This Is Why Phishing Works

The following (sad) letter yesterday from reader H demonstrates why phishing works:

Dear Sir:

I have an e-mail telling me that I have an online banking account with Bank of America. We have never used or will use the internet for banking.The mailing requests information. Is this actually a mailing from your bank?

The email address of the sender is “Bank of America” The underline was put in by my computer. It appears that the email was sent from New Zealand. Is this true? Is the statement that we have an account with you true? I need to know if there has been a theft of our ID. None of the links at the bottom of the email work. Thank you your help.

Please share what you know about phishing with your friends and family. Below are some links that will help educate them so that they don’t have to rely on their instincts to spot a fraud.

Consumer Advice: How to Avoid Phishing Scams [Anti-Phishing Group]
Recognize phishing scams and fraudulent e-mails [Microsoft]
(Photo:The Joy Of The Mundane)


Edit Your Comment

  1. speedwell (propagandist and secular snarkist) says:

    I’m sitting here working through my morning Help Desk tickets and e-mails, and it occurs to me to wonder how much it costs the bank to have people on staff answering the thousands of letters like this they get regularly. Naturally the banks must pass through these costs to their customers in the form of fees and uselessly restrictive policies. So phishing hurts all of us with a bank account, not just the uninformed or clueless.

  2. strangeffect says:

    Phishing will stop working the same day my aunt stops forwarding me shit.

  3. dualityshift says:

    @strangeffect: So, when your aunt dies, phishing will end? What, is she the Big phisher? She’s the Don of the phish mafia?

    *looks for torches and pitchforks.*

  4. ottawa_guy says:

    Oh god! If you have a question call customer service, or better yet visit a branch!

    Usually all of the info you need is right when you logon to online banking in the “announcements” field.


  5. ottawa_guy says:

    oopsy…..e-mail….see I am so angry I dont think straight!

  6. My father got phished last year… Fortunately he was smart enough to realize that ought not be emailing his social security number around, but he still gave them enough info to briefly break into and use his paypal account before he was able to shut it down. The monetary damage was minimal, but as a 60 year old guy who had spent the previous thirty or forty years priding himself on being up with the latest in computer technology, the hit to his pride was enormous. It illustrated to me how important it is to pass on news about the latest scams to everyone, even if it seems completely obvious or inapplicable to particular people.

  7. ChChChacos says:

    @ottawa_guy: actually some banks do use email to contact you. To save on paper, Citizens Bank in Massachusetts sends e-statements.

  8. speedwell (propagandist and secular snarkist) says:

    @bojgen: If every Tom, Dick, and Harry didn’t need your Social Security number to do business with you, then nobody would fall for Social Security number scams. I hate it when people ask for the “last four digits” without even going on to specify that it’s for the SS number… as if it’s so common that anyone would know exactly what they meant.

    Does it occur to anyone else besides me that if everyone asks for the same information (mother’s maiden name, last four SS digits, etc.), then it is almost like having no password at all? Anyone with access to the supposedly “secret” information can use it to gain access anywhere else.

  9. RandoX says:

    @ottawa_guy: Mine does.

  10. bravo369 says:

    I can’t believe people actually fall for these emails. If it was legit, you’d get a letter in the mail. My mom calls me up and asks about emails like these and what I always tell her is even if you think it’s true, never click on the links in the email. Close the email and type in the website manually. If you’ve never heard of the site before, don’t go to it.

  11. Chols says:

    I love getting phishing scams warning you of a phishing scam. That was a big one at my local bank (Hancock Bank).

  12. BugMeNot2 says:


    Maybe you should say “no bank will send you unsolicited email.” Most banks these days send email to their customers, if the customers have approved it. For example, I get my statements online to cut down on the paper I have to keep track of. Once a month, my bank emails me that my statement is ready and I can sign on to their secure site (with no accompanying link, so if there were a link I’d know it a fake) and pull a copy of my statement.

    When I worked for the bank, part of my job was to provide online security courses for our senior citizen customers. The first thing I would tell them was: No bank will ever call or email you asking to verify your account information. They are the bank. They have that information already. The only time they will need you to verify it is if you call them, and then it’s just to make sure you are who you say you are.

  13. Thomas Palmer says:

    @speedwell: That is why I never enter in my mom’s real maiden name or my real last 4 digits. Like a password, I create something new for every other website.

