However, Milgram also asked the banks to send e-mail to their online customers, warning them that the bank has been a recent target for phishing scams and offering advice on how to tell fake e-mails from the real thing.
That raised a red flag with anti-phishing experts.
"The New Jersey Attorney General asking the banks to send out another e-mail to clients is opening up ... those banks to be phished yet again," said Paul Laudanski, leader of the Phishing Incident Reporting and Termination squad project. "I can see the phishers writing in a new e-mail scam campaign 'The New Jersey AG has asked us to inform you that you have been phished, please click this link to secure your account.' Trouble, trouble, trouble! This is a setup for failure," he wrote in an e-mail message.
Dave Jevans, chairman of the Anti-Phishing Working Group, said that while he applauded Milgram's effort to educate consumers by inquiring directly with bank CEOs, he "would have preferred that the Attorney General waited to hear back from these banks before issuing a request to send e-mails out to all their customers. That type of e-mail can set the stage for waves of copy-cat phishing," he said via e-mail. "If the phishers send out fake e-mails of this type before the banks get to it, there's a potential problem."
Even Katherine Tassi, Washington State's assistant attorney general, said she thought there could be problems. "Consumers are already confused enough about whether e-mail from a bank is authentic or not," she said via e-mail. "A lot of banks do, in fact, communicate by e-mail to their consumers, which is something that makes the problem worse." That's because consumers become more trusting of the e-mails, even messages that may be from a malicious source.
Milgram's spokesman, Lee Moore, said that banks should use every means possible to educate their customers about phishing -- including e-mail. "Banks need to compete with the phishers in the customer's e-mail box with the right message," he said.
The New Jersey AG has been receiving more and more phishing complaints of late and is coming to view the phenomenon as a growing concern, Moore added.
As of late Thursday, his office had not heard back from any of the banks.