Monday, October 12, 2009

Reporting a Phishing Email

So this afternoon I open up my mailbox and oh, look ... "HSBC Bank" has sent me an email. Given that I don't have an account there, and my email client is already telling me this is phishing (well, duh?), I decided that I would give it a read just for the comedic aspect of it.

Honestly, I expected something sophisticated, well-disguised, maybe even official-looking. I was sorely disappointed:
NY 10018. USA

Ref No: HSBC/30A/IPF-09Z


We at this bank wish to congratulate and inform you that after thorough review of your unpaid funds in conjunction with the World Bank Auditors report, your payment file was forwarded to our bank for the immediate transfer of a first installment amount of US$5,000,000.00 to your bank account.

The Auditors reports shows that you have been going through hard times by paying a lot of money to see to the release of your funds, which has been delayed by some dubious officials that dealt with you in the past.

We therefore advice that you stop further communication with any other group, individuals or institutions, since you do not have to pay any money or transfer fee to receive your funds as you have met up with the whole funds transfer requirements.

Should you follow our banks directives, the first installment amount of US$5,000,000.00 will be credited and reflect in your bank account within 3 to 4 bank working days.

For further information on this funds transfer notice, kindly send to me the following:

(1) Your Full Name:
(2) Phone, Fax and Mobile Number:
(3) Company Name, Home Address:
(4) Profession, Age and Marital status:

Yours sincerely,
Mr. Williams Baron
HSBC Bank Plc, USA

The information contained in this e-mail, any attached files, and response threads are confidential and may be legally privileged. It is intended solely for the use of individual(s) or entity to which it is addressed and others authorized to receive it. If you are not the intended recipient, kindly notify the sender HSBC BANK by return mail and delete this message and any attachment(s) immediately.
What disappointed me more, though, beyond the sheer stupidity of the phisher, is how hard it was to report this to HSBC Bank and let them know about it. Why is it difficult to be a good, responsible human these days?!

I thought I'd approach this as a regular person might and not use my mad Google skills ... but rather hit HSBC's homepage first. There's really no link/button that pops out at me (the user) that says "Click here for information on security/privacy". Thinking I might just have to dig into the specific region, I clicked the link for North America ... unfortunately, not much changed.

What I did notice after looking around is that at the very, very bottom of the page, in a light gray-on-white font, there is a "Security" link. Are people really expected to see this link?! Why is something as important as security buried so far down the page, and in a color that's so low-contrast that it took me a second look to find it? Now, I don't want to question the good bank's motives here, but do they really want people finding this link and reporting security issues?

Anyway, clicking the link brings you to a page that asks you to either sign in or sign up for personal/business banking ... so it looks like all hope is lost if you're not a customer trying to be a good Samaritan and report a problem to them, right? Luckily the menu bar along the left has a nice selection of security topics to choose from, so when I clicked the Fraud link I finally found something that looked like I was headed in the right direction (here). Sadly, even though "Phishing Scams" was a big item in their FAQ, and the document gave some really insightful information about how to keep from being a victim of phishing ... I was still baffled as to how to actually report a phishing email I had received. Does HSBC care or even want to know? I started to ask myself.

Just then my eyes glanced across the page and found a phone number in bold letters ...

Of course I immediately called the phone number! ... and was promptly disappointed to find that I had to poke around the system, as this was their main call-center phone number and the only trace of reporting phishing was a message about "support for internet banking or pin reset". Going into that menu left me completely befuddled, as I found myself being asked for my account number (or SSN, yikes?) multiple times by the system in order to continue, and I almost gave up. Just when I was giving up, I kept pressing numbers in that last menu until I got a voice! The person on the phone was kind enough to direct me to an email address I should simply forward the phishing email to:

While I had now sent off the phishing email I had received, along with my contact information, I still felt unfulfilled. I was curious how this wasn't posted anywhere visible. Curiously, it was, given a little Google-fu. This page [] actually produces a link that clearly asks you to report phishing and spoofing scams to that email address, so why couldn't I find it?

Turns out, there are 2 separate things at work here. First off, in my desperate need to find someone in security to send this to, I completely omitted to look at the "Contact Us" page ... where the phishing email link lives. Second, HSBC's site is laid out a little strangely, and I would suggest that the "Report Phishing" section also be moved under a more prominent security heading.

One thing still bugs me ... how much does a major world bank really care about security if they've got the link to it buried at the bottom of the page, in an impossible-to-see contrast and font size?

Don't get me wrong, I'm not slamming or singling out HSBC here; just about every bank is like this ... I invite responses, rebuttals or commentary, as always.

... still feel good about on-line banking?


Anonymous said...

That's not a phish, it's a 419 scam, so it has nothing to do with online banking. The fraudsters are merely using the HSBC name as a convenient, well-known bank.

ekse said...

Ran into the same situation a week ago. I couldn't find a specific email to send it to on the bank's website, so after 10 minutes I gave up and used the "Report Phishing" option in GMail. Maybe they will have more luck than me (but I'm not counting on it..)