I just received a very professional-looking, well written email, purporting to be from Bank of America, advising me that I have "a message from customer service available in [my] Online Banking Mailbox," and that I should follow the conveniently-provided link to see it.
There were no misspelled words or obvious errors to be seen. It was certainly well-faked, but faked nonetheless, which is obvious for three reasons:
- I don't have a BoA account. Duh.
- Mousing over the links I'm supposed to follow (since I don't use Internet Exploder), then reading the status bar, it's obvious they don't lead to BoA's domain or a subdomain thereof, although they do cleverly contain the words "Bank of America.com."
- This is the biggie that everyone needs to know: because of this very threat (called "phishing"), legitimate companies such as Bank of America never ask users to follow links contained in an email, just as they never ask users to open an email attachment. A genuine message would instead suggest that you simply log in to your BoA account, and assume that you already know how to do that. PayPal users are often targets of this sort of scam, too. And it used to be that such emails were nearly always poorly constructed and clearly faked, but obviously that's no longer always the case.
Of course I'm doubtless preaching to the choir here, since Forward Biased readers are way too savvy to fall for something so obvious.
Again, this is a case where simply knowing basic internet common sense would prevent these scammers from being able to con anyone, but they're so successful at it that they keep doing it, and people keep falling for it.
I took a screen capture of the email so you could see it. Click on the image to see the full-size version.
UPDATE: Rob adds, in a comment:
One important thing to know is the concept of subdomains. I can't go out and register bankone.com because bankone owns that. I can, however, register something like techsupport.com or something like that and THEN register a subdomain bankone in it to make the URL bankone.techsupport.com. Most users would just see the bankone part and assume it's valid. I've gotten several phish messages like that recently that _I_ was just barely able to prove were bogus, and I'm in network security. Now, if it was techsupport.bankone.com then it's a bankone domain. Big difference the order can make.
But, the big detail to point out here is that no bank or financial company will EVER ask you to confirm account details like that. SSL is not unhackable but it's close enough. The effort to hack SSL wouldn't be worth the time when you can call someone up and trick them into giving you their credit card number (called Social Engineering). Kevin Mitnick's book "The Art of Deception" should be required reading for all companies. (he was the guy that was jailed for the first big internet worm).
Posted by: rob | Saturday, 26 November 2005 at 01:24 PM
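The two checks described above, mousing over each link to see where it really goes and Rob's point that only the trailing part of the hostname tells you who owns it, can be done mechanically. The following is an added example, not code from Forward Biased or from Rob, and the email body it parses is constructed for illustration (it is not the actual phish). It assumes the bank's registrable domain is `bankofamerica.com` and that anything not equal to that domain or ending in `.bankofamerica.com` is not the bank, whatever words appear elsewhere in the URL. The `is_under_domain`, `LinkExtractor` and `classify_links` names are mine.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: the bank's registrable domain. A host belongs to the bank only if
# it IS this domain or ends with "." + this domain (a real subdomain).
BANK_DOMAIN = "bankofamerica.com"


def is_under_domain(hostname, domain=BANK_DOMAIN):
    """True only if hostname is `domain` itself or a subdomain of it.

    The leading dot is what matters: "bankofamerica.com.techsupport.example"
    and "notbankofamerica.com" both contain the bank's name but fail here,
    while "techsupport.bankofamerica.com" passes, exactly as Rob describes.
    """
    if not hostname:
        return False
    host = hostname.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)


class LinkExtractor(HTMLParser):
    """Collects (href, visible link text) pairs from an HTML email body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def classify_links(html):
    """Return [(href, text, hostname, is_bank)] for every link in the email.

    urlparse().hostname is the host the browser will actually contact: text in
    the path is ignored, and so is a "www.bankofamerica.com@" userinfo prefix.
    """
    parser = LinkExtractor()
    parser.feed(html)
    results = []
    for href, text in parser.links:
        hostname = urlparse(href).hostname
        results.append((href, text, hostname, is_under_domain(hostname)))
    return results


# Constructed sample (not the real email). Every link's visible text looks like
# the bank; only the first href actually goes there.
SAMPLE_EMAIL = """
<p>A message from customer service is available in your Online Banking Mailbox.</p>
<a href="https://www.bankofamerica.com/">www.bankofamerica.com</a>
<a href="https://bankofamerica.com.techsupport.example/login">Bank of America.com</a>
<a href="https://techsupport.example/Bank%20of%20America.com/login">Online Banking</a>
<a href="https://www.bankofamerica.com@203.0.113.5/login">Sign in</a>
"""

if __name__ == "__main__":
    for href, text, host, ok in classify_links(SAMPLE_EMAIL):
        verdict = "OK  " if ok else "FAKE"
        print(f"{verdict} text={text!r:<22} host={host!r:<42} href={href}")
```

Running it prints one line per link; only the first is marked OK. The second link is Rob's subdomain trick, the third hides the bank's name in the path, and the fourth puts it in the userinfo part before the `@`, which the browser discards when choosing the host. Comparing the hostname against the bank's domain with a dot boundary catches all three, which is the same test the mouse-over in the status bar lets you do by eye.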