As soon as I got the e-mail from BMO Financial Group, I knew it couldn’t really be from BMO Financial Group.
First of all, although I have accounts with that particular financial institution, and even do a lot of online banking there, I am certain they would not use e-mail as their primary channel for contacting me. To that extent, the message was no big deal. A phishing scheme is a phishing scheme. What intrigued me, however, was the approach the phishers took in trying to reel me in – using enterprise IT infrastructure as a means to distract and, ultimately, to deceive.
“Bank of Montreal is pleased to notify our online banking customers that we have successfully upgraded to a more secure and encrypted SSL servers to serve our esteemed customers for a better and more efficient banking services in the year 2008,” the message read. “Due to this recent upgrade you are requested to upgrade your account information by following the reference below, using our new secure and safe SSL servers.”
Okay, so there’s a bit of bad grammar there, and the technology terms are repeated just a little too frequently, but how closely do most of us read these things anyway? That the phishers would refer to SSL servers at all says a lot about how cyber-criminals see the world. I don’t know if some of my friends (and certainly few in my family) would know what a server is, let alone one that has been secured through SSL. When you see it pitched this way, however, you could easily imagine a novice user translating SSL to mean something highly protective of their information. Jargon is as much a weapon here as the use of a well-known company and its logo.
The social engineering behind this kind of effort should offer a warning to IT managers who are trying to educate their coworkers about the dangers of clicking on inappropriate URLs. Users are trying, albeit sometimes grudgingly, to understand the technological underpinnings of the enterprise. There are bound to be a few of them who have heard the term SSL bandied about, particularly if they took part in any project that had some data-security component. Emboldened by this little bit of knowledge, they might therefore be more susceptible to messages that incorporate IT jargon. A lot of them won’t be, but it only takes one to cause a problem.
Time for some homework: what security-related terminology is running through your enterprise, and how might it be co-opted by the phishing schemers to sound more credible to users? The trick to protecting personal and corporate information may not be watching for e-mail riddled with spelling mistakes, poor usage or other ambiguities. The most dangerous messages may end up being those that sound like they could have come straight from the IT manager.
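The column's point is that a spelling-or-grammar filter is the wrong test: the dangerous message is the one that reads like an IT notice and still asks you to re-enter account details via a link. As an added illustration (not part of the original column, and not any bank's or vendor's tooling), the scorer below treats jargon as a suspicion booster rather than a credibility signal, and only fires when it is combined with brand impersonation, an account "update" request and a link. Both sample messages are constructed for the example; the brand, jargon and action lists are assumptions to be tuned per organization.

```python
import re

# Constructed sample messages for the example (not real mail). The first mirrors
# the column's jargon-heavy phish; the second is a legitimate-looking IT notice.
PHISH = (
    "Bank of Montreal is pleased to notify our online banking customers that we "
    "have successfully upgraded to a more secure and encrypted SSL servers. Due to "
    "this recent upgrade you are requested to upgrade your account information by "
    "following the reference below, using our new secure and safe SSL servers. "
    "https://bmo-secure-ssl-update.example/verify"
)
BENIGN = (
    "Hi all, the SSL certificates on the staging servers were renewed this morning "
    "by the infrastructure team. No action is required on your side."
)

# Assumed word lists; an enterprise would seed these from its own vocabulary.
JARGON = ("ssl", "tls", "encrypted", "secure", "server", "certificate", "upgrade")
BRANDS = ("bank of montreal", "bmo")
# Phrases that ask the reader to re-enter or "upgrade" account data via a link.
ACTION_PATTERNS = (
    r"\b(update|upgrade|verify|confirm|re-?enter)\b.{0,40}\baccount\b",
    r"\b(follow|click)(ing)?\b.{0,25}\b(link|reference|url)\b",
)
URL_PATTERN = r"https?://\S+"


def score_message(text: str) -> dict:
    """Return the individual signals plus a score and verdict for one message body."""
    low = text.lower()
    jargon_hits = sum(low.count(term) for term in JARGON)
    words = max(len(low.split()), 1)
    signals = {
        "brand": any(b in low for b in BRANDS),
        "action": any(re.search(p, low) for p in ACTION_PATTERNS),
        "url": re.search(URL_PATTERN, text) is not None,
        "jargon_per_100_words": round(100 * jargon_hits / words, 1),
    }
    # Brand impersonation + credential "update" request + link is the core
    # pattern; heavy jargon raises the score instead of lowering suspicion.
    score = 3 * signals["brand"] + 3 * signals["action"] + 2 * signals["url"]
    score += 2 if signals["jargon_per_100_words"] >= 5 else 0
    signals["score"] = score
    signals["suspicious"] = score >= 6
    return signals


if __name__ == "__main__":
    for label, body in (("phish", PHISH), ("benign", BENIGN)):
        print(label, score_message(body))
```

The benign notice scores higher on jargon density than many phishes would, yet stays below the threshold because it impersonates no brand, asks for nothing and carries no link.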