One of the problems with trying to teach people to avoid phishing attacks is that the banks often use the exact same tactics that the phishers use. It is mind-numbingly stupid of them to do so, but still we see emails from banks that contain links. As a rule I tell people not to click on the links in these emails, but rather to log into their account by typing in the address of their bank by hand.
I had a question for my credit union about one of my accounts with them. The response came back and contained a link that I had to follow in order to reply. The email specifically said not to reply to the email because it wouldn’t be read. So, how do I know this isn’t a phishing attack? First of all, I looked at exactly who the email came from. Believe me, this is far from foolproof. Email addresses can be spoofed. The more important sign was that when I followed the link I was not asked for any information at all. I did not have to log in, I did not have to verify anything. In addition to this, the email came in response to an inquiry that I initiated and not out of the blue. The reply was relevant to the question I had asked.
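The checks described above (who the message claims to come from, whether that claim can be trusted, and where the link actually points) can be automated on the receiving side. The following is an added example, not code from the original post or from any bank or email provider: it parses a raw message, reads the receiving mail server's Authentication-Results header (SPF/DKIM verdicts) to judge whether the From: domain is spoofed, and flags every link whose host does not belong to the sender's domain or that is not served over HTTPS. The two sample messages, their domains (all under the reserved `.test` TLD) and the header values are constructed for this example; the two-label "registrable domain" helper is a deliberate simplification of what a real filter would do with the public suffix list.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample: From: domain and link domain disagree, the receiving
# server could not authenticate the sender, and the link is plain HTTP.
SUSPICIOUS_MESSAGE = """\
From: Member Services <service@example-creditunion.test>
To: member@example.test
Subject: Re: question about your account
Authentication-Results: mx.example.test; spf=fail smtp.mailfrom=example-creditunion.test; dkim=none
Content-Type: text/plain; charset="utf-8"

Please do not reply to this email; it will not be read.
To respond, follow this link: http://secure-login.example-creditunion-alerts.test/reply?id=12345
"""

# Constructed sample: authenticated sender, HTTPS link on the sender's own domain.
CLEAN_MESSAGE = """\
From: Member Services <service@example-creditunion.test>
To: member@example.test
Subject: Re: question about your account
Authentication-Results: mx.example.test; spf=pass smtp.mailfrom=example-creditunion.test; dkim=pass header.d=example-creditunion.test
Content-Type: text/plain; charset="utf-8"

Thanks for your question. You can read our reply after signing in at
https://www.example-creditunion.test/
"""

URL_RE = re.compile(r"https?://[^\s<>\"')]+")
AUTH_RE = re.compile(r"\b(spf|dkim)=(\w+)")


def registrable(host):
    """Crude 'registered domain': the last two labels of a hostname.
    Production code should consult the public suffix list instead."""
    return ".".join(host.lower().split(".")[-2:])


def sender_domain(msg):
    """Domain part of the From: header address, lower-cased."""
    return parseaddr(msg.get("From", ""))[1].rsplit("@", 1)[-1].lower()


def extract_links(msg):
    """All http(s) URLs found in the preferred text body."""
    body = msg.get_body(preferencelist=("plain", "html"))
    return URL_RE.findall(body.get_content()) if body else []


def auth_verdicts(msg):
    """SPF/DKIM results recorded by the receiving server, e.g. {'spf': 'pass'}."""
    header = msg.get("Authentication-Results", "")
    return {k.lower(): v.lower() for k, v in AUTH_RE.findall(header)}


def assess_message(raw):
    """Return a list of human-readable findings; an empty list means nothing was flagged."""
    msg = message_from_string(raw, policy=policy.default)
    findings = []
    sender = sender_domain(msg)
    verdicts = auth_verdicts(msg)
    # A From: address alone proves nothing; require a passing SPF or DKIM result.
    if verdicts.get("spf") != "pass" and verdicts.get("dkim") != "pass":
        findings.append(
            f"sender domain {sender} not authenticated "
            f"(spf={verdicts.get('spf', 'none')}, dkim={verdicts.get('dkim', 'none')})"
        )
    for link in extract_links(msg):
        parts = urlparse(link)
        if parts.scheme != "https":
            findings.append(f"link is not HTTPS: {link}")
        if registrable(parts.hostname or "") != registrable(sender):
            findings.append(
                f"link host {parts.hostname} does not match sender domain {sender}"
            )
    return findings


if __name__ == "__main__":
    for label, raw in (("suspicious", SUSPICIOUS_MESSAGE), ("clean", CLEAN_MESSAGE)):
        print(label, assess_message(raw) or ["no findings"])
```

Even when every check passes, the advice in the post still holds: the safest path is to ignore the link and reach the institution through an address typed by hand or a phone number taken from a statement, because a filter like this only catches the mismatches it knows to look for.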
I am a little dumbfounded by the approach the bank used. If I were using my Comcast email account with the configuration that Comcast specifies as being valid for use with a wireless network, then someone could have intercepted the contents of the email and responded to the bank on my behalf.
Between security-ignorant ISPs, such as Comcast, and banks using emails with some of the same significant attributes that phishers use, it is no wonder that so many people fall for phishing attacks and have accounts compromised.
So, do as I say and not as I do! Don’t click on the links in the emails. The proper thing for me to have done would have been to call my credit union and respond. I did file another comment asking them to stop teaching people to fall for phishing attacks. I wonder what they’ll say!
To tell the truth, I am seriously considering publishing their reply, including the public link that can be used to reply back to them on my behalf!
Anyone want to tell them not to send links to their customers in email?
Director of Technical Education
Author ESET Research, ESET