
Verified by Visa PHISHING e-mail - 01/15/2009

I received the following e-mail at work.  TSB Bank does participate in the Verified by Visa program and an e-mail such as this can certainly catch the unwary.

Part of the battle against phishing and other fraudulent e-mail is to know what they look like.  If you know what to look for, fraudulent e-mail is usually fairly easy to detect and ignore.

I have copied the text of the e-mail below in italics and added my own comments, which appear in bold print.


Dear Visa Cardholder,

Continuous Monitoring is an integral part of Visa's multiple layers of security. In addition to other fraud monitoring tools, we can often spot fraud based upon transactions on the card that are outside of cardholders typical purchasing pattern.
This allows us to spot fraudulent activity as quickly as possible and acts as an early-warning system to identify fraudulent activity.

The e-mail starts out well enough.  There are no overt spelling or grammatical mistakes that are common in phishing e-mails, and their description of the way that Verified by Visa works is well done.

During a recent checkout we detected suspicious activity and your Visa card may have been compromised. Fraudulent activity made it necessary to limit your card for online services.
Your Case ID Number is: B955DRT784D8

This is where they are setting out their bait.  The above text is setting up a scenario where the person who receives the e-mail is meant to feel scared, to fear that their card has been compromised. 

The next paragraph is more typical of a phishing e-mail.  The entire paragraph is grammatically odd, and they used the word "conform" in place of "confirm".

Conform to our security requirements and in order to continue online services with your card, we must validate your identity.

Please click here to verify your identity

The above link goes to 1.2.3.4/projects/ultra16/mobile.engineroom/app/tmp/sessions/usa.visa.com/personal/security/login/pahandler.lt.htm (I have changed the IP Address - no sense in helping the bad guys out by publishing their IP Address - the address given was traced back to a Washington ISP).  

The following text is meant to make you feel better about the whole e-mail.  Like the beginning of this phishing attempt, the end of the e-mail does not have any overt spelling or grammatical errors. 

Visa takes online security very seriously so that you can shop safely on the Internet. As part of our commitment to fighting fraud we have the right to investigate, prevent, or take action regarding illegal activities, suspected fraud, situations involving potential threats to the physical safety of any person, or violations of the terms and conditions for using Visa.

Sincerely,
Visa Customer Service.

© Copyright 2001-2009, Visa All Rights Reserved.


A look at the SMTP headers of the message shows that it was sent from:

Received: from [IP Address] (HELO EXC1.zipxpres.cohesion.net)

The IP Address traces back to an Indiana ISP, which is obviously not Visa!

The real trick for avoiding falling victim to a phishing e-mail is to avoid clicking links in e-mails.  With modern e-mails, it is very simple to have a link look legitimate (as above), but to actually have it pointing somewhere that is absolutely illegitimate. 

On most modern e-mail clients, you can see the link before you click it.  For example, in Outlook 2007 information on the link will pop up if you hover the mouse over the hyperlink.  Another alternative is to copy the link (again in Outlook 2007, you can right click on the link and select "copy hyperlink") to an open browser and see where the link actually goes to.

Our example (1.2.3.4/projects/ultra16/mobile.engineroom/app/tmp/sessions/usa.visa.com/personal/security/login/pahandler.lt.htm) has a very long URL, but the important part of the URL is everything between the http:// and the first / (an IP address in this case).  If this were truly an e-mail from Visa, I would expect that they would NEVER send me to an IP address, but would instead send me to a site like "www.visa.com".
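
The host check described above can be automated for an HTML e-mail body. This is an added example, not part of the original article or any TSB Bank tooling; it also goes one step further and reports when the expected domain shows up only in the path, as "usa.visa.com" does in this link. The sample body is constructed around the link text and sanitized address quoted above, and the function names, the second sample link and the expected domain "visa.com" are assumptions.

```python
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlsplit

SAMPLE_HTML = (  # constructed sample; first link's text and address are quoted in the article
    '<a href="http://1.2.3.4/projects/ultra16/mobile.engineroom/app/tmp/sessions/usa.visa.com'
    '/personal/security/login/pahandler.lt.htm">Please click here to verify your identity</a>'
    '<a href="http://www.visa.com/">Visa</a>')

class LinkCollector(HTMLParser):
    """Collect [href, visible text] for every <a> element."""
    def __init__(self):
        super().__init__()
        self.links, self._open = [], False
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.links.append([dict(attrs).get("href") or "", ""])
            self._open = True
    def handle_data(self, data):
        if self._open:
            self.links[-1][1] += data
    def handle_endtag(self, tag):
        if tag == "a":
            self._open = False

def check_link(href, expected_domain):
    """Return (host, reasons); reasons is empty when host is expected_domain or under it."""
    parts = urlsplit(href if "://" in href else "http://" + href)
    host = (parts.hostname or "").lower()  # between the scheme and the first "/"
    reasons = []
    try:
        ipaddress.ip_address(host)
        reasons.append("host is a raw IP address")
    except ValueError:
        pass  # host is a name, not an IP literal
    if host != expected_domain and not host.endswith("." + expected_domain):
        reasons.append("host is not under " + expected_domain)
        if expected_domain in parts.path.lower():
            reasons.append(expected_domain + " appears only in the path")
    return host, reasons

def audit(html_body, expected_domain):
    """Return (link text, host, reasons) for every link in an HTML e-mail body."""
    collector = LinkCollector()
    collector.feed(html_body)
    return [(text.strip(), *check_link(href, expected_domain)) for href, text in collector.links]

for text, host, reasons in audit(SAMPLE_HTML, "visa.com"):
    print(f"{text!r} -> {host}: {'; '.join(reasons) or 'ok'}")
```

The comparison is on the host only, so a name that merely begins with the expected domain is still reported as not being under it.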

As you can see, just a small amount of looking under the hood of this e-mail showed us that it was a phishing attempt.

TSB Bank will NOT send you an e-mail asking for your account or demographic information.  If you ever feel that you have received a phishing message that purports to be from us, just contact us and tell us that you've had fraudulent e-mail in our name and we'll investigate what has happened.