Really?! Real or phishing? http://boimedia.customerminds.com

ixtlan

Hi,

Edit: Actually I do have doubts now... maybe this is a scam... must be new though... and it's certainly convincing...

From looking at this mail I've just received, I suspect it's legit, but it's a very poor judgment call if it is, asking people to click on multiple non-BOI links (boimedia.customerminds.com), which appear to redirect to BOI.

The company has some info on what they are doing for BOI here.
http://www.customerminds.com/wp-content/uploads/2015/02/BOI-Case-Study.pdf

I literally cannot believe someone in BOI signed off on this. When you are spending so much effort telling people not to click on suspect potential phishing links...

Ix.

Now there’s an easy way to take greater control over your credit card. With Card Care you can get your up-to-the-minute balance and check transactions, at any time, online. You can also order a replacement card, access your PIN, change your address, tell us if you’re travelling abroad and lots more.

It’s simple, it’s quick and it puts you firmly in control.

Register in Minutes

Bank of Ireland: Evie

ixtlan wrote: »

Hi,

Edit: Actually I do have doubts now... maybe this is a scam... must be new though... and it's certainly convincing...

From looking at this mail I've just received, I suspect it's legit, but it's a very poor judgment call if it is, asking people to click on multiple non-BOI links (boimedia.customerminds.com), which appear to redirect to BOI.

The company has some info on what they are doing for BOI here.
http://www.customerminds.com/wp-content/uploads/2015/02/BOI-Case-Study.pdf

I literally cannot believe someone in BOI signed off on this. When you are spending so much effort telling people not to click on suspect potential phishing links...

Ix.

Now there’s an easy way to take greater control over your credit card. With Card Care you can get your up-to-the-minute balance and check transactions, at any time, online. You can also order a replacement card, access your PIN, change your address, tell us if you’re travelling abroad and lots more.

It’s simple, it’s quick and it puts you firmly in control.

Register in Minutes

Good Morning, 

Thanks for contacting us on Boards.ie and for your feedback. To check the authenticity of this email please forward it to our security team at 365security@boi.com. Thank you for the feedback on this. 

Thanks, 
Evie 

ixtlan

As requested I mailed 365security 5 days ago (last Thursday). While appreciating that it was a bank holiday weekend I'm a bit concerned to have received no reply at all. Not even an automated response.

Today I've just received another different mail appearing to be from BOI, and again directing me to click on links to boimedia.customerminds.com (which do redirect to boi).

This is very very bad practice.


Get more from 365 online

It’s as easy as click, click, scroll...

ixtlan

So as I originally believed this was from BOI (see vague non-committal e-mail response below), but I still make the point that this is not the right thing to be doing. You should not be having third parties act as a conduit into your web-sites. To be clear companies partner with marketeers all the time, but you don't have them send mails directing customers through the marketeers web-site (even if that is just a virtual redirect). You want to train people to hover over a link and make sure it's going where it should, and again... a BOI link that actually goes to boimedia.customerminds.com should be a massive red flag to anyone. I know the reason this is being done is so you can track the number of hits you get from this marketing, but the right way to do that is to send customers directly to you with a marker to identify the source... ie www.boi.ie/customersminds/something/something etc.

This forum is my only avenue to raise this to BOI, so I've done all I can.... So be it...

[font=Arial","sans-serif]Thank you for taking the time to email us in relation to your query.[/font]
[font=Arial","sans-serif]We can confirm the original email is genuine and was issued on behalf of Bank of Ireland.[/font]
[font=Arial","sans-serif] [/font]
[font=Arial","sans-serif]Should you have any queries in regards to the content contained within the email, we would recommend that you contact Banking 365 Customer Services where one of our customer service agents will be in the best possible position to look into this matter for you.

Ix.
[/font]

Bank of Ireland: Alison

ixtlan wrote: »

So as I originally believed this was from BOI (see vague non-committal e-mail response below), but I still make the point that this is not the right thing to be doing. You should not be having third parties act as a conduit into your web-sites. To be clear companies partner with marketeers all the time, but you don't have them send mails directing customers through the marketeers web-site (even if that is just a virtual redirect). You want to train people to hover over a link and make sure it's going where it should, and again... a BOI link that actually goes to boimedia.customerminds.com should be a massive red flag to anyone. I know the reason this is being done is so you can track the number of hits you get from this marketing, but the right way to do that is to send customers directly to you with a marker to identify the source... ie www.boi.ie/customersminds/something/something etc.

