
Really?! Real or phishing? http://boimedia.customerminds.com

  • 01-06-2016 3:09pm
    #1
    Registered Users, Registered Users 2 Posts: 1,213 ✭✭✭


    Hi,

    Edit: Actually I do have doubts now... maybe this is a scam... must be new though... and it's certainly convincing...

    From looking at this mail I've just received, I suspect it's legit, but it's a very poor judgment call if it is, asking people to click on multiple non-BOI links (boimedia.customerminds.com), which appear to redirect to BOI.

    The company has some info on what they are doing for BOI here.
    http://www.customerminds.com/wp-content/uploads/2015/02/BOI-Case-Study.pdf

    I literally cannot believe someone in BOI signed off on this. When you are spending so much effort telling people not to click on suspect potential phishing links...

    Ix.

    Now there’s an easy way to take greater control over your credit card. With Card Care you can get your up-to-the-minute balance and check transactions, at any time, online. You can also order a replacement card, access your PIN, change your address, tell us if you’re travelling abroad and lots more.

    It’s simple, it’s quick and it puts you firmly in control.

    Register in Minutes


Comments

  • Closed Accounts Posts: 455 ✭✭Bank of Ireland: Evie


    ixtlan wrote: »
    Hi,

    Edit: Actually I do have doubts now... maybe this is a scam... must be new though... and it's certainly convincing...

    From looking at this mail I've just received, I suspect it's legit, but it's a very poor judgment call if it is, asking people to click on multiple non-BOI links (boimedia.customerminds.com), which appear to redirect to BOI.

    The company has some info on what they are doing for BOI here.
    http://www.customerminds.com/wp-content/uploads/2015/02/BOI-Case-Study.pdf

    I literally cannot believe someone in BOI signed off on this. When you are spending so much effort telling people not to click on suspect potential phishing links...

    Ix.

    Now there’s an easy way to take greater control over your credit card. With Card Care you can get your up-to-the-minute balance and check transactions, at any time, online. You can also order a replacement card, access your PIN, change your address, tell us if you’re travelling abroad and lots more.

    It’s simple, it’s quick and it puts you firmly in control.

    Register in Minutes
    Good Morning, 

    Thanks for contacting us on Boards.ie and for your feedback. To check the authenticity of this email please forward it to our security team at 365security@boi.com. Thank you for the feedback on this. 

    Thanks, 
    Evie 


  • Registered Users, Registered Users 2 Posts: 1,213 ✭✭✭ixtlan


    As requested I mailed 365security 5 days ago (last Thursday). While appreciating that it was a bank holiday weekend I'm a bit concerned to have received no reply at all. Not even an automated response.

    Today I've just received another different mail appearing to be from BOI, and again directing me to click on links to boimedia.customerminds.com (which do redirect to boi).

    This is very very bad practice.


    Get more from 365 online
    It’s as easy as click, click, scroll...


  • Registered Users, Registered Users 2 Posts: 1,213 ✭✭✭ixtlan


    So as I originally believed this was from BOI (see vague non-committal e-mail response below), but I still make the point that this is not the right thing to be doing. You should not be having third parties act as a conduit into your web-sites. To be clear companies partner with marketeers all the time, but you don't have them send mails directing customers through the marketeers web-site (even if that is just a virtual redirect). You want to train people to hover over a link and make sure it's going where it should, and again... a BOI link that actually goes to boimedia.customerminds.com should be a massive red flag to anyone. I know the reason this is being done is so you can track the number of hits you get from this marketing, but the right way to do that is to send customers directly to you with a marker to identify the source... ie www.boi.ie/customersminds/something/something etc.

    This forum is my only avenue to raise this to BOI, so I've done all I can.... So be it...

    Thank you for taking the time to email us in relation to your query.
    We can confirm the original email is genuine and was issued on behalf of Bank of Ireland.

    Should you have any queries in regards to the content contained within the email, we would recommend that you contact Banking 365 Customer Services where one of our customer service agents will be in the best possible position to look into this matter for you.

    Ix.


  • Closed Accounts Posts: 1,060 ✭✭✭Bank of Ireland: Alison


    ixtlan wrote: »
    So as I originally believed this was from BOI (see vague non-committal e-mail response below), but I still make the point that this is not the right thing to be doing. You should not be having third parties act as a conduit into your web-sites. To be clear companies partner with marketeers all the time, but you don't have them send mails directing customers through the marketeers web-site (even if that is just a virtual redirect). You want to train people to hover over a link and make sure it's going where it should, and again... a BOI link that actually goes to boimedia.customerminds.com should be a massive red flag to anyone. I know the reason this is being done is so you can track the number of hits you get from this marketing, but the right way to do that is to send customers directly to you with a marker to identify the source... ie www.boi.ie/customersminds/something/something etc.

