I received an email from Charles Schwab (the bank, not the guy) today.

It started off with “We’re making some exciting changes that will make your online banking experience even better, We therefore request your to verify your location.”

Later it goes on to describe a “verification” that is needed, and has a link that says “Go To Verification Process” with a destination of: http://www.schwab-verification.com/public/schwab/home/welcomep.html

Here’s a screenshot of the email:

Looks relatively legit right?  A few red flags go off right away when anyone, especially a bank, asks you to “verify” something.  You’ve probably guessed already, that this email wasn’t from the bank.

What did the destination (www.schwab-verification.com) look like?  It was an exact copy of what schwab.com looked like.  How scary is THAT!?

Go Phish?

It’s called a phishing scam and it involves bad guys asking hundreds of people for their login information to online accounts such as banks.

The concept of phishing can be thought of by a big fishing net cast out to the sea.  The hope is that while most fish will escape, a few might get caught.

That fake Schwab message was sent to hundreds of thousands of email addresses.  The villain sending it realizes that a small percentage of people opening it will actually *have* an account with Schwab, and then a much smaller percent of account holders will actually fall for it.  But that’s okay because 1 big account may be all he needs to pimp out his evildoer lair for the upcoming year.

5 Phishing Scam Red Flags

  1. Ask Not… This first one is key: No financial companies will ever ask you to do or confirm anything requiring login details online.  Verify, confirm, and words like these are instant flags because they’re requesting you tell the bank’s site what it already knows!
  2. No Site Key.  Lots of banks (Bank of America for example) are now instituting Site Key images.  Before you log into your account, the bank will show you an image that you previously picked out.  If you go to log in and see the wrong image- or no image at all (when you know your account has one), stop!  This one helps stop phishers in their place.
  3. Fake Urgency! OH NO. Our mainframe had a 409XB error at the same time your Debit card was used in Boca Raton, Florida- quickly confirm your details so we know your account hasn’t been compromised.  How about no?  If the issue at hand was *that* serious, they would call you.
    I’ve gotten calls before from a fraud team asking if I’ve been to Connecticut lately as fraudulent behavior was identified there.  Even these departments won’t ask you for vital information- if they do, ask for a number to call them back.  And remember, sending an email for something serious is like emailing all workers in a building that there is a fire and to get out.
  4. Funky Destinations. Just like in the example above, the website I went to from clicking the link was not the actual website of the company that emailed me:  www.schwab-verification.com is not www.schwab.com.  This one is pretty clever, but you have to ask yourself why there would be a separate address just to verify- there won’t be!  Some URLs are a lot more blatant like: bankofamerica.verify.systemconfirm.ru   This is an example of a Russian website (.ru) with plenty of garbage thrown into the web address to confuse you- it’s definitely not a bank!
  5. “English! Do you speak it?!” Samuel L Jackson says this famous movie line- of course, his version is littered with more colorful language…  If you actually take the extra 5 seconds to read a suspicious email you’ll be surprised at how often they’re poorly written.  Real companies, banks, and firms often have teams of employees who come up with multiple drafts of the same email in order to make it clear and professional.
    Here’s an example from the above email: “We’re making some exciting changes that will make your online banking experience even better, We therefore request your to verify your location.”  Seriously? You used a comma instead of a period and you THEREFORE request YOUR to verify?  Oh please!  If something like this ever left Schwab, whole departments would be getting fired as droves of investors ran for the hills.  “If you can’t write an email, how are you going to manage my money?”

Phishing scams are not new and sadly they are not going away soon.  Our best bet is to share what we know about them with friends and family.  As our world’s digital experience matures and fewer people fall prey to online scams, phishers may have to pick up real fishing nets and try a new career.

  • Adam

    Good post Casey – something for people to bookmark when a suspicious email like this comes along and they need to reference!!

  • http://www.CaseyCheshire.com/ Casey Cheshire

    Thanks Adam! Good idea about bookmarking & using the article for reference.