When are financial services companies finally going to wake up and realize that one of the best tools they have for combating phishers is secure RSS feeds? Take this recent phish email I received from someone posing as PayPal and decide for yourself whether you would have fallen into the trap. I'll go through what tipped me off so you can learn from this. Please look; this is serious, and it is less about your PayPal account than about getting your password. Most people use the same password for all of their accounts, so once these evil phishers have one password they can try logging into your Bank of America account or any other checking account. From there, how about gathering enough information on you for identity theft? All from one email link. Think about that.
- The sender's email address is phishy: it reads firstname.lastname@example.org.
- The subject line says "Please Restore Your Account Access" even though I haven't tried to log in for a while.
- The body of the email requests information from me that most companies never ask for.
- They wrote that my account has limited access but never explained what that means.
- The case ID numbers look very odd.
- Finally, and this WAS THE BIG TIP OFF: the login links were not plain links to a login page. The embedded URL had my email address pre-populated in it, plus other code. See the screenshot below. This is very, very evil.
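The tip-offs above can be turned into mechanical checks. What follows is an added example, not code from the original post: it parses a raw message and flags an untrusted sender domain, urgency phrases, requests for credentials, and login links whose host is not the brand's, is not HTTPS, or whose query string carries the recipient's own address (the pre-populated-email tip-off). The two sample messages, the trusted-domain list, the wordlists and the threshold are constructed assumptions for illustration.

```python
"""Heuristic phish checks for the tip-offs listed in the post.
Added example code; the messages, domains and wordlists below are assumptions."""
import email
import email.utils
import html
import re
from email import policy
from urllib.parse import parse_qs, urlparse

# Constructed sample: a phish posing as PayPal whose login link carries the
# recipient's address pre-populated in the query string.
PHISH_RAW = """\
From: "PayPal" <firstname.lastname@example.org>
To: victim@example.com
Subject: Please Restore Your Account Access
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Your account has limited access. Case ID #PP-000-123-456</p>
<p>Please <a href="http://paypal.example.net/cgi-bin/webscr?cmd=_login-run&amp;email=victim%40example.com&amp;id=abc123">log in</a>
to restore access. Please confirm your card number and PIN.</p>
</body></html>
"""

# Constructed sample: a benign receipt from the brand's own domain.
LEGIT_RAW = """\
From: "PayPal" <service@paypal.com>
To: victim@example.com
Subject: Receipt for your payment
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Thanks for your payment. You can review it under
<a href="https://www.paypal.com/activity">Activity</a>.</p>
</body></html>
"""

TRUSTED_DOMAINS = {"paypal.com"}  # assumption: the brand's real domains
SENSITIVE_REQUESTS = ("pin", "password", "card number", "ssn", "social security")
URGENCY_PHRASES = ("restore your account", "limited access", "verify your account")


def _under_domain(host, domain):
    return host == domain or host.endswith("." + domain)


def extract_links(html_body):
    """Return every href target in the HTML body with entities decoded."""
    hrefs = re.findall(r'href\s*=\s*["\']([^"\']+)["\']', html_body, flags=re.I)
    return [html.unescape(h) for h in hrefs]


def link_findings(url, recipient):
    """Checks on one link: untrusted host, plain HTTP, recipient embedded in it."""
    out = []
    parts = urlparse(url)
    host = (parts.hostname or "").lower()
    if not any(_under_domain(host, d) for d in TRUSTED_DOMAINS):
        out.append(f"link host {host!r} is not a trusted domain")
    if parts.scheme != "https":
        out.append(f"link to {host!r} is not https")
    for key, values in parse_qs(parts.query).items():
        if any(recipient in v.lower() for v in values):
            out.append(f"recipient address pre-populated in link parameter {key!r}")
    return out


def analyze(raw):
    """Run the tip-off checks over a raw message and return a list of findings."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    sender = email.utils.parseaddr(msg["From"] or "")[1].lower()
    recipient = email.utils.parseaddr(msg["To"] or "")[1].lower()
    sender_domain = sender.rsplit("@", 1)[-1]
    if not any(_under_domain(sender_domain, d) for d in TRUSTED_DOMAINS):
        findings.append(f"sender domain {sender_domain!r} is not a trusted domain")
    subject = (msg["Subject"] or "").lower()
    body_part = msg.get_body(preferencelist=("html", "plain"))
    body = body_part.get_content() if body_part else ""
    # Strip tags so the wordlists match visible text only.
    text = html.unescape(re.sub(r"<[^>]+>", " ", body)).lower()
    for phrase in URGENCY_PHRASES:
        if phrase in subject or phrase in text:
            findings.append(f"urgency phrase {phrase!r} in subject or body")
    for word in SENSITIVE_REQUESTS:
        if re.search(rf"\b{re.escape(word)}\b", text):
            findings.append(f"message asks for {word!r}")
    for url in extract_links(body):
        findings.extend(link_findings(url, recipient))
    return findings


def is_suspicious(raw, threshold=2):
    """Assumed policy: two or more independent tip-offs mark a message as a phish."""
    return len(analyze(raw)) >= threshold


if __name__ == "__main__":
    for label, raw in (("phish", PHISH_RAW), ("legit", LEGIT_RAW)):
        print(label, is_suspicious(raw), analyze(raw))
```

The recipient-in-URL check is the one worth keeping even if you drop the rest: a link in a message you did not ask for that already knows who you are is a tracking or credential-harvesting link, whatever the sender domain looks like.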
I logged into my account, but not via the phishy email link, and behold: full access and no error message. I sent the email to PayPal, who confirmed it was a phish.
Now, back to the start of this post. Why doesn't PayPal get it? Obviously, given all of the fraud warnings on their site, they know they are under attack. Why don't they just force EVERYONE TO OPT INTO A SECURE RSS FEED like the ones available from SimpleFeed? The RSS format is what makes such feeds phish-proof: you opt in, they send you a URL, and your reader pulls content from that URL, so you never have to click a link that arrived in your inbox (provided the subscription URL itself came from the institution's site and not from an email). On top of that, SimpleFeed can serve the feed password protected.
Every financial institution should provide secure RSS feeds for customer communications. Otherwise, sadly, they'll probably be forced by a governing body like the NASD to send only emails with no links in them, moving the financial services industry back to brochureware. Come on, people, wake UP.