This forum is my only avenue to raise this to BOI, so I've done all I can.... So be it...

Thank you for taking the time to email us in relation to your query.
We can confirm the original email is genuine and was issued on behalf of Bank of Ireland.
 
Should you have any queries in regards to the content contained within the email, we would recommend that you contact Banking 365 Customer Services where one of our customer service agents will be in the best possible position to look into this matter for you.

Ix.

Hi ixtlan

Thanks for coming back to us and apologies for the delay in the response received relating to the mail you received. 

We will pass on your feedback and concerns to our Marketing Team and appreciate the time taken to raise this here with us.


Many Thanks
Alison

Doubt.It

I received an email that linked to this address* in the last few days, telling me that my new personal account was ready. Worrying, as I hadn't asked for a new personal account...

When I inquired in my branch they had no knowledge of the email, and told me to ignore it as it definitely was not from Bank of Ireland. Yet now I find that customerminds.com is actually doing this on BoI's behalf.

BoI, you simply cannot do this. It is sheer idiocy to warn is about convincing-looking emails from strange sources on one hand, while on the other sending us emails from strange sources. Teaching customers that peculiar communication from you can sometimes be legitimate completely and utterly undermines securiity.



*To be absolutely clear, the email appeared to come from info@boimail.com and the reply address was donotreply@boi.com, but these can of course be fake. The "open in your browser" link was to www.customerminds.com

ixtlan

Doubt.It wrote: »

I received an email that linked to this address* in the last few days, telling me that my new personal account was ready. Worrying, as I hadn't asked for a new personal account...

When I inquired in my branch they had no knowledge of the email, and told me to ignore it as it definitely was not from Bank of Ireland. Yet now I find that customerminds.com is actually doing this on BoI's behalf.

BoI, you simply cannot do this. It is sheer idiocy to warn is about convincing-looking emails from strange sources on one hand, while on the other sending us emails from strange sources. Teaching customers that peculiar communication from you can sometimes be legitimate completely and utterly undermines securiity.



*To be absolutely clear, the email appeared to come from info@boimail.com and the reply address was donotreply@boi.com, but these can of course be fake. The "open in your browser" link was to www.customerminds.com

It's been 3 months since my last set of posts. All I can do is agree with Doubt.It. Red Flags, sirens, red flags. Clearly the marketing department don't care. I'd encourage the BOI representatives to escalate it to the internal security people in the bank. This is just crazy.

Ix.

Bank of Ireland: Nicola

Hi Doubt.It and ixtlan, just wanted to give you a quick update on this.

I can confirm that Bank of Ireland has a partnership agreement with a third party company (Customer Minds) to transmit email communications to customers on our behalf.

We’re committed to keeping customers information secure and it’s important to note that we’ll never send emails that require customers to send personal information through email or pop-up windows.

Any unsolicited requests for account information received through pop-up windows, emails, or websites should be considered fraudulent and reported immediately.

If you do receive a suspect email please forward it on to 365security@boi.com

I’ll certainly pass on your feedback here in relation to these emails and if there’s anything else that I can help you with please let me know.

Thanks
Nicola

Paranoid Bob

It appears that Bank of Ireland is still sending messages to customers with misleading links in them. The link text is 'bankofireland.com', the reference is to boimedia.customerminds.com.

This is one full year after being advised that this is poor practice that leads to an increased risk of their customers being duped by phishing email. You cannot send this sort of misleading link to customers then be surprised when the same customers fall for other misleading links.

At this point I think it is fair to draw the conclusion that Bank of Ireland does not have a culture of security.

If the bank shows this sort of poor judgement with a very simple issue then they surely cannot be trusted with more complex matters of security.
I've had an account with Bank of Ireland since I was in college almost 30 years ago. It is time to take my business elsewhere.

Bank of Ireland: Kareana

ixtlan wrote: »

Hi,

Edit: Actually I do have doubts now... maybe this is a scam... must be new though... and it's certainly convincing...

