Even as details of the fraud were emerging this weekend, phishing emails warning Bank of America customers of a security breach were inundating inboxes. “We have reasons to believe that your account was hijacked by a third party without your authorization,” the email reads, directing the reader to click a link that mimics “onlineid.bankofamerica.com” but instead sends victims to a spoofed page at a server in Korea.
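The link mismatch described above (visible text that reads like the bank's hostname while the underlying link goes somewhere else) is detectable mechanically. The following is an added example, not code from the original article: a small Python check over an email's HTML that flags anchors whose displayed domain and actual link host disagree. The sample message body and the 203.0.113.10 address are constructed placeholders.

```python
# Added example: flag anchors whose visible text shows one domain while the
# href points to a different host. Sample input is constructed for this demo.
from html.parser import HTMLParser
from urllib.parse import urlparse
import re

DOMAIN_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.IGNORECASE)

def registrable(host):
    """Crude registrable-domain reduction: keep the last two labels.
    (A real filter would consult the public-suffix list.)"""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()

class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def suspicious_links(html):
    """Return (href, text, reason) for links whose shown domain and real host disagree."""
    c = LinkCollector(); c.feed(html); c.close()
    findings = []
    for href, text in c.links:
        host = urlparse(href).hostname or ""
        shown = DOMAIN_RE.search(text)
        if not shown:
            continue  # no domain-looking text, nothing to compare against
        if registrable(host) != registrable(shown.group(1)):
            findings.append((href, text, f"text shows {shown.group(1)} but link goes to {host}"))
    return findings

# Constructed sample: first link spoofs the bank hostname, second is consistent.
SAMPLE = ('<p>We have reasons to believe that your account was hijacked.</p>'
          '<a href="http://203.0.113.10/bofa/login">onlineid.bankofamerica.com</a> '
          '<a href="https://onlineid.bankofamerica.com/">onlineid.bankofamerica.com</a>')

if __name__ == "__main__":
    for href, text, reason in suspicious_links(SAMPLE):
        print(f"SUSPICIOUS: {reason} ({href})")
```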
Notifications of compromised accounts are generally delivered via postal mail, as in the recent Lexis-Nexis security breach that exposed 310,000 customers to potential identity theft. A review of dozens of news stories about the New Jersey breach found that all of them mentioned customer notifications, but none stipulated the method of contact. Most banks have ceased sending important customer information via email because of the huge rise in phishing scams.
Most, but not all. The Internet Storm Center this week relayed an incident in which a reader received an unsolicited but legitimate email from PayPal directing him to reset his password. After confirming the request by phone, the user returned to his computer to find an almost identical phishing email in his inbox.
Bank of America carries a prominent warning about phishing emails on its account login page. “Never disclose ANY personally identifying information if requested via an unsolicited email or phone call,” the bank warned, specifically naming a list of details that should never be shared (including your mother’s maiden name, a common data point for security checks).
Not so at Wachovia, whose home page includes no reference to phishing emails, instead offering general cautions to “guard yourself against fraud and identity theft. Wachovia provides the highest levels of protection and stands ready to assist you should you become a victim.”
Officials say there is no sign that any breached data has been used in identity theft incidents, but police are still analyzing data found on a computer seized from Lambo.