    This forum is my only avenue to raise this to BOI, so I've done all I can.... So be it...

    Thank you for taking the time to email us in relation to your query.
    We can confirm the original email is genuine and was issued on behalf of Bank of Ireland.
     
    Should you have any queries in regards to the content contained within the email, we would recommend that you contact Banking 365 Customer Services where one of our customer service agents will be in the best possible position to look into this matter for you.

    Ix.
    Hi ixtlan

    Thanks for coming back to us and apologies for the delay in the response received relating to the mail you received. 

    We will pass on your feedback and concerns to our Marketing Team and appreciate the time taken to raise this here with us.


    Many Thanks
    Alison


  • Registered Users, Registered Users 2 Posts: 48 Doubt.It


    I received an email that linked to this address* in the last few days, telling me that my new personal account was ready. Worrying, as I hadn't asked for a new personal account...

    When I inquired in my branch they had no knowledge of the email, and told me to ignore it as it definitely was not from Bank of Ireland. Yet now I find that customerminds.com is actually doing this on BoI's behalf.

    BoI, you simply cannot do this. It is sheer idiocy to warn us about convincing-looking emails from strange sources on one hand, while on the other sending us emails from strange sources. Teaching customers that peculiar communication from you can sometimes be legitimate completely and utterly undermines security.



    *To be absolutely clear, the email appeared to come from info@boimail.com and the reply address was donotreply@boi.com, but these can of course be fake. The "open in your browser" link was to www.customerminds.com


  • Registered Users, Registered Users 2 Posts: 1,213 ✭✭✭ixtlan


    Doubt.It wrote: »
    I received an email that linked to this address* in the last few days, telling me that my new personal account was ready. Worrying, as I hadn't asked for a new personal account...

    When I inquired in my branch they had no knowledge of the email, and told me to ignore it as it definitely was not from Bank of Ireland. Yet now I find that customerminds.com is actually doing this on BoI's behalf.

    BoI, you simply cannot do this. It is sheer idiocy to warn us about convincing-looking emails from strange sources on one hand, while on the other sending us emails from strange sources. Teaching customers that peculiar communication from you can sometimes be legitimate completely and utterly undermines security.



    *To be absolutely clear, the email appeared to come from info@boimail.com and the reply address was donotreply@boi.com, but these can of course be fake. The "open in your browser" link was to www.customerminds.com
    It's been 3 months since my last set of posts. All I can do is agree with Doubt.It. Red Flags, sirens, red flags. Clearly the marketing department don't care. I'd encourage the BOI representatives to escalate it to the internal security people in the bank. This is just crazy.

    Ix.


  • Closed Accounts Posts: 735 ✭✭✭Bank of Ireland: Nicola


    Hi Doubt.It and ixtlan, just wanted to give you a quick update on this.

    I can confirm that Bank of Ireland has a partnership agreement with a third party company (Customer Minds) to transmit email communications to customers on our behalf.

    We’re committed to keeping customers information secure and it’s important to note that we’ll never send emails that require customers to send personal information through email or pop-up windows.

    Any unsolicited requests for account information received through pop-up windows, emails, or websites should be considered fraudulent and reported immediately.

    If you do receive a suspect email please forward it on to 365security@boi.com

    I’ll certainly pass on your feedback here in relation to these emails and if there’s anything else that I can help you with please let me know.

    Thanks
    Nicola


  • Registered Users, Registered Users 2 Posts: 121 ✭✭Paranoid Bob


    It appears that Bank of Ireland is still sending messages to customers with misleading links in them. The link text is 'bankofireland.com', the reference is to boimedia.customerminds.com.

    This is one full year after being advised that this is poor practice that leads to an increased risk of their customers being duped by phishing email. You cannot send this sort of misleading link to customers then be surprised when the same customers fall for other misleading links.

    At this point I think it is fair to draw the conclusion that Bank of Ireland does not have a culture of security.

    If the bank shows this sort of poor judgement with a very simple issue then they surely cannot be trusted with more complex matters of security.
    I've had an account with Bank of Ireland since I was in college almost 30 years ago. It is time to take my business elsewhere.


  • Closed Accounts Posts: 453 ✭✭Bank of Ireland: Kareana


    ixtlan wrote: »
    Hi,

    Edit: Actually I do have doubts now... maybe this is a scam... must be new though... and it's certainly convincing...

    From looking at this mail I've just received, I suspect it's legit, but it's a very poor judgment call if it is, asking people to click on multiple non-BOI links (boimedia.customerminds.com), which appear to redirect to BOI.

    The company has some info on what they are doing for BOI here.
    http://www.customerminds.com/wp-content/uploads/2015/02/BOI-Case-Study.pdf

    I literally cannot believe someone in BOI signed off on this. When you are spending so much effort telling people not to click on suspect potential phishing links...