From looking at this mail I've just received, I suspect it's legit, but it's a very poor judgment call if it is, asking people to click on multiple non-BOI links (boimedia.customerminds.com), which appear to redirect to BOI.

The company has some info on what they are doing for BOI here.
http://www.customerminds.com/wp-content/uploads/2015/02/BOI-Case-Study.pdf

I literally cannot believe someone in BOI signed off on this. When you are spending so much effort telling people not to click on suspect potential phishing links...

Ix.

Now there’s an easy way to take greater control over your credit card. With Card Care you can get your up-to-the-minute balance and check transactions, at any time, online. You can also order a replacement card, access your PIN, change your address, tell us if you’re travelling abroad and lots more.

It’s simple, it’s quick and it puts you firmly in control.

Register in Minutes

Hi ixtlan

Thanks for the post.

We do communicate more via email regarding changes our products and services.

However the difference between a spam and our genuine emails is that we would never ask you to disclose any account or personal details in a email.

If you wish not to receive these emails you can contact us through ask a question or by calling our customer care team on 0818 365 365.

Thank you for the feedback.

Thanks

Kareana  

Paranoid Bob

This is not about whether I'd like to receive marketing messages from Bank of Ireland, it is about Bank of Ireland sending emails that are training people to accept phishing techniques.

Let me try to pose a question that should help:

What is the advice from the bank to customers who receive email that claims to be from the bank, where that email contains links that claim to be to the bank's website, but those links are actually to some domain that is not owned by the bank?
Is it:
a) to trust the email, click the link, and trust that the website they end up on is a bank site?
or:
b) to treat the email as possible phishing and report / delete it?

I hope it is clear that b) is the only safe answer.

Bank of Ireland: Tara

Hi Paranoid Bob,

As mentioned, Bank of Ireland will never email or text asking you to click on a link to confirm or unlock account or card details.

If you do receive a message like this, please do not access any links contained in the message. We would ask that you forward the email, or a screenshot if it's a text, to 365security@boi.com for investigation.

We have information on how to stay safe online here: https://www.bankofireland.com/security-zone/

Thanks
Tara

uck51js9zml2yt

You are obviously not aware that it's possible for links to be a vector for the download of malicious programs.

I came across this thread and its quiet worrying to read the BOI responses.

If I was still working in Cabinteely I'd be raising the issue with the security team.

Bank of Ireland: Tara

Hi tatranska,

Sorry to hear you're unhappy with the replies given here. We can assure you that we are aware that links in phishing messages can contain malware and this is why we have advised here to not access these. We work closely with our security team and they have requested that anyone who receives these messages to please forward them to 365security@boi.com for investigation.

Thanks
Tara

ixtlan

Hi Tara,

We do appreciate that you can't change BOI policy and are constrained in the kind of responses you can give.

All we ask is that you raise this with your manager and try to get our concerns escalated again, primarily with the IT security people at the bank, since for marketing security is clearly not a priority.

As we keep saying:

Sending marketing mails directing customers through a third part site to get to a BOI web site is an appalling practice. It doesn't matter that the link in the mail doesn't directly take the customer to a login page. Clearly once you are on the BOI site you are only a few clicks away from a login... and that site containing the login links might not actually be BOI.

Ix.

Paranoid Bob

Bank of Ireland: Tara wrote: »

Hi Paranoid Bob,

As mentioned, Bank of Ireland will never email or text asking you to click on a link to confirm or unlock account or card details.

If you do receive a message like this, please do not access any links contained in the message. We would ask that you forward the email, or a screenshot if it's a text, to 365security@boi.com for investigation.

We have information on how to stay safe online here: https://www.bankofireland.com/security-zone/

Thanks
Tara

Tara,

Thank you for the reply, and I understand the answer you have given but it is not an answer to the question I have asked.

Can I ask you please to get an answer to the question I have asked:
If I, as a customer of Bank of Ireland, receive an email that claims to be from the bank where that email contains links that purport to be to the Bank's website but are actually to another domain; should I trust that the email is from the Bank and that the links are safe to click?

I understand the answer that the Bank will never send an email or text asking to click on a link to confirm or unlock account or card details, but that does not answer the question. The fact is that I cannot know what the link is asking me to do until after I click it and read whatever page loads. By then I could have loaded some browser-based malware.

