It’s a rehash of the same story you see every day. ABC 27 reports:
…It seems as soon as Fulton [Bank] shuts down one of the “phishing” websites, another one sets up shop. It all starts with a bogus email…with a fake warning. Laura Wakeley/Fulton Bank: “They copy our website so they look very official and they have some call to urgency. We’ve detected some unauthorized use of your account and for your protection we’ve locked that account. You’ll need to go on and click on this link and enter personal account information. User I.D…pass codes to unlock the account.”
As Ms. Wakeley says, “It all starts with a bogus email…”
No bogus email, no phishing expedition.
How can humans smart enough to keep Windows updated be so continuously bamboozled?
Simple. In a misbegotten effort to pump up sales, their bankers set them up with a non-stop flood of messages prettified with graphics, flashy fonts, and links hidden beneath cute little “Click Here” buttons.
Want to be a world-class phisher? Follow these steps to your personal pot o’ gold:
- Create your scam site by copying your bank’s website to yourFakeBank;
- Copy one of your bank’s original glitz-filled email messages;
- Change the link beneath that “Click Here” button to yourFakeBank;
- Buy a geographically compatible spam list & hire a zombie army;
- Collect victims’ account names and passwords as they type them at yourFakeBank;
- Sell your bounty to a thug who advertises at the same place you hired the zombies.
It’s much easier than building a fake bank next door… and cheaper.
Of course, your bank can put a stop to this nonsense today. Right now. This minute. How? Simply by instituting and publicizing Email Battles’ Patent Pending Plain Text Policy:
We send only plain text email messages (no HTML) with no clickable links. For your convenience, we provide one link only, to the main page of our web site.
Any sales missed due to Email Battles’ Patent Pending Plain Text Policy should be more than made up for by the money that actually stays put in your bank… and the time saved by not having to justify your incompetence to ABC 27.
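What the policy above looks like when a bank actually enforces it on the sending side: an outbound linter that rejects any message carrying an HTML part, and allows at most one link, which must be the main page. This is an added example, not Email Battles’ or any bank’s code, and the bank domain, the sender addresses and the three sample messages are all constructed for illustration. The second sample is the “Click Here” button from the recipe above, pointing at a lookalike host that merely starts with the real domain; the third is HTML dressed up to render like plain text, where the visible URL and the real href disagree. Both fail the same check, because the check never has to compare anchor text to href: HTML is simply out.

```python
"""Outbound e-mail linter for a 'plain text, one link' policy (added example)."""
import re
from email import policy
from email.parser import BytesParser

# Assumed bank domain; the original post names none. Only this exact URL may appear.
ALLOWED_LINK = "https://www.example-bank.test/"

# Bare URLs in plain text, and href targets in any HTML that slipped through.
URL_RE = re.compile(r"(?i)\b(?:https?://|www\.)[^\s<>\"')]+")
HREF_RE = re.compile(r"""(?i)href\s*=\s*["']?([^"'\s>]+)""")


def check_outbound(raw: bytes) -> list[str]:
    """Return the policy violations in one outbound message; an empty list means compliant."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    violations: list[str] = []
    links: list[str] = []
    for part in msg.walk():
        if part.is_multipart():  # containers carry no content of their own
            continue
        ctype = part.get_content_type()
        if ctype == "text/plain":
            links += URL_RE.findall(part.get_content())
        elif ctype == "text/html":
            # HTML is out regardless of how plain it renders: an <a href> can point anywhere.
            violations.append("HTML part present; policy allows plain text only")
            links += HREF_RE.findall(part.get_content())
        else:
            violations.append(f"disallowed part type {ctype}")
    if len(links) > 1:
        violations.append(f"{len(links)} links present; policy allows one")
    for url in links:
        if url.rstrip(".,;:") != ALLOWED_LINK:
            violations.append(f"link to something other than the main page: {url}")
    return violations


# Constructed sample messages (not real bank mail).
COMPLIANT = b"""\
From: Notices <notices@example-bank.test>
To: customer@example.net
Subject: Your October statement is ready
Content-Type: text/plain; charset="utf-8"

Your statement is ready. Sign in from our main page, https://www.example-bank.test/
and choose Statements. We never send links to account pages or ask for your password.
"""

# The recipe from the post: copied glitz, a lookalike host and a "Click Here" button.
# Note the host: the real domain is only the leading label of an attacker's domain.
PHISH = b"""\
From: Fulton Bank <alerts@example-bank.test>
To: customer@example.net
Subject: Unauthorized use detected - account locked
Content-Type: text/html; charset="utf-8"

<html><body style="font-family:Verdana">
<img src="https://www.example-bank.test/logo.gif">
<p>We've detected unauthorized use of your account and have locked it for your protection.</p>
<a href="http://www.example-bank.test.login-secure.example/unlock"><b>Click Here</b></a>
to enter your user ID and pass code and unlock the account.
</body></html>
"""

# HTML that renders like plain text; the visible URL and the real href disagree.
DISGUISED = b"""\
From: Notices <notices@example-bank.test>
To: customer@example.net
Subject: Your October statement is ready
Content-Type: text/html; charset="utf-8"

<pre>Your statement is ready. Sign in at
<a href="http://198.51.100.7/unlock">https://www.example-bank.test/</a></pre>
"""

if __name__ == "__main__":
    for name, raw in (("compliant", COMPLIANT), ("phish", PHISH), ("disguised", DISGUISED)):
        print(name, "->", check_outbound(raw) or "OK")
```

Run as a gate on the mail relay that the marketing system hands messages to, not as advice to recipients: the point of the post is that the sender controls whether a clickable link exists at all, and a sender that never emits one has nothing for a phisher to copy.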
3 comments
October 20th, 2005 at 4:24 pm
TimW
Our network security guy has the ultimate solution. He removes all that junk from incoming email before we ever see it. I’m not sure what he uses but, by the time he gets done, there’s not much left. He won’t let us open attachments either.
October 21st, 2005 at 6:22 am
Julian Field
But you can easily craft an HTML email message that looks exactly like a plain text message to most of the popular email apps. So only using plain text doesn’t help at all.
What you need is a decent phishing detector that optionally (1) highlights the link with a clear warning message, (2) adds a tag to the subject line and (3) disables the link altogether so there is nothing to click on.
MailScanner does all this very nicely.
October 24th, 2005 at 5:10 pm
Editor
Hopefully, you noticed that the article is targeted at SENDERS, as opposed to RECEIVERS.
Plain-text-looking HTML that has no clickable links is not clickable; thus, non-phishable by click.
Your product is one of hundreds, if not thousands, that expose and/or disable INCOMING message links. Check with any of our advertisers.