We’ve all been reading about the DDoS attacks that have hit most of the major American banks in the past month or two. Just for a moment, let’s put aside the technical aspects of how these attacks happened and think more about how they have affected the banks’ customers. More specifically, I want to explore how these financial institutions (and other companies as well) communicate with the public when an attack or other conditions make critical business applications inaccessible.
The Wall Street Journal recently reported on the case of a Wells Fargo customer who spent 3 hours trying to access the bank’s website. Unbeknownst to her, the bank was under DDoS attack and access to the online banking website was effectively denied to everyone. When she called the bank’s customer service line for help, she was told that the access problem was with her own computer. In essence, the message she heard was “it’s your fault.” Later she saw a news report about the attack on the bank and knew her PC wasn’t the cause of her lockout. Her response: "It's really annoying that I had to go to other sources to find out what was going on with my bank. It doesn't inspire a lot of confidence."
If information about this attack was already making its way into public news sources, then surely the bank could have prepped its customer service team on what to tell customers when they called. A simple and honest “our computer systems are temporarily down” would have been better than “your PC has a problem that’s keeping you out.” To its credit, Wells Fargo did post information on its outage on Facebook and Twitter, but I have to wonder why the customer service rep was left out of the loop.
I had a similar situation when I tried to pay my Kohl’s bill online the other day, but with a better outcome. I clicked on the link in my emailed Kohl’s bill to check my account balance. I got an error message instead of the familiar Kohl’s website. I tried the link again, and then typed it into my browser—both times with the same failed result. I called the Kohl’s customer service line and when I finally got through to a person, he told me the computer systems were down and asked me to try again in a few hours. A simple and honest “it’s our problem” put my mind at ease. I have no idea why the Kohl’s website was down that day, but I was able to log in later that afternoon.
Whether it’s a DDoS attack or some other problem, we all recognize that customer-facing websites go down from time to time. As soon as the affected company recognizes the problem and understands that the outage may last an hour or more, it’s important to communicate openly and honestly with customers in order to sustain trust, and that communication has to reach the front-line customer service staff, not just the company’s social media accounts. The message doesn’t have to be deeply detailed, but it should be enough to convey to customers “we know there’s a problem, we’re on top of fixing it and your account is still safe with us.” That last point should be stated only once the company has actually confirmed it: a denial-of-service attack blocks access to the site without touching customer data, but a company that says “your data is safe” before it has ruled out any other intrusion risks having to walk the statement back later, which does more damage to trust than the outage itself.
In an article published by Bank Info Security, research analyst Gregory Nowak with the Information Security Forum says that the banks affected by the DDoS attacks need to take extra measures to inform and educate their customers about what has happened and how a DDoS attack is different from a hacking attack that puts customer information at risk. Nowak advises:
The banks that have been affected are missing a great opportunity to communicate and educate their users. I tried visiting the sites, and there's nothing on any of the bank sites that says, "Here's what's going on. Here's how you can understand it. Your information is safe." Sitedown.co has provided some up-to-date information about which sites are available, but the banks themselves are not doing a good job of communicating. They seem to be regarding it as a secret. They're saying some people have access issues. People know they have access issues. They should be taking the opportunity to explain to their customers the difference between denial-of-service attacks and some sort of hacking attack that actually puts information at risk, because their customers are worried and they don't need to be.
I agree. Open and honest communication that allays customers’ confusion and fears can not only preserve but even enhance a company’s reputation. It’s bad enough to suffer through a DDoS attack. There’s no need for a company to make it worse by telling customers something that’s entirely false.