Friday, August 08, 2008

Paper Phishing

So we're all used to identifying and avoiding phishing attempts via email, but what about when it happens on paper? Today I received an actual paper letter, purporting to be from one of my banks, advising me that they had contacted me some time ago and hadn't had a reply, and that due to a change in the law they needed to update the information about my extra card holder.

The letter looked genuine and included an 'Extra Cardholder Information Form' and a prepaid envelope to provide the details, and a freephone number that I could alternatively call to provide them. It went on to advise me that if I still needed my extra cardholder I must provide the information within 28 days or they would remove the extra card from my account.

So it looked genuine, except it sort of didn't. My finely tuned spider sense was tingling; if this had been an email it wouldn't even have made it past my spam filter.

Despite the fact that the letter had my account number on it, and was sent to my address, I was suspicious. So I called the fraud division of the bank in question; they had no record on my account of sending out such a letter, and the freephone number didn't, as far as they knew, belong to them. I'd just been the (almost) victim of a paper-based phishing attack.

Both of us were surprised: this is the first example of a paper-based phishing attack that I, and perhaps more worryingly the bank, had come across. If you get a letter that doesn't look quite right from your bank and is asking for personal information that, as far as you know, they should already have, call your bank on a number you know is genuine to confirm that it was actually from them.

It looks like the bad guys just raised the stakes, and we're now playing a new game entirely. It also looks likely that there has been some sort of major compromise at this specific bank; there were too many details in the letter to have come from a retail source. So this is your warning: keep your guard up...