Monday, September 17, 2007

Shame on Wells Fargo or Shame on Me?

Friday was a busy day, but I found a little time to check my gmail account. My peak performance brain has been trained to immediately key on certain words that appear in my inbox and classify them as threats, either phishing or spam. You know words such as “Alert”, “PayPal”, “Warning” and “eBay”? This time my brain tells my eyes to check out this email labeled “Wells Fargo Online Notification of New Legal Notices”.

There are three primary reasons why I am particularly interested in this email. One, I am a Wells Fargo customer. Two, I signed-up for email updates and regularly get emails from the company. And three, gmail typically does a great job of filtering out phishing attempts from my inbox. So I open the email.

The email looks legit to me.

A Phish is a Phish?
I have been training users for the last couple of years to NEVER click on a link in an email to a login page, then proceed to login. I assumed that this is a “best practice” to protect oneself from phishing. I am always skeptical. Did this email really come from Wells Fargo? I check the header of the email, looks good. I check the links, look good. I check the html code, still looks good.

This legitimate Wells Fargo email goes against what I thought were best practices in regards to phishing prevention. Being the concerned (paranoid) information security guy that I am, I emailed with the following:

date Sep 14, 2007 1:50
subject Fwd: Wells Fargo Online Notification of New
Legal Notices

To whom it may concern:

It appears that the email depicted below actually came from Wells
Fargo. The email contained links that went to your login page and
asked people to sign in. Wells Fargo should not be sending emails
like this to your customers! It goes against everything that we try
to teach people with respect to phishing.

Concerned customer

Surely Wells Fargo knows much more about phishing than I ever could, so am I wrong?

No comments: