How I Almost Got Duped by a Spammer

As an email marketing guy, I tend to receive more email than the average consumer. I subscribe to a variety of email newsletters so that I can see the opt-in process, check out the welcome email (assuming they send one), and evaluate/critique all future emails.

If you are responsible for email marketing at your organization, I highly recommend doing this as well. It will give you ideas for subject lines, copy and creative, social connecting and sharing options, and so on.

Because I receive so much email, some legitimate email lands in my Gmail spam folder. I blogged about some of the changes Gmail made recently and shared why I think Gmail spam may be hurting your email marketing program.

Today, I found an email from Bank of America in my Gmail spam folder. See below.

Just looking at this email as shown above, what do you think: is it spam?

Now let me share a bit more information with you. See if this changes your original answer.

The From Name was “Bank of America Alerts” and the Subject Line read, “Bank of America – Irregular Activity ..” While neither was terrible, it still set off my “Spam Radar.” I would have expected the From Name to be simply “Bank of America.” Also, the Subject Line just seemed spammy. Then I reminded myself that just because a Subject Line sounds spammy, it may not be spam – sometimes email marketers intentionally break the “rules.”

However, as I continued to scroll down through the email, there were other red flags that confirmed this email was indeed spam. Check out the short screencast I did below to see what those red flags were. They almost got me! Also in this screencast, I share with you some tricks to determine whether an email is spam or legit.


Have you ever been duped by a spammer? I’d love to see the email that you thought was legit. Please share below!

Cheers.
DJ Waldow

———-

Did you know … Jason Falls and I just wrote a new book about breaking the rules of email marketing! In the book, we dedicate an entire chapter to “The Ideal Subject Line.” In The Rebel’s Guide to Email Marketing: Grow Your List, Break the Rules, and Win, we share with you all sorts of email marketing “best practices” individuals and companies are breaking each and every day … and still finding success.

PRE-ORDER YOUR COPY NOW!

24 comments
margaret14

So not only is your data at risk with you falling for these emails, but it can be at risk with any bank employee that decides to give out too much info.

RaulColon

@margaret14 Yes, in the many years working in and with the banking industry, that is where most big issues happen. Convincing an employee to give up his access is a bigger prize than targeting a customer. It comes down to risk and return. One employee can give you access to hundreds and thousands of accounts. One person can only give you access to one.

Strangely enough, most of these employees feel the risk is on the consumer's side, and more often than not they skip procedures, opening a huge gap for someone to exploit the vulnerabilities in the system!

chelpixie

I love you but never, ever, ever click a link in email from a bank.

I always open a new tab and type in the domain name.

- Chel the Cautious

djwaldow (moderator)

@chelpixie Yup. I know. Just warning others and showing how an email like this one could be seen as legit.

cloverdew

@djwaldow Wow! That was one tricksy e-mail. Glad you're so smart!

RaulColon

Great to find this via SuzanneVara. I worked in the banking industry on the IT Security side.

The worst part is that consumers fall into these scams, but even worse, doing assessments for many of our clients, the same bank employees also fall for these scams via email. So not only is your data at risk with you falling for these emails, but it can be at risk with any bank employee that decides to give out too much info.

I would also emphasize not clicking any links even when you are completely sure your bank sent you an email.

To prevent phishing, I don't know of a banking institution that sends emails requesting you to log in.

So if you get an email of this nature, always forward it to your bank's management and have them escalate it to their Information Security Team.

Great post! Will be sharing!

SuzanneVara

DJ,

Great post. I am always wary when I get these types of emails. I am one that is very skeptical, so I go to the site directly (especially if it is my BofA accounts) and see if they have alerts. If not and my accounts look OK, I have to be honest, I ignore the email and check back on the site directly for irregular activity. I was defrauded on my bank acct from my ATM card, so I am very cautious when it comes to anything that has to do with this kind of stuff.

The comments here are great, as while typos happen, there is also the compliance dept that BofA has that would review the email before it went out (or so I would hope), so that is a big red flag.

My biggest concern here is how easily people who are not as savvy in scams and spammers would believe this email. I guess this is why spammers exist. I guess there is still a lot of work to be done on educating people on spammers/scams and what to look for.

Thanks for sharing your experience DJ.

djwaldow (moderator)

@SuzanneVara Thanks for your comments (and Tweet!).

"I guess this is why spammers exist." <---BINGO.

EmailKarma

Another tip - banks/PayPal etc. don't typically ask you to "Sign in" directly from an email either.

In the header you also see that domain authentication failed: "BOA.com does not designate ##.##.##.## as a permitted sender".

A much easier, less technical method of verifying the message's intentions is to hover over the call-to-action links and review the domain names closely at the bottom of your browser (most show up in the bottom left of the screen). Be wary of this though, as some spam will have real links in footers and headers but the call-to-action link is changed to a phishing page.

Bank of America also makes it really hard for users to tell if their messages are truly valid, owning a few hundred domains... see Phish or Fair from John Levine - http://jl.ly/Internet/porf.html.

djwaldow (moderator)

@EmailKarma Good call on the "sign in" stuff. However, I wonder if the average consumer knows this. My bet? Nope.

As far as the header, another good call. I was going to call that out too (but forgot!).

And yeah, hovering over links is also a great way. Again, just not sure the average consumer would know about this.

Hmmm ... sounds like a GREAT guest post. Matt? You in?

AdamBritten

@EmailKarma That's my trick to get around these - I never click anything inviting me to sign in, I just go into the website from its homepage. Then, if anything appears odd on my account, I deal with it internally. (Hovering over usually reveals some phishy behavior, as you mentioned as well.)

djwaldow (moderator)

Thanks for weighing in, @AdamBritten. As I asked @EmailKarma, I wonder if the average consumer has the same behavior as you.

JimmyVinicky

It also read "Do to unusual number of invalid log in attempts on 'you' account" instead of "your account". Since this is supposed to be a form from BofA, it would be highly unlikely that there would be a grammatical error.

djwaldow (moderator)

@JimmyVinicky Good catch. However, I would not say *highly* unlikely, as typos do happen.

djwaldow

@QueenofBrandon Thanks Irma!

justinromack

@djwaldow Man, I always double-take when I get email from a bank. Spammers are getting slick enough to evoke the second glance.

djwaldow

@justinromack Very very true.

JoeManna (1 Like)

Another thing, most legitimate senders have your name and include that in their messages. However, with the trend of spear phishing, data compromises and sophistication in phishing techniques, this isn't the most reliable way to determine if a sender is legit.

JoeManna

I always check the headers of seemingly-legit bank or other emails. Usually it's obvious they are not mailing from a legit bank's email server or they fail SPF. Big red flags for me.

Regardless, whether an email from a bank is legit or not, I *never* click the links. I would rather go to the bank's website, sign in and verify the status of my account. This falls under the rule of thumb, "trust but verify."
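The two checks EmailKarma and JoeManna describe above, an SPF failure in the headers and a call-to-action link whose domain does not match the bank's, written as a small script. This is an added example, not code from the post or from any of the commenters; the sample message, the address 203.0.113.5 and the BRAND_DOMAINS set are constructed for illustration.

```python
import re
from email import message_from_string
from urllib.parse import urlparse

# Constructed sample message (not the one from the post): an SPF failure in the
# header plus a "Sign in" link that points off-brand while the footer link is real.
SAMPLE = """\
From: "Bank of America Alerts" <alerts@boa.com>
Subject: Bank of America - Irregular Activity
Received-SPF: fail (boa.com does not designate 203.0.113.5 as a permitted sender)
Content-Type: text/html

<html><body><p>Due to an unusual number of invalid login attempts on your
account, please <a href="http://boa.com.secure-alerts.example.net/signin">Sign in</a>
now.</p><p><a href="https://www.bankofamerica.com/privacy">Privacy</a></p></body></html>
"""

# Domains the brand is assumed (for this example only) to send from and link to.
BRAND_DOMAINS = {"bankofamerica.com", "boa.com"}

# Simple anchor extractor: good enough for a plain HTML body like the sample.
_ANCHOR = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)


def spf_result(raw):
    """SPF verdict from the Received-SPF header (pass/fail/softfail/...), or 'none'."""
    value = message_from_string(raw).get("Received-SPF", "")
    return value.split()[0].lower() if value else "none"


def links(raw):
    """(anchor text, hostname) pairs for every <a href> in the HTML body."""
    msg = message_from_string(raw)
    body = msg.get_payload(decode=True).decode(msg.get_content_charset() or "utf-8", "replace")
    return [(re.sub(r"<[^>]+>", "", text).strip(), (urlparse(href).hostname or "").lower())
            for href, text in _ANCHOR.findall(body)]


def off_brand_links(raw, brand_domains=BRAND_DOMAINS):
    """Links whose host is neither a brand domain nor a subdomain of one."""
    # Suffix matching is what catches look-alikes such as boa.com.secure-alerts.example.net,
    # which merely *starts* with the brand name.
    return [(text, host) for text, host in links(raw)
            if not any(host == d or host.endswith("." + d) for d in brand_domains)]


def is_suspicious(raw):
    """Flag the message if SPF did not pass or any link leaves the brand's domains."""
    return spf_result(raw) != "pass" or bool(off_brand_links(raw))
```

On the sample, `spf_result` returns "fail" and `off_brand_links` returns only the "Sign in" link, while the footer "Privacy" link passes, which is exactly the footer-real, call-to-action-fake pattern EmailKarma warns about.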

djwaldow (moderator)

@JoeManna Totally with you on that. However, I'm pretty sure you are in the VERY minority. You are an email guy!

djwaldow

@PRcom Appreciate that. Thanks. Hope it was helpful to others!

SoniaSimone (1 Like)

I've gotten into the habit of just going to my bank's website if I get a message like this. PayPal and I did a dance for months because they kept sending a spammy looking mail that was actually legit. 

djwaldow (moderator)

Hey @SoniaSimone. Thanks for your comment. I should have added that advice to the blog post. EXCELLENT point. I'm always wary of clicking on *any* links from a bank email. It has to really suck for the legit bank emails though, right? I wonder how they deal with that.

Even as someone who sees this stuff all the time, I was nearly duped. Hopefully this post (& screencast) helps some folks identify what possible "this is SPAM" signs are.

Thanks again for weighing in.