When it comes to phishing, financial institutions and their customers are targeted more often than others. Digital credentials solve this problem and provide customers with a better user experience when logging into their bank accounts.

By Tim Spring

Phishing is where someone pretends to be from an organization you know and requests information from you that allows them to steal your login data. This might be in the form of an email requesting that you reset your password, a text message, or even a phone call.

Phishing is on the rise because it works: 22% of data breaches can be attributed to phishing.

Phishing in finance

In finance, phishing often involves someone pretending to be a customer trying to retrieve their account details by contacting their bank. Bank call centers receive thousands of deepfake calls per year, wasting time and resources, and requiring vigilance on the part of the employee to spot the scams and stop the call. As deepfake technology becomes more dynamic this will be much harder for a human to do.

The other common vector for phishing attacks is that of a scammer pretending to be a bank. Financial institutions are the most impersonated organizations by scammers. These attacks often come via an email, text, or even a call from the bank saying that there is something wrong with the customer’s account and they need to log in immediately. Unfortunately, the link provided by the scammer will steal the personal account information of the customer when they try to use it.

Stop phishing with verifiable credentials and decentralized identity

The reason phishing works is because there is currently not a good way for identifying who people claim to be online. Passwords and logins are prone to being lost, stolen, or copied, and even assuming they are secure, they are only effective in one direction — when the customer is trying to reach out to the bank. If a bank, or someone pretending to be the bank, tries to reach out to the customer, due diligence is required on the customer’s part to make sure the message is authentic.

Decentralized identity solves this problem. A bank can be absolutely certain that an account holder really is an account holder, and an account holder can be absolutely certain that they are interacting with their bank — and this mutually assured authentication is proven instantaneously by cryptography, and occurs before any information is shared.


A bank customer’s digital wallet software is able to create a secure communications channel directly with their bank. The customer’s wallet creates a decentralized identifier (a DID) and uses this DID to connect to their bank’s DID. DIDs enable public key cryptography.

Each party uses the other party’s cryptographic keys to send encrypted messages to each other. Only the bank can decrypt the message sent by the customer because the customer has encrypted a message with the bank’s key; only the customer can decrypt the bank’s message because the bank has used the customer’s key to encrypt its message.

In reality, this is instantaneous. But it means that when a customer uses a DID to connect to their bank and then presents a verifiable credential for their bank account, the bank knows its their customer. It is more effective than adding multi factor authentication because it doesn’t require customers to jump through hoops, allows both parties to verify who they are interacting with, and even enables passwordless login by default.

To learn more about how this all works you can see demonstrations of the technology in action.

If you have questions about the technology or would like to discuss how to best get started the Indicio team is happy to help, you can get in touch here.


Sign up to our newsletter to stay up to date with the latest from Indicio and the decentralized identity community