
Survey Says! Marketers Make Phishing Easy

February 14, 2014

I received an email today from my bank (see below) asking me to take a survey about their service.

Actual email from Wells Fargo


The email initially appeared to be a phishing attack.  After all, banks are always telling customers not to open attachments or click embedded links, right?


After a little bit of investigating, I learned that it was a legitimate request to complete a survey. Now I certainly understand that companies occasionally want to use surveys to better understand their customers. But it strikes me as incredibly misguided and naive to send a direct email to your customers from a third party with embedded links and passwords to answer a survey, after telling those same customers never to open attachments or click on links in emails that appear to come from them.

Aside from the obvious invasion of privacy, these emails are incredibly easy for the bad guys to duplicate, masking the embedded links and sending customers to bogus websites where they can be infected with malware, keyloggers, and other bad things.  It is as if Wells Fargo is saying “Here you go phishers.  Here is a perfect template for gathering personal information on our customers!”

It is difficult enough to keep the public aware of the many dangers of phishing attacks without violating the company’s own guidelines for interacting with customers. Shame on you, Wells Fargo. If you really want to perform a survey, it should be done from within the customer’s online banking interface using a secure, encrypted connection.

I forwarded the email to this morning at 8am but so far I’ve only gotten an automated acknowledgement.  No response related to my inquiry.