  14. RandomHookup says:

    @bravo369: The problem is that they are getting better and better. The ones I’ve seen this week from PayPal are strikingly good and could easily fool those who are not up on the technology. They even got the English and spelling right (at least at first glance) which doesn’t usually happen.

  15. Antediluvian says:

    @strangeffect: Is that you, cousin?
    Nope, wait, it’s my father, not my aunt or mother, who sends me shit.
    Does your uncle also send you crap, or just your aunt?

  16. Fist-o™ says:

    Has anybody ever seen a phishing e-mail where the URL actually appears legitimate? such as “”

  17. BlondeGrlz says:

    My boss forwards all his phishing email to me with the subject “Is this real???” I have to explain on a weekly basis how to tell real from scam. He’s the kind of guy who still reads all those “Dear Sir, I am an African noble forced to leave my country, can you hold my $500,0000,000 for me?” emails, and wonders if he should help the guy out. Some people will fall for anything, but as RandomHookup pointed out, the scammers are getting better too.

  18. Fist-o™ says:

    has anybody ever seen a phishing scam where the URL actually isn’t something weird and wrong-looking??

  19. Fist-o™ says:

    oops sorry for the dupe

  20. leprofie says:

    One of the latest phishing scams was for the West Virginia University Credit Union. They “closed” accounts because of phishing attempts, and asked you to call to reopen them. The phone number was the right area code, but not the right phone number for the credit union. So, don’t even call the phone number in an email, go directly to the website or info you have elsewhere.

  21. B says:

    Those must be the best fish sandwiches ever.

  22. bilge says:

    “Dear Sir”?

  23. nursetim says:

    I got a fake e-mail from BoA last week, which sounds like the same one OP got. We also don’t have any accounts with them, I knew it was fake. This is why I use my Yahoo account when I need to provide an e-mail address, and save my other one for legit stuff.

  24. econobiker says:

    @speedwell: They ask for the typical info in order to voice stress analysis you to determine if you are lying or not. Some companies are finally adding a phone security pass word code to be doubly sure…

  25. FLConsumer says:

    NOT all bank e-mails are scams. For example, I recently received the following:

    From: _Discover Card []
    Sent: Tuesday, March 11, 2008
    Subject: _Discover Card Fraud Prevention Alert


    This is not a promotional e-mail. Please call us immediately at 1-800-347-3723 regarding recent activity on your Discover Card Account ending in XXXX. We’re available 24/7 to take your call.

    Please disregard this e-mail if you’ve already spoken to us since the date this e-mail was sent.

    We appreciate your prompt attention to this matter.

    Thank you
    Discover Card Fraud Prevention Security Department
    My initial thought was that it was a phishing e-mail, but the IPs seemed to match up. So rather than call the # in the e-mail, I called the # on the back of the card. Sure enough, it was legit. Someone had tried to use my card in Miami. I find it odd that they sent an e-mail rather than call, especially with the current state of phishing. They issued a new card.

  26. Beerad says:

    @B: They’re made of endangered fish species.

  27. armour says:

    yes the big bad internet should never be used for banking. sorry couldn’t restrain my self.

    Phishing works because people never read the information the freaking banks give out in thier branches or on their legitimate sites that says they will never request customer information over email. People should have learned long ago but never seam to is that email is not secure.

    Also people also turn off that annoying information bar on the bottom of their browsers because it’s USELESS mean while when you hover over a link it tell the full address of the link and where it would take you. Yes what a useless feature that is.

    Sorry I would take my chances with technology any day over people because human engineering is a lot easier and humans make a lot more mistakes then computers. Majority of the data breaches have been large but how much data loss is there from people freely giving it away with out thinking of what and who they are giving it to?

    Email Phishing is just the same as an old ploy of calling people and asking the same things the email did just more time and human intensive. How many people answer the phone and not think of who is one the other ends because they say they are from your bank and have a few public pieces of information like your name address and obviously your phone number.

    People need to stop being lazy sheep and take an interest in the services and information the supply to them.

  28. 5h17h34d says:

    @ottawa_guy: Wrong. BoA sends me emails all the time. Pisses me off too because they have the last 4 digits of my acct and my card limit right in plain sight.

  29. The Big O says:

    I got the same e-mail from the “fake BOA” yesterday.

    Went to the BOA website I have bookmarked and was able to log in no problem.

    So I just deleted the e-mail.

    P.S. I hate BOA, but it seems like no matter where I take my banking they buy that bank.

