Got this email in my inbox this morning, and at first blush it looks pretty convincing.
So the important question is, how do you know if it’s real or not? There’s no single point of failure here, an element that says it’s a scam for sure, but let’s look at a non-exhaustive list of what’s wrong with this email.
Which Inbox
First look at your own inbox. Is this the email address that your bank has on file? Is this where they usually send their email?
In this case, the answer is no. I don’t use my hotmail account for any mail that I actually want to receive, so this email is showing up in the wrong place.
Why did they use my hotmail account this time?
Who Is It?
Do you even have an account with this company? If so, check who the email is actually from. Not the friendly name, but the actual email address. Is this the address that your bank sends email from?
I do have a Chase account, and the email address even looks good, but email addresses can easily be spoofed when sending so it looks like it’s coming from a different place than it actually is.
The Language of Fear
If you read through the email, your first reaction is probably one of fear. Oh No! Somebody has been trying to hack my account. Communications from your own bank will never have this underlying tone of fear.
And if they’re that worried about it, they’ll send you mail, even if you’re on paperless statements. They might even call you, that’s what my credit card company does.
Why is the bank trying to scare me like this?
Second Language
If this was really your bank, they’ve got templatized email to send to someone when something goes wrong, and you can bet that it’s been scrubbed over by linguists to make sure that every word is in place and used properly.
If the sentences sound like they were written by someone who doesn’t speak English very well, it was probably written by someone who doesn’t speak English very well. Your bank speaks English. I promise.
Something is definitely fishy here.
Logical Flaws
My account as Chase has apparently been disabled, so what am I supposed to do to unlock it? Go to www.chase.com and log in immediately. Wait a minute, if my account has been disabled, how am I supposed to access it?
Links
Most browsers have a feature, that when you hover over a link, it will show you the destination in the lower right corner of your browser. The kicker for this particular scam is revealed. I’m supposed to go to www.chase.com, but that link actually takes me to rotarylamarsa.org. Huh?
Secure Communication
Now let’s say that I actually click on that link. It takes me to rotarylamarsa.org where they have essentially ripped off Chase’s website and it’s a pretty good ripoff. The form on the link asks me to enter some personal information. Before you ever, ever do this, look at the URL. The very front part says http:// or it says https://. The ‘s’ means it’s secure. Encrypted from your browser all the way to the server.
There are methods to beat the encryption, but it’s difficult and most scammers don’t have the resources to do something like that. If the ‘s’ is not there, never put in any personal information and never ever put in a credit card number.
What Do They Want?
Now here on the rotarylamarsa.org site that looks a lot like www.chase.com there’s a form to fill out. What does it want? Well it wants my username, password, name, address, city, state, zip, email address, email password, account number, credit card number, CVV2 number (the credit card security number), ATM pin, social security number, mother’s maiden name, and date of birth.
Wait, what?!
Some of these things you could make a case for. Likely your financial agency already knows most of these things about you, but they’re not going to ask you for them on a non-secure site and all in one place. And why do they want your email password? Don’t they already know your account number and your credit card number? What does my home address have to so with this?
What Should You Do?
So what should you do about this? Use common sense. And if you don’t want to, then the other answer is don’t click on links in your email, even if it looks like it’s coming from someone you know.
Even if I had been fooled by this email, if I had gone to chase.com instead of clicking the link in the email, I would have been just fine. I would have logged into my account just fine. I’d have been completely fooled by the scam, but my identity would still be mine.