May 5, 2014 Leave a Comment
I received an email today purporting to be from Bank of America asking me to reconfirm my account information for online banking.
Naturally, I would have approached such an email cautiously in any event. I’m familiar with “phishing” scams: Someone sends you an email that appears to be from a trusted institution with a link that appears to be to that trusted institution’s website, and asks you to log in and provide some essential security information. Only the email’s actually from an identity thief and the trusted institution’s website is a clever phony. After you plug in your information, the identity thief will use it to log into the real site, or others, and engage in all sorts of mischief.
But this is the sloppiest attempt I’ve ever seen. The punctuation and formatting were awful, to begin with. How awful? Here’s a sample:
Account Requires Complete Profile Update,
We have recently detected that different computer user had attempted gaining
access to your Online account,
and multiple password was attempted with your user ID.
It is now necessary to re-confirm your account information to us.
If this process is not completed within 24-48 hours.
We will be forced to suspend your Account Online Access as it may have been used
for fraudulent purposes.
Sentence fragments. Strange line breaks. Strange capitalization. English-as-a-second-language phrasing. Nothing about the email seemed legitimate. The phisher didn’t even bother to download a Bank of America graphic to give the email the slightest hint of authenticity.
He couldn’t even use a real copyright symbol. The last line read: (C) 2014 Bank of America Corporation. All Rights Reserved.
But the real topper was this: There was no link to a phishy website. Instead, there was an attachment called Secure Form.html. Because, yeah, that’s how a multi-billion-dollar company like Bank of America rolls.
Yep. This was a complete and total phishing fail.