  30. MisterE says:

    Isn’t it odd that banks go through great lengths to educate the public about phishing yet still manage to send millions of unwanted convenient credit card check loans waiting to be cashed?

    Yet, the talking heads on TV can’t figure out why the US is in a credit crunch….

  31. strangeffect says:

    @dualityshift: The sad reality is that she will continue sending me things long after she is dead. It may be a result of scheduled sending, or possibly the supernatural, but there is no stopping it.

    @Antediluvian: Just my aunt, though if you have any questions about Notre Dame football and why racial slurs are a god-given right, my uncle’s your best bet.

  32. NotATool says:

    @schmeckendeugler: Yes, I have seen some which appear to be using a legitimate URL — I don’t save them so I can’t pull one up right now and look at it. I remember getting one and wondering if someone at the legitimate company’s IT department was running a phishing scam!

  33. Dear sir/madam, your account with BoA has been suspended due to suspected fraud! We won’t contact you by your phone number or address you by your name, for SECURITY reasons. Please click the link below labeled . When you do, a new window will pop open, and you’ll see an completely different address in THAT window. Don’t be concerned, once again, security measures. When you try to click links such as “forgot sign in/password” links, they’ll either lead you to a blank page, or the link is unclickable. Don’t worry, just website issues. And please, oh PLEASE provide us with the 3 number security code on the back of your card, so we can verify you ARE the account holder, although it would be on record with us. Those security questions/pictures you set up when you opened the account online? We decided to scrap that system, found it to be unreliable. Once you sign in, and provide us with any and ALL information that COULD be used fraudently (now) we will direct you to the REAL Bank of America homepage.

    At this point… you’d wonder why you signed in, verified all info, just to be made to sign in AGAIN. And you’ll call your credit card company (if you weren’t smart enough to do so before)

    I, personally, LOVE to get these phishing emails, they remind me how gullible the world has become. Want a laugh? Check the phishing email… there are clear MARKERS all over the damn page to show it’s a fake website. Misspelled words are my favorite….

  34. eightfifteen says:

    “You know what Toby, when the son of the deposed king of Nigeria emails you directly, asking for help, you help! His father ran the freaking country! Ok?”

    -Michael Scott, The Office

  35. Niceeeeeeee, eightfifteen.

  36. Maulleigh says:

    I’ve been getting increasingly authentic-looking snail mail.

    My rule of thumb: when in doubt, throw it out. If you owe someone money, etc., believe you me they’ll send another letter/email.

  37. BlondeGrlz says:

    @eightfifteen: You win.

  38. bravo369 says:

    I started tracing emails when I was selling stuff on craigslist. Some emails seemed legit but once you emailed them back, the scam started. It made me think that email programs should incorporate the trace into the email. Each email you bring up could have a little menu on the side with the source IP address of the 1st mail server and traceroute info. Sure scammers would just get around it but at least it would help identifying some emails that say they are from a Bank but originate in Africe.

  39. dualityshift says:

    @strangeffect: That is so awesome. Forwards from the grave.

  40. unklegwar says:

    Good god. That’s some confusing formatting right there. It’s unclear who the “speaker” is. It’s very incoherent. Nice editing. A potentially important point is lost.

    I’m seeing a pattern. Meg is in a big hurry to post stuff, without really editing, formatting or even thinking thru the content of what’s being posted (see the “Amazon ships two completely unrelated items from two different warehouses in two different boxes! Oh noes!!!” article from last week)

  41. dualityshift says:

    and the fact you use Ted Knight as your Avatar makes it even cooler.

  42. Narockstar says:

    I try to be a nice and helpful person. I will forward the fake emails I get to the company’s fraud department. Unfortunately, I have an alternate old email from Lycos and when I started getting tons of Lycos branded emails trying to sell me crap, I alerted them. Their response was “Oh, no, these are real, we’re just letting companies send you sh*t directly through us now, without your consent. Thanks.” Great.

  43. sir_eccles says:

    @bravo369: Some email prgrams do. I’m not sure the exact way Thunderbird does the analysis, but it often either tags those sorts of messages as “junk” or “scam” and puts a banner across the top of the message saying something like “Thunderbird thinks this may be a scam email”.

