Phishbait: not so much a Smile as a rictus

Below, you can see the textual part of a bank phishing email I received today (it also contained a Smile logo, which was the only graphical content). 

Here’s the message text from the phishing email: 

Dear Account Holder,

Do you know that with Smile Internet banking, you can eliminate
the cost of receiving and transferring funds from or to your account?

Smile Bank has introduced a new scheme for all account holders to
receive a return on incurred charges over the year. This benefit is
available to all internet banking subscribers with a minimum balance
of 200 pounds.

You are hereby advised to verify your account and update your billing
record in other to qualify for this benefit.

Please Log On Here to verify your Online Banking account.

Thank you as we work together to protect you.

Smile Banking.

However, this is just one example of a type of phish that’s been reported affecting several banks – and their customers – in the past few months. In this case, the email was pretty easy to recognize as a phish (despite the spoofed headers) because I don’t have a Smile account and in any case my name isn’t Account Holder.

Or does that latter heuristic (i.e. if your bank doesn’t know your name, it probably isn’t your bank!) still hold? Not altogether. Unfortunately, even though it’s pretty bad practice for a bank to send email to customers without some form of personalization (name, bank account number, some other form of unique identifier), it’s far from unknown for banks, like other companies and organizations, to send advertising material out without such personalization. But this isn’t advertising – though it might look a little like it at first glance – and it certainly isn’t from Smile. 

Even if you do get advertising mail apparently from a company you trust and with which you have an account, you shouldn’t log into its site via a link in an unverified email – log in from a link that you know to be genuine.

So what’s going on here? For the scammer (as is usual with phishing emails), the important thing is to get you to log into ‘your account’ by clicking on Log On Here. (If you do that in the message text above, it’ll simply take you to a mock phish page I set up a while ago for another article on phishing.)

However, whereas it’s common – even usual – for phishing emails to try to scare you into clicking by threatening to stop your access to your account if you don’t log in, this one uses the carrot rather than the stick. Namely, it offers you a refund on your bank charges, but first you have to log in and verify your account. Well, we all know what happens next.

You haven’t really logged into your account: you’ve simply given your log-in credentials to the phisher, who is now able to plunder your account.

You may not have seen this approach to tricking the victim before, but it’s neither brand new, nor unique to Smile: for example Millersmiles (no relation to Smile!), a site that puts up information about known phishing scams, has similar examples for Lloyds TSB and Tesco. (I found those examples using the search string “Bank has introduced a new scheme for all account holders to receive a return on incurred charges over the year”, by the way. A less specific search finds lots of rather similar examples.)
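The heuristics discussed above (a generic salutation, “verify your account” wording, a vague “Log On Here” link that leads somewhere other than the sender’s domain) and the template phrase used to find sibling phishes can be turned into a simple mail-filter check. The script below is an added example, not code from the article or from ESET; the message headers, the sender and link domains, and the benign comparison message are all constructed for the demonstration, and the lure text is taken from the email quoted above. As the article notes, a missing name is only one signal, so it is scored alongside the others rather than treated as decisive.

```python
import re
from email import message_from_string
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: the quoted lure wrapped in a minimal HTML message
# with made-up headers and a made-up link destination.
SAMPLE_EMAIL = """\
From: Smile Banking <alerts@smile.example>
To: customer@mail.example
Subject: Refund of incurred charges
Content-Type: text/html; charset=utf-8

<html><body>
<p>Dear Account Holder,</p>
<p>Smile Bank has introduced a new scheme for all account holders to
receive a return on incurred charges over the year.</p>
<p>You are hereby advised to verify your account and update your billing
record in other to qualify for this benefit.</p>
<p>Please <a href="http://login-verify.example.net/smile/">Log On Here</a>
to verify your Online Banking account.</p>
</body></html>
"""

# Constructed benign message for comparison: personalised, descriptive
# link text, link host on the same domain as the sender.
BENIGN_EMAIL = """\
From: Smile Banking <alerts@smile.example>
To: customer@mail.example
Subject: Your statement is ready
Content-Type: text/html; charset=utf-8

<html><body>
<p>Dear Ms Example,</p>
<p>Your statement for the account ending 1234 is available in Internet banking.
Open <a href="https://www.smile.example/statements">your statements page</a>
if you want to read it.</p>
</body></html>
"""

GENERIC_SALUTATION = re.compile(
    r"\bdear\s+(account\s+holder|customer|valued\s+customer|user|member)\b", re.I)
LURE_PHRASES = ("verify your account", "update your billing",
                "confirm your account", "log on here", "click here")
# The phrase the article used to find the Lloyds TSB and Tesco variants.
TEMPLATE_FINGERPRINT = "has introduced a new scheme for all account holders"
# Anchor texts that reveal nothing about where the link really goes.
VAGUE_ANCHORS = {"log on here", "click here", "log in", "login", "here"}


class _LinkExtractor(HTMLParser):
    """Collect (anchor text, href) pairs plus the visible text of the body."""
    def __init__(self):
        super().__init__()
        self.links, self.text, self._href, self._anchor = [], [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._anchor = dict(attrs).get("href"), []

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._anchor).strip(), self._href))
            self._href = None

    def handle_data(self, data):
        self.text.append(data)
        if self._href is not None:
            self._anchor.append(data)


def _domain(host):
    """Last two labels of a hostname; adequate for this demo, not for real TLD rules."""
    return ".".join(host.lower().rsplit(".", 2)[-2:])


def analyse(raw_message):
    """Return a score and the list of phishing indicators found in one message."""
    msg = message_from_string(raw_message)
    body = msg.get_payload(decode=True).decode(msg.get_content_charset() or "utf-8")
    parser = _LinkExtractor()
    parser.feed(body)
    text = " ".join(parser.text)
    low = " ".join(text.lower().split())   # collapse whitespace for phrase matching
    findings = []
    if GENERIC_SALUTATION.search(text):
        findings.append("generic salutation (no personalisation)")
    hits = [p for p in LURE_PHRASES if p in low]
    if hits:
        findings.append("credential lure wording: " + ", ".join(hits))
    if TEMPLATE_FINGERPRINT in low:
        findings.append("matches known refund-lure template")
    sender = re.search(r"@([\w.-]+)", msg.get("From", ""))
    sender_domain = _domain(sender.group(1)) if sender else None
    for anchor, href in parser.links:
        host = urlparse(href).hostname or ""
        if anchor.lower() in VAGUE_ANCHORS:
            findings.append(f"vague link text {anchor!r} -> {host}")
        if sender_domain and _domain(host) != sender_domain:
            findings.append(f"link host {host} differs from sender domain {sender_domain}")
    return {"score": len(findings), "findings": findings}


if __name__ == "__main__":
    for name, mail in (("lure", SAMPLE_EMAIL), ("benign", BENIGN_EMAIL)):
        result = analyse(mail)
        print(name, result["score"], *result["findings"], sep="\n  ")
```

The link-domain comparison is deliberately crude (last two labels of the hostname), and the sender address is trivially spoofable, which is why the check treats a mismatch as one indicator among several rather than as proof either way; the practical rule from the article still stands: reach the bank through a bookmark you already trust, not through the email.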

Here are a couple of phishing-related papers you might find interesting/useful:

Henceforth to be known as Account Holder and ESET Senior Research Fellow

Author David Harley, ESET


Copyright © 2017 ESET, All Rights Reserved.