Survey Says! Marketers Make Phishing Easy

I received an email today from my bank (see below) asking me to take a survey about their service.

Actual email from Wells Fargo

The email initially looked like a phishing attack. After all, banks are always telling customers not to open attachments or click embedded links, right?

[Image: wells alert]

After a little investigating I learned that it was a legitimate request to complete a survey. I certainly understand that companies occasionally use surveys to better understand their customers. But it strikes me as misguided and naive to have a third party send your customers a direct email containing embedded links and a password for the survey, after telling those same customers never to open attachments or click links in emails that appear to come from you.

Aside from the obvious privacy concern, these emails are incredibly easy for the bad guys to duplicate: the same template, with the embedded links pointed at look-alike domains, sends customers to bogus websites that harvest their credentials or infect them with malware, keyloggers, and other bad things. It is as if Wells Fargo is saying "Here you go, phishers. Here is a perfect template for gathering personal information on our customers!"
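The check a customer (or a mail-security team) actually wants here is whether a link's visible text matches where it really goes, and whether it stays on the bank's own domain. The script below is an added example, not code from this post or from Wells Fargo; the HTML body is constructed for illustration and the survey-vendor and look-alike hostnames in it are invented. It parses the anchors in a message, flags link-text/href domain mismatches, links to third-party domains, plain-http links, and a password sent in the same message as the link.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample body of a survey mailing. This is NOT the actual
# Wells Fargo message; every hostname other than wellsfargo.com is invented.
SAMPLE_EMAIL_HTML = """
<p>Please take a moment to complete our survey.</p>
<p><a href="https://survey.example-vendor.com/s/12345">https://www.wellsfargo.com/survey</a></p>
<p>Your survey password is: <b>ABCD1234</b></p>
<p><a href="https://www.wellsfargo.com/privacy">Privacy policy</a></p>
<p><a href="http://wellsfargo.com.example-login.net/">Sign on</a></p>
"""

# Domains the sender legitimately owns (assumption for this example).
SENDER_DOMAINS = {"wellsfargo.com"}


class LinkExtractor(HTMLParser):
    """Collects (href, visible text) pairs for every <a> element in the message."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registered_domain(host):
    """Last-two-labels heuristic; a production tool should use the public suffix list."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def link_domain(href):
    return registered_domain(urlparse(href).hostname or "")


def text_domain(text):
    """If the visible anchor text looks like a URL or hostname, return its registered domain."""
    m = re.match(r"(?:https?://)?([A-Za-z0-9.-]+\.[A-Za-z]{2,})", text)
    return registered_domain(m.group(1)) if m else None


def audit_links(html, sender_domains):
    """Return (href, reason) findings for every link a reader should not trust."""
    parser = LinkExtractor()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        actual = link_domain(href)
        shown = text_domain(text)
        if shown and shown != actual:
            findings.append((href, f"visible text says {shown} but link goes to {actual}"))
        elif actual not in sender_domains:
            findings.append((href, f"link goes to third-party domain {actual}"))
        if urlparse(href).scheme == "http":
            findings.append((href, "link is plain http, not https"))
    return findings


def mentions_credential(html):
    """True if the message hands out a password alongside its links."""
    return re.search(r"password\s*(?:is)?\s*:", html, re.I) is not None


if __name__ == "__main__":
    for href, reason in audit_links(SAMPLE_EMAIL_HTML, SENDER_DOMAINS):
        print(f"SUSPECT {href}: {reason}")
    if mentions_credential(SAMPLE_EMAIL_HTML):
        print("SUSPECT: message contains a password next to a link")
```

Run against the constructed sample, the survey link is flagged because its text claims wellsfargo.com while the href goes to the vendor, and the "Sign on" link is flagged twice: its registered domain is the look-alike, not the bank, and it is served over plain http. The point is that a legitimate mailing built this way produces exactly the same findings as a phish, which is why the template is dangerous to teach customers to accept.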

It is hard enough to keep the public aware of the many dangers of phishing attacks without a bank violating its own guidelines for interacting with customers. Shame on you, Wells Fargo. If you really want to run a survey, do it from within the customer's online banking session, after they have signed on, over the same encrypted connection they already use.

I forwarded the email to reportphish@wellsfargo.com this morning at 8am but so far I’ve only gotten an automated acknowledgement.  No response related to my inquiry.

Fred Lojo
February 14, 2014 at 3:57 PM

    This is a great example of where Security Awareness Training in a large organization falls short. I am particularly surprised that they included a password in the same email that contains the link. Not a best practice for a major bank.
