16 October 2018
Why it’s business critical for banks and fintech companies to secure their online brand identity
As is well known, trust is an extremely important aspect of brand building in general, but especially in banking and fintech.
Being entrusted to manage something as sensitive as money and/or financial information is not something to be taken lightly. The more sensitive a service is, the more important security becomes to trust in the brand of the company you are using or considering. Therefore, at Abion we have chosen to carry out an indicative survey of how Swedish actors in the banking and fintech sector are doing in this respect.
Banks and fintech companies should by now be aware of the potentially business-critical consequences that inadequate security may lead to, because the writing is on the wall. Last year, Capgemini released a global report on the relationship between data security and trust in the brand. It found that 74% of all consumers would change bank or insurance company in the event of a data breach.
We see the same pattern in the Swedish market. According to a recent report from Ipsos, almost 2 out of 3 Swedes would consider changing banks after a serious security incident. In the age group 18 to 29, which is so important for the banking sector because this is where many choose the bank they then tend to stay loyal to, 72% say they would consider changing banks in the event of a serious security incident. Perhaps the most striking figure of all, however, is what Swedish consumers would do if it was discovered that their bank had leaked or misused personal data: here, 98% of Swedes state that they would consider changing banks.
Clearly, a high level of trust is of utmost importance to actors in the banking and fintech sector.
Importance of protecting one’s digital brand identity
Banks and fintech companies have long been among the most exposed to data breaches and fraudulent behavior of various kinds. The consequences are harmful to both the consumer and the provider. As a consumer, you risk everything from financial fraud to identity theft. On the other hand, if it was discovered that a provider of financial services had not done everything in its power (and preferably a little bit more) to prevent fraudulent activity involving its brand, the consequences for the brand can be disastrous.
In our survey, we have chosen to focus on two primary aspects that we consider directly linked to trust in banks and fintech companies, and which, if mismanaged, can directly harm the trust in the brand.
Email fraud is one of the most common ways of misleading customers of banks and fintech companies. There are different types of email fraud, from putting a bank's name in the sender display name while using an unrelated email address, to using a misspelled look-alike domain name, to the perhaps most misleading (and therefore most harmful) method: exploiting the fact that the email system (SMTP) at its core lacks an authentication mechanism to ensure that the stated sender of a message is the actual sender.
The first thing we chose to look at is what is called DMARC. In short, DMARC is a protocol for email authentication and reporting. Building on SPF and DKIM, it lets a domain owner publish a policy telling receiving mail servers how to handle messages that fail authentication, and lets the owner receive reports on who is sending mail in the domain's name, which can minimize the risk of the brand being abused in illegitimate mailings. DMARC is by no means a "quick fix" for securing one's digital brand identity, but in our experience, the use of DMARC is a very good indication of whether an organization takes its digital brand identity seriously.
The other thing we chose to look at is the use of SSL/HTTPS on these companies' external web sites. Having an SSL certificate on an external web site in October 2018 in general, and on a bank's external web site in particular, may seem a given. For more information about how the survey was conducted and which tools were used, see Method below.
The result of our survey and comments
In our survey, we have chosen to look at ten of the most well-known Swedish banks, as well as ten well-known fintech companies on the Swedish market. The survey has focused on HTTPS (or the presence of SSL certificates) and DMARC.
For a long time, the HTTPS protocol (which a server certificate, colloquially an SSL certificate, enables) was used solely by sites that handled financial transactions and/or credentials of some sort. For these functions there was a need to encrypt the information between the customer and the bank in question, so that no one could read it in transit. Therefore, banks' websites have long been the textbook examples of what an SSL certificate looks like to the user: https instead of http in the address, the padlock icon before the address, and the green address bar (which the so-called EV certificate, the highest level of validation, enabled in browsers of the time).
In recent years, HTTPS has gone from being the exception to the rule, not least after Google in 2014 announced that HTTPS would be a ranking signal in search results.
Therefore, it may not come as a surprise that the following results can be reported from the survey:
Anything other than this result would be very remarkable. Even if the survey had been conducted in a different industry than the banking and fintech sector, any other result would be equally remarkable.
Looking at the use of DMARC, it is a completely different story:
DMARC, and with it the overall state of email security, has not reached the maturity of HTTPS/SSL in Sweden. This is partly explained by DMARC being a relatively new standard.
An interesting discovery during the survey was that 10% of the organizations we reviewed had included too many DNS lookups in their SPF record (the mechanism aimed at preventing illegitimate senders from emailing from a specific domain). SPF allows at most 10 lookup-causing terms (include, a, mx, ptr, exists and redirect) per evaluation, and a record that exceeds the limit yields a permanent error, so receiving servers treat it as if no valid SPF record existed. The result is that the protection does not work at all, and several of these companies are probably lulled into a false sense of security that their digital brand identity is protected. None of these companies had DMARC implemented, which in the circumstances would have been valuable: DMARC reporting would have revealed both the failing SPF evaluations and any misuse of the company's digital identity, so that it could be detected and acted upon.
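As an added illustration of the two email checks discussed above (the DMARC lookup and the SPF lookup-count problem), the following Python script counts the DNS lookups an SPF evaluation would trigger, recursing through include and redirect terms, and reads the domain's DMARC policy. It is example code written for this article, not Abion's survey tooling or hardenize.com's. Real checks would query DNS; here a constructed in-memory zone of fictitious .example domains stands in for DNS so that the script runs offline, and the bank.example record is deliberately built to exceed the 10-lookup limit.

```python
"""SPF lookup-count and DMARC policy check over a constructed, in-memory DNS zone.

Example code for this article (not Abion's or hardenize.com's tooling). ZONE is a
constructed stand-in for DNS TXT records so the script runs offline.
"""
import re

# RFC 7208 section 4.6.4: at most 10 lookup-causing terms per SPF evaluation.
SPF_LOOKUP_LIMIT = 10
LOOKUP_MECHANISMS = ("include", "a", "mx", "ptr", "exists")

# Constructed zone: fictitious domains only. bank.example chains through
# two mail providers and ends up well over the limit; fintech.example is lean
# but publishes no DMARC record at all.
ZONE = {
    "bank.example": ["v=spf1 include:_spf.mailer.example include:spf.crm.example mx -all"],
    "_spf.mailer.example": ["v=spf1 include:a.mailer.example include:b.mailer.example -all"],
    "a.mailer.example": ["v=spf1 ip4:192.0.2.0/24 a mx -all"],
    "b.mailer.example": ["v=spf1 a:out.mailer.example a:out2.mailer.example mx -all"],
    "spf.crm.example": ["v=spf1 include:x.crm.example include:y.crm.example -all"],
    "x.crm.example": ["v=spf1 a mx ptr -all"],
    "y.crm.example": ["v=spf1 ip4:198.51.100.0/24 ~all"],
    "_dmarc.bank.example": ["v=DMARC1; p=reject; rua=mailto:dmarc@bank.example; adkim=s"],
    "fintech.example": ["v=spf1 ip4:203.0.113.0/24 -all"],
}


def get_spf(domain):
    """Return the domain's single v=spf1 TXT record, or None if absent/ambiguous."""
    records = [r for r in ZONE.get(domain, []) if r.lower().startswith("v=spf1")]
    return records[0] if len(records) == 1 else None


def count_spf_lookups(domain, _path=()):
    """Count DNS lookups an evaluation of `domain`'s SPF record would cause.

    Each include/a/mx/ptr/exists mechanism and each redirect modifier costs one
    lookup; included and redirected records are evaluated recursively, as a
    receiving server would do. Returns (count, missing) where `missing` lists
    included domains with no SPF record (RFC 7208 5.2: that is a permerror too).
    `_path` guards against include loops.
    """
    if domain in _path:
        return 0, []
    path = _path + (domain,)
    record = get_spf(domain)
    if record is None:
        return 0, [domain]
    count, missing = 0, []
    for term in record.split()[1:]:
        term = term.lstrip("+-~?")  # drop the qualifier (+, -, ~, ?)
        if "=" in term:  # modifier such as redirect=... or exp=...
            mod, _, target = term.partition("=")
            if mod.lower() == "redirect":
                count += 1
                sub, sub_missing = count_spf_lookups(target, path)
                count, missing = count + sub, missing + sub_missing
            continue
        name = re.split(r"[:/]", term, maxsplit=1)[0].lower()
        if name in LOOKUP_MECHANISMS:
            count += 1
            if name == "include":
                target = term.partition(":")[2]
                sub, sub_missing = count_spf_lookups(target, path)
                count, missing = count + sub, missing + sub_missing
    return count, missing


def dmarc_policy(domain):
    """Return the tag dict of the domain's DMARC record, or None if none is published."""
    for record in ZONE.get("_dmarc." + domain, []):
        tags = {}
        for tag in record.split(";"):
            key, _, value = tag.partition("=")
            if key.strip():
                tags[key.strip().lower()] = value.strip()
        if tags.get("v", "").upper() == "DMARC1" and "p" in tags:
            return tags
    return None


def assess(domain):
    """Summarise both checks for a domain, mirroring the survey's two columns."""
    lookups, missing = count_spf_lookups(domain)
    if get_spf(domain) is None:
        spf_status = "none"
    elif lookups > SPF_LOOKUP_LIMIT or missing:
        spf_status = "permerror"  # receivers treat the record as unusable
    else:
        spf_status = "ok"
    dmarc = dmarc_policy(domain)
    return {
        "spf_lookups": lookups,
        "spf_status": spf_status,
        "dmarc_policy": dmarc["p"].lower() if dmarc else None,
    }


if __name__ == "__main__":
    for name in ("bank.example", "fintech.example"):
        print(name, assess(name))
```

bank.example comes out at 15 lookups and therefore a permerror despite its strict p=reject DMARC policy, which is exactly the combination worth catching: DMARC aggregate reports for such a domain would show SPF failing for every message, so a domain owner who reads the reports would spot the broken record quickly. fintech.example has a valid SPF record but no DMARC policy, so nobody is told when its name is forged.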
Digital protection strategy for the banking and fintech sector
So, what does a holistic protection strategy look like for the banking and fintech sector? A first step is to protect the digital assets that the company owns. This includes domain names, web pages, email and social media accounts.
Looking closer at the sources of traffic to the surveyed companies' main sites, the leading traffic source is still direct traffic, followed by traffic generated by keyword marketing, and then traffic linked from other sites.
Looking at the differences between the sectors, the fintech sector drives significantly more traffic through search. This is probably a sign that these newer and more digital brands are less well known and therefore need a wider presence in digital channels in order to attract new customers. It is also much more common for fintech companies to drive traffic through social media and email, which could indicate a wider use of digital channels within fintech.
A digital protection strategy should include monitoring and actions in the digital channels where customers reach one's site. All in order to strengthen the customer experience and the brand.
Outside the surveyed companies' own web sites, there are also complex digital ecosystems that do not necessarily link back to the company's website, such as direct communication and interaction with customers through apps and social media. Although these channels do not currently generate significant traffic back to the main site, we know that they generate direct interaction with the customer.
It is therefore crucial to protect the digital brand in these channels.
A comprehensive strategy for the banking and fintech sector can be summarized as follows:
- Ensure secure use of all digital assets you own and control (domain names, websites, email and social media accounts).
- Monitor and counteract risks in the digital channels where you meet your customers.
- Focus on new digital ecosystems such as social media and apps. It is especially important to strengthen the brand and customer experience in these fast-growing digital channels.
Appendix 1 – Method
In our survey we have chosen to look at ten of the most well-known Swedish banks, as well as ten well-known fintech companies in the Swedish market. The survey has included analyzing these organizations' external web sites, more specifically HTTPS and DMARC status, using hardenize.com, as well as the three most common traffic sources with similarweb.com.
The result of this analysis is only to be viewed as an indication of the security state and not as a complete analysis. Abion AB cannot guarantee that the results are correct, since the information was retrieved from systems outside Abion's control, so no business decisions should be based solely on this review.