This just landed in my inbox: more proof, if it were needed, that banks are dumber than a sack of nails when it comes to security. Or they just don’t care:
The email comes ostensibly from HSBC’s Singapore office. But it’s actually mailed by 8rewardsroad.com, a Singapore-based marketing company with a somewhat dodgy website. (As in the pages don’t seem to load without Flash and some pretty awful stuff.) They claim among their clients HSBC and OCBC, another Singapore bank. In other words, no easy way to tell whether the email is really from the bank or not.
The email itself offers up to $S400 per customer, though reading the fine print you, and the person you’re referring, have got to jump through a lot of hoops first.
But that’s not the beef. The beef is that this could so easily be a phishing scam. And even though it’s not, the fact that a bank is sending these emails out contradicts its claims that it won’t communicate by email with customers except to send them notifications of e-statements and other obvious forms of communication. Getting emails like this just lowers customers’ guard. And the tempting element, with the red Refer now button prominently displayed twice on the email, doesn’t help matters.
Worse, if you click on that link you go to a website www.apps.asiapacific.hsbc.com – which to the uninitiated could be any website, and is definitely not the hsbc.com.sg that the bank’s Singapore customers usually go to. There, referring customers are asked to give a lot of detail about themselves, and the person they’re referring, including what kind of bank account they have, their passport/ID number, their banking relationship manager, etc etc. Enough for a social engineer to get somewhere with.
I despair that banks will get the security thing. I really don’t think they care. They certainly don’t seem to care enough to stop their marketing department putting out toxic trash like this.