Scam (?) hiding in Fido email

Another tool to use to help you figure out if an email is legit is to look at the raw email with all the headers. Most mail apps or webmail services will let you do this. The "From" field can be faked and you will need to look at the routing information. The email spec is from a simpler, less complicated, more trusting time in the internet's history.

Here's a simple introduction on how to do this.
https://www.arclab.com/en/kb/email/how-to-read-and-analyze-the-email-header-fields-spf-dkim.html
Why go through this technical song and dance and analysis instead of simply going directly to your account and signing on normally? If there is something requiring your attention, it will be there.

Misanalyze that header, and you are in trouble. Extra work, and still some risk. Keep It Simple Stanley - just go direct to the account!

-ERD50
 
What about emails containing links to legitimate surveys asking for feedback from an actual in-person visit or a phone call to a financial institution? The emails include the day and, if in-person, the location of my visit, so they are legit. And they never ask for any personal info. Yes, I can always ignore the emails and decline to participate in the surveys.


Have any of you received fake emails asking you to participate in surveys?
 
Are you using 2 party authentication with your BOA accounts? If not I would advise you to do so going forward. It's annoying but a good level of added security.

Yes, I meant to mention this. I am using 2 party authentication. So in addition to having already input my id and password, BoA sends me an email with a code number I input before the account page covered by this popover appears.
 
...The displayed arclab link was identical to the embedded link. It didn't contain mush else than a path to a web page. So I risked all.


Ha! Caught you!! I remember we're supposed to looked for misspelled words as an indicator of fraud!!!:)

note: highlight by redduck
 
After reading all the posts so far in this thread, there's no way I'd click on the above link.

It's just the first decent description I found doing a Google search that tells how to examine the headers. I started to type out how to do that and I realized it was going to take me far longer to do a good job than it would take to find a link.

Yeah, I would still recommend logging into any financial or other important sites directly in most cases and doing the operations directly that way rather than clicking on a link through an email. Examining the headers is just another tool to help you know whether an email is legitimate.

However, it can depend and sometimes it can be better to use the link in an email. Just a recent example, you are traveling and get an email from a credit card provider that you have. They say that they want to verify a purchase and give the purchase details - merchant, date, and amount. They have two links in the email: Yes or No. Do you click one or do you log on to the site? It's highly likely that the email is legitimate since the sender knows two separate facts about you that nobody else is likely to know - your email address and your purchase details. Everybody else at most knows one of them. Clicking one of those links doesn't take you to a login page but instead to a custom URL that was created just for this email and click that lets the credit card provider know your answer. If instead you log in to your credit card site, that carries risk too while you are on vacation and roaming far from home - from the web cafe to the public WiFi that you use while on vacation.
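The header examination recommended in this thread, as an added example that is not part of any forum post: a Python sketch that compares the visible "From" domain with the envelope sender, the receiving server's SPF/DKIM/DMARC verdicts and the Received chain. The message, domains and IP address are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: the visible From claims one domain while the
# envelope sender and DKIM signature belong to another.
SAMPLE = """\
Return-Path: <bounce@bulk-sender.example>
Received: from mx.recipient.example by inbox.recipient.example; Tue, 2 Jan 2024 10:00:05 +0000
Received: from out7.bulk-sender.example (out7.bulk-sender.example [203.0.113.7]) by mx.recipient.example; Tue, 2 Jan 2024 10:00:03 +0000
Authentication-Results: mx.recipient.example; spf=pass smtp.mailfrom=bulk-sender.example; dkim=pass header.d=bulk-sender.example; dmarc=fail header.from=bank.example
From: "Your Bank" <alerts@bank.example>
Reply-To: helpdesk@bulk-sender.example
Subject: Document ready for signature

Please review the attached document.
"""

def domain_of(header_value):
    """Lower-cased domain of the address in a header, or '' if none."""
    addr = parseaddr(header_value or "")[1]
    return addr.rpartition("@")[2].lower()

def analyze_headers(raw):
    msg = message_from_string(raw)
    from_dom = domain_of(msg["From"])
    # Trust this header only when your own mail provider stamped it;
    # anything further down the message can be written by the sender.
    auth = dict(re.findall(r"\b(spf|dkim|dmarc)=(\w+)",
                           msg.get("Authentication-Results", "")))
    # Each server prepends its Received line, so reverse for oldest first.
    hops = [m.group(1) for r in reversed(msg.get_all("Received", []))
            if (m := re.search(r"from\s+(\S+)", r))]
    findings = []
    for name in ("Return-Path", "Reply-To"):
        dom = domain_of(msg[name])
        if dom and dom != from_dom:
            findings.append(f"{name} domain {dom} differs from From domain {from_dom}")
    for check in ("spf", "dkim", "dmarc"):
        if auth.get(check) != "pass":
            findings.append(f"{check} result is {auth.get(check, 'missing')}")
    return {"from_domain": from_dom, "auth": auth, "hops": hops, "findings": findings}

if __name__ == "__main__":
    report = analyze_headers(SAMPLE)
    print(report["from_domain"], report["auth"], report["hops"])
    for line in report["findings"]:
        print("-", line)
```

In the sample, SPF and DKIM both pass for the sending service's own domain, yet DMARC fails because neither result aligns with the domain shown in "From", which is the mismatch a reader of raw headers is looking for.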
 
They used to have phone numbers on the credit cards. One might call?

You're on vacation in France/Japan/Botswana and the phone call will be whatever your roaming fee is. Could be $20 especially if you are on hold.

I feel pretty safe clicking one of those yes or no links. There is no login involved when you do so - just a custom URL that the provider built for this one purpose. You can also set it up so that you get a text and all you need to do is send a reply of 1 for yes or 2 for no. It doesn't seem that you've given up anything secure.
 
We used a Verizon option to add countries to our range. Cost $20, I think. There was some limit, in minutes, but we did not go over. It was useful when wandering streets of Vienna, and we were trying to contact our Euro friends. Included text messages, so very useful.
 
Trying to remember the last time I got a phishing email like any of those mentioned in this thread, and I honestly have to say I think it's been a very long time. I believe this might be due to the extremely smart spam/malware filters within Gmail. I'd be curious to know if any of the phishing emails mentioned (including the OP's) were delivered into your Gmail inbox. In my experience, Google has been virtually perfect in keeping phishing and malware emails from showing up in my inbox over the past few years.
 
What about emails containing links to legitimate surveys asking for feedback from an actual in-person visit or a phone call to a financial institution? The emails include the day and, if in-person, the location of my visit, so they are legit. And they never ask for any personal info. Yes, I can always ignore the emails and decline to participate in the surveys.

Have any of you received fake emails asking you to participate in surveys?

I don't do any of those surveys.
Because if you go to a web site, they can download a virus/trojan to your computer even if you don't do the survey.

I'll do a survey on a cash register receipt.
 
Yes, I meant to mention this. I am using 2 party authentication. So in addition to having already input my id and password, BoA sends me an email with a code number I input before the account page covered by this popover appears.
I would notify Bank of America immediately if you are in doubt.
 
I have never gotten a Docusign document from Fidelity. I didn't even know they used Docusign. Do they?

Regardless, the only reason to get a Docusign notification is because you initiated some major account action somewhere else.

Please forward your email showing the full headers to Fidelity fraud department. They probably have an address fraud@fidelity.com.

We did send the questionable email to Fidelity but rep asked it be sent to phishing@fidelity.com. Probably same group but focus on email phishing.
I think Fido does use DocuSign software but they own the software (like any other major player) so it is embedded in their docs. Likewise, I have also never received a message for a DocuSign doc from Fidelity. (I have gotten them from occasional users of DocuSign who don't own the full DocuSign software.) Fortunately, when DW opened her emails and asked me why we were signing new docs again for Fido, the red flags went up.
 
OK - good to know that specific email address to report to Fidelity.
 

+1
note to redduck: wait for a translator to interpret the quote above. I do recall seeing this type of communication in the movie, "Arrival."

I have responded with "+1" in an attempt to buy time as I don't want Sunset to feel that I am ignoring him, becoming angry and then destroying the planet.
I also thought that displaying these photos (I figure they are universal objects of pleasure) would indicate an attempt to show hospitality--and what our planet has to offer.

See following photo in post below in a further offer of hospitality and good will.
 
Yet another universal object of pleasure that our planet has to offer.

 
I'm still wondering what I should do after something happened a couple of hours ago. I logged into Bank of America. Bank of America has this very irritating habit of generating a popover right after login. These are usually just promotions.

Today I logged into BoA and the popup said they were required to verify social security numbers. There was a grey box that, presumably, if you clicked on it, your social security number would appear and you could verify it. Beneath this box was a statement to the effect that BoA had greyed out the number to preserve my security. (How absolutely weird is that.) I didn't click on the box but rather chose the option that it was correct without looking at it.

BoA wouldn't let me close the popover without looking at my SS number but rather let me choose another option for finishing this later. As a sanity check I logged out and back in and the popover appeared again.

Everything in the bank account looks legit. It's https, the address box has the VeriSign approval and Trusteer Rapport which BoA issues says the connection is legit and is not supposed to allow a "man in the middle" of the connection. No alarms from Norton or Malwarebytes but they might not be able to detect this type of thing.

On the other hand, I don't really believe a bank would require you to expose your SS number online when they, themselves, do not think this is a good thing to do.

Very strange.


I am pretty sure it is legit since the verification page is spawned off from the main BOA page. BTW I got the same thing and I kept on ignoring it saying I would do it later, but I had to update it when I got a new debit card and I had to activate it. I think I needed to verify other info like citizenship and place of residence too. When I said I was a resident of Canada, it told me to go to a BOA branch to make the change (there are no BOA branches here though. They will have to wait until I am in the U.S....)


 
Thanks, that is reassuring. I decided to do just that. I have a local branch so I am monitoring the account over the weekend and going to the branch on Monday to resolve the SS number issue. I have a joint account and both my husband and I have a login account. His isn't asking for SS number verification.

Thanks! I'm doing just what you suggest.
 