
Really?! Real or phishing? http://boimedia.customerminds.com


Comments

  • Closed Accounts Posts: 991 ✭✭✭Bank of Ireland: Darren


    Tara,

    Thank you for the response. Unfortunately it misses the point again. Your message includes:
    To reassure you, the links provided in this service email are to our Branch/ATM Locator and locations of External Lodgement ATMs. The other link is to view an online version of the email. Unlike a fraudulent email, neither of these links requests you to enter any account or log in details. 
    The problem is that there is no way for the recipient of the email to know that the links will lead them to a Bank of Ireland site until after the links are clicked. If the message is genuine then there is no problem. If the message is not genuine then the customer will not know this until after the attacker has had the opportunity to install malware on their computer.

    Bank of Ireland's own advice acknowledges this, and yet the bank persists in sending these messages.

    Given that it is now well over a year since this was first brought to your attention on this thread we can only conclude that there is a wilful disregard for the legitimate cybersecurity concerns of your customers.
    Can you make a comment on that? Can you reconcile the bank's own advice that customers should not click on links like this with the assurances here that these messages are safe?

    For reference; the advice from Bank of Ireland is here: https://www.bankofireland.com/security-zone/personal/safety-online/#panel2

    It includes the following:
    What to look for: ... Unexpected emails that claim to come from a financial institution.
    Tips: ... Check links in email are legitimate by 'hovering' your mouse over the link to view the web address (URL) without clicking. If it is different to what you are expecting, do not click.

    The email sent from the bank this week is an unexpected email that claims to come from a financial institution, and hovering over the links shows that the URL is not a Bank of Ireland domain.

    Please reconcile this advice with your assertion that the email sent this week should be trusted.
    Failing that, acknowledge that the bank is continuing a practice that is not sound and will lead to a reduced cybersecurity awareness among its customers.

    Hi there,

    Thanks for getting back to me.

    We have given all the information we can in relation to this. Thanks for all of your feedback and we have passed this on to our security team.

    Thanks again,
    Darren.


  • Registered Users Posts: 121 ✭✭Paranoid Bob


    Hi there,

    Thanks for getting back to me.

    We have given all the information we can in relation to this. Thanks for all of your feedback and we have passed this on to our security team.

    Thanks again,
    Darren.
    So has the security team signed off on this practice?

    Clearly someone in the bank knows it is a bad idea; the advice given is actually OK.
    So either the security team has signed off on a practice that they know to be contrary to good advice, or the security team has not signed off on it but the communications team is doing it anyway.

    So that bank's security governance is either incompetent or impotent.

    To anyone reading this thread; I suggest you do not want to deal with a bank whose security governance is either incompetent or impotent. Don't walk away from Bank of Ireland. Run.

    I've already taken my business elsewhere.


  • Registered Users Posts: 1,209 ✭✭✭ixtlan



    To reassure you, the links provided in this service email are to our Branch/ATM Locator and locations of External Lodgement ATMs. The other link is to view an online version of the email. Unlike a fraudulent email, neither of these links requests you to enter any account or log in details.
    Sorry guys,

    What you have said is not true.

    The links provided do not go to Branch/ATM Locator and locations of External Lodgement ATMs. Repeat they do not go to BOI. That's the whole point of this seemingly endless discussion.

    The links provided actually go to a third party non-BOI website (as far as we know), which then redirects the user to BOI to the information you mention.

    As regards entering account information, from this mail you are 3 clicks away from an account login page. So you are training users to click on an unsafe link as OK... then if they want.. to click Visit BOI and then click login...where they will enter their account details. If you expect users to trust the first URL, why do you not expect them to conveniently follow the link in the mail to login?! Internet scammers are quite adept at reproducing entire web-sites!

    The point of internet security training is to get people to be suspicious, while you seem determined to do the opposite.

    We understand that you are an interface to the bank, and it may be tiresome that we persist in pointing out the issue here, but I hope you can appreciate that we are trying to help you to have the right security policies. What is frustrating for all of us is that while we believe you that the concerns have been passed up some chain of command, there has been no formal response to those concerns (for 18 months!) other than that they have been passed on. Of course common sense from our point of view is that no IT security group in the world would publicly agree with what BOI is doing so we wonder how this mailing practice can continue.

    Ix


  • Registered Users Posts: 121 ✭✭Paranoid Bob


    There is some news from the UK recently that is relevant to this thread. It is unfortunate that there are no corresponding recommendations here in Ireland, but this is relevant. It shows the impact of training customers to accept bad practice and says clearly that banks have a particular responsibility to combat this.

    The Commons Select Committee says action to combat online fraud must favour customers:
    http://www.parliament.uk/business/committees/committees-a-z/commons-select/public-accounts-committee/news-parliament-2017/growing-threat-online-fraud-report-published-17-19/
    An extract:
    Banks not doing enough and response not proportionate to problem

    Banks are not doing enough to tackle online fraud and their response has not been proportionate to the scale of the problem. Banks need to take more responsibility and work together to tackle this problem head on. Banks now need to work on information sharing so that customers are offered more protection from scams.

    Campaigns to educate people and keep them safe online have so far been ineffective, supported by insufficient funds and resources.


    In Bank of Ireland's case; their campaign is to educate people to accept the worst practices and trust emails that a scammer could duplicate with no effort.

    Given the amount of time that has passed since this was brought to the attention of the bank we have to conclude it is a deliberate commercial decision; protecting customers is worth less than using a very slightly more complex way to gather metrics on engagement with customer outreach messages.


  • Registered Users Posts: 2,169 ✭✭✭Grawns


    Just got an email similar and immediately assumed it was a very clever scam. Asking me to upload current ID to customer minds. Very poor practice if it's not a total scam.


  • Registered Users Posts: 1,209 ✭✭✭ixtlan


    Thanks Grawn,

    Your mail prompted me to comment on a text I just received from BOI. I know it's probably from BOI because it comes from the number that sends me comments about bank fees.

    However... wearily I have to add, this text is about the Live Life rewards programme, asking me to click on a link to answer a survey... link going to bankofireland.eu.qualtrics.com/jfe/form/SV/******   I mean really... could you make this more suspicious!?

    As has been said many times, all we can do is ask our concerns be passed up the chain.

    Ix.
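
The hover check discussed in this thread, as an added example that is not part of any post: a Python sketch that lists each link in an HTML email and flags hosts outside the sender's own domains, including third-party hosts that merely carry the brand name. The `OWN_DOMAINS` set, the verdict labels and the sample email body are assumptions constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption: domains the sender itself controls, as named in the thread.
OWN_DOMAINS = {"bankofireland.com", "boi.com"}

class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> in an HTML email body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def host_of(url):
    # Also accepts scheme-less text such as a link pasted from an SMS.
    parts = urlsplit(url if "://" in url else "//" + url)
    return (parts.hostname or "").lower().rstrip(".")

def is_own(host):
    # Match on a label boundary so 'notbankofireland.com' does not pass.
    return any(host == d or host.endswith("." + d) for d in OWN_DOMAINS)

def classify(href, text=""):
    host = host_of(href)
    if is_own(host):
        return "own-domain"
    if "." in text and " " not in text and is_own(host_of(text)):
        return "text-shows-own-domain-but-href-does-not"
    if any(d.split(".")[0] in host for d in OWN_DOMAINS):
        return "third-party-host-carrying-brand-name"
    return "third-party"

def audit(html):
    collector = LinkCollector()
    collector.feed(html)
    return [(host_of(h), classify(h, t)) for h, t in collector.links]

# Constructed sample email body (not a real message).
SAMPLE = """<a href="http://boimedia.customerminds.com/r/1">Branch/ATM Locator</a>
<a href="https://www.bankofireland.com/security-zone/">Security zone</a>
<a href="https://bankofireland.eu.qualtrics.com/jfe/form/x">Survey</a>
<a href="http://tracker.example/c?u=1">www.bankofireland.com</a>"""
```

Calling `audit(SAMPLE)` returns one `(host, verdict)` pair per link; a host that only contains the brand as a label is reported as third-party, which is the distinction a recipient cannot make without inspecting the URL.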


  • Registered Users Posts: 2,494 ✭✭✭NinjaTruncs


    I have noticed this too in the past, for a company who should take account security seriously their emails are so dodgy. It's gotten to the point where you need to delete any emails from BOI as you've no way of knowing if they are legit or not.

    Alternatively, if everyone reported BOI emails as spam they would be pretty quick to start making changes as email providers would start blocking their emails.




  • Closed Accounts Posts: 490 ✭✭Bank of Ireland: Jennifer


    Grawns wrote: »
    Just got an email similar and immediately assumed it was a very clever scam. Asking me to upload current ID to customer minds. Very poor practice if it's not a total scam.


    Hi Grawns,

    Thanks for getting in touch with us here. We are currently sending emails like this to some of our customers. If you forward the email you received to 365security@boi.com, they will be able to confirm if this is a legitimate email.

    Thanks Jen


  • Registered Users Posts: 121 ✭✭Paranoid Bob


    Grawns wrote: »
    Just got an email similar and immediately assumed it was a very clever scam. Asking me to upload current ID to customer minds. Very poor practice if it's not a total scam.


    Hi Grawns,

    Thanks for getting in touch with us here. We are currently sending emails like this to some of our customers. If you forward the email you received to 365security@boi.com, they will be able to confirm if this is a legitimate email.

    Thanks Jen
    This demonstrates exactly the problem with these messages.
    It is not possible for the customer to tell the difference between what you describe as 'legitimate email' and a scam. The only way Grawns or any other customer can tell the difference between a 'legitimate' email and a scam is to ask 365security@boi.com about every single message they receive from the bank.
    Clearly that is not good for either the bank or its customers, so the only reasonable course of action is to distrust all email that appears to be from Bank of Ireland and send it straight into the bin.


  • Registered Users Posts: 855 ✭✭✭mickoneill31


    ixtlan wrote: »
    Thanks Grawn,

    Your mail prompted me to comment on a text I just received from BOI. I know it's probably from BOI because it comes from the number that sends me comments about bank fees.

    However... wearily I have to add, this text is about the Live Life rewards programme, asking me to click on a link to answer a survey... link going to bankofireland.eu.qualtrics.com/jfe/form/SV/******   I mean really... could you make this more suspicious!?

    As has been said many times, all we can do is ask our concerns be passed up the chain.

    Ix.

    Don't just trust numbers either



    https://krebsonsecurity.com/2018/10/voice-phishing-scams-are-getting-more-clever/


  • Registered Users Posts: 238 ✭✭beecee


    Grawns wrote: »
    Just got an email similar and immediately assumed it was a very clever scam. Asking me to upload current ID to customer minds. Very poor practice if it's not a total scam.


    Hi Grawns,

    Thanks for getting in touch with us here. We are currently sending emails like this to some of our customers. If you forward the email you received to 365security@boi.com, they will be able to confirm if this is a legitimate email.

    Thanks Jen
    Might just have to block all emails from BOI. Can't believe no heed has been paid to all the very valid feedback on this thread. Despite assurances given, there's no way I'm clicking on anything in those emails!


  • Registered Users Posts: 23 kbbucks


    Just got one myself this morning looking for photo ID & proof of address. I put it down to a scam straight away but did a quick interweb search of boimedia out of curiosity and ended up here :) 
    I really can't believe a company the size of BOI and with the current profits they are enjoying don't invest in/review their online processes - it just goes to show that in this country they don't have to... Surely any sort of an ISO audit would red-flag this sort of practice - I guess the bank guarantee must have covered audits as well!! ;)  


  • Registered Users Posts: 1,561 ✭✭✭Umaro


    I received one of these emails this morning, thought it looked a bit suspicious and it made no sense why it was asking for proof of address and ID... I've been with this bank for 15 years.

    Googled around and this thread turned up, and lo-and-behold people were warning BOI not to use these dodgy URLs all the way back in June 2016. It's actually insane that you continue to do this when a load of customers were already on your case about it over 2 years ago.


  • Registered Users Posts: 1,606 ✭✭✭Squatman


    As a BOI customer, I find these practices to be questionable to the extreme. The answers here, while I know you are toeing the company line, offer little in the way of reassurance to the customer. I will consider moving bank over this, and BOI's general lack of help to customers.


  • Closed Accounts Posts: 991 ✭✭✭Bank of Ireland: Darren


    Hi All,

    Thanks for all of your comments and feedback, please be assured that we pass on all the feedback we receive here.
    If you have any specific questions about the requests that you've received you can contact that section directly on 0818200339 (or 0035312500399 if you're abroad) and the advisers there will be more than happy to help you with this.
    If you're unhappy and would like to raise this as an official complaint you can do so by calling us on 0818200365 (or 0035314044000 if you're abroad).
    You can also do this in writing and send it into the following address below:
    Bank of Ireland,
    Group Customer Complaints,
    4th Floor,
    New Century House,
    IFSC,
    Lower Mayor Street,
    Dublin 1
    D01 K8N7.

    Thanks again for getting in touch.
    Darren.


  • Registered Users Posts: 1,606 ✭✭✭Squatman


    Hi All,

    Thanks for all of your comments and feedback, please be assured that we pass on all the feedback we receive here.
    If you have any specific questions about the requests that you've received you can contact that section directly on 0818200339 (or 0035312500399 if you're abroad) and the advisers there will be more than happy to help you with this.
    If you're unhappy and would like to raise this as an official complaint you can do so by calling us on 0818200365 (or 0035314044000 if you're abroad).
    You can also do this in writing and send it into the following address below:
    Bank of Ireland,
    Group Customer Complaints,
    4th Floor,
    New Century House,
    IFSC,
    Lower Mayor Street,
    Dublin 1
    D01 K8N7.

    Thanks again for getting in touch.
    Darren.
    since BOI do very little face to face transactions, and most contact is done electronically, surely they have an email address to forward complaints to?


  • Registered Users Posts: 5,480 ✭✭✭Vicarious Function


    I never access any account via a link on an email. Got caught on an eir email once and the result was not pleasant.


  • Closed Accounts Posts: 991 ✭✭✭Bank of Ireland: Darren


    Squatman wrote: »
    Hi All,

    Thanks for all of your comments and feedback, please be assured that we pass on all the feedback we receive here.
    If you have any specific questions about the requests that you've received you can contact that section directly on 0818200339 (or 0035312500399 if you're abroad) and the advisers there will be more than happy to help you with this.
    If you're unhappy and would like to raise this as an official complaint you can do so by calling us on 0818200365 (or 0035314044000 if you're abroad).
    You can also do this in writing and send it into the following address below:
    Bank of Ireland,
    Group Customer Complaints,
    4th Floor,
    New Century House,
    IFSC,
    Lower Mayor Street,
    Dublin 1
    D01 K8N7.

    Thanks again for getting in touch.
    Darren.
    since BOI do very little face to face transactions, and most contact is done electronically, surely they have an email address to forward complaints to?

    Thanks for getting back to us. I can confirm that there would not be an online option for this process. Please be assured that we will pass on this feedback straight away.
    Thanks again for the message.
    Darren.


  • Registered Users Posts: 1 Tavi


    I have received an email from BoI confirming application for a current account and when I opened it the antivirus gave the following warning: "aborted connection to boimedia.customerminds.com because it was infected with URL: Blacklist"


