My wife gets emails from the Bank of America telling her to look at her statement online. Fair enough. However, these (legitimate) emails always contain a link to the login site. She always clicks on the link to view her statement. If I should notice what she did, I caution her that she should never click on links in such emails because it might be a phishing expedition. She usually gets upset at my suggestion that she did something wrong and she points out (quite rightly, so far) that it was indeed a communication from the bank and she was right (meaning, of course, that I was wrong). Now it is true that BofA has a two part login that includes a sitekey (a picture selected by you) and my wife claims that she always looks for this.
Now it seems to me that all bank emails should instruct you to go to the banking site via your own bookmark, or, if you don’t have one, to search on Google. By including a link, they are basically training people to be victims of phishing. I intend to write them a letter about this, but wanted to see what Dopers have to say.
My WAG is that even Googling may produce a phishing site instead, especially if you click on the sponsored links. Yes, even for sites like major banks. (My 20-something coworker Googled something about how to change your address and just blindly clicked on the first link that Google gave her; she ended up blithely giving up her info and credit card number to some non-USPS site that charged her for the privilege of what the USPS would do for cheaper online/free in person.)
Plus, I suspect most average bank customers don’t have a bookmark for their bank.
So savvy customers will be wary and go to their bookmark or carefully Google. Less-savvy customers will click the link (even if the bank has previously warned them), but because this is actually the bank’s real e-mail and site, they’ll be safe.
<tinfoil hat mode>
It’s actually a false-flag operation by undercover operatives of the spammers, training people to be good phishing targets.
</tinfoil hat mode>
The link is a convenience for the BOA customers. They have already instituted the security protocol that you mention in your OP of a sitekey image. I’m pretty sure that whoever gets your letter at BOA is going to dismiss it.
I would however recommend that you provide your wife with the following LINK.
But… put yourself in the bank’s position. You need to communicate with your customers. They expect email. If you don’t include a link they’re likely to use Google, as FH says. What else do you do?
I don’t work for a bank, but I do work on a web site that sends emails to customers. We’ve experimented with removing links from most emails for precisely this reason, and it was basically a disaster. Without a link people couldn’t figure out how to log in, so their accounts would lapse, or they’d blindly reply in email (sometimes sending credit card numbers or other sensitive info in the clear).
No. I didn’t request a password reset. So I get a random e-mail that says I did, and just click here to sort it all out (by giving them my “old” passcode). Oh and it came through on a Saturday night and the link is set to expire at 7AM on Sunday? Yeah, there’s no way this thing is legit.
I contact Hulu. They tell me it’s their e-mail. What the hell Hulu? I’m still not clicking on your link.
Totally normal. Almost every website has a system for recovering a forgotten password. They work by sending a confirmation link exactly like that one to the email address registered to the account. That way if someone else attempts to reset your password, they can’t because they can’t read your email.
If someone happens to know your email address and requests a password reset, that’s exactly what you’ll see. Maybe it was someone with a similar address to yours who made a typo. Maybe it’s someone trying to get into your account. As the email says, if it wasn’t you then just ignore it.
Either way, posting the link in public is not a good idea.
These institutions have to balance between your concerns about phishing and the actual utility of the email. As tellyworth mentioned, if they neglect to include the link in the email, their userbase will howl and scream about how incompetent BOA is for not providing a convenient means to get to their website. The average user does not know how to google for the legitimate, official site of any given company. So BOA has made the decision to include the links and that’s pretty much what everyone else does, too. Think about it, what organizations do you deal with that make it a point not to include any links to their websites in email communications with you? I’ll bet almost no one.
Again as tellyworth said, this is a very common method of password recovery. Many, many legitimate sites do it this way.
I got an e-mail from Canadian Tire Financial Services the other day. There was this paragraph in the small print (loosely translated into English by yours truly):
Phishing protection: To help you protect yourself against fraud, Canadian Tire Financial Services Ltd. and Canadian Tire Bank never send e-mails containing links to sites where you would be asked to enter personal information. If we need personal information about you, we will ask you to type an address into your browser. Our addresses always start with ctfs.com. To manage your account online, visit ctfs.com.
I started to write back to them, to point out the flaw, but then I figured they wouldn’t understand the problem and gave up.
Enderw24, I left the link intact, but put it in a spoiler box with a note for the unwary. As a general rule, please deliberately break links that may be harmful or unsafe to avoid accidents.
I can answer this. It’s because banks want to make things easy for their customers. By clicking on a link the customer isn’t just brought to the main page. They are probably brought specifically to a page that helps them with whatever they were doing. Say a “forgot password” page or something.
They can put keys in the link in the email that allow users to have information included in the link which can help to identify them. So not as many security questions need to be asked.
Also, it’s better to put a link in an email which brings the user to a secure site that has password protection than it is to just send an attachment. You’ll notice basically nobody does this anymore.
Sure, going to Google for the site is less likely to land on a phishing site. However, if you take that approach, all the customers should just call every time and not use the internet at all.
That of course is what the bank is trying to avoid. Having users self serve on the net saves them money in operational costs.
Those things don’t really provide any security at all against a man in the middle attack. All the attacker has to do is feed the user name you give them to the real website, then show you the sitekey.
They do this because few people really care about security, and because many people just couldn’t find their bank’s website without a link.
The credit card people are training people to be phished over the phone as well. When they call me about some fraud thing, they then start asking me questions about my account. They always seem surprised when I tell them that I’m not going to give my account information to some random person on the phone. I’m going to call the number on the back of my card and ask to speak to the fraud dept. Which is what they should tell me to do when they call. And they should do it so often that people get used to the idea that you can’t trust that someone who calls or emails you is who they say they are.
Not to badger this, but this really does make perfect sense. If I send a password reset request, I expect the reset e-mail to come right away, and any password reset link to expire shortly thereafter, so it is good and reasonable that an e-mail generated Saturday night would include a reset link set to terminate several hours later.
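The reset-link mechanism described above (a confirmation link mailed to the registered address, useless to anyone who merely knows the address, and expiring a few hours after it is issued) is easy to get wrong on the server side. The following is an added illustration, not code from any poster or from Hulu or any bank, of the defensive properties such a link should have: the token is unguessable, the server stores only its hash, it expires, and it can be redeemed once. The function names, the eight-hour lifetime, and the `example.invalid` addresses are assumptions chosen for the example.

```python
import hashlib
import secrets
import time
from urllib.parse import parse_qs, urlparse

# Assumed lifetime; the thread only says the link expired "several hours later".
RESET_TTL_SECONDS = 8 * 3600

# Constructed in-memory stand-in for a database table of pending resets.
# Keyed by the SHA-256 of the token, so a leaked table yields no usable links.
_pending = {}  # token_hash -> {"email": str, "expires": float, "used": bool}


def issue_reset_link(email, now=None, base_url="https://example.invalid/reset"):
    """Create a single-use, time-limited reset token and return the link to e-mail.

    The raw token exists only in the mailed link; whoever can read that mailbox
    can use it, which is exactly the property the thread describes. Anyone who
    merely knows the address triggers a mail they cannot read.
    """
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)  # 256 random bits, not guessable
    token_hash = hashlib.sha256(token.encode()).hexdigest()
    _pending[token_hash] = {
        "email": email,
        "expires": now + RESET_TTL_SECONDS,
        "used": False,
    }
    return f"{base_url}?token={token}"


def token_from_link(link):
    """Pull the token back out of a link, as the reset page would on arrival."""
    return parse_qs(urlparse(link).query)["token"][0]


def redeem_reset_token(token, now=None):
    """Return the e-mail the token was issued for, or None if it is unknown,
    expired, or already used. Expired and used records are discarded."""
    now = time.time() if now is None else now
    token_hash = hashlib.sha256(token.encode()).hexdigest()
    record = _pending.get(token_hash)
    if record is None:
        return None
    if record["used"] or now > record["expires"]:
        _pending.pop(token_hash, None)
        return None
    record["used"] = True  # a second click on the same link must fail
    return record["email"]


if __name__ == "__main__":
    link = issue_reset_link("alice@example.invalid")
    print("mailed link:", link)
    print("first redemption:", redeem_reset_token(token_from_link(link)))
    print("second redemption:", redeem_reset_token(token_from_link(link)))
```

The short expiry that looked suspicious in the thread is the point: a reset link that stays valid for days is a standing credential in an inbox, whereas one that dies within hours and on first use limits what a later mailbox compromise can do with it.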
You are right. Some banks just don’t have a clue what the Internet is or how to use it safely.
Bank emails tend to include something that only they should know, like your full name. I don’t find that sufficient, but it’s a start.
Some time ago, I got some obvious phishing emails supposedly from my bank touting brave new features on their website. Problem was, it wasn’t from a bank address or anything remotely like it.
Apparently the bank had hired out some publicity to a PR firm. It was legitimate. But it looked so suspicious that I originally called the bank’s security department to alert them. Telling me “Oh, that’s OK, you can click on it” is not a safe way to do business, and I told them so. I haven’t received any more ads from that source, but for all I know, they just might have taken my name off the list rather than revising policies.