Banking on a Genuine Phishing Email
April 23rd, 2008 · by David Bradley
My bank emailed me this week to remind me of how to keep my savings secure online. The headers looked genuine and it was properly addressed with decent grammar and spelling. So, at first glance it didn’t seem to be a phishing attack. But I figured a bank shouldn’t be emailing me at all unless it’s via the secure, logged-in channel on its own website; after all, anyone snooping on my internet connection will now know I have a bank account.
Anyway, I called the bank’s press office to offer them some advice about how they should and shouldn’t be contacting us.
As I said, other banks use an inline messaging system that only delivers messages once you’re logged into your account. This ensures that communications to and fro are genuine, encrypted and hopefully secure. There are occasions when a bank may need to contact you via regular email, if you have not logged in for a while and there is an important message they need to get to you. Regardless, my bank’s email, at the very top of the message, offered a link that they suggested I click if I was having “difficulty viewing this newsletter”. Another big no-no. That’s a common ploy in phishing bait-mail. Needless to say, I clicked nothing. How would a less experienced user know this to be genuine?
Anyway, the email itself was all “In the interest of improved online security for our valued customers, we thought we’d give you some helpful pointers on how to ensure that your online savings are kept secure.” (Oh, there is a grammatical error in there, “in the interest”, should be “interests”, maybe it was a phish, after all, grammar is not a strong point with phishers of men, and women). Apparently, this security thing is “scary”!
But, the scaremongering message then goes on to calm the reader down again: “It’s nothing to lose sleep over, just basic housekeeping really.” They suggest the following, which has to be the most contrived and useless piece of advice regarding password generation:
When setting your password, make sure it’s something memorable to you, so that you don’t have to write it down. Try steering clear of the obvious, like your kids’ names or pets… anything that is an obvious link to you or your family really.
Usually, for a password to be memorable, it’s going to have to be something you can remember, like a name or something similar. But making passwords memorable is not what anyone should do. A password needs to have mixed characters, letters and numbers, be fairly long, and have no personal relevance that might be guessed. It’s also best if it has no repeating letters, no real words, and passes the general password strength tests. Otherwise, brute force or guesswork could give anyone who gets hold of your username access to your account. Much better is my passwords for scientists approach coupled with a service like Passpack.
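To make the criteria above concrete, here is an added example (not code from this post, the bank, or Passpack) of a small Python policy checker that applies them: minimum length, a mix of character classes, no adjacent repeated characters (my reading of “no repeating letters”), no dictionary words, nothing tied to the account holder, and a rough entropy estimate in place of a “general strength test”. The word list, the personal-terms list and the thresholds are constructed placeholders; a real deployment would check against a large dictionary and a breached-password list instead.

```python
"""Password policy checker for the criteria discussed in the post.

Added example, not the bank's or the author's code. COMMON_WORDS, the
personal_terms argument and the thresholds are constructed for
illustration only.
"""
import math
import string

# Constructed stand-in for a dictionary; a real check would use a large word
# list and a breached-password list rather than a handful of entries.
COMMON_WORDS = {"password", "welcome", "letmein", "bank", "money", "secret", "summer"}

MIN_LENGTH = 12          # "fairly long"
MIN_CLASSES = 3          # "mixed characters, letters and numbers"
MIN_ENTROPY_BITS = 60.0  # stands in for a "general password strength test"


def char_classes(pw):
    """Return the set of character classes (lower/upper/digit/symbol) used in pw."""
    classes = set()
    for ch in pw:
        if ch in string.ascii_lowercase:
            classes.add("lower")
        elif ch in string.ascii_uppercase:
            classes.add("upper")
        elif ch in string.digits:
            classes.add("digit")
        else:
            classes.add("symbol")
    return classes


def has_adjacent_repeat(pw):
    """True if any character is immediately followed by the same character."""
    return any(a == b for a, b in zip(pw, pw[1:]))


def contains_word(pw, words):
    """True if pw (case-insensitively) contains any word of four or more letters."""
    lowered = pw.lower()
    return any(len(w) >= 4 and w in lowered for w in words)


def estimated_entropy_bits(pw):
    """Rough entropy: length * log2(alphabet size), where the alphabet is the
    union of the classes actually used. This is an upper bound: it assumes each
    character was chosen uniformly at random, which human-chosen passwords are not."""
    sizes = {"lower": 26, "upper": 26, "digit": 10, "symbol": 32}
    space = sum(sizes[c] for c in char_classes(pw))
    return len(pw) * math.log2(space) if space else 0.0


def check_password(pw, personal_terms=()):
    """Return a list of policy failures; an empty list means the password passes."""
    failures = []
    if len(pw) < MIN_LENGTH:
        failures.append(f"shorter than {MIN_LENGTH} characters")
    if len(char_classes(pw)) < MIN_CLASSES:
        failures.append(f"fewer than {MIN_CLASSES} character classes")
    if has_adjacent_repeat(pw):
        failures.append("adjacent repeated characters")
    if contains_word(pw, COMMON_WORDS):
        failures.append("contains a dictionary word")
    if contains_word(pw, {t.lower() for t in personal_terms}):
        failures.append("contains a personal term")
    if estimated_entropy_bits(pw) < MIN_ENTROPY_BITS:
        failures.append(f"estimated entropy below {MIN_ENTROPY_BITS:.0f} bits")
    return failures


if __name__ == "__main__":
    # Constructed inputs: a pet's name plus a year, and a random-looking string.
    for candidate in ("Rover2008", "Xq7#pLw2Rm9!vT"):
        result = check_password(candidate, personal_terms=("Rover", "Bradley"))
        print(candidate, "->", result or "passes")
```

The personal-terms check is the part the bank’s advice is really about: names of children and pets are exactly the words an attacker who knows a little about you will try first, so a checker fed those terms from the account profile catches them mechanically rather than relying on the user’s judgement.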
The final piece of advice in the bank’s thrilling “newsletter” is that “if you do think that someone has been using your password, change it immediately and contact us on this number.” They cite a phone number. Of course, if this were a phish, then who’s to say that it’s a genuine bank call centre number? How would you know for sure that you were speaking to your bank when you called? You might call the number thinking your password has been compromised, and hand over all sorts of details on request. The only numbers you should ever call to contact your bank are those you can read once you’re genuinely logged into your account, or the one found on legitimate printed statements and literature from your bank.
Maybe I’m being a little unfair on the bank in question, but I don’t think so: they’ve had many years now to get their security and privacy policies honed, and it’s not as if banking fraud is something novel to the online realm. This kind of email from a bank really is inexcusable. The only redeeming feature is a note at the foot of the email that does offer some useful advice to the gullible; read it or weep (we’ll ignore the shoddy grammar):
It is also important to remind you that we will never email you asking you for your account number or log on details, so if you do receive an email claiming to do so from us, please contact us straight away. And make sure that you never respond to any such unsolicited email with PINs, log in details or passwords, no matter who they claim to be from.
UPDATE: The Official Google Blog just posted on the subject of genuine phishing emails as opposed to the kind that come from one’s bank that are actually genuine emails.
7 responses so far
I think contacting the bank was an excellent idea. Many people just complain, but don’t take the extra step to offer up some advice on how to fix the problem.
Have you received any further follow up from your bank on this issue?
Just a standard letter saying they’d look into the issues.
db
Such information regarding bank accounts is highly confidential, and when accessing any sort of information or retrieval it should be done under well-trusted and secure conditions.
When accessing my bank account they have a very good secured system for passwords: though my password is just one, every time I give my password the bank doesn’t ask for the complete one but rather 2-3 letters of the password, and the next time I give my password it won’t be those but rather other letters. It’s like fill in the blanks. If I give the wrong password 3 times, automatically I will have to get a new password.
This also ensures some security for me, and I suggest this option to the banks.
Yep, various of my online accounts use that 1st, 3rd, 5th letter type approach, it’s a pain to figure out every time though, isn’t it?
db
Legitimate companies should refer to you by your name. This is one way of recognising phishing emails.
seo’s last blog post: A few quick updates
I use PassPack as well, and your passwords for scientists article looks interesting. You did the right thing contacting them, but if their security team hasn’t realized this yet in this age of identity theft and fraud, it just goes to say a lot about them.
K-IntheHouse’s last blog post: How to Spot a Fake PayPal Email - Part Deux
Thanks for dropping by K. I think literally the only really safe way to store passwords is either in your head or on a piece of paper in a safe.