Banks told to 'do their bit' to fight phishing attacks

The owner of an internet domain address can specify who is allowed to send email using that domain address

New Zealand banks could protect customers from phishing attacks by making a simple change to their internet address protocols at little or no cost, says Thom Hooker, director of operations at SMX, an Auckland based anti-spam and anti-virus email service provider.

“They’re putting a lot of onus on the users but they should be doing their bit at their end,” he says.

The owner of an internet domain address can specify who is allowed to send email using that domain address. Internet service providers such as Xtra can then identify and reject as spam emails which purport to be from banks.

A protocol, known as SPF (Sender Policy Framework), is already available to do this and is widely used by ISPs, including Xtra, making it a highly effective way of stopping phishing attacks getting through.

Hooker says not one New Zealand bank is using the protocol, whereas, overseas, large organisations such as Citibank and eBay do.

“Security in New Zealand is quite a lot less than it should be. Banks here are behind the times. I don’t quite know why — maybe it is because they’re owned out of Australia and not as much thought and energy goes into the New Zealand operations.”

Hooker has been monitoring phishing incidents for a year. He says the latest research shows there are 26,000 active, individual phishing scams a month worldwide.

Westpac's head of e-business, Stu Woollett, says he is aware of SPF and some of Westpac's technical people have had an initial look at it.

"It has been discussed between the banks as a potentially valuable tool," he says. "We're definitely interested, ubt it's still a developing story."

Woollett says he understands the protocol needs to be adopted by ISPs. He understands some have and some haven't started using it.

"We're keen to pursue anything that can harden our customers against social engineering-type attacks," he says, adding Westpac wants to preserve email as a communications channel with customers "rather than shutting it down".

Hooker says it is “fairly easy” for a hacker to spoof a bank’s domain, and send a phishing email, he says. Appearing to be a legitimate communication from a bank, not only does the email look authentic, it appears to have come from the bank’s own domain.

These emails, he says, often request the customer to follow a link to an often convincing replica of the bank’s website and enter personal details, allowing the hackers access to their account.

“What is really concerning is that 8% of people will act on a phishing email,” Hooker says. ”The NZ Banking Association is looking to bring in a new online banking code. This could see banks checking that the security on customers PC’s is adequate before compensating customers for online fraud.

“But the banks need to be taking advantage of every opportunity to protect customers," he says. "I'm surprised that SPF is not commonly adopted by financial institutions in New Zealand. This is something that could be done immediately, at little cost, and which would dramatically reduce phishing attacks,” Hooker says.

Full information on SPF is available at

Additional reporting by Rob O'Neill