Here's something I haven't noticed before (but then I don't pay nearly as much attention to phishing messages as I used to, owing to the need to sleep occasionally).
I've started to receive messages purporting to be from the Alliance and Leicester, in the UK. The messages are much the same, apart from the Subject and the link. As is customary with phish mails, there is no personalization ("Dear Alliance and Leicester Customer...") and I'm informed that every customer has to fill in a form at the link in the message.
(It's rarely a good idea to follow links in messages like this: if you're in doubt as to whether a message is genuine, make contact through site and email addresses, phone numbers etc., that you know to be genuine. If you have a genuine business relationship with a bank, you must have that sort of information on file, surely?)
Here's the interesting bit: "The link is unique for each account holder and expires within a certain period of time. If you don't fill in Alliance & Leicester Confirmation Form before your unique link expires, the system will automatically send you a new notification message."
What do you know? It really does!
I just got a nearly identical follow-up to the same address with a different link. It will be kind of interesting to determine whether the time between updates is constant, and also to see how long it takes the provider for that address to notice this new approach and start blocking it.
I'm guessing that for a someone who really is one of the bank's customers and isn't too knowledgeable about spam and phishing, this neat piece of cyber-bullying might actually convince them that it really is urgent to fill in the form. Furthermore, as I pointed out recently in another blog,it's likely that a such insistently bureaucratic behaviour is actually reassuring. Social engineering takes many forms.
Andrew Lee and I did a white paper on phishing that includes some phish recognition tips. I think I might revisit that topic here in the near future.
Director of Malware Intelligence