A phishing message in my spam folder caught my eye today, so I decided to take a closer look at it.
It claimed to be from CapitalOne. It had a legitimate sender address, a legitimate Subject line (“Please Call Us Regarding Recent Restrictions”), and convincing-looking content that was mostly lifted straight from a real CapitalOne email message. Most importantly, all of the links in the message were legitimate links pointing at capitalone.com URLs.
The only text in the message that was not boilerplate was this:
Please Call Us Regarding Recent Resctriction [sic]
This is not a promotional e-mail. Please call us immediately at (866) 496-5027 regarding recent activity on your Capital One Card. We’re available 24/7 to take your call.
Please disregard this e-mail if you’ve already call us since the date this e-mail was sent.
We appreciate your prompt attention to this matter.
Capital One Card Fraud Prevention Security Department
Here’s what makes this phishing message different from others I’ve seen: the “hook” is the phone number, not the links in the email body.
Here’s what you hear, recited in a female computer-synthesized voice, when you call the number shown above:
Welcome to the the card activation center. Please remember that we will never ask for your personal information such as your social security number, passwords, card numbers, etc. via email. Please enter your card number followed by the pound key.
[doesn't matter what you enter here]
Please enter your personal identification number associated with this card followed by the pound key.
Please enter your four-digit expiration number [sic] (months year) followed by the pound key.
Please hold while your card is activated.
The card number, personal identification number or expiration date doesn’t match with our records.
Obviously, whoever set up this toll-free number is collecting card numbers, expiration dates and PINs, which they will then either sell or use to obtain cash advances from ATMs.
I wish there were somewhere I could report this scam to get the toll-free number taken down, but I honestly have no idea who would be interested in doing something about this and able to act quickly.