Given that OnStar is dedicated to “safety, security and communication”, it seems a little strange that they would make it so easy to phish their accounts.
But that’s what they do.
This “important account notice” is just asking for a thousand email phishers to jump on it.
Here’s what we’re talking about:
Subject: IMPORTANT ACCOUNT NOTICE
From: “OnStar Subscriber Services” <firstname.lastname@example.org>
Next they give you a huge, orange button that says “UPDATE YOUR ACCOUNT”. This is nice from a usability perspective, but it makes life really easy for phishers, especially once OnStar has trained you to click that button.
If you’re not already phished they provide another opportunity. Under the bold and capitalized heading “CONTACT US IMMEDIATELY TO UPDATE YOUR CREDIT CARD INFORMATION” (Phishers like to create urgency. Oh wait, this is not a phishing message. Sorry.) they list three contact options:
- Call 1.888.281.5662 – We searched the web and the main OnStar site for this phone number and didn’t find anything. On one hand, it’s not associated with any known phishing campaigns. On the other hand, we can’t prove it belongs to OnStar.
- Press your blue OnStar button – Under the circumstances this is by far the safest way to contact them since they’ll know it’s you and you’ll know it’s them.
- Log in to your account at onstar.com – This is exactly how phishing links work: the link text says one thing while the link goes somewhere else. This particular link does go to OnStar, but we only knew that because we checked the link target (hover over it, or view the message source) instead of trusting the text.
We checked out the web site where you log in and it would also be very easy to duplicate. Not that there’s really any way to prevent that. The point is that this message is a perfect template for a phishing campaign.
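As an added example (not part of the original post, and not an OnStar tool), the following Python script performs the link-target check described above automatically: it pulls every link out of an HTML message body, compares the domain shown in the link text with the domain the link actually points to, and also flags raw IP-address targets and targets outside the expected domain. The sample message body is constructed for this example; only the onstar.com URLs are real, the other hosts are documentation placeholders standing in for a phisher's infrastructure.

```python
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message body, modelled on the notice discussed above.
# Only the onstar.com URLs are real; the other targets are placeholder
# (RFC 2606 / RFC 5737) values standing in for a phisher's infrastructure.
SAMPLE_HTML = """
<p>Log in to your account at <a href="https://www.onstar.com/web/renewal/login">onstar.com</a></p>
<p>Log in to your account at <a href="https://onstar-account-update.example.net/login">www.onstar.com</a></p>
<p><a href="http://198.51.100.23/update">UPDATE YOUR ACCOUNT</a></p>
<p><a href="https://www.onstar.com/support">Contact us</a></p>
"""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Approximate the registrable domain as the last two labels.
    Fine for .com/.net; a production tool should use the Public Suffix List."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def host_in_text(text):
    """If the visible link text is itself a URL or bare domain, return that host."""
    candidate = text.strip()
    if not re.fullmatch(r"(https?://)?[a-z0-9.-]+\.[a-z]{2,}(/\S*)?", candidate, re.I):
        return None
    if "://" not in candidate:
        candidate = "http://" + candidate
    return urlparse(candidate).hostname


def classify_link(href, text, trusted_domain):
    """Return one verdict string for a single link, most serious check first."""
    target = urlparse(href).hostname
    if not target:
        return "unparseable-target"      # mailto:, javascript:, relative or empty href
    try:
        ipaddress.ip_address(target)
        return "raw-ip-target"           # legitimate senders almost never link to a bare IP
    except ValueError:
        pass
    shown = host_in_text(text)
    if shown and registrable_domain(shown) != registrable_domain(target):
        return "text-target-mismatch"    # the classic "says onstar.com, goes elsewhere"
    if registrable_domain(target) != trusted_domain:
        return "off-domain-target"
    return "ok"


def audit_links(html, trusted_domain="onstar.com"):
    """Classify every link in the body; returns [(verdict, href, text), ...]."""
    collector = LinkCollector()
    collector.feed(html)
    collector.close()
    return [(classify_link(href, text, trusted_domain), href, text)
            for href, text in collector.links]


if __name__ == "__main__":
    for verdict, href, text in audit_links(SAMPLE_HTML):
        print(f"{verdict:22} {text!r:28} -> {href}")
```

The second link in the sample is the one to worry about: the text reads www.onstar.com but the target is another domain entirely, which is precisely the trick the post describes. The "last two labels" domain heuristic is a deliberate simplification; anything meant for real mail streams should use the Public Suffix List so that hosts under co.uk and similar are compared correctly.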
How Do I Know It’s Not Phishing?
Now that we’ve listed a bunch of suspicious behaviors evinced by this email, you’re probably wondering how to prove it’s real.
The most outstanding clue is the amount of sensitive personal information included (the “Redacted” parts):
- Your name
- Your credit card type and the last four digits of the account number
- Your OnStar account number
- Your vehicle make and model
- Its Vehicle Identification Number (VIN)
- Your OnStar plan
A typical phishing campaign is unlikely to know this much about you. Phishers tend to gloss over these details, so if this were a phishing email these bits would probably be left out.
Of course by emailing this stuff, OnStar makes it considerably more likely that a phisher could have this information.
What Could OnStar Have Done Better?
Here’s what we would prefer to see in this type of message:
- No clickable links – Provide fully qualified URLs (e.g. https://www.onstar.com/web/renewal/login?a-non-reversible-ID) in the text of the message but do not make them links. Yes, some of your customers will have difficulty pasting the URL into the address bar of their browser, but far fewer of them will end up with their accounts stolen. You decide which is more important. (Also see point #5.)
- Name and last four digits of the credit card number are probably sufficient to make the messages hard to fake. The rest, account number and so forth, is overkill and should not be sent in unencrypted email messages.
- A less phishy subject would be nice but that’s really difficult for this type of message. Using mixed case would help since all caps, in our experience, is overwhelmingly indicative of fraud.
- Lighten up the internal bolding, capitalization and overall urgency of the message. “CONTACT US IMMEDIATELY”, as noted above, is a favorite phishing trick and actually using this phrase in your correspondence is inviting phishing.
- Instead of giving contact options in the email, provide easily accessible contact information in billing statements and refer the client to these. As in, “See your most recent statement for contact information.”
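One way to produce the “non-reversible ID” suggested in the first point above, as an added example that is ours and not anything OnStar uses: derive the URL parameter from the account number with a keyed HMAC rather than putting the account number itself (or a guessable sequential ID) in the URL. The key, the account numbers and the renewal URL path below are all hypothetical values chosen for this illustration. Without the server's key the token reveals nothing about the account and cannot be forged for another customer; the server maps it back to an account by lookup.

```python
import base64
import hashlib
import hmac

# Hypothetical server-side secret, here for illustration only. In a real
# deployment it lives in a secrets manager or HSM and is rotated.
SERVER_KEY = b"example-key-not-for-production"

# Hypothetical renewal URL, modelled on the one quoted in the post.
RENEWAL_BASE = "https://www.onstar.com/web/renewal/login"


def renewal_token(account_number, key=SERVER_KEY):
    """Opaque identifier for one account: HMAC-SHA256 over the account number,
    truncated to 128 bits and URL-safe base64 encoded without padding.
    It is deterministic (the same account always gets the same token) but,
    without the key, neither reversible to the account number nor forgeable
    for a different account."""
    mac = hmac.new(key, account_number.encode("ascii"), hashlib.sha256).digest()[:16]
    return base64.urlsafe_b64encode(mac).rstrip(b"=").decode("ascii")


def renewal_url(account_number, key=SERVER_KEY):
    """The URL to print as plain text in the message body (not as a clickable link)."""
    return f"{RENEWAL_BASE}?a={renewal_token(account_number, key)}"


def resolve_token(token, account_numbers, key=SERVER_KEY):
    """Server side: map a presented token back to an account.  A real system
    would index the tokens in its database; recomputing them here keeps the
    example self-contained.  compare_digest keeps the comparison constant-time."""
    for acct in account_numbers:
        if hmac.compare_digest(renewal_token(acct, key), token):
            return acct
    return None


if __name__ == "__main__":
    print(renewal_url("0001234567"))
```

A token like this only hides the account number; it does not expire or become single-use, so the login page behind it must still authenticate the customer. If the URL is meant to act as a one-time renewal link, add an expiry timestamp and a nonce to the HMAC input and store the nonce so it can be invalidated after use.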
OnStar probably won’t follow these suggestions so see the next section to find out how to protect yourself.
How Can I Avoid Phishing?
Most phishing emails are easy to identify if you know where to look. We’ve written several posts on how to avoid phishing and will probably write many more but you can start with this one:
You might also consider not doing business with companies that value marketing over security. Unfortunately, in the case of OnStar, there’s really no one else that provides the same service. Good luck with that one.
OnlyMyEmail is an award-winning hosted spam filtering service and business email hosting provider. Our enterprise cloud computing anti-spam solution, the MX-Defender, has the highest capture rate of any spam filter ever tested in the VBSpam Challenge, blocking a record-setting 99.9993% of all malicious and junk email.
Our Personal spam filtering system is also a Software as a Service (SaaS) solution and has won both the PC World "World Class Award" and also the PC Magazine "Editor's Choice Award."
OME-Kids is a webmail solution that protects children from spam and other harmful emails. OME-Kids offers unique Parental Controls that allow you to choose the level of security and oversight that's right for your child.