Recently, two different banks have sent me emails telling me that they want
to send me a message in a secure manner. In both cases, the bank’s email
invites me to open an attached file in order to receive my secure message. I
checked externally; the messages seem to have come from the banks. Why can’t
they just send me the message or send an encrypted file?
As for the files I was asked to open, they were both large but different
HTML files. I did open one of them and a few days later, my periodic
Malwarebytes scan found a Trojan. I can’t say whether it came from all this,
but I haven’t had a problem before or since. I looked in all the HTML files
(four in all) in a sandbox. One had over 30 internal scripts and another had a
section that appeared to be machine language code, etc. What would you do with
such invitations? I now ask that such messages be sent by U.S. Postal Service
over land mail.
In this excerpt from Answercast #82, I look at the possibility that attachments from your bank only look like they are coming from your bank!
Bank sending messages as attachments
Well, this certainly smells suspicious. This doesn’t sound like something from your bank, but like something from someone who’s trying to make you think it’s from your bank.
In other words, this is just a phishing attempt.
Banks don’t send attachments … period. If they do, they’re doing it wrong and I’d switch to a different bank. Seriously! They don’t get security.
No sensitive information through email
What banks should be doing (and I know that my bank does this; my brokerage house does this; even PayPal does this) is not sending sensitive information in email … period.
What they do instead is send an email that says, “Hey, you need to go log into the website to read a message we have for you.”
That way, you log into the website (the website is of course https, so it is both encrypted and secure and confirmed to be the site that you think it is) and there in their messaging options will be the message that they’re trying to send to you.
Attachments can contain malware
Attachments are just wrong. As you’ve seen, an attachment will probably be full of a bunch of HTML, a bunch of scripting and who knows what else, perhaps with the intent to infect your machine with some form of malware.
So, ultimately, this was nothing more than phishing. Banks should not be sending you attachments at all simply because attachments can so easily be faked by spammers.
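For anyone who wants to look inside an attachment like the ones described above without opening it in a browser, here is an added example (not part of the original article) that parses the HTML as plain text and reports inline scripts, long encoded blobs, and where any form would send data. The `triage` function, the 200-character threshold, the list of decoder calls, and the sample markup are all assumptions made for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# A long unbroken base64-looking run usually means an embedded, encoded payload.
ENCODED_RUN = re.compile(r"[A-Za-z0-9+/=]{200,}")
# Script calls commonly used to unpack and run such a payload.
DECODERS = ("atob(", "unescape(", "eval(", "fromCharCode", "document.write(")

class AttachmentTriage(HTMLParser):
    """Collects features of an HTML attachment by parsing it, never rendering it."""
    def __init__(self):
        super().__init__()
        self.inline_scripts, self.encoded_runs = 0, 0
        self.remote_scripts, self.form_hosts = [], []
        self.decoders = set()
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "script" and attrs.get("src"):
            self.remote_scripts.append(attrs["src"])
        elif tag == "script":
            self.inline_scripts += 1
            self._in_script = True
        elif tag == "form" and attrs.get("action"):
            self.form_hosts.append(urlparse(attrs["action"]).hostname)

    def handle_endtag(self, tag):
        self._in_script = self._in_script and tag != "script"

    def handle_data(self, data):
        self.encoded_runs += len(ENCODED_RUN.findall(data))
        if self._in_script:
            self.decoders.update(d for d in DECODERS if d in data)

def triage(html_text):
    """Return a summary of what the attachment contains, for a human to review."""
    p = AttachmentTriage()
    p.feed(html_text)
    p.close()
    return {"inline_scripts": p.inline_scripts, "remote_scripts": p.remote_scripts,
            "form_hosts": p.form_hosts, "decoders": sorted(p.decoders), "encoded_runs": p.encoded_runs}

# Constructed sample, not taken from any real message.
SAMPLE = ('<html><body><form action="https://collect.example.net/in"><input name="u"></form>'
          '<script>var a = 1;</script>'
          '<script>var p = atob("' + "QUJD" * 60 + '"); document.write(p);</script>'
          '</body></html>')
```

A form host that is not the bank’s own domain, or scripts that decode a large embedded blob, are the signs to look for in the result of `triage(SAMPLE)`.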
(Transcript lightly edited for readability.)