So the question is very simple, and I have re-worded it to call for a 'yes' or 'no' answer. Can you please find an answer to that question that the Bank is willing to stand over?

Alun

FWIW AIB do exactly the same, and I received a similar non-answer from them when I contacted them about it.

mickoneill31

Apart from the bad practice your marketing team is wasting their money. People will (or should) bin mails like this. I do security awareness courses in my company. 
One of our business units got  a third party to email the company in a mail. We in the security team got a pile of reports from users of the possible "phising attempt". 

Even if BOI marketing don't care about security they probably do care about throwing money down the drain. 

Bank of Ireland: Darren

Thanks to everyone who has posted on this thread.

All the feedback in this thread has been sent to our marketing team for their attention. If there is any further update we will post it on this thread.

Thanks again,
Darren.

ixtlan

Sorry, I know we should give up at this point, but the irony is just too much!

A mail arrives from BOI today.

Subject:
Improving online security on your debit and credit card.

full of links like this... which appear to bring us through to BOI's web-site, though by then it would be too late to know for sure where you were...

http://boimedia.customerminds.com/lp/l/23613/16c5f0ad5fa7c6378e55fdd16574d1a5/9980029/1903/

They also helpfully include links to download apps for IOS/Android... going through boimedia.customerminds.com

Ix.

BlinkingLights

It annoys me that despite all the talk about security and need for protecting our data ourselves, that banks (and BOI is not unique in this) continue to engage in sloppy practices like this.

If you expect to have a secure system, bot the customers and the bank need to structure all interactions with security in mind.

Paranoid Bob

Just in case some visitors to this thread think we're a few curmudgeons just looking for trouble I took some time to look for expert advice around the Web. Here are a few of the sites I found:

https://www.us-cert.gov/ncas/tips/ST04-014
US CERT advice, under 'How do you avoid being a victim?'
Do not reveal personal or financial information in email, and do not respond to email solicitations for this information. This includes following links sent in email.
Pay attention to the URL of a website. Malicious websites may look identical to a legitimate site, but the URL may use a variation in spelling or a different domain

https://securingthehuman.sans.org/newsletters/ouch/issues/OUCH-201512_en.pdf
SANS institute advice, incuding:
Tha attacker's goal is to take control of your device. To do this they send you an email with a link. If you click on the link, it takes you to a website that launches an attack on your device that, if successful, infects your system.

Europol:
https://www.europol.europa.eu/activities-services/public-awareness-and-prevention-guides/mobile-malware
Don’t click on links or attachments in unsolicited emails or text messages
Delete them as soon as you receive them.
Double-check shortened URLs and QR codes, they could lead to harmful websites or directly download malware to your device.

... I think that last one from Europol was part of an EU-wide awareness program. An Garda Síochána sent that content to all the major banks in Ireland, so Bank of Ireland should be well aware of the content.

So the bank is sending emails encouraging customers to act against advice from many different experts, including advice given to the bank by the Gardaí.

Darren; you said the feedback on this thread had been sent to your marketing department. Perhaps you or one of your colleagues could let us know how it was received? Maybe score it on this handy 5-point scale:
1: (sound of tumbleweed and crickets)
2: 'Just ignore them ...'
3: meh.
4: yes, there is something in what they are saying ...
5: there is a project being considered or underway to collect the tracking data in a more responsible way.

Bank of Ireland: Sarah

ixtlan wrote: »

Sorry, I know we should give up at this point, but the irony is just too much!

A mail arrives from BOI today.

Subject:
Improving online security on your debit and credit card.

full of links like this... which appear to bring us through to BOI's web-site, though by then it would be too late to know for sure where you were...

http://boimedia.customerminds.com/lp/l/23613/16c5f0ad5fa7c6378e55fdd16574d1a5/9980029/1903/

They also helpfully include links to download apps for IOS/Android... going through boimedia.customerminds.com

Ix.

Hi Ix,

Thanks for your post. We appreciate your feedback regarding this email and we will forward yours and other users comments regarding these links in our emails to the relevant teams. If we can help with any other query please let us know.

Thanks,
Sarah

Paranoid Bob

I think there is finally an answer to this question from Bank of Ireland.

