Chase Bank, in email notifications delivered to customers, says to click a link if the authenticity of a given message is in question, ignoring (and training customers to ignore) one of the primary rules when it comes to avoiding Phishing attacks - don't click anything.
The notification, as seen in the image sent to Salted Hash by a reader, says:
"If you are concerned about the authenticity of this message, please click here or call the phone number on the back of your credit card. If you would like to learn more about e-mail security or want to report a suspicious e-mail, click here..."
The customer is told twice - twice - to click a link if they feel that the message isn't authentic. Moreover, if the customer isn't sure about clicking on links, the warning tells them to enter a URL in their browser directly. While it's mentioned, realistically the odds of a customer actually calling the number on the card are slim.
This is a problem.
Chase has been told about the potential risk their advice poses, but they've continued to use the same boilerplate in all of their messaging. It's supposed to be a warning, something that will help customers and give them options when it comes to reporting scams and fraud. In reality though, all the advice is doing is training customers to take direction from an email.
Earlier this week, Salted Hash reported on the FBI probe into the possibility that JPMorgan Chase suffered a data breach. However, before that incident was made public, Chase customers were targeted by a Phishing campaign that collected usernames and passwords, while delivering malware.
The campaign was discovered last week by researchers at Proofpoint. The email, which looks like an official communication from the bank, leads victims to a fake login portal that collects authentication data before delivering banking malware disguised as a Java update.
"What's notable is that this is one of the first times we've seen an attacker include exploit code on a credential phishing page. Usually we see attackers use a Traffic Distribution System (TDS) to direct traffic to either a phishing site or an exploit site, but not both," Proofpoint's blog on the attack explained.
Phishing is one of the easiest ways to gain access to a network, system, or individual. The more targeted the message, the easier it is to get a person to do something – such as click a link or enter a URL into their browser.
What Chase has done is desensitize their customers to the risks associated with clicking links within bank-related messages.
This might seem sensational, and it is to a degree. However, Phishing is a serious risk both at home and at the office. It isn't something to take lightly.
It's true. Not everyone will fall for a Phishing scam asking for a link to be clicked - as some will be suspicious no matter what.
At the same time, the people the criminals want - the targeted victim pool in this case - will think nothing of clicking links, or entering URLs into their browser. Why should they? They've seen this request hundreds of times.