The bank sent online customers a message that looked an awful lot like a common fraud. "That's insane," says an expert.
The e-mail immediately raised flags for John Hanner. Seemingly from his bank, it directed him to change his user ID and password at its Web site.
"I thought, that's a scam right there," said Hanner, 60, of St. Petersburg.
So Hanner, a contractor who specializes in building inspections, heeded advice he had read from security experts. Instead of answering the e-mail or clicking on the link to a Web site in it, he called Wachovia Bank and got another surprise: The e-mail was legitimate.
Wachovia this week notified its online customers that they would have to change account information. By using e-mail, however, Wachovia upset some of its customers, such as Hanner, who have been warned repeatedly in recent years about how online con artists have used e-mail and fake Web sites to steal personal information in a technique called "phishing."
According to a study released Thursday by the Gartner Inc. research firm, 57-million Americans probably have received phishing e-mails, about 11-million people have clicked on the bogus links in such messages, and about 1.8-million people have given out personal information. Gartner said phishing attacks cost banks and credit card issuers $1.2-billion last year.
As millions of people have become victims of identity theft and Internet scams, the traditional rule has been that most legitimate businesses won't ask for such personal information by e-mail.
"That's insane," said Winn Schwartau, a nationally known Internet security expert from Seminole, after learning of Wachovia's message. "I've gotten a bunch of them, and some of them are very well done. And the casual user can't tell the difference. I think it was a very poor choice and mechanism."
While Wachovia initially thought e-mail was just a quick and convenient way to get the word out, it has learned a lesson in e-commerce, says the bank's spokesman, Doug Caldwell, in Charlotte, N.C.
"This is going to open a whole question," Caldwell said. "How do you communicate to your customers in the online channel with all the phishing and spoofing? Therein lies the trick."
Bruce Cundiff, an analyst with the Jupiter Research, says Wachovia should have known better. "As an industry professional, I wouldn't have trusted that e-mail."
He says Jupiter recommends to its financial institution clients that they take great caution in using e-mail, in particular not to embed links to a Web site in any messages.
"What Wachovia did sort of laughs in the face of proceeding with caution," Cundiff said.
The bank received about 700 calls after the e-mail went out. Roughly 25 percent were from people checking to see if the message was authentic, Caldwell said. Most asked about the timing of the conversion, and about 14 percent simply didn't want to change.
After getting the calls, Wachovia sent out a second e-mail to verify the legitimacy of the first. The number of calls dropped substantially after the explanatory e-mail.
Some recent surveys have shown that people are using e-mail less, their trust in it is fading and the combination of junk e-mail and scams has made going online more unpleasant.
The fear of phishing also is affecting banks and their online services, according to a survey released this week by Cyota, an Internet security software company that works with banks such as Bank of America, Bank One and U.S. Bank.
The survey showed that 75 percent of account holders said they are less likely to respond to e-mail from their banks because of scams, and 65 percent said they were less likely to begin or continue using online financial services from banks.
In the past month, Cyota has logged about 400 phishing scams worldwide, according to Lisa Bennett, Cyota's director of corporate marketing. And only about 30 percent of the people surveyed said they had enough confidence to tell the difference between a real e-mail from a bank and a fraud.
"It's a huge hit to brand and reputation," Bennett said. "It's a big threat to online trust and consumers' trust in their banks and the Internet as a whole."
Not all are pessimistic about e-mail's future. According to surveys by Jupiter Research, half of online consumers have signed up for e-mail newsletters in the past six months, 30 percent have clicked on e-mail marketing offers and 13 percent have made purchases from such promotions, according to David Daniels, an analyst with the firm.
In addition, Daniels says, Microsoft's deal this week with IronPort Systems Inc. that sets up a "white list" of approved bulk senders and other similar plans may help. In Microsoft's case for its Hotmail and MSN services, bulk senders will post a bond. If a mailer draws too many complaints from recipients, money is deducted and donated to a charity committed to fighting spam.
For Wachovia customer Hanner, though, the bank's actions left him unsettled.
"They're not plugged in to what's going on out there," Hanner said. "They made a mistake, no doubt in my mind about it."
- Information from Times wires was used in this report. Dave Gussow can be reached at firstname.lastname@example.org or 727771-4328.