The page at https://www.bankofireland.com/security-zone/personal/safety-online/#panel2 includes advice on how to recognise suspicious email messages.

It includes four tips, two of which seem very relevant to this thread:

• Be suspicious of unsolicited emails. Listen to your instincts. If something doesn’t feel right then stop and question it.
• Check links in emails are legitimate by ‘hovering’ your mouse over the link to view the web address (URL) without clicking. If it is different to what you were expecting, do not click.
  

[*]

So there you have it. The advice from Bank of Ireland is to avoid clicking on the links in unsolicited email messages from Bank of Ireland.

matildajane

Another email received from some staff in my organisation today from customerminds.  The email advises people how to lodge their water charges refund cheque.  Again the links are urls that resolve to bank of Ireland site but when you hover over the url the link is to boimedia.customerminds.com/....

I advised staff to delete the email but when you are trying to educate staff around the area of security this is extremely annoying. Also can Bank of Ireland point to where customers gave consent for their email address to be passed on to a third party for marketing purposes?  Under data protection legislation consent must be explicit and also customers must have the right to opt out.  At the very least there should be an easy opt out link at the end of the email. I am tempted to blacklist info@boimail.com 

Bank of Ireland: Darren

matildajane wrote: »

Another email received from some staff in my organisation today from customerminds.  The email advises people how to lodge their water charges refund cheque.  Again the links are urls that resolve to bank of Ireland site but when you hover over the url the link is to boimedia.customerminds.com/....

I advised staff to delete the email but when you are trying to educate staff around the area of security this is extremely annoying. Also can Bank of Ireland point to where customers gave consent for their email address to be passed on to a third party for marketing purposes?  Under data protection legislation consent must be explicit and also customers must have the right to opt out.  At the very least there should be an easy opt out link at the end of the email. I am tempted to blacklist info@boimail.com 

Hi matildajane,

Thanks for getting on to us here.

I can confirm that this is a service email and not a promotional or marketing email and for this reason does not require an opt out option. Customerminds is run and operated by Bank of Ireland, so no customer information is given to any 3rd party organization in relation to this. Please be assured that the email was sent out purely to help our customers.

Thanks again for the message.
Darren.

ixtlan

Bank of Ireland: Darren wrote: »

I can confirm that this is a service email and not a promotional or marketing email and for this reason does not require an opt out option. Customerminds is run and operated by Bank of Ireland, so no customer information is given to any 3rd party organization in relation to this. Please be assured that the email was sent out purely to help our customers.

Hi Darren,

It seems unlikely that customerminds (the company) is under BOI control, since it's a marketing/communications company with many clients of which BOI is just one. Certainly it would be a strange business for BOI to get involved in and there is no indication that BOI is involved in any way apart from being a customer. I am open to correction on that, maybe you were an investor in the business but even then I'd be questioning a statement that you "run and operate" it.

The mails do originate from
mtaserver1.customerminds.com

so it seems likely that they have the emails of BOI customers. If they are indeed a third party then there may be data privacy issues. Does the fact that it's a service mail related to your service and products negate data protection. I don't know.

I am not an expert here. There may be factors which absolve BOI. In particular I note customerminds have both a managed and self-service option. One would image that the self-service option would keep the data in-house. However you would then expect the mails and links to reference BOI and not customerminds.

Regardless of the details this is just a plain ridiculous policy. You say to people check links before you click them! Don't click on any suspicious links! Make sure the URL matches the text in the message!

and now, in effect you are saying.... Here click this oddly named link which does not match the referenced text! Follow this link through to BOI where you can enter your bank details!
"http://boimedia.customerminds.com/lp/l/27585/d7d3489340a67c61ee13a56e53e39d0d/12215311/1923"

On the privacy issue can you confirm a few things?

Is customerminds a third party or a BOI entity?
Have they received a list of BOI emails?
Were mails sent from BOI owned systems?
Do you believe or not that permission was required to send them those email lists?

I may follow up with some journalists on this to see if they are interested in doing a story on BOI's careless security stance.

Ix.

