boimail.com - is this really genuine?

Jurusz

Received a LONG html-encoded email from boimail.com, with many requests to download images 
from servers at other domains. Ironically, it purports to be about detecting fraudulent emails (reading plain
html is a bit of a puzzle but one can do it.)


I notice in this forum that Bank of Ireland have been castigated for this kind of practice before, for over two years now. Whereas most savvy users know not to display html etc messages rendered as html, many don't and
would be open to malware being downloaded through mischevious links that their mail browser would request
automatically.


My question: how can Bank of Ireland assure clients that the fancy, clever emails that clients receive really
do originate from BOI? Wouldn't it be much simpler to put all this stuff on a https BOI page and simply
send a 'go to' message to the clients???

Bank of Ireland Reps

Hi Jurusz, thanks for getting in touch with us here on Boards.ie. 

Please be assured that this is a genuine email sent from BOI in order to advise and help customers to identify fraudulent texts. 

You can certainly link in with us here, or on any of our other social platforms, if you receive any correspondence from BOI that you’re unsure or concerned about and we’d be happy to confirm it for you. 

We do appreciate you taking the time to share your feedback with us here and we’ll be sure to pass it on to the relevant team. 

Thanks, Eve 

Paranoid Bob

Bank of Ireland Reps wrote: »

Hi Jurusz, thanks for getting in touch with us here on Boards.ie. 

Please be assured that this is a genuine email sent from BOI in order to advise and help customers to identify fraudulent texts. 

You can certainly link in with us here, or on any of our other social platforms, if you receive any correspondence from BOI that you’re unsure or concerned about and we’d be happy to confirm it for you. 

We do appreciate you taking the time to share your feedback with us here and we’ll be sure to pass it on to the relevant team. 

Thanks, Eve 

A follow-up question:
How do you know that the message received by Jurusz is actually from BOI?

If you are giving advice that the email can be trusted and all the links in it are safe then you would want to be fairly sure of that.

Looking at the information available:
- The message is from boimail.com. That is a domain that BOI uses. I note that there is SPF (but no DMARC) for that domain, but you have no information about whether Jurusz email server respects those standards. The SPF configuration allows messages to be sent from boimail.com using servers that are outside the control of the bank.
- The message is described as having images and other resources loaded from various other domains, just like a scammer would do for convenience. A scammer would even use exactly the same images as you have in the genuine message (why pay for hosting copies when you can just reference the same resources).
- The general description matches a message that was actually sent recently. Again; a clever scammer would use that.

So how do you know that the message received by Jurusz is actually from BOI?

Bank of Ireland: Tara

Hi Paranoid Bob,

Thanks for your post.

We have launched a fraud awareness campaign in light of a recent increase in smishing attacks. The campaign includes emails and letters issuing to customers, reinforced through a social media campaign and extensive fraud advice on www.bankofireland.com/security-zone


Just to reiterate, Bank of Ireland will never call, email or text a customer looking for their confidential banking details.

We have been provided with information on the communications being issued about this to help with queries such as the one posted above.

Thanks
Tara

Tow

Hi BOI,

It was a mistake for BOI to move from .IE domains to .COM.  This was done in the boom years when management had visions of becoming an international bank.  The current reality is the international 'crown jewels' have been sold off...  So why not revert back to IE domains?  Even with new relaxed requirements, to register an .IE domain is a far more controlled process than a .COM

Bank of Ireland: Tara

Tow wrote: »

Hi BOI,

It was a mistake for BOI to move from .IE domains to .COM.  This was done in the boom years when management had visions of becoming an international bank.  The current reality is the international 'crown jewels' have been sold off...  So why not revert back to IE domains?  Even with new relaxed requirements, to register an .IE domain is a far more controlled process than a .COM

Hi Tow,

Thanks for your post. 

We're not aware of any plans to move domains but we will ensure to pass on all comments received here in relation to this.

Thanks
Tara

SOPHIE THE DOG

Dear Sirs

I sent the following email message to BoI (and I have attached to this message the screenshot referred to) on 10th Aug 2020
despite two follow up emails I have received no reply.

I'm now asking that
1. you tell me why i have received no reply
2. you provide me with the transcript i have asked for
3. you give me the explanation that I asked for in the last sentence on the message below.


++++++++++++++++++++++++++++++++++++++++++++

Dear Sirs
 
I called your Group Head Office this morning and my call was taken by Craig.
I asked for his surname but he would not give it.
I asked to be put through to his Supervisor.
He asked that I tell him what my question was to see if he could help before he would let me talk to his supervisor.
 
I told him that I had received a text message (photo of phone screen is attached).
I said that I was keen to work with BOI and make available what information I had to help track down the people that are behind this.
He said he would put me through to the Fraud Team.
This was at 9:35am this morning.
The line was silent from then on.
Craig did not come back to me to keep me updated on what was going on.
I held on until 9:50am and hung up.
 
This is all disappointing.
I’m trying to help you.
I’d like a transcript of my phonecall with Craig.
 
 
I have been a Bank of Ireland 365 on line user for many years and have a lot of text messages from BOI in my phone all under a heading of BOI.
 
