Bank of America Seeks Anti-Fraud Anodyne

Banks have had a harder time protecting customers’ money since the bank robbers followed customers online. And it becomes harder still when customers don’t cooperate with banks’ efforts to secure their accounts.

Consider Bank of America, which claims 19 million customers online, more than any of its competitors. The bank now processes more transactions online than it does through all of its physical banking centers. Still, online popularity has its price.

In February 2005, Bank of America was sued by a customer—Ahlo, a wholesaler of ink and toner cartridges in Miami—that held the bank responsible for an unauthorized transfer of more than $90,000 from Ahlo’s account to a bank in Latvia. The company’s PC was infected with a Coreflood Trojan, a bit of malware that can be spread by a phishing attack and hands control of its victim PCs to hackers, according to reports in the South Florida Sun-Sentinel and other publications. Ahlo’s attorney, Karen Backer of Patino & Associates in Coral Gables, Fla., says the suit has been “amicably resolved” and includes a gag order that prohibits Ahlo from talking about it. Bank of America spokeswoman Shirley Norton says the bank has no comment. The bank also says it does not discuss individual phishing attempts and has posted information on its Web site (www.bofa.com/privacy) to educate customers about online fraud, according to Betty Riess, another Bank of America spokeswoman.

Since December 2004, there have been more than 350 phishing attempts—fraudulent e-mails that try to trick customers into giving up their account information, sometimes by infecting their computers with malware that logs their keystrokes—against Bank of America, according to FraudWatch International, a vendor of anti-phishing products. This works out to about one attempt every other day. Out of 339 financial institutions tracked by FraudWatch, Bank of America is currently the 10th favorite target of phishers—behind JPMorgan Chase, Washington Mutual and Citibank, among others.

Bank of America’s struggle against phishing shows how hard it is for businesses—especially big ones that have grown by acquiring companies with incompatible information-technology systems—to protect unwary and sometimes uncooperative customers from cybercrime.

About 18 months ago, the bank initiated a project to test and install anti-phishing software for all of its customers. That project is still underway. The bank’s senior vice president of e-commerce customer support solutions, Katherine Claypool, says Bank of America currently has three separate back-end processing systems—one for California, one for the Pacific Northwest, and one for the rest of the country—and customers in the Northwest will not get the software, SiteKey, until this summer.

Meanwhile, according to Claypool, after the bank made SiteKey mandatory, customers who had trouble using it—for example, by failing to follow directions when they registered—boosted calls to the bank’s customer service centers by 25%.

“Be realistic,” Claypool advised attendees of BAI SmartTactics, a banking industry conference, in Las Vegas in April. “The average consumer does not have a clue how the Internet works.”