Have banks learned nothing? According to Gartner, U.S. computer users lost $929 million to phishing scams from May 2004 to May 2005. In response, major banks have launched aggressive campaigns to educate customers about how to defend themselves and recognize fraudulent emails.
Their recommendations to customers are simple and easy-to-follow. If someone calls you on the phone asking for your ATM number, don’t give it to them! Only divulge secret information when you initiated the phone call. Be wary of emails asking for your social security number or credit card numbers. You know the drill.
So, why is Wells Fargo undermining all of these self-defense measures by sending out emails with hyperlinks to a Web site asking for your online banking username and password?!
It’s easy to get fooled
My step-mother is timid about computers, but last year she entered the brave new world of online banking. At about that time, I received a phishing email from a scammer masquerading as Chase Bank. The email was slick. It had all the images and logos copied from the legitimate Chase Web site. When you clicked the embedded link, it brought up a beautifully forged Chase Web site with a login screen.
Well, I knew it was a fraud – mostly because I’m not a Chase customer. The embedded links were pointing somewhere besides Chase.com, but that was hidden in the HTML. All in all, it was a high quality fake. But I wondered “what happens if I play along?”
I clicked a link that brought up a login page. I entered bogus credentials and voila! I was “authenticated”. Obviously, they let any username/password combination get through. The next screen asked for my credit card number, ATM number, mother’s maiden name, etc. At this point, had I been a real Chase customer, the hucksters would have had my login credentials and complete control over my online account.
Adding to their cleverness, they set a cookie in my browser so subsequent clicks on the email link would cause me to be redirected to the real Chase Web site. I guess this was just in case their “mark” got suspicious and wanted to check out the link a second time. By getting sent to the real Chase site when the scam was over, you’d see your real account information and, ostensibly, not get suspicious.
As a techie, I was pretty impressed with their ingenuity. I was so impressed that I had to admit, in a weak moment, I could easily have been snookered. Heck, it only takes a momentary lapse of judgment to type in your password.
So, I told my step-mother and a few other family members about it to show them just how convincing a hustle can look. Not all criminals are bad spellers (one of the most common hallmarks of a phishing scam). I wanted to sensitize them to the danger.
Wells Fargo gets stupid
I’m not a Chase customer, but I am a Wells Fargo customer. Click on the thumbnail on the right to see a screen shot of an email they recently sent me. While telling me my “privacy is assured,” they invite me to click on an embedded hyperlink and “Sign On To Online Banking.”
My spidey sense went off on this. Large lights spelling “Danger! Danger!” flashed in my headed. I couldn’t imagine this being anything other than a trick to get me to divulge my online banking credentials to a cyberhoodlum.
But, the email looked eerily familiar. This August 9th email looks similar to an email I received on June 14th. Scammers seldom try the same shtick for too long, so a two-month-old scam seemed unusual. Also, I had recently received a third, similar email that had my full name embedded in it (an unlikely mass-emailed phishing scenario).
So, I dug into the raw contents of the email. Here are the SMTP headers:
Received: from om-wellsfargo.rgc3.net ([188.8.131.52])
by smtp.gavaghan.org (JAMES SMTP Server 2.2.0) with SMTP ID 571
Thu, 9 Aug 2007 17:58:11 -0500 (CDT)
Received: by om-wellsfargo.rgc3.net id hnee720664ov for
Date: Thu, 9 Aug 2007 16:00:00 -0700
From: "Wells Fargo Online"
Reply-To: "Wells Fargo Online"
Subject: Online Banking Basics - Privacy
James-RelayLocation: id=38045;country=US;region=CA;city=Redwood City;postalcode=94065;latitude=37.5331;longitude=-122.247;
dmacode=807;areacode=650;isp=Exodus IDC - SV/SC8;organization=Responsys;error=;
What can we glean from the headers? Most importantly, the IP address of the server that sent the email. I traced the IP address back to a Redwood City, California-based marketing company called Responsys. (Many thanks to the geolocation technology at MaxMind for making this possible!).
Is it possible Responsys had their email servers compromised by a hacker and turned into spam zombies? I was opened to that possibility, but ruled it out once I realized, from the raw HTML in the email, that this email was definitely legit.
When I looked at the raw HTML to see where the links were really pointing, I saw they were all pointing to the legitimate Wells Fargo domain name. You can see the raw contents of the email for yourself by clicking here.
Conclusion: this is not a phishing scam. This is a legitimate email from Wells Fargo, sent on their behalf by Responsys, as part of a marketing campaign.
Marketing email from banks is bad juju
What were they thinking? The IT security folks at Wells Fargo must be going nuts! They need to give a stern lecture to the brainless suits in marketing who thought this was all a good idea.
My favorite is their page that characterizes some of the common attributes of fraudulent email. Many of the attributes pertain to Wells Fargo’s own marketing campaign! Let’s take a look:
Fraudulent emails will often:
“Ask you for personal information” Their email contains links to pages that ask for your username and password.
“Appear to come from a legitimate source” Well, duh! It is coming from a legitimate source.
“Link to fraudulent websites” The text goes on to say “fraudulent emails may direct you to counterfeit websites carefully designed to look legitimate”. The world is filled with spammers who can’t spell and who do amateurish hack jobs on forged sites. But, Wells Fargo acknowledges that some fraudulent Web sites are so elaborate they’re nearly indistinguishable from the real thing. The bogus Chase site I went to was probably a copy-and-paste job directly from the actual Chase site.
The moral of the story? There are no easy ways – particularly for those who aren’t as tech savvy as the readers of this blog – to distinguish legitimate marketing from phishing.
What Wells Fargo ought to do
Stop sending email that asks for passwords.
Banks don’t call you on the phone to ask for your ATM number. That’s a cardinal rule. Banks always advise you not to give away secret information, like your social security number, over the phone unless you place the call. Assume anyone that calls you is a hustler.
This is easy advice to follow – and it works. Banks would be ill advised to start initiating legitimate phone calls to customers asking for personal information. It would cause customers to let their guard down if some calls are real.
So, why does Wells Fargo insist on muddying the waters with regard to email? It would be most secure to simply tell customers “we’ll never send you email asking for personal information.” Assume all such email is a scam. Period.
Unfortunately, Wells Fargo is telling customers “some email that looks like it comes from us is real, and some isn’t.” The burden is on the customer to discriminate. But, by Wells Fargo’s own admission, that’s pretty hard to do!
Why am I picking on Wells Fargo? It’s solely because I happen to be a customer (and, despite this rant, I’m a very satisfied and happy customer). Perhaps Chase, Bank of America, Citibank, and every other major financial institution operates like this. I don’t bank with them, so I’m not in a position to know.
But, if other banks send out email like this, they should stop. If not for me, do it for my step-mother and all the other less-geeky folks who could use a hand defending themselves in the sometimes dangerous online world.