    Ix.

    Now there’s an easy way to take greater control over your credit card. With Card Care you can get your up-to-the-minute balance and check transactions, at any time, online. You can also order a replacement card, access your PIN, change your address, tell us if you’re travelling abroad and lots more.

    It’s simple, it’s quick and it puts you firmly in control.

    Register in Minutes
    Hi ixtlan

    Thanks for the post.

    We do communicate more via email regarding changes to our products and services.

    However the difference between a spam and our genuine emails is that we would never ask you to disclose any account or personal details in an email.

    If you wish not to receive these emails you can contact us through ask a question or by calling our customer care team on 0818 365 365.

    Thank you for the feedback.

    Thanks

    Kareana  


  • Registered Users, Registered Users 2 Posts: 121 ✭✭Paranoid Bob


    This is not about whether I'd like to receive marketing messages from Bank of Ireland, it is about Bank of Ireland sending emails that are training people to accept phishing techniques.

    Let me try to pose a question that should help:

    What is the advice from the bank to customers who receive email that claims to be from the bank, where that email contains links that claim to be to the bank's website, but those links are actually to some domain that is not owned by the bank?
    Is it:
    a) to trust the email, click the link, and trust that the website they end up on is a bank site?
    or:
    b) to treat the email as possible phishing and report / delete it?

    I hope it is clear that b) is the only safe answer.


  • Closed Accounts Posts: 2,346 ✭✭✭Bank of Ireland: Tara


    Hi Paranoid Bob,

    As mentioned, Bank of Ireland will never email or text asking you to click on a link to confirm or unlock account or card details.

    If you do receive a message like this, please do not access any links contained in the message. We would ask that you forward the email, or a screenshot if it's a text, to 365security@boi.com for investigation.

    We have information on how to stay safe online here: https://www.bankofireland.com/security-zone/

    Thanks
    Tara


  • Closed Accounts Posts: 18,268 ✭✭✭✭uck51js9zml2yt


    You are obviously not aware that it's possible for links to be a vector for the download of malicious programs.

    I came across this thread and it's quite worrying to read the BOI responses.

    If I was still working in Cabinteely I'd be raising the issue with the security team.


  • Closed Accounts Posts: 2,346 ✭✭✭Bank of Ireland: Tara


    Hi tatranska,

    Sorry to hear you're unhappy with the replies given here. We can assure you that we are aware that links in phishing messages can contain malware and this is why we have advised here to not access these. We work closely with our security team and they have requested that anyone who receives these messages please forward them to 365security@boi.com for investigation.

    Thanks
    Tara


  • Registered Users, Registered Users 2 Posts: 1,213 ✭✭✭ixtlan


    Hi Tara,

    We do appreciate that you can't change BOI policy and are constrained in the kind of responses you can give.

    All we ask is that you raise this with your manager and try to get our concerns escalated again, primarily with the IT security people at the bank, since for marketing security is clearly not a priority.

    As we keep saying:

    Sending marketing mails directing customers through a third party site to get to a BOI web site is an appalling practice. It doesn't matter that the link in the mail doesn't directly take the customer to a login page. Clearly once you are on the BOI site you are only a few clicks away from a login... and that site containing the login links might not actually be BOI.

    Ix.


  • Registered Users, Registered Users 2 Posts: 121 ✭✭Paranoid Bob


    Hi Paranoid Bob,

    As mentioned, Bank of Ireland will never email or text asking you to click on a link to confirm or unlock account or card details.

    If you do receive a message like this, please do not access any links contained in the message. We would ask that you forward the email, or a screenshot if it's a text, to 365security@boi.com for investigation.

    We have information on how to stay safe online here: https://www.bankofireland.com/security-zone/

    Thanks
    Tara
    Tara,

    Thank you for the reply, and I understand the answer you have given but it is not an answer to the question I have asked.

    Can I ask you please to get an answer to the question I have asked:
    If I, as a customer of Bank of Ireland, receive an email that claims to be from the bank where that email contains links that purport to be to the Bank's website but are actually to another domain; should I trust that the email is from the Bank and that the links are safe to click?

    I understand the answer that the Bank will never send an email or text asking to click on a link to confirm or unlock account or card details, but that does not answer the question. The fact is that I cannot know what the link is asking me to do until after I click it and read whatever page loads. By then I could have loaded some browser-based malware.

    So the question is very simple, and I have re-worded it to call for a 'yes' or 'no' answer. Can you please find an answer to that question that the Bank is willing to stand over?


  • Registered Users, Registered Users 2 Posts: 21,529 ✭✭✭✭Alun


    FWIW AIB do exactly the same, and I received a similar non-answer from them when I contacted them about it.


