Tendo City

Look with me at the latest email I recieved.

Quote:Subject: Unauthorized Activity

Dear Bank of America client,

You have received this email because you or someone had used your account from different locations.For security purpose, we are required to open an investigation into this matter.

In order to safeguard your account, we require that you confirm your banking details.

The help speeed up to this process, please access the following link so we ca complete the verification of your Bank of America Online Banking Account registration information.

<a href="http://201.78.78.249/www.bankofamerica.com/sslencrypt218bit/online_banking/">http://201.78.78.249/www.bankofamerica.com/sslencrypt218bit/online_banking/</a>


If we do no receive the appropriate account verification within 48 hours, then we will assume this Bank of America account is fraudulent and will be suspended.

The purpose of this verification is to ensure that your bank account has not been fraudulently used and to combat the fraud from our community. We appreciate your support and understanding and thank you for your prompt attention to this matter.

Okay. That is the bulk of the text.

First, I do not have a Bank of America account, nor have I ever.

Second, the address this came from was no-replymail@google.com. That's not suspicious at all.

Third, and this is purely speculation, but I don't think one of the biggest banks in the country would have something like "sslencrypt218bit" in a link to it's online banking center.

Fourth, it's not very professional. Phrases like "someone had used your account", "different locations.For" and "The help speeed up" make me sad for todays spammers.

Finally, wouldn't you also think there would be some sort of signature, perhaps the name of a CEO or other name (even a fake one!) to lend it at least a little bit of credibility?

Man, what a lazy attempt at spam.

It makes me nostaligic for the days of <a href="http://tcforums.com/forums/showthread.php?t=3650">Leader Next Human Sandwich</a>.

Actually this sort of seems like old school spam.

You know, even if it had some sort of signature, that doesn't do anything but look credible. It's not like people can't just sign random names and pretend they are the president. A picture of someone's signature never sat well with me as proof of.... anything. Heck, if banks did routinely put their president's signature in the email, they could just copy that image into their spam.

The idea just seems to be to scare someone not versed in critical thinking into a "what-if" proposal of "if it's true, it would be bad, I better act on that". This is really no different from the olden days of selling dragon wards and demon excizing seals to people. They couldn't take the chance, even though there's no evidence there even is a chance to be taken.

I mean seriously, why would a bank do anything in the way this letter describes they would? Would a bank actually just "close" an account outright if they think someone is fraudulently taking money? They make it sound like they are just going to take all the money in the account for themselves if they suspect someone else is taking it. Um, I doubt that. More likely they'd invalidate PIN numbers and cards and call the person to inform them of that. Quick conversation on the phone later and it's all back up and running. Also, no information on details? It's not like this person can't just CHECK their account to make sure the balance adds up, and why wouldn't the bank inform them of the details?

These are the sorts of things you have to ask, and then there's the single nitpick that every single bank in the US, in fact EVERY company that lets you make an account with them to my knowledge, now informs their users from the moment they sign up that they will never use email to check account verification.

That's another thing! If they think someone else is frauding you, how on earth is signing into some web site supposed to help verify it? I suppose maybe if they didn't want to share the transactions except on some secure web page, but that's still stupid. If they don't think that email is secure enough, why are they sending this information to it to begin with?

That said, too many people will fall for it. Some people take a laid back "well whatevder it's not MY money" attitude but to be honest I would prefer if people started caring more about these victims. In all honesty I think schools should focus on teaching people how to critically check facts. Too many teach the facts in a text book in a "don't question it" manner. If they taught them as well as the methods used to get to that information, maybe that would help. Heck I'd like to see involved school projects where a teacher provides books with knowingly false information and had the kids do research to figure out what's actually true or not. They wouldn't even need to print new books. Outdated science books STILL teach the false notions of backwards water flushery down south and the whole "regions of taste on the tongue" thing (place salt anywhere on your tongue and you'll see what I mean, salt tasters are all over it, not in regions). These are bits of information that always seem to make their way into the text books, when the thing is, both of those bits have never been accepted facts in the scientific community. Someone managed to get some misunderstanding (maybe they inferred correalis effect worked on small enough a scale to affect drain spin direction as well as hurricanes but didn't check their facts) and it is now in books everywhere. This provides a great opportunity for skeptical teaching though so I say go ahead and leave it there so long as the kids are corrected. Teach them the false notion of water spinning, then get them to experiment in class. Watch for a while as some of them start defending the book when the water sometimes spins the other way by making up excuses why this sink is wrong or the air is wrong, while others suggest that maybe the book is flawed. Point out that making up excuses for failures of claims like that is probably not the best way to go about getting info. Then do a delicious tongue region taste test. These sorts of involved, questioning, THINKING teaching methods would prepair people to perhaps question that odd email from that monolithic company "the bank", questionining perhaps if, say, it isn't even FROM the bank.

And my rant is over.

To be fair, English probably isn't even their first language.

I think the biggest giveaway is the fact that they don't have a fully qualified domain name. Do they honestly expect me to believe that the Bank of America would host a web site by ip only and not register a domain?

Phishing websites almost never register a domain name because the WhoIs server would reveal their identity.

BTW: everything after the IP address is the banks real url to the page. sslencrypt218bit stands for secure socket layer encrypt 218 bit. They probably have script that will accept any domain go out and fetch the real page but postback to their server instead any goodies you type in first, and then fetch the real next page reposting any form data you entered to the real server along the way. Most users never know their on the wrong site.