Paranoid Bob

Yesterday there were reports in Irish national papers of an email scam; an email apparently from Irish Water offering information about a refund. That email contained a link to a site that was apparently an Irish Water site, though looking carefully at the URL would indicate otherwise.
https://www.thesun.ie/news/1864151/irish-water-warns-customers-are-being-targeted-in-new-email-scam-asking-for-bank-details-for-long-awaited-water-charges-refunds/
http://www.irishmirror.ie/news/irish-news/consumers-warned-irish-water-refund-11602820
http://www.thejournal.ie/irish-water-phishing-scam-3721505-Nov2017/

Today there is an email apparently from Bank of Ireland offering information about the Irish Water refund. The email contains links to a site that is apparently a Bank of Ireland site, though looking carefully at the URL would indicate otherwise.

Bank of Ireland would have us believe that what they are doing is obviously different to what the scammers are doing. How exactly is it different?

Advice from various experts including the SANS institute, CERT and Europol tells us to avoid clicking on links in unsolicited emails, most especially when the actual domain of the URL does not match the apparent sender. Even Bank of Ireland give the same advice, though from the evidence of this thread I'd hesitate to call them experts. customerminds.com does not match bankofireland.com.

Paranoid Bob

ixtlan wrote: »

On the privacy issue can you confirm a few things?

Is customerminds a third party or a BOI entity?
Have they received a list of BOI emails?
Were mails sent from BOI owned systems?
Do you believe or not that permission was required to send them those email lists?

I may follow up with some journalists on this to see if they are interested in doing a story on BOI's careless security stance.

Ix.

Ix,

Another question you may want to add to the list:
How did Bank of Ireland compile the list of email addresses to receive this message?

I know people who are not Irish Water customers (because they live in rural areas and have private water supplies) who did not receive this message. The message was apparently targeted at Irish Water customers. What data did Bank of Ireland process in order to come up with a list of Irish Water customers, and did they have permission from those customers to process data for that purpose?

That is a question that the Data Protection Commissioner might be prompted to ask.

Bank of Ireland: Tara

Hi all,

Thanks for taking the time to post your comments and feedback on this matter which we have forwarded on to our communications team.

To reassure you, the links provided in this service email are to our Branch/ATM Locator and locations of External Lodgement ATMs. The other link is to view an online version of the email. Unlike a fraudulent email, neither of these links requests you to enter any account or log in details. 

If you are one of our customers who has received this email but are unhappy with this, please see our complaints process here. As for your other questions, we are unable to provide that level of information.

To check how your email address was obtained, please submit a query using the Ask a Question option in Service Desk on 365 Online.

Just to reassure you once again, the email was sent to help our customers who may not receive cheques very often and to offer options on how the cheque can be lodged.

Thanks
Tara

Paranoid Bob

Tara,

Thank you for the response. Unfortunately it misses the point again. Your message includes:

Bank of Ireland: Tara wrote: »

To reassure you, the links provided in this service email are to our Branch/ATM Locator and locations of External Lodgement ATMs. The other link is to view an online version of the email. Unlike a fraudulent email, neither of these links requests you to enter any account or log in details. 

The problem is there there is no way for the recipient of the email to know that the links will lead them to a Bank or Ireland site until after the links are clicked. If the message is genuine then there is no problem. If the message is not genuine then the customer will not know this until after the attacker has had the opportunity to install malware on their computer.

Bank of Ireland's own advice acknowledges this, and yet the bank persists in sending these messages.

Given that it is now well over a year since this was first brought to your attention on this thread we can only conclude that there is a wilful disregard for the legitimate cybersecurity concerns of your customers.
Can you make a comment on that? Can you reconcile the bank's own advice that customers should not click on links like this with the assurances here that these messages are safe?

For reference; the advice from Bank of Ireland is here: https://www.bankofireland.com/security-zone/personal/safety-online/#panel2

It includes the following:
What to look for: ... Unexpected emails that claim to come from a financial institution.
Tips: ... Check links in email are legitimate by 'hovering' your mouse over the link to view the web address (URL) without clicking. If it is different to what you are expecting, do not click.

The email sent from the bank this week is an unexpected email that claims to come from a financial institution, and hovering over the links shows that the URL is not a Bank of Ireland domain.

Please reconcile this advice with your assertion that the email sent this week should be trusted.
Failing that, acknowledge that the bank is continuing a practice that is not sound and will lead to a reduced cybersecurity awareness among its customers.