Fascinating phishing attack — the links are fine, but watch out for the toll-free number!

By | July 30, 2008

A phishing message in my spam folder caught my eye today, so I decided to take a closer look at it.

It claimed to be from CapitalOne.  It had a legitimate sender address, a legitimate Subject line (“Please Call Us Regarding Recent Restrictions”), and convincing-looking content that was mostly lifted straight from a real CapitalOne email message.  Most importantly, all of the links in the message were legitimate links pointing at capitalone.com URLs.

The only text in the message that was not boilerplate was this:

Please Call Us Regarding Recent Resctriction [sic]

This is not a promotional e-mail. Please call us immediately at (866) 496-5027 regarding recent activity on your Capital One Card. We’re available 24/7 to take your call.

Please disregard this e-mail if you’ve already call us since the date this e-mail was sent.

We appreciate your prompt attention to this matter.

Thank you
Capital One Card Fraud Prevention Security Department

Here’s what makes this phishing message different from others I’ve seen: the “hook” is the phone number, not the links in the email body.

Here’s what you hear, recited in a female computer-synthesized voice, when you call the number shown above:

Welcome to the the card activation center.  Please remember that we will never ask for your personal information such as your social security number, passwords, card numbers, etc. via email.  Please enter your card number followed by the pound key.

[doesn’t matter what you enter here]

Please enter your personal identification number associated with this card followed by the pound key.

Please enter your four-digit expiration number [sic] (months year) followed by the pound key.

Please hold while your card is activated.

The card number, personal identification number or expiration date doesn’t match with our records.

[starts over]

Obviously, whoever set up this toll-free number is collecting card numbers, expiration dates and PINs, which they will then either sell or use to obtain cash advances from ATMs.

I wish there were somewhere I could report this scam to get the toll-free number taken down, but I honestly have no idea who would be interested in doing something about this and able to act quickly.

Share

15 thoughts on “Fascinating phishing attack — the links are fine, but watch out for the toll-free number!

  1. Kurt

    This scam is back… with a new number: 1-(888) 691-9062
    and a new website… a FAKE capitalone site: http://217.41.36.107/images/home.htm

    ARRGGG! The bastards.

    Reply
  2. Mark

    Actually, I just realized they can’t spell.

    “Please Call Us Regarding Recent _Resctriction_”

    “Please disregard this e-mail if you’ve already _call us_ since the date this e-mail was sent. “

    Reply
  3. Mark

    I just got this e-mail today. It looked entirely legitimate too, except for one small problem… I don’t have a Capital One card. I didn’t call the number so I was wondering what exactly this “spam” e-mail wanted from me. It got through Gmail’s spam filter too… the bastards! Thanks for posting this blog!

    Reply
  4. Sofia

    I got this email today, just hours after I activated my first Capital One credit card. It didnt make sense to me because I had only made a $14 purchase and my online banking looked totally normal. The thing that really caught my eye however, was the fact that “resctriction” was misspelled. That set off lots of bells, so I googled it and came here.

    This is really scary to me. The first day of owning my very first credit card and already im getting hit with scams. I just have to be vigilant I guess. Dont reply to any emails with personal information and always call the number listed on the website, nothing else.

    I forwarded my email to abuse@capitalone.com. I hope some good comes of it.

    Reply
  5. Linda

    I just received the same e-mail. I actually found this page by entering hte phone number in google.
    When I get phishing mail using real company info, I always go to the company’s legit website and search for their phishing contact. Then I forward the complete e-mail, including headers, changing nothing. Sometimes I get a reply thanking me and letting me know it was indead a phishing e-mail.

    Reply
  6. Kiddo

    I just got the same crud email and forwarded it to the addresses Jik pointed out. Just putting my drop in the bucket…

    It really scares me how many folks will fall for this kind of thing.

    Reply
  7. jik Post author

    I just called Capital One at the number on their Web site, 800-955-7070. I was connected to a clueless Indian offshore guy, who put me on hold after hearing my story and then came back and gave me the supposed number for their fraud department, 800-427-9428, and then he transferred me to it.

    After holding for a while, I was connected to another clueless Indian offshore guy, who first showed that he completely didn’t understand why I was calling by trying to get me to give him my social security number so that he could check if the phishing people had created an account in my name. Then he put me on hold too. He came back a few minutes later and told me (a) not to respond to the email message (duh!) and (b) to email a copy of it to abuse@capitalone.com (yeah, right, like that’ll result in any sort of timely response).

    *sigh*

    Reply
  8. jik Post author

    FBI is just as useless as the AG. There’s so much of this crap floating around that the law-enforcement agencies won’t get involved until a lot of people have actually lost money. They’re totally in reactive rather than proactive mode, perhaps because they aren’t funded well enough to be proactive. The state of the battle against on-line fraud in this country is positively atrocious.

    Reply
  9. Rhu/nmHz

    Call Capital One. Ask for the fraud department.

    Reply
  10. Juggling Frogs

    Doesn’t the FBI handle wire fraud?

    I hope your information isn’t compromised, and that someone puts a stop to this.

    Reply
  11. jik Post author

    Prior experience has made it clear that the AG is useless for things like this. I’ve certainly never been able to find anyone in the AG’s office who has the authority and will to act quickly on ongoing fraud complaints.

    Reply

Leave a Reply

Your email address will not be published. Required fields are marked *