Today, for the first time every, I got a phishing spam from a spammer targeting a bank that I actually use. A couple of months ago, Washington Mutual held a "contest" where if you opened an account and put at least $100, they’d also contribute $100. Wanting to double my money for almost nothing, I took advantage of it. My only goal for doing this was to collect my 100% rate of return.
Well, a few weeks later, in one of my many email accounts, I noticed that I got an email notice from Chase, with the subject line Chase Bank Security Service Notification (IMPORTANT). Here’s the message:
When I saw the message in my inbox and I glanced over the subject line, my first thought was "How did they get my email address? I never gave it to them." Yes, that was the first thing I thought, it was completely instinctual. It only lasted for a brief moment because I immediately realized that I was being phished.
Tsk, tsk. If only the spammers knew who they were dealing with… not that they care. But the point is that it goes to show that things like this operate on an emotional level. People see that a message comes from their bank and they are interested in seeing what is going on. The threat to take action, particularly about fraudulent action, scares people into taking action on it. This is nothing new and is an example of social engineering action, it is a spam technique that has been around as long as I have been fighting spam. But as I said, it’s the first I have ever been phished from a bank I use.
Incidentally, both Firefox and Internet Explorer blocked the site and reported them as unsafe. It’s a good thing both browsers did that because the site is very well polished and looks real.