I think I'm being scammed. Have you?

Associate
Joined
18 Aug 2017
Posts
35
Hi, I have received an email with the name Bank of America. I am curious about it because I had been dealing with them once. Now I am anxious about what to do with it. I read this blog on social engineering attacks and I think it's some kind of phishing. I haven't used my email on any suspicious website, not that I remember. How do they get your email?
 
Associate
Joined
1 Jul 2012
Posts
892
Delete email and move on.
Chances are they bought your details and/or you unwittingly didn’t uncheck a box saying ‘yes pass my details on to basically anyone’
 
Soldato
Joined
10 Jan 2012
Posts
3,683
Location
UK
 
Man of Honour
Joined
5 Dec 2003
Posts
20,997
Location
Just to the left of my PC
Hi, I have received an email with the name Bank of America. I am curious about it because I had been dealing with them once. Now I am anxious about what to do with it. I read this blog on social engineering attacks and I think it's some kind of phishing. I haven't used my email on any suspicious website, not that I remember. How do they get your email?

Buying it or stealing it, usually. It wouldn't be extremely surprising if they had the password needed to access your email too, given how often companies' computer systems are hacked to obtain whatever personal information can be obtained.

We live in a world where a sex toy manufacturer bugged their sex toys to record when they were used, where they were used, how long they were used for, what settings were used and the temperature of the body part they were used on, and sent all that data in a very insecure fashion over the net to the manufacturer (and anyone else who cared to look). And no, I am not making that up. It was one of the multitude of computer security failures, which are so routine that they get hardly any attention even if they are as attention-grabbing as that one. It's just not news.

It's no longer the case that you have to use your email on a suspicious website (if it ever was) because it's now considered not suspicious for a business (online or offline) to sell personal information and it's not even slightly unusual for a system containing personal information to be hacked and the information copied. If you give any personal information anywhere, online or off, it's very unlikely to be secure. It's more likely that they will sell that information than keep it secure unless they think they can profit more from keeping it to themselves (which they will probably fail to do, sooner or later).

It's still unusual for information that can directly access money (e.g. card details) to be compromised, so there's still a lot of scope for thieves to use other personal information to steal money. Posing as a bank is one way of doing so. A good rule of thumb is to assume that any email claiming to be from a bank is from a thief trying to steal money from you. Same goes for any emails that offer you an opportunity to make money, get rid of fat, get rid of wrinkles, get laid, get married...anything that anyone might want, really. Start from the assumption that it's a con.

If you want to check anything that claims to be from any organisation, obtain contact details for that organisation from another source, not the email claiming to be from them, and ask the organisation.

A quick look online shows that there's currently another spate of "Bank of America" scam emails around. It's a popular target because it's an impressive name and it has a lot of customers. If a thief sends out a huge number of emails (which is very easy to do), they're bound to reach quite a few people who actually have had dealings with Bank of America. Same goes for any major bank, of course, which is why they're often used this way. Even if only 1 in 100,000 people falls for the con, that's 10 successful thefts per million messages and that's well worth it to many thieves. Easy bulk communication and money transfer makes this sort of con far easier and thus far more common, but it even happened in the days of physical letters and cheques and postal orders in the post.

Nowadays, it's a good idea to start from the assumption that it's a con. Whatever it is. Always assume a con. If they want information, it's a con. If they want money, it's a con. If they want to sell you something, it's a con. If they want to give you something, it's still a con to set you up for taking something. The classic example of that is the 419 con, named because it originated from Nigeria where it's illegal under section 419 of their law. But always assume it's a con. However it's worded, whatever it's promising, assume it's a con. You will very rarely be wrong. If it claims to be important in a way that ignoring it would cause you problems if it was legit, check as described above.
 
Associate
OP
Joined
18 Aug 2017
Posts
35
Thanks for the detailed advice! I was confused about it so I contacted the bank through their support center. Shouldn't the businesses be held responsible for even selling the information? Are there any regulations for that?
 
Associate
Joined
28 Nov 2015
Posts
1,425
Location
Tewkesbury, UK
Hi, I have received an email with the name Bank of America. I am curious about it because I had been dealing with them once. Now I am anxious about what to do with it. I read this blog on social engineering attacks and I think it's some kind of phishing. I haven't used my email on any suspicious website, not that I remember. How do they get your email?

They just buy your details, trawl the internet for pastebins, etc.
 
Man of Honour
Joined
5 Dec 2003
Posts
20,997
Location
Just to the left of my PC
Thanks for the detailed advice! I was confused about it so I contacted the bank through their support center. Shouldn't the businesses be held responsible for even selling the information? Are there any regulations for that?

If there are, they don't work.

Information giving direct access to money is tightly controlled, although I don't know if that's regulated or internally enforced by financial institutions because it's good for them. Some personal information is controlled, though less and less as time goes on. Medical details are still mostly secure in the UK, for example, although the NHS does supply them to businesses in some cases. Most patients will have agreed to that without knowing what they're agreeing to. For example, when I recently joined a different medical practice the receptionist gave me false information about what I was agreeing to. I knew the information was false, but that's only because I care a little bit about security and privacy. Most people don't nowadays, so they just tick boxes without reading anything or at most don't check anything they're told. The receptionist told me both data sharing agreements on the form were about sharing data between doctors, which wasn't true. One was for data sharing between doctors and the other was for data sharing with whoever. Both were vague, devoid of any information and implied the data sharing was for the patient's benefit. Maybe deliberately misleading, maybe just incompetently written, maybe written by someone who didn't know what each section was agreeing to and therefore couldn't describe it accurately even if they wanted to and were allowed to.

Everything else is fair game, apparently. Email addresses, webpages you visit, your physical location when you use any computer for any reason, anything you click on, etc. Some of the biggest businesses in the world exist solely for the purpose of gathering information about you and selling it either directly or indirectly (by selling advertising). Google and Facebook are the biggest (with Microsoft going to great lengths to catch up), but it's commonplace. It's also becoming ever more all-encompassing as the fetish with data-gathering grows and becomes cheaper. So, for example, some TVs now listen to everything said within range and upload it (insecurely, of course) to...somewhere. Some washing machines monitor your use of them and upload that information (insecurely, of course), to...somewhere. Etc, etc. It goes the other way as well, of course, since security is rubbish or non-existent. So a random person within range might be able to gain access to your entire home network through your washing machine/TV/"smart" meter/kettle/alarm/etc. Or they could remote control your sex toys. Or your car. Or your baby monitoring camera. Etc, etc. None of this is conspiracy blather or even just theoretical. I'm only referring to things that have already happened and I've no doubt there are many more I haven't heard about.

There's nowhere near enough power and will to control it, so it isn't controlled in any meaningful way. A few companies get fined for being particularly careless about data security, which does nothing much.

EDIT: You'll probably see some reassurances that data traded to another business is anonymised. This is usually not very true in practice. There are a variety of ways of de-anonymising anonymous data. The simplest way around it is to buy more than one set of data and combine them. One set is missing some data, the other set is missing some other data. Correlate the two and you have all the data. If you can gather enough anonymous data and combine it, it's not anonymous any more. Other methods are more complex and less than 100% successful, but they work well enough to be used, often over 90% successful. Here's a very brief introductory summary: https://en.wikipedia.org/wiki/De-anonymization
 
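The post above describes the simplest de-anonymisation technique: buy two "anonymised" releases that each strip a different set of fields, then correlate them on what they still share. The following is an added worked example of that linkage attack, not code from the forum post or from any real data broker. Both datasets are constructed inline with hypothetical people and values: a health extract with names removed but postcode sector, birth year and sex retained, and a marketing list that carries names plus the same three fields. Wherever a combination of those quasi-identifiers is unique in both sets, the name re-attaches to the diagnosis.

```python
"""Linkage attack: re-identifying "anonymised" records by joining two releases.

Added example, not from the forum thread. Both datasets are constructed
(hypothetical people, hypothetical values); no real data is used.
"""
from collections import defaultdict

# Constructed "anonymised" release: direct identifiers (name) stripped, but
# quasi-identifiers (postcode sector, birth year, sex) retained.
HEALTH_EXTRACT = [
    {"postcode_sector": "GL20 5", "birth_year": 1978, "sex": "F", "diagnosis": "asthma"},
    {"postcode_sector": "GL20 5", "birth_year": 1983, "sex": "M", "diagnosis": "type 2 diabetes"},
    {"postcode_sector": "GL20 7", "birth_year": 1990, "sex": "M", "diagnosis": "hypertension"},
    {"postcode_sector": "GL20 7", "birth_year": 1990, "sex": "M", "diagnosis": "migraine"},
]

# Constructed marketing list: carries names plus the same quasi-identifiers.
MARKETING_LIST = [
    {"name": "A. Example", "postcode_sector": "GL20 5", "birth_year": 1978, "sex": "F"},
    {"name": "B. Example", "postcode_sector": "GL20 5", "birth_year": 1983, "sex": "M"},
    {"name": "C. Example", "postcode_sector": "GL20 7", "birth_year": 1990, "sex": "M"},
    {"name": "D. Example", "postcode_sector": "GL20 7", "birth_year": 1990, "sex": "M"},
]

# The fields both releases left in; these are the join key for the attack.
QUASI_IDS = ("postcode_sector", "birth_year", "sex")


def key(record):
    """Quasi-identifier tuple used to correlate records across datasets."""
    return tuple(record[k] for k in QUASI_IDS)


def group_by_key(records):
    """Bucket records by their quasi-identifier tuple (equivalence classes)."""
    groups = defaultdict(list)
    for r in records:
        groups[key(r)].append(r)
    return groups


def link(anonymised, identified):
    """Return ({name: diagnosis}, {key: candidates}).

    A record is re-identified with certainty when its quasi-identifier
    combination is unique in BOTH datasets. Groups that match but contain
    more than one candidate on either side are reported as ambiguous,
    with the number of people the diagnosis could belong to.
    """
    anon_groups = group_by_key(anonymised)
    ident_groups = group_by_key(identified)
    reidentified = {}
    ambiguous = {}
    for k, anon_recs in anon_groups.items():
        ident_recs = ident_groups.get(k, [])
        if not ident_recs:
            continue  # nothing in the named list shares this combination
        if len(anon_recs) == 1 and len(ident_recs) == 1:
            reidentified[ident_recs[0]["name"]] = anon_recs[0]["diagnosis"]
        else:
            ambiguous[k] = max(len(anon_recs), len(ident_recs))
    return reidentified, ambiguous


def k_anonymity(records):
    """Smallest equivalence class over the quasi-identifiers.

    k = 1 means at least one person is uniquely described by the retained
    fields, so a single matching external dataset re-identifies them.
    """
    return min(len(g) for g in group_by_key(records).values())


if __name__ == "__main__":
    found, unclear = link(HEALTH_EXTRACT, MARKETING_LIST)
    print("re-identified:", found)
    print("ambiguous groups (more than one candidate):", unclear)
    print("k-anonymity of the health extract:", k_anonymity(HEALTH_EXTRACT))
```

Two of the four "anonymous" health records come back with a name attached; the two men in GL20 7 born in 1990 survive only because they share a key, which is exactly what k-anonymity measures. Real releases have far more fields (visit dates, employer, vehicle, device identifiers), so unique combinations are the norm rather than the exception.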
Associate
Joined
17 Sep 2010
Posts
1,762
It's a scam, just like the one "You have parked in a Boots car park, you now owe us £100, or £50 if you pay within 14 days. Here is a pic of your car"
You would be surprised how many people actually fall for it too.
 