Why Is My Credit Card Company Trying to Phish Me?
Online banking has really taken off in recent years, and with it has come the rise of e-mail phishing scams. However, it doesn’t help that your own bank is compounding the problem instead of working towards a solution.
Phishing is the practice of conning an unsuspecting victim into giving away sensitive information such as usernames, passwords, and banking details, usually via fake e-mails. Phishing has gotten so bad that Robert Mueller, former head of the FBI, was nearly phished himself. The problem with phishing is that at a cursory glance the message and links provided look perfectly legitimate, which is exactly what the attacker relies on.
The headaches come from trying to sort out the legitimate messages from the fraudulent ones, and, as Capital One’s e-mail alert system demonstrates, it’s not as easy as it looks. I received this notice [presumably] from Capital One yesterday evening, and while it’s not the first time I’ve gotten one of these from them, it is the first time I’ve taken serious issue with it. The image below is the original with some personal details blurred out.

At first this looks pretty innocuous. Until, that is, you look at Capital One’s own guidelines for detecting a phishing scam. When you compare their own mailing to their guidelines, the message is fraught with problems.

Going through the characteristics of a phishing scam listed on the website, it becomes apparent that Capital One is not only hypocritical, but encouraging their customers to trust emails without a second thought. From Capital One’s website:
1. Sender’s e-mail address. To give you a false sense of security, the “From” line may include an official-looking e-mail address that may actually be copied from a genuine one. E-mail addresses can easily be spoofed, so just because it looks like it’s from someone you trust, you can’t always be sure.
At face value this is helpful information. In practice it is absolutely useless. Zero information is provided as to what a valid e-mail address from Capital One looks like. Is capitalone@email.capitalone.com a valid e-mail address, or is it from a phisher? How is anyone supposed to know? To compound the issue, the reply-to address is a comically long string of characters followed by the same domain. Do you feel more comfortable e-mailing an address that looks like this:
uhfughga8968632jbbadbfjakjgy@email.capitalone.com
or this?
abuse@capitalone.com
My guess is most people would opt for the latter.
2. Attachments. Similar to fake links, attachments can be used in fraudulent e-mails. Never click on or open an attachment. It could cause you to download spyware or a virus. Capital One will never e-mail you an attachment or a software update to install on your computer. In general, never open unexpected attachments from anyone.
I viewed the mailing using Mac OS X’s built-in Mail client, which is capable of showing HTML messages. However, some clients either do not have that capability or the user has it turned off, in which case the HTML would appear as an attachment. In addition to this, sending out an HTML-encoded e-mail seems unnecessary. If your goal is simply to inform me that my online statement is ready, you don’t need HTML or any other markup to get the message across.
3. Generic greeting. A typical fraudulent e-mail will have a generic greeting, such as “Dear Account Holder.”
The message did include a personalized greeting with my name and even the last four digits of my account number in the body of the e-mail. I’d give them credit for not violating #3 on their list, except that names are fairly easy to come by these days. My name is literally in more databases on the web than I can count, and the last four digits of the account number? At first glance I didn’t even notice it, and even if I had, it would have taken me a second to verify whether it was correct or not. How many people think to themselves, “Oh good, my account indeed ends in 8371, so this e-mail must be real,” when they probably have multiple credit cards, bank accounts, or other personal identification numbers to remember as well?
The generic subject line is suspect also, although this one I’m not as annoyed about because it’s hard to personalize a subject line informing someone their statement is ready to view. “Your statement is ready” is hardly any better than the following selection from my Gmail spam box:
Immediate payment notification
Specialized account Offer
Pending Payment Authorization
Your input requested
4. False sense of urgency. Most fraudulent e-mails threaten to close your account or assess some penalty if you don’t respond right away. An e-mail that urgently requests you to supply sensitive personal information is typically fraudulent.
5. Typos and grammatical mistakes. Such mistakes are a dead giveaway in fake e-mails.
#4 and #5 are not evident in the message, thankfully. These indeed are common ways that phishers try to trick you.
6. Fake links. Many fraudulent e-mails have a link that looks valid, but sends you to a fake site that may or may not have a URL different from the link. Always check where a link is going before you click. Move your mouse over the URL in the e-mail and look at the URL in the browser. As always, if it looks suspicious, don’t click it. Open a new browser window, and type http://www.capitalone.com.
This is, in my opinion, the worst offender of them all. The e-mail includes a direct link to a site where you can provide your login credentials, presumably out of convenience. Too bad that’s exactly what a phisher would do also, and how many people would really notice whether or not you are connecting to an http: (common) or https: (secure) website?
To make things worse, even if you did want to check if it’s a valid web address you need to take an extra step (if your browser displays HTML) to see where the HTML-marked-up hyperlinks are leading to. How many people know how to actually do this? How many of those will actually do it?
Assuming a user gets as far as viewing the message as plain text, all of the addresses are formatted much like the reply-to e-mail; for example:
http://email.capitalone.com/123a9795elayfiusubezmygaaaaaabtxm5tkanfsnhiyaaaaa
We’re left with the same problem we had back up at #1: how do we tell if email.capitalone.com/abunchofrandomcharacters is legitimate or fraudulent? Why even bother masking the true destination this address points to in the first place, other than to make your message seem less legitimate than it actually is?
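The six guidelines above can be turned into a mechanical check, which is also a good way to see how many of them the bank's own notice trips. The following Python script is an added example; it is not code from this post or from Capital One. It parses a raw e-mail and reports the guideline indicators it finds: From/Reply-To domains outside the expected one, an opaque Reply-To local part, an attachment or an HTML-only body, a generic greeting, urgency wording, and links that use plain http, whose visible text names a different host than the href, or whose path is an opaque token. Guideline 5 (typos) is not implemented. The two messages are constructed: the first mirrors the notice described in the post (using the addresses and link quoted above, with an assumed greeting), the second is a control that follows the guidelines. The expected domain `capitalone.com`, the keyword lists and the length thresholds are assumptions.

```python
"""Check a raw e-mail against the six phishing guidelines quoted in the post.
Added example, not code from the post or from Capital One."""
import re
from email import policy
from email.parser import BytesParser
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed message mirroring the statement notice described in the post
# (addresses and link token as quoted there; the greeting text is assumed).
SAMPLE_EML = b"""\
From: Capital One <capitalone@email.capitalone.com>
Reply-To: uhfughga8968632jbbadbfjakjgy@email.capitalone.com
To: customer@example.invalid
Subject: Your statement is ready
MIME-Version: 1.0
Content-Type: text/html; charset=us-ascii

<html><body><p>Dear Jane Doe,</p>
<p>Your online statement for the account ending in 8371 is ready.</p>
<p><a href="http://email.capitalone.com/123a9795elayfiusubezmygaaaaaabtxm5tkanfsnhiyaaaaa">www.capitalone.com</a></p>
</body></html>
"""

# Constructed control message that follows the guidelines (plain text, https).
CLEAN_EML = b"""\
From: Capital One <statements@capitalone.com>
To: customer@example.invalid
Subject: Your statement is ready
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii

Dear Jane Doe,
Your statement is ready. Sign in at https://www.capitalone.com/ to view it.
"""

# Assumed keyword lists for guidelines 3 and 4.
GENERIC_GREETINGS = ("dear account holder", "dear customer", "dear valued", "dear member", "dear user")
URGENCY_TERMS = ("immediately", "within 24 hours", "suspended", "will be closed", "verify your account")


class _Links(HTMLParser):
    """Collect (href, visible text) pairs from <a> tags plus all body text."""
    def __init__(self):
        super().__init__()
        self.links, self.text, self._href, self._buf = [], [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._buf = dict(attrs).get("href"), []

    def handle_data(self, data):
        self.text.append(data)
        if self._href is not None:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._buf).strip()))
            self._href = None


def _host(url_or_text):
    """Hostname of a URL, or of bare text such as 'www.example.com'."""
    s = url_or_text if "://" in url_or_text else "//" + url_or_text
    return (urlsplit(s).hostname or "").lower()


def _in_scope(domain, expected):
    return domain == expected or domain.endswith("." + expected)


def audit(raw, expected_domain):
    """Return the list of guideline findings for a raw message (empty = clean)."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings = []
    # 1. Sender: From and Reply-To should sit under the bank's domain, and a
    #    Reply-To local part that is just an opaque token is itself suspect.
    reply_to = msg["reply-to"] or msg["from"]
    for label, hdr in (("From", msg["from"]), ("Reply-To", reply_to)):
        addr = hdr.addresses[0]
        if not _in_scope(addr.domain.lower(), expected_domain):
            findings.append(f"{label} domain {addr.domain} is outside {expected_domain}")
    local = reply_to.addresses[0].username
    if len(local) >= 20 and re.search(r"\d", local) and re.search(r"[a-z]", local):
        findings.append("Reply-To local part is an opaque token")
    # 2. Attachments, and HTML with no plain-text alternative (which shows up
    #    as an attachment in clients that do not render HTML).
    if list(msg.iter_attachments()):
        findings.append("message carries an attachment")
    if msg.get_body(preferencelist=("plain",)) is None:
        findings.append("HTML-only body with no text/plain part")
    # Gather body text and links from whichever body part exists.
    body = msg.get_body(preferencelist=("plain", "html"))
    content = body.get_content() if body is not None else ""
    if body is not None and body.get_content_type() == "text/html":
        p = _Links()
        p.feed(content)
        text, links = "".join(p.text), p.links
    else:
        text = content
        links = [(u, u) for u in re.findall(r"https?://\S+", content)]
    low = text.lower()
    # 3. Generic greeting.  4. False sense of urgency.
    if any(g in low for g in GENERIC_GREETINGS):
        findings.append("generic greeting")
    if any(u in low for u in URGENCY_TERMS):
        findings.append("urgency language")
    # 6. Links: plain http, visible text naming a host other than the href's,
    #    and an opaque path that hides the real destination.
    for href, shown in links:
        parts = urlsplit(href)
        if parts.scheme == "http":
            findings.append(f"link uses http: {href}")
        looks_like_url = "://" in shown or re.fullmatch(r"[\w.-]+\.[a-z]{2,}\S*", shown, re.I)
        if looks_like_url and _host(shown) != (parts.hostname or "").lower():
            findings.append(f"link text {shown!r} does not match host {parts.hostname}")
        if re.fullmatch(r"/[a-z0-9]{30,}/?", parts.path, re.I):
            findings.append(f"opaque token in path: {parts.path}")
    return findings


if __name__ == "__main__":
    for name, raw in (("sample", SAMPLE_EML), ("clean", CLEAN_EML)):
        print(name, audit(raw, "capitalone.com"))
```

Run against the constructed sample, the checker reports five indicators (the opaque Reply-To, the HTML-only body, the http link, the link text naming www.capitalone.com while the href points at email.capitalone.com, and the opaque path token) even though every domain is under capitalone.com; the control message reports none. Note what the script cannot do: without DKIM or SPF results it has no way to tell whether a From line under the right domain was actually sent by the bank, which is the point of guideline 1.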
I realize that Capital One and probably many other banks only mean well by providing a convenient means to access one’s account when they have an existing balance, but this is just ridiculous. While I believe the above email is real (and yes, I’ve e-mailed abuse@capitalone.com with a more direct version of this post), the scary thing is that phishing scams look real as well. Sadly even those consumers trying to protect their account information by actually following up on security guidelines are stonewalled by corporate hypocrisy.
If you take anything away from this post, use caution when asked for login or account information online, no matter how legitimate the source might seem.
I’m curious if any other credit cards or major banks send similar notices with similar problems. If you have a glaring example (or even a minor one), feel free to leave a comment. If you want to have an example posted here, send me an e-mail and we can work out the details. Also if you receive an email with similar problems from your bank, I’d urge you to contact their fraud department and cite the issues above.