Sunday, January 29, 2006
Sunday Morning Phishing
When I receive a scam email -- or phish -- that purports to be from a legitimate financial institution, I always report it. It's usually a pretty simple task: I go to the institution's website, look for a "contact us" or "report fraud" link, and forward the message. I take the time to copy the phish's fraudulent link (which usually is different from the words of the link -- a standard phishing trick) and paste that at the top, because when these messages are forwarded that data often goes away. I don't know if the companies I send them to look at these messages, but I feel virtuous for sending them along.
This morning I had an ominous email from Chase: "For the User Agreement, Section 9, we may immediately issue a warning, temporarily suspend, indefinitely suspend or terminate your membership and refuse to provide our services to you if we believe that your actions may cause financial loss or legal liability for you, our users or us. We may also take these actions if we are unable to verify or authenticate any information you provide to us." And on it goes, four paragraphs of legalese. Pretty convincing -- it doesn't have the gross typos that many of these scams have.
But I knew this one was fake, because I don't have an account with Chase. So I went to Chase.com and looked for a link to report it, and there is none. I did a really thorough search. Bad form, Chase. I'd like to help you, but you won't let me. I'm sure I'm not alone. Many other financial institutions make it really easy to deputize the world of well-intentioned internet users. Washington Mutual, Wells Fargo, and Bank of America have it on their front page. PayPal has a "Security Center" link on its front page, with an email address for reporting spoofs easy to find. VISA has a link on the front page; MasterCard burys it a bit, but it's findable.
Here's the closest thing I can find on the Chase.com website, behind the Privacy & Security link: "If you suspect suspicious or fraudulent activity related to your Chase account(s), please let us know right away. You should also contact your Internet Service Provider so they may block suspect companies from your e-mail inbox. To learn more about how to control and manage your incoming e-mails, please refer to your Internet Service Provider’s online resources."
There isn't an email address or link. And in the "contact your Internet Service Provider" wording, I detect a bit of a punt. Chase customers should encourage their institution to be more helpful to people -- customers and non-customers alike -- who would help them catch phishers.
This morning I had an ominous email from Chase: "For the User Agreement, Section 9, we may immediately issue a warning, temporarily suspend, indefinitely suspend or terminate your membership and refuse to provide our services to you if we believe that your actions may cause financial loss or legal liability for you, our users or us. We may also take these actions if we are unable to verify or authenticate any information you provide to us." And on it goes, four paragraphs of legalese. Pretty convincing -- it doesn't have the gross typos that many of these scams have.
But I knew this one was fake, because I don't have an account with Chase. So I went to Chase.com and looked for a link to report it, and there is none. I did a really thorough search. Bad form, Chase. I'd like to help you, but you won't let me. I'm sure I'm not alone. Many other financial institutions make it really easy to deputize the world of well-intentioned internet users. Washington Mutual, Wells Fargo, and Bank of America have it on their front page. PayPal has a "Security Center" link on its front page, with an email address for reporting spoofs easy to find. VISA has a link on the front page; MasterCard burys it a bit, but it's findable.
Here's the closest thing I can find on the Chase.com website, behind the Privacy & Security link: "If you suspect suspicious or fraudulent activity related to your Chase account(s), please let us know right away. You should also contact your Internet Service Provider so they may block suspect companies from your e-mail inbox. To learn more about how to control and manage your incoming e-mails, please refer to your Internet Service Provider’s online resources."
There isn't an email address or link. And in the "contact your Internet Service Provider" wording, I detect a bit of a punt. Chase customers should encourage their institution to be more helpful to people -- customers and non-customers alike -- who would help them catch phishers.
