Posted by Rob Slade on July 31, 2015.
For a while it was easy to identify phishing email messages. Banks didn’t send you unsolicited email. Period. We told people that.
A few years ago that started to break down. American Express, which has always had a very weird attitude to online security, started to send me reminders when it was time to pay my bill. And then thanked me for paying my bill. It freaked me out at first, but I finally did get confirmation that this was, legitimately, from Amex.
Recently my bank started sending me notifications that my bank card had been used in a transaction. But at least the Website warned me that this would start happening. And it is, actually, a decent security check (as long as I know about it in advance).
But every message I get from a bank I don’t have an account with is obviously phishing, right? So, when I got a message, ostensibly from CIBC, this morning, offering me a credit card, I just passed it along to the fraud centre and a couple of phishing collection sites. We haven’t had an account with CIBC for about 20 years. (We dropped it because of persistent errors and false charges on the credit card we had with them.) And I sent a copy along to the CIBC phish report address.
I expected possibly an auto-response thanking me for the report. But what I got was a little surprising:
Dear Ms. Slade,
I’m not quite sure how I feel about that. On the one hand, at least the information they have on me is inaccurate. On the other hand, the information they have on me is inaccurate.
> Thank you for bringing this e-mail to my attention.
> I can confirm that the mentioned e-mail is legitimate.
Apparently this is, really, CIBC offering me a credit card. By email. Just like the “we’ll give a card to anybody (because our interest rates are so high it doesn’t matter” guys and the flat-out fraudsters.
So how are we supposed to teach people what to look out for?