Bank phishes its own customers

Peter Gutmann pgut001 at
Mon Jun 1 09:57:06 EDT 2009

Imagine if you got the following email:

  You may have noticed that we've created a new tool in FastNet Classic called
  the Online Vault. Hopefully you'll find it pretty handy - it allows you to
  securely store important personal information such as:

  - IRD number [equivalent to the SSN in the US]
  - medical details
  - passport number
  - anniversaries, birthdays etc.

  This means that all your important information is in one secure place,
  allowing you to get hold of it easily, anytime you need it.  No one else can
  access this information - only you!

  To see how the Online Vault works, click on the link below to play the 10-
  second challenge

  [Link to the Online vault site].

When you sign in, you're invited to enter (copied from the web page):

  Passport details, drivers licence, accounts, credit cards, next of kin,
  accountant, solicitor [lawyer in the US], medical conditions, allergies,
  vaccination history, doctor details, insurance contacts and insurance
  policies, and [a general-purpose field for anything else you may want to

Surprisingly, this isn't phishing email, it's genuine email from a bank.  
While the bank's security page warns about attacks where:

  A fraudster sends an email to a large number of email addresses.  The email
  may appear to be from the email recipient's bank.  The message urges the
  recipient to click on a link to update their personal profile or carry out
  some transaction.

in this case the users can tell that the email is from the real bank because
they also ask for your credit card numbers, medical history, and drivers
licence, and no phisher would be that blatant.


The Cryptography Mailing List