Apropos of probably the fact that I recently opened a new line of credit, I’ve been phished not once but twice in as many days.
If you’re not up on your InfoSec terminology, phishing is a fraudulent attempt to obtain confidential information. It is a cybercrime perpetrated by someone posing as an authorized entity for the purpose of luring unwary individuals into disclosing sensitive data such as usernames and passwords which the scammer can then use illicitly.
The target is typically contacted via email, telephone or text message disguised as legitimate communication. Save reporting it to the institution that was spoofed–in my case, Wells Fargo bank–there’s not a whole lot can be done about it. (Assuming you did not fall for the con, that is, in which case that is an entirely new level of misery) I’m writing about it as a public service to alert readers that phishing scams are becoming increasingly sophisticated. It’s not enough just to be aware phishing exists. In fact, in order to protect yourself, you have to dig a little deeper than obvious red flags that bludgeon you with comical errors.
At first glance, the two phishing attempts that targeted me looked absolutely legit. Even the telephone numbers checked out but then I’m quite sure the criminal counted on the fact that most people would rather use their shiny eight hundred dollars worth of smartphone technology rather than placing a tired old, antiquated phone call.
Further, there was none of the usual grammar and spelling errors which are part and parcel of a phish attempted by a criminal who does not speak English.
For example, a typical phishing expedition would have included something along the lines of:
If you havent recieve you card call us at 800-WE-GOODE.
Or some other obvious grammatical and/or spelling error.
And a less discerning person may have taken the bait simply by virtue of the fact that not only was his name included in the greeting but it was also spelled correctly rather than the generic Dear Valued Customer which is SOP for scams of this nature. You may be wondering how a scammer would know your name and that you have accounts at Wells Fargo bank but hold that thought.
Behold the Scumbaggery
Exhibit Alpha – Activate Your Card
Exhibit Bravo – Deposit Your Check with a Smartphone
Given my natural state of vigilance and suspicion combined with a heaping helping of information security as a side gig, I don’t want to say that it is impossible to scam me but, in reality, it will be quite the frosty day in Hell when I’d be dumb enough to click on a link contained within an unsolicited message especially from a high profile bank that encouraged me to activate a credit card and another link in another message to deposit a check with a smartphone. Ain’t happenin’, Jimmy. And any bank that sends such correspondence to you should be reported to the state and federal Attorneys General offices accordingly.
Returning to the question of how a scammer would know your personal details such as name and accounts, the answer is they don’t. At least, not usually, unless, of course, your identity has been compromised. But Wells Fargo has a significant presence in financial markets sufficient for scumbags to gamble (and usually guess correctly) that a satisfying portion of their target audience probably would. And even if you did not, there are those out there who may still click on the links anyway because they mistakenly believe that they have hit the FICO jackpot–
Hey, I don’t even have an account at Wells Fargo and I never applied for credit but they want to give me free money, woo hoo! Let me click on that link right now and give my social security number, username, password AND mother’s maiden name! What could possibly go wrong?
Even the return address domain seemed kosher but still smelled like unadulterated dog shit to me.
Always check the headers
A quick trace and peek into the WHOIS database yielded that connect.wellsfargoemail.com resolves back to Cheetahmail which appears to be a legitimate business entity. And presumably, the Cheetahmail domain has been spoofed/hijacked for the purpose of scamming unsuspecting consumers, but I have no way of knowing for sure. Maybe the administrative contact named below in the public record spends his free time perpetrating cybercrime?
Suffice to say, after having forwarded both phishing attempts to Wells, I have not received a response nor do I expect to mostly because the fraud department does not inspire confidence. While I was researching the connect.wellsfargoemail.com domain I found a previous thread in @Ask_WellsFargo twitter feed and its operator either could not or would not answer the question whether connect.wellsfargoemail.com even belonged to the bank. Shouldn’t an account named “Ask Wells Fargo” possess fundamental knowledge about the organization it purports to speak for on social media?
A logical person would assume that Ask Wells Fargo would at least be peripherally aware as to what domains Wells Fargo actually owns, but you’d be mistaken if you thought the official twitter feed served any other purpose than mindless, happy, shiny marketing drivel which is exactly why you have to possess a working knowledge of what are and where to find email headers. In fact, stay tuned for an upcoming tutorial on that particular subject matter. Until next time, don’t click on any links from within your email, especially for special deals and services from financial and banking entities.
Posted by Prattle On, Boyo 
Prattle On, Boyo 