  44. ottawa_guy says:

    @ChChChacos: I would not even start to believe that a financial institution would send e-statements via unencrypted e-mail. I can see if it was just a reminder that a statement is available, but why would you need a statement when you can see your banking history anyways when logging on.
    @5h17h34d: Talk about a security breach! I am very very very happy my bank (TD Canada Trust) sends me NO MAIL regardless of what it is. If I want to read announcements, news, or otherwise, I must logon to online banking to see it.

  45. SOhp101 says:

    @ottawa_guy: Banks send me e-mail all the time… telling me to sign up for their paperless services, balance transfers, and other products that they sell.

  46. katylostherart says:

    @ottawa_guy: my banks email me to let me know my statements are ready.

    and i always get so hopeful when i get the lotto notifications.


  47. Zimorodok says:

    In the last week I’ve gotten two phishing phone calls at home. The first guy claimed to be from a US district court, checking on jury duty notifications (which I obviously never received). He asked a bunch of “jury-selection-like” questions such as “Have you ever worked for an insurance company” and “Have you ever been sued” before I put a stop to it. He wouldn’t leave a number where I could call him back after checking out his story, which is a huge red flag. This was also on a Saturday morning. After googling what info he had mentioned, the judge he claimed to work for didn’t exist.

    The second one was 10:30 PM the next Saturday night, and I can’t decide if it was a phish or a prank call. Some kid was “verifying my delivery” from a lingerie store. “Some lady” “placed the order today” for delivery to my house. He claimed he couldn’t cancel the order; that I had to call an 800 number for corporate to cancel it. He hung up after I asked who was whispering in his ear. I wish I’d written down that 800 number, what are the odds they would immediately ask for a credit card number for “verification purposes?”

  48. brennie says:

    @FLConsumer: Same thing happenend to me and my dad when I became a co-signer on his accounts. It was a ‘letter’ but with no letterhead and a return phone in Arizona or something. The rep when contacted had no method to verify that she was actually from fraud control (knew no numbers, passwords, etc.) we also finally worked it out backwards through the branches to discover she was legit. Poor girl sent us multiple mailers and called us frequently with what turned out be real concern. Who knew? My dad and I enjoy wasting the time of such folks and were dragging it out for fun. Quicker and easier if BofA had written us to contact our local branches directly.

  49. “The 3rd Annual Nigerian EMail Conference
    Write better emails. Make more moneys.”
    funny stuff []

  50. Murdermonkey says:

    I fill them out completely using insulting statements about the phishers mother and/or ancestry.

  51. hossfly says:

    #1 Why the hell do people STILL open (and READ!!)e-mails from an unknown source?
    #2 If you KNOW you don’t have an account;what’s the big friggin deal?

  52. SamuraiAZ says:

    Call their customer service number to double check

  53. WolfDemon says:

    The great thing I love about my bank is that they tell you clearly that they will NEVER email you. They will ONLY use the messaging system in their site.

  54. Her Grace says:

    @ottawa_guy: BofA actually does send me mail, thanks. They email me to let me know my statement is ready for viewing, and tell me to go to the website by actually typing in the real address and logging in.

  55. Foneguy says:

    I have received e-mails with legitimate looking URL’s. Check the following…. Hover your cursor over the URL, then right click, then click on “properties”. The real URL should show up, and it probably will not match the orignal. Also, you should always look for the “S” at the end of the [] Ie, [] this indicates at least a secure encrypted connection, but phishers can use this too, so it is not a failsafe. My Chase mortgage does not use encryption, but they do monitor what IP address I am on and will not allow access if they do not recognize it. They force you to go through a verification and send you a code via your registered e-mail. Hope this helps.

  56. synergy says:

    I got two phishy phone calls today allegedly from Sprint today. They didn’t call when I told them to call me at my cellphone. Hmm…

  57. xtron says:

    I got a email from PayPal about my account. The fools! I don’t have a PayPal! :P

  58. @speedwell: Oh, so true… Just yesterday I used those same four digits to get access to my bank account by phone. Then again, I can’t think of any other way via phone to prove who I am to my bank, aside from my account number, which is equally vulnerable. Bah.

    In my old job I had to take peoples credit card number over the phone, and at one point while I was there we updated the system to take the security code as well. Many people pointed out when I asked for that code that it wouldn’t be much of a security code if they had to give it every time they used the card. I could not agree more! But it’s the same basic catch-22 – every time you use it it increases the chances someone who is not you will get their hands on it and use it to pose as you, but if you never use it, just exactly how is it providing you with security against fraud?