You will note that the attached message appeared under a heading of “DEFAULT” in my phone rather than in my “BOI” message stream.
This is different to what I was hearing on Liveline last week.
 
I haven’t clicked on the link (and I won’t).
I haven’t deleted the text in case its helpful for you in your work.
I am prepared to loan my phone to BOI (you will have to send someone I know from BOI locally to collect it from me) if that helps.
 
Despite listening to what was said on Lifeline I still have no clear understanding of what happens after the link in the text is clicked by the victim.
I think its important that this is spelt out simply and clearly so that others can avoid this happening to them.
 

SOPHIE THE DOG

The email address that i sent my message to was       365security@boi.com

Bank of Ireland: Tara

Hi SOPHIE THE DOG,

Thanks for contacting us here on Boards.

We're sorry to hear you did not receive a reply when you contacted our security team. When emails are received to the security inbox an auto reply is issued and this will advise on steps you need to take if you have entered details on a phishing website. Can you please check junk and spam folders for the auto reply? The 365 Security email address is for reporting phishing emails or texts only and they only require a screenshot of the message received to investigate. They would not require the device the message was received on to complete this. Just to mention, the team would not be in a position to raise complaints or arrange transcripts of calls. To do this, you can lodge a formal complaint on the link here.

For more information on phishing and online fraud we would recommend viewing the Security Zone section on our main website. We have just launched a Fraud Awareness Campaign to make customers aware of the different types of online fraud.

We hope this helps and please feel free to contact us here if you have any other questions.

Thanks
Tara

Paranoid Bob

That security email address has a history of ignoring emails from people raising this issue.
The last few messages I sent there were ignored. That was just before I closed my account with Bank of Ireland over two years ago.

I speculate that they know this practice is indefensible so they don't try to defend it...

SOPHIE THE DOG

Tara

Thanks for your reply and thanks for your guidance in relation to accessing Junk folders. I had received the automated reply. I expected this to be followed by a meaningful reply and if that is as much as I get from BOI security then I am underwhelmed to say the least.

I can not make out how the scam works, it may have been explained on Liveline but I missed it. I thought BoI would be keen to explain how it works so as to help people be on their guard.

 I notice you did not bother giving me any help in relation to my request for a explanation of how it happens

I have since come across the attached screengrab and this shows how people are tricked into giving away their vital information.

The points to look for (and I am sure the next version of this from the criminals will be subtly different):
1. The website address (the real BoI site is www.365online.com (the attached one has boi at the end)
2. There’s 3 boxes to fill in, (the real BoI site has two, and if you don’t fill them in correctly you are not taken to the second page; you are taken back to the beginning and you get another chance, more about this below)
3. The real BoI first page asks for your ID number and either the last four digits of your contact number OR you date of birth, if you get your date of birth wrong, it gives you another chance and asks for the last four digits of your contact number
4. The real BoI site will only ask for a random three digits of the six digit PIN; on the second page, never the first and never the full six digits

So how it works and how people are taken advantage of:
(a) you give your ID and full PIN and the last four digits of your contact number
(b) the criminals then log onto the real BoI Banking 365website, they have your ID so they enter that, they will then be asked for either your date of birth or the last four digits of your contact number, if they are asked for your date of birth, they can enter any date they wish and get it wrong and then BoI give them a second chance and this time they will be asked for the last four digits of your contact number, which they have
(c) this gets them to the second page on the real (your) BoI website, where they are asked for three of the six digits of the PIN (as they have all six, this will be no problem for them)
(d) so the criminals are now into your account, setting up a new payee is straightforward enough and BoI will be kind enough to send you a text message with a one time code to complete this, I am lost at this point because the criminals can not proceed until they enter this code and its you that has it and not them, so they have to convince you by phonecall (??) to divulge this (maybe Tara you could explain how the rest of this works, I feel I have done more than my share)

Also, my (086) mobile number begins with an 8 so its an old one (as am I), so I feel its likely the criminals are random texting numbers of this vintage as they feel they will get older people who will be easier to hoodwink
Also, the amounts involved (I have not heard of any over EUR5,000) are probably pitched at such a level as to keep them under a figure that would trigger an automatic suspicious activity alarm in BoI.

Again Tara, you might come back to me on the above two points as well.

Bank of Ireland: Richard F

[font=Arial","sans-serif]Hi SOPHIE THE DOG,[/font]

[font=Arial","sans-serif] [/font]

[font=Arial","sans-serif]We appreciate you sharing this here. We’re sorry to hear you did not receive a response and we’ll certainly pass your feedback on to the team.[/font]

[font=Arial","sans-serif] [/font]

[font=Arial","sans-serif]This code can be asked for on the same fraudulent web page that asked for the rest of the details.[/font]

[font=Arial","sans-serif] [/font]

[font=Arial","sans-serif]These texts would be sent out to mobile numbers at random and we had received several reports of both BOI and non-BOI customers receiving them. [/font]

[font=Arial","sans-serif] [/font]

[font=Arial","sans-serif]We hope this information helps.[/font]

[font=Arial","sans-serif] [/font]

[font=Arial","sans-serif]Thanks,[/font]

[font=Arial","sans-serif]Richard[/font]