Electronic billing and payment is a win-win scenario, offering both the biller and the recipient added convenience, greater efficiency and an overall better experience. While the conversion of paper bills to digital replacements continues to accelerate, the real efficiency gain lies in digitizing the entire process, from bill presentment through to payment and reconciliation.
Receiving a paper bill in the mail and returning a check is becoming an endangered process among US consumers, as mobile phones and tablets become the preferred devices for viewing and paying bills.
eBill presentment and payment is a safe, secure and convenient way to view and pay bills. Unfortunately, the same technology that makes legitimate processes more efficient also gives fraudsters new ways to exploit weaknesses for identity theft and phishing.
The connectedness of the digital era certainly opens technical weak points, but it is a mistake to think that vulnerabilities exist only as a failing of technology. Much attention and investment goes into securing the software and devices that enable eBill payment, but not enough attention is paid to the risky behavior that some processes teach consumers, and that risk lies in the notification and request for payment.
It is crucial that billers and payment processors adhere to anti-phishing standards and techniques so that they do not set their customers up to become victims of fraud.
Don’t promote risky online behavior
Billers should embrace the advantages of electronic bill presentment and payment, but must also be careful not to teach customers to accept processes that fraudsters can easily mimic. An example is sending an ‘amount due’ notification by email, with a link straight to a payment page that asks for banking or credit card details. This is especially risky when the ‘amount due’ is similar every month, as with a mobile or cable contract, because a fake notification carrying a plausible amount raises no suspicion.
Recipients familiar with this process won’t think twice about clicking a link in an email and ‘surrendering’ their banking details. That makes them an easy target for cyber criminals who send out their own ‘amount due’ email, linking to a fraudulent payment page that looks like the real one.
A drastic approach would be to tell customers that your brand will never send links in an email, and that they should therefore never click on one. Few businesses can afford this stance: links in emails are a major factor in return on investment, cross-selling, customer engagement and self-service, all the advantages that marketing, sales and customer service want to gain from using eBills.
In addition, while your brand might take that stance, others will not, and your customers will still receive emails with links from their other service providers. Rather than banning links, focus on educating customers to avoid risky behavior.
Start by communicating a more specific statement about the security of your digital communications. The energy giant National Grid Gas and Electric Company has worded this message perfectly, stating on its website that it will never ask a customer to email personal information such as payment or financial details, never ask them to reveal a password, and never send programs to install on a computer.
Once a business adopts this stance, it must do two things: clean up any of its own processes that contravene the rules, and run a communication plan that sends regular, consistent messages to customers about risky behavior.
Another vital area is educating customers on how to recognize a legitimate email from your business. Certain anti-phishing techniques make your emails harder to mimic, and scammers may then pass over your brand in favor of one that has not taken these precautions.
Personalization of emails is one such technique. Set standards for how you structure emails and tell customers that every email from your brand will carry personal, but not confidential, information in its content as evidence that the email is from you. If a customer then receives an email mimicking your brand without these elements, they know to report it to your fraud division and delete it. Choose elements that a fraudster cannot easily harvest from public profiles or from data leaked elsewhere; personalization raises the bar for an attacker rather than proving authenticity on its own, which is why it belongs alongside the other measures described here.
Adopt processes that are harder to mimic
Consider delivering bills securely by email and enabling payment from within the secured document. The recipient receives an email with the bill attached in a protected format that can only be opened with a ‘shared secret’ known to both the biller and the recipient, and never sent in the same email as the bill. Once inside the document, the customer can make a payment by entering payment details on the document itself. They click ‘pay now’ and the details are securely handled by the payment processor.
How is this not teaching the wrong behavior? To dupe the user, a fraudster would have to mimic the entire process: craft the email with the correct personalization, generate a document with legitimate-looking bill information, protect it with that customer’s shared secret (which only the biller and the customer should know), send it from a spoofed address, and build the document so that it captures the banking details the victim enters. Most cyber crooks will not take all of these steps just to harvest information. That is why it is important to set up eBilling processes that make it difficult and frustrating for fraudsters to obtain client information.
The good news is that, as the digital era continues to evolve, there are a number of service providers that can help companies deploy the right security measures and processes around their eBills and the other electronic information they share. Remember, it is not only important to implement the right security technologies, but also to familiarize users with the processes that fraudsters can mimic, as this helps address all security weak points.
About Mia Papanicolaou
Mia Papanicolaou is Chief Operating Officer for document security specialist, Striata Inc. Mia joined Striata in 2006 and having worked in Africa and the UK, now heads up North, Central and South American operations. Papanicolaou is a regular speaker on her areas of expertise – secure electronic document delivery and email marketing.
Striata provides strategy, software and professional services that enable digital communication across multiple channels and devices. Striata technology is used to secure, send and store confidential documents for the world’s largest financial services, utility, insurance, retail and telecommunications companies, who trust Striata to achieve unrivaled results in digital transition, adoption and transformation.