Daniel Solove has a good post on “How Companies Help Phishers and Fraudsters.” Companies have trouble being consistent in what they send, and that’s to the advantage of fraudsters. They also have a hard time taking security information from outsiders, however well meaning.
I had an experience with Citi Mastercard. After some problems, I was carefully reconciling bills, and noticed that one of my charges never showed up. That can happen because a merchant is skimming card numbers. To make it harder for Visa and Mastercard to determine where the skimming is taking place, some crime rings will absorb the charges, rather than billing them.
I tried to report this to Citi, and they had none of it. So maybe, rather than talking about training users in “More on Using Email Like a Stupid Person,” I should be talking about training phone support people.
Most people, most of the time, won’t notice problems. Many reported “problems” won’t be security-relevant and real. Even so, the first companies that learn to do this well will have a substantial competitive advantage as we enter into an period of increasing fraud.