Today’s Phishing (identity theft) campaigns require three main ingredients to be successful:
- A gullible user
- A fake web site where the user can enter their login info
- An email message to lure the user to the web site
If the user is extremely gullible, the email and the fake web site can be of very low quality and still generate good results.
However, in order to cast a wider net and snag more phish, it helps to have a high quality fake web site and a high quality email message too. What really helps is if the financial institution you’re trying to phish co-operates by training its users to click on links in the email it sends out.
Using the Internet to communicate with customers requires businesses to find a balance between security and convenience. Linking to the company web site from email correspondence increases convenience by allowing customers to get from the email message to the site in one click. On the other hand, linking to a web site that requires the user to enter sensitive information also invites phishing attempts.
For example, Bank of America (BoA) includes a “Sign In” link in all of their “Online Banking Alerts”. They have implemented the SiteKey challenge in which you look for your personal SiteKey before entering your sensitive data (account ID and password).
Nevertheless, this is still a Phisher’s dream email. Despite BoA’s note reminding users to “look for your SiteKey”, many recipients of a decently crafted phishing email will just click the emailed hyper-link and then enter their confidential login info.
Users are especially cooperative if the Phishing email says something scary like: “You’ll be locked out of your account if you don’t sign in right away using this link.”
While the “SiteKey” tool may be helpful to savvy users, Phishing emails by definition target unsophisticated users, and for them the “SiteKey” probably makes very little difference.
The real problem begins with the fact that BoA is training their users to expect email with links to their site. Our anti-spam system sees almost as many fake messages using the BoA format as it does real messages from BoA.
Chase is also guilty of aiding and abetting phishing campaigns. You might think that, since their link doesn’t go straight to the login page, it’s not as bad, but the problem is the same as the one above: by leading users to expect (and trust) that email links will connect them to the site, these banks make Phishing scams easy to perpetrate.
All the Phisher has to do is make an email that looks just like this one and link it to a web site that looks just like Chase’s. Both of these tasks are pretty easy if you know what you’re doing.
The only chance the victim has to discover the fraud is to hover the mouse over the link and compare the address the browser shows in the status bar (assuming the status bar is even displayed) with the address the link text claims to go to, or to look at the source HTML of the message. Neither is very likely, and some fraudulent emails even suppress the display of the real link target regardless.
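To make that hover check concrete, here is an added example (not OnlyMyEmail’s filter code) that does programmatically what the post asks the user to do by eye: parse the HTML body, collect every link, and flag any whose visible text or brand cues disagree with where the href actually points. The sample message and the allow-list of bankofamerica.com hosts are constructed for illustration, and the “registrable domain” helper is a deliberate two-label simplification.

```python
"""Audit the links in an HTML email for the mismatch a user would have to
spot by hovering: visible text or brand cues that disagree with the href.
Added example for this post, not OnlyMyEmail's filter code."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed allow-list of hosts the real bank is assumed to link to.
# Assumption for illustration only; a real filter would curate this list
# (and would have to include any click-tracking redirector hosts the bank uses).
KNOWN_GOOD_HOSTS = {
    "bankofamerica.com": {
        "www.bankofamerica.com",
        "bankofamerica.com",
        "sitekey.bankofamerica.com",
    },
}

# Visible anchor text that looks like a URL or bare domain, e.g. "www.bank.com/x"
DOMAIN_LIKE = re.compile(r"^(https?://)?(www\.)?[a-z0-9-]+(\.[a-z0-9-]+)+(/\S*)?$", re.I)


def host_of(url):
    """Lower-cased host of a URL; '' for mailto:, tel:, '#' anchors, etc."""
    url = url.strip()
    parts = urlparse(url)
    if not parts.scheme:            # bare 'example.com/x' parses as a path
        parts = urlparse("http://" + url)
    return (parts.hostname or "").lower()


def registrable(host):
    """Crude registrable domain (last two labels). Fine for .com; a real
    filter would use the Public Suffix List to handle co.uk and friends."""
    return ".".join(host.split(".")[-2:])


class AnchorCollector(HTMLParser):
    """Collect (href, visible text) for every <a> in the message body."""
    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def audit_links(html, brand_domain):
    """Return one finding per http(s) link: verdict 'ok' or 'suspicious' plus reasons."""
    good_hosts = KNOWN_GOOD_HOSTS[brand_domain]
    brand_label = brand_domain.split(".")[0]          # "bankofamerica"
    parser = AnchorCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.anchors:
        host = host_of(href)
        if not host:                                   # mailto:, tel:, '#': nothing to hover
            continue
        reasons = []
        if host not in good_hosts:
            reasons.append(f"link goes to {host}, not a known {brand_domain} host")
            if brand_label in host:
                reasons.append("foreign host borrows the brand name")
        if DOMAIN_LIKE.match(text):
            shown = host_of(text)
            if registrable(shown) != registrable(host):
                reasons.append(f"text shows {shown} but link goes to {host}")
        findings.append({
            "text": text, "href": href, "host": host,
            "verdict": "suspicious" if reasons else "ok",
            "reasons": reasons,
        })
    return findings


# Constructed sample: a lookalike of a bank alert, not a real message.
SAMPLE_EMAIL = """
<html><body>
<p>Dear Customer, your Online Banking Alert is ready.</p>
<p><a href="https://www.bankofamerica.com/signin">Sign In</a> to review it.</p>
<p>Or go to <a href="http://bankofamerica.com.secure-signin.example/">www.bankofamerica.com</a></p>
<p>Questions? <a href="mailto:alerts@bankofamerica.com">Contact us</a></p>
<p><a href="https://sitekey.bankofamerica.com/help">Look for your SiteKey</a></p>
</body></html>
"""

if __name__ == "__main__":
    for finding in audit_links(SAMPLE_EMAIL, "bankofamerica.com"):
        print(finding["verdict"], finding["href"], *finding["reasons"], sep="\n    ")
```

Run against the sample, the genuine sign-in and SiteKey links pass, the mailto link is ignored, and the lookalike is reported with three reasons: an unknown host, the brand name embedded in that host, and visible text that claims a different domain from the href. The caveat for a real deployment is the allow-list itself: banks often route email links through click-tracking redirector hosts, so a list keyed to the brand domain produces false positives until those hosts are added, and every host added is one more thing a customer cannot be expected to recognise by hovering.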
None of the above should be construed to mean that putting links in email messages is bad per se. The business sending the email has to weigh the likelihood of being a phishing target against customer convenience. If you run a small local business and link to your web site in all of your correspondence, you are unlikely to be a phishing target even if your site does have a place for users to log in. On the other hand, if you are among the largest banking institutions in the world, it might be a good idea not to encourage phishing.
Note that BoA and Chase are not the only ones doing this. Many other businesses come down on the side of convenience in the security vs. convenience calculation. BoA and Chase are just easy examples of financial companies that should know better.
As a customer of a large banking institution (insurance company, hospital or any other business that handles a lot of sensitive data for you) you have a few alternatives:
- Be extra vigilant about emails that come from any service provider that has access to sensitive information about you. You’ll need to learn to spot phishing attempts on your own since they’re inviting phishing.
- Bring these stupid practices to the attention of the institution. Call and ask if they can deliver email in a different format, without the links. For this you’ll need to get used to spotting emails that invite phishing. (We’ll be writing more on this subject, but hopefully the information above will get you started.)
- Sever relationships with businesses that put convenience ahead of security. You should only do this after attempting the second alternative above. That way these businesses will get the idea that they’re losing more business over bad security than they’re gaining from convenience.
For more information on this topic, keep an eye on our “Phishing Lessons” category.
OnlyMyEmail is an award-winning hosted spam filtering service and business email hosting provider. Our enterprise cloud computing anti-spam solution, the MX-Defender, has the highest capture rate of any spam filter ever tested in the VBSpam Challenge, blocking a record-setting 99.9993% of all malicious and junk email.
Our Personal spam filtering system is also a Software as a Service (SaaS) solution and has won both the PC World "World Class Award" and also the PC Magazine "Editor's Choice Award."
OME-Kids is a webmail solution that protects children from spam and other harmful emails. OME-Kids offers unique Parental Controls that allow you to choose the level of security and oversight that's right for your child.