Teach a Man to Phish
Phishing — tricking people into entering their login and password on a fake site, in response to a forged email — is a problem. There are lots of reasons for this; one, though, is that people are trained to respond to phishing messages by legitimate companies that want to make life easy for their customers.
I received just such a message yesterday "from" Amtrak. It almost certainly was legitimate, because they’ve been engaging in this sort of dubious behavior for years. Let’s take a look at the message:
Steven,
CHANGES COMING TO YOUR AMTRAK.COM LOGIN
In an effort to streamline the login process and communicate more
effectively with our customers, we will be changing the way you
access your Amtrak.com account in a few weeks. Prior to this
update, we ask that you log in to verify the accuracy of the
information in your account.
From: Amtrak
To: smb
Subject: Changes Coming to Your Amtrak.com Login
Date: Wed, 13 Feb 2008 17:46:31 EST
Reply-To: amtrak.W….@amtrak.bfi0.com
The first problem is with the From: line. The human-readable name, which is all that some mailers display in the summary area, is "Amtrak". People are being told who the mesage is from — but the actual return address is at bfi0.com. Of course, that’s easy to fake. (In a sense, it’s good that the retun address isn’t something@amtrak.com, since it does show the actual origin of the message. I should add that all of the more subtle indicators in the message header were consistent with bfi0.com as the source of the message; it isn’t faked.)
The next problem, though, is that the message asks people to log in by clicking a link in the message:
Go to Amtrak.com now and update your profile
http://amtrak.bfi0.com/…..
So — we’re told that the login process will change (which is good cover for assorted mischief), but we should click on a link that doesn’t even claim to go to amtrak.com and log in with our Amtrak login and password.
I should note that I’m not in any way claiming that either Amtrak or Bigfoot Interactive (bfi0.com, bigfootinteractive.com, and epsilon.com all appear to be the same company) are in any way acting illegally or unethically. The message is almost certainly legitimate, and it doesn’t make any false claims about its origin. The problem is that the message is teaching bad habits. Neither Amtrak nor anyone else should ever send out messages asking people to click on some link and then log in.
They’re not the only ones, of course. I regularly receive very legitimate emails that ask me to click and then log in. (Shortly after I joined the faculty here, I amused myself teasing the dean about such a note sent under his login.) I wrote about a telephone analog a couple of months ago. But that doesn’t make it a good idea.
Phishing isn’t going to go away, and I don’t have much confidence that any of the much-touted authenticity markers will help, either. But legitimate companies don’t have to make it worse.
