Email spam is something that I typically ignore. I may occasionally pay attention to something that looks like a scam, just to learn from it so that I don’t fall for any fraudulent email in the future. Yesterday night, however, I came across a very sophisticated example of social engineering that I simply could not pass without studying more carefully. I got an email in my mailbox stating that my Chase credit card account may have been compromised. The tone of the email was very professional, there were no spelling or grammar mistakes, and the formatting looked similar to official communications I have received from Chase in the past.
The email informed me that my online account had been locked because someone had tried to log in more than the maximum number of attempts allowed. For a few moments, my heart rate rose and hundreds of thoughts went through my head. I started asking myself who might have tried to hack into my account, whether they had tried to log into some of my other credit card accounts, what the damage would be, how much time it would take me to reopen all accounts, etc. Then I calmed myself down and continued reading the email.
The “fraud notification” went on to assure me that my credit card number had not been compromised, apologized for the inconvenience, and advised me to reset my online account. Instructions on how to do that were helpfully offered in an attached “secure form.”
Those last two words — “secure form” — raised the first warning flag in my mind. This did not sound right!
- Why would the bank attach a “secure form” to help me re-instate my online account?
- Why wouldn’t it just prompt me to visit the secure web site and re-register there?
I quickly scrolled down to the bottom of the message to take a look at that “secure form.” I expected some sort of a PDF. Instead, it was an HTML file, casually called Chaseonline.html. That raised early-warning flag #2 in my mind.
- How can a simple HTML file be a “secure form?”
- Why would they ask me to open an HTML file in my web browser, when they could simply direct me to the web site?
I scrolled back up to the top of the message, already knowing what I would see. The email address in the “To:” line was not mine. It contained my name’s initials and was addressed to one of the big, well-known U.S. universities. Now that did not look right at all!
The final blow to this scam came when I double-clicked on the “Chase” alias to reveal the actual email address. Not surprisingly, it was extremely generic and did not belong to the Chase.com domain at all!
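The three tells described above (a “To:” line that is not the recipient’s own address, a sender whose display name says “Chase” but whose domain is not chase.com, and an HTML attachment posing as a “secure form”) can be turned into a simple mailbox-side check. This is an added example, not part of the original post; it uses Python’s standard `email` library on a constructed message with hypothetical addresses and a hypothetical attachment body.

```python
import email
from email import policy

# Constructed sample message: the headers, addresses and attachment body are
# hypothetical and only mimic the shape of the scam described in the post.
RAW_EMAIL = b"""From: Chase <alerts@example-mailer.invalid>
To: jd@some-university.example
Subject: Your online account has been locked
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Your online account was locked after too many failed login attempts.
Please open the attached secure form to reset your account.
--b1
Content-Type: text/html; name="Chaseonline.html"
Content-Disposition: attachment; filename="Chaseonline.html"

<html><form action="http://example.invalid/login"></form></html>
--b1--
"""

# File types that a bank would never send as a "secure form"
RISKY_ATTACHMENT_SUFFIXES = (".html", ".htm")


def phishing_indicators(raw, my_address, claimed_domain):
    """Return the list of phishing tells found in a raw RFC 5322 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    flags = []
    # Tell 1: the "To:" line does not carry the recipient's own address
    to_header = msg["To"]
    to_addrs = [a.addr_spec.lower() for a in (to_header.addresses if to_header else [])]
    if my_address.lower() not in to_addrs:
        flags.append("to_mismatch")
    # Tell 2: the sender's real domain is not the brand's domain (or a subdomain)
    from_header = msg["From"]
    if from_header and from_header.addresses:
        domain = from_header.addresses[0].domain.lower()
        if domain != claimed_domain and not domain.endswith("." + claimed_domain):
            flags.append("from_domain_mismatch")
    # Tell 3: an HTML file is attached instead of a link to the real web site
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(RISKY_ATTACHMENT_SUFFIXES):
            flags.append("html_attachment:" + name)
    return flags
```

Each flag on its own is only a heuristic; all three together on a message claiming to be an account lockout notice is a strong signal to delete it rather than open the attachment.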
Having read The Art of Intrusion, the book on social engineering by the famous hacker-turned-writer Kevin Mitnick, I had started paying attention to the telltale signs of potential hacks or scams. In the past, email scams were relatively easy to identify by their use of incorrect English, weird formatting, and strange use of punctuation. This time around, however, the scam looked very polished and professional. And it sounded real.
Scammers are becoming increasingly sophisticated, my friends. Beware of their social engineering skills!
Below is the full email — I thought I’d share it here to help others avoid falling into this pitfall.