Mon, October 27, 2008
Great Example of Social Engineering/Phishing Fraud
Today I received another bogus e-mail claiming to be from Melrose Cooperative Bank, a bank with which I do no business. It's such an excellent example of the application of social engineering to phishing fraud that I decided to share it.
------------------------------------------------------------------------------------------------------------------
From: Melrose Cooperative Bank [mailto:survey@melrosebank.com]
Sent: Monday, October 27, 2008 8:45 AM
Subject: Security Measures: Your MasterCard has been deactivated.
Melrose Cooperative Bank has been notified by numerous members that they have received e-mail requesting account information. We will never ask you to verify your account information via e-mail.
Due to increasing number of fraudulent e-mails claiming to be from Melrose Cooperative Bank, all MasterCards, including yours (5515-1400-XXXX-XXXX) have been deactivated.
We understand that having limited access can be an inconvenience, but protecting your account is our primary concern. We apologize for any inconvenience this may cause.
To activate your card, please follow the link bellow:
[bogus link deleted]
We thank you for your prompt attention to this matter. Please understand that this is a security measure intended to help protect you and your account.
Sincerely,
Melrose Cooperative Bank Security Department
---------------------------------------------------------------------------
The senders have no way of knowing whether I have an account at this bank, but if you send out a million of these, some of them may reach someone who does. If you did have a credit card or maybe even just an account with this bank, this message would definitely make you feel you should do something to make sure everything is OK. The e-mail gives you a convenient thing to do: click the link. Undoubtedly if you did, something bad would happen. You’d probably be exposing yourself to a phishing scam, a virus, or some other form of trouble-making software.
The random credit card number is interesting; even though there is no chance that it is a correct number, I suppose its presence makes the message seem more authoritative. The message is also clever in that it begins by “warning” the recipient about fraudulent messages sent out in the bank’s name, and assuring the reader that the bank will never ask for information via e-mail. This has the potential to create a level of credibility that I’ve never seen in a phony e-mail before.
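The tells discussed above (a threatening subject, a "click here to fix it" call to action, a partially masked card number, a "we never ask via e-mail" pretext sitting right next to a link that asks) can be turned into a simple scoring check. The script below is an added example written for this post, not code from the original; it feeds a constructed copy of the quoted message through a handful of regular-expression indicators and compares the domain of any embedded link against the sender's domain. The link target (melrosebank-secure.example.net) is an invented placeholder, since the post deleted the real one, and the benign second message is likewise constructed for contrast.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample modelled on the message quoted in the post. The link
# target is an invented placeholder: the post deleted the real bogus link.
SAMPLE_PHISH = """\
From: Melrose Cooperative Bank <survey@melrosebank.com>
Subject: Security Measures: Your MasterCard has been deactivated.
Content-Type: text/plain; charset=us-ascii

Melrose Cooperative Bank has been notified by numerous members that they
have received e-mail requesting account information. We will never ask you
to verify your account information via e-mail.
Due to increasing number of fraudulent e-mails claiming to be from Melrose
Cooperative Bank, all MasterCards, including yours (5515-1400-XXXX-XXXX)
have been deactivated.
To activate your card, please follow the link bellow:
http://melrosebank-secure.example.net/activate?id=12345
Sincerely,
Melrose Cooperative Bank Security Department
"""

# Constructed benign message for contrast: same sender, no link, no pressure.
SAMPLE_BENIGN = """\
From: Melrose Cooperative Bank <survey@melrosebank.com>
Subject: Branch holiday hours
Content-Type: text/plain; charset=us-ascii

Our branches will close at noon on Friday. Online banking is unaffected.
"""

# Heuristic indicators drawn from the post's analysis of the message.
URGENCY = re.compile(r"\b(deactivated|suspended|locked|limited access|prompt attention)\b", re.I)
CALL_TO_ACTION = re.compile(r"\b(activate|verify|confirm|update)\b[^.]*\b(card|account)\b", re.I)
REASSURANCE = re.compile(r"\bnever ask\b[^.]*\be-?mail\b", re.I)
MASKED_PAN = re.compile(r"\b\d{4}-\d{4}-X{4}-X{4}\b")
URL = re.compile(r"https?://[^\s<>\"']+", re.I)


def registrable_domain(host: str) -> str:
    """Crude eTLD+1: the last two labels. Adequate for .com/.net style hosts;
    a real deployment would consult the public suffix list instead."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def analyze(raw: str) -> dict:
    """Score a raw RFC 822 message; higher score = more phishing indicators."""
    msg = message_from_string(raw)
    subject = msg.get("Subject", "")
    _, sender = parseaddr(msg.get("From", ""))
    sender_domain = registrable_domain(sender.split("@")[-1]) if "@" in sender else ""
    body = msg.get_payload()          # single-part text message in these samples
    text = subject + "\n" + body
    indicators = []

    if URGENCY.search(text):
        indicators.append("urgency_or_threat")
    if CALL_TO_ACTION.search(text):
        indicators.append("call_to_action")
    if REASSURANCE.search(text):
        indicators.append("reassurance_pretext")
    if MASKED_PAN.search(text):
        indicators.append("masked_card_number")

    # Compare every link's domain with the domain the sender claims to write from.
    link_domains = {registrable_domain(urlparse(u).hostname or "") for u in URL.findall(body)}
    link_domains.discard("")
    if link_domains:
        indicators.append("contains_link")
        if sender_domain and any(d != sender_domain for d in link_domains):
            indicators.append("link_domain_mismatch")

    # The combination the post singles out: "we never ask via e-mail" beside a link that asks.
    if "reassurance_pretext" in indicators and "contains_link" in indicators:
        indicators.append("reassurance_contradicted_by_link")

    return {
        "sender_domain": sender_domain,
        "link_domains": sorted(link_domains),
        "indicators": indicators,
        "score": len(indicators),
    }


if __name__ == "__main__":
    for name, sample in (("phish", SAMPLE_PHISH), ("benign", SAMPLE_BENIGN)):
        print(name, analyze(sample))
```

The constructed phishing sample trips all seven indicators, while the benign notice scores zero. The link-domain comparison is the one check that does not depend on wording: a message that claims to come from melrosebank.com but sends the reader to another domain deserves scrutiny regardless of how polished the text is. Note that the sender address itself is trivially forged, so a mismatch is only a signal, and a match is not a clean bill of health.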