« Clueless in Bethesda | Main | Scary Stuff »

September 09, 2006

I had heard of this ploy, and now I've finally seen one in the wild.

Even without diving into the source code, the email message has all the hallmarks of a phishing message from a financial institution. But instead of directing the recipient to click a link to a fraudulent site, the message provides a toll-free (in the U.S.) phone number to call.

Here's what the message looks like:

I haven't called the number for a couple of reasons. First, Caller ID is not blocked when phoning toll-free numbers, so I don't want to give my number away to crooks. Second, it is possible to have toll-free calls diverted to very costly international calling services without the caller's permission (this is illegal, but, hey, these are crooks).

From what I've heard, however, a call to this number would get me a recording that requests personal identification data. My responses would be recorded and picked up by the crooks who will then use or sell the data at my peril.

Because I didn't have any business with MBNA, I knew right away this was a hoax. The message's opening "Dear customer!" is also a dead giveaway to those who see lots of phishing messages. But to the uninitiated, it sounds legit. And the 800 number makes it sound even more so.

The truth, as always, lies in the one piece of message header information that is very difficult to forge. Something tells me that MBNA (now a part of Bank of America) would not send customer advisory email messages from Dutch cable/DSL provider chello.nl.

UPDATE (15 September 2006): I just received one of these claiming to come from PayPal. Watch out!