Helping people with computers... one answer at a time.
A bank sending messages as attachments doesn't understand security. This sounds like phishing.
Recently, two different banks have sent me emails telling me that they want to send me a message in a secure manner. In both cases, the bank's email invites me to open an attached file in order to receive my secure message. I checked externally; the messages seem to have come from the banks. Why can't they just send me the message or send an encrypted file?
As for the files, I was asked to open, they were both large but different HTML files. I did open one of them and a few days later, my periodic Malwarebytes scan found a Trojan. I can't say whether if it came from all this, but I haven't I had a problem before or since. I looked in all the HTML files (four in all) in a sandbox. One had over 30 internal scripts and another had a section that appeared to be machine language code, etc. What would you do with such invitations? I now ask that such messages be sent by U.S. Postal Service over land mail.
In this excerpt from Answercast #82, I look at the possibility that attachments from your bank only look like they are coming from your bank!
Well, this certainly smells suspicious. This sounds not like something from your bank, but something from someone who's trying to make you think it's from your bank.
In other words, this is just a phishing attempt.
Banks don't send attachments ... period. If they do, they're doing it wrong and I'd switch to a different bank. Seriously! They don't get security.
What banks should be doing (and I know that my bank does this; my brokerage house does this, even PayPal does this) is they don't send sensitive information in email ... period.
What they do instead is send an email that says, "Hey, you need to go log into the website to read a message we have for you."
That way, you log into the website (the website is of course https, so it is both encrypted and secure and confirmed to be the site that you think it is) and there in their messaging options will be the message that they're trying to send to you.
Attachments are just wrong. As you've seen, an attachment will probably be full of a bunch of HTML, a bunch of scripting and who knows what else, perhaps with the intent to infect your machine with some form of malware.
So, ultimately, this was nothing more than phishing. Banks should not be sending you attachments at all simply because attachments can so easily be faked by spammers.
(Transcript lightly edited for readability.)
Next from Answercast 82 - How do I change the default settings for my printer?
Comments on this entry are closed.
If you have a question, start by using the search box up at the top of the page - there's a very good chance that your question has already been answered on Ask Leo!.
If you don't find your answer, head out to http://askleo.com/ask to ask your question.