  • Registered Users, Registered Users 2 Posts: 855 ✭✭✭mickoneill31


    Apart from the bad practice your marketing team is wasting their money. People will (or should) bin mails like this. I do security awareness courses in my company. 
    One of our business units got a third party to email the company in a mail. We in the security team got a pile of reports from users of the possible "phishing attempt". 

    Even if BOI marketing don't care about security they probably do care about throwing money down the drain. 


  • Closed Accounts Posts: 991 ✭✭✭Bank of Ireland: Darren


    Thanks to everyone who has posted on this thread.

    All the feedback in this thread has been sent to our marketing team for their attention. If there is any further update we will post it on this thread.

    Thanks again,
    Darren.


  • Registered Users, Registered Users 2 Posts: 1,213 ✭✭✭ixtlan


    Sorry, I know we should give up at this point, but the irony is just too much!

    A mail arrives from BOI today.

    Subject:
    Improving online security on your debit and credit card.

    full of links like this... which appear to bring us through to BOI's web-site, though by then it would be too late to know for sure where you were...

    http://boimedia.customerminds.com/lp/l/23613/16c5f0ad5fa7c6378e55fdd16574d1a5/9980029/1903/

    They also helpfully include links to download apps for IOS/Android... going through boimedia.customerminds.com

    Ix.


  • Closed Accounts Posts: 910 ✭✭✭BlinkingLights


    It annoys me that despite all the talk about security and need for protecting our data ourselves, that banks (and BOI is not unique in this) continue to engage in sloppy practices like this.

    If you expect to have a secure system, both the customers and the bank need to structure all interactions with security in mind.


  • Registered Users, Registered Users 2 Posts: 121 ✭✭Paranoid Bob


    Just in case some visitors to this thread think we're a few curmudgeons just looking for trouble I took some time to look for expert advice around the Web. Here are a few of the sites I found:

    https://www.us-cert.gov/ncas/tips/ST04-014
    US CERT advice, under 'How do you avoid being a victim?'
    Do not reveal personal or financial information in email, and do not respond to email solicitations for this information. This includes following links sent in email.
    Pay attention to the URL of a website. Malicious websites may look identical to a legitimate site, but the URL may use a variation in spelling or a different domain

    https://securingthehuman.sans.org/newsletters/ouch/issues/OUCH-201512_en.pdf
    SANS institute advice, including:
    The attacker's goal is to take control of your device. To do this they send you an email with a link. If you click on the link, it takes you to a website that launches an attack on your device that, if successful, infects your system.

    Europol:
    https://www.europol.europa.eu/activities-services/public-awareness-and-prevention-guides/mobile-malware
    Don’t click on links or attachments in unsolicited emails or text messages
    Delete them as soon as you receive them.
    Double-check shortened URLs and QR codes, they could lead to harmful websites or directly download malware to your device.

    ... I think that last one from Europol was part of an EU-wide awareness program. An Garda Síochána sent that content to all the major banks in Ireland, so Bank of Ireland should be well aware of the content.

    So the bank is sending emails encouraging customers to act against advice from many different experts, including advice given to the bank by the Gardaí.

    Darren; you said the feedback on this thread had been sent to your marketing department. Perhaps you or one of your colleagues could let us know how it was received? Maybe score it on this handy 5-point scale:
    1: (sound of tumbleweed and crickets)
    2: 'Just ignore them ...'
    3: meh.
    4: yes, there is something in what they are saying ...
    5: there is a project being considered or underway to collect the tracking data in a more responsible way.


  • Closed Accounts Posts: 1,640 ✭✭✭Bank of Ireland: Sarah


    ixtlan wrote: »
    Sorry, I know we should give up at this point, but the irony is just too much!

    A mail arrives from BOI today.

    Subject:
    Improving online security on your debit and credit card.

    full of links like this... which appear to bring us through to BOI's web-site, though by then it would be too late to know for sure where you were...

    http://boimedia.customerminds.com/lp/l/23613/16c5f0ad5fa7c6378e55fdd16574d1a5/9980029/1903/

    They also helpfully include links to download apps for IOS/Android... going through boimedia.customerminds.com

    Ix.
    Hi Ix,

    Thanks for your post. We appreciate your feedback regarding this email and we will forward your and other users' comments regarding these links in our emails to the relevant teams. If we can help with any other query please let us know.

    Thanks,
    Sarah


  • Registered Users, Registered Users 2 Posts: 121 ✭✭Paranoid Bob


    I think there is finally an answer to this question from Bank of Ireland.

    The page at https://www.bankofireland.com/security-zone/personal/safety-online/#panel2 includes advice on how to recognise suspicious email messages.

    It includes four tips, two of which seem very relevant to this thread:
    • Be suspicious of unsolicited emails. Listen to your instincts. If something doesn’t feel right then stop and question it.
    • Check links in emails are legitimate by ‘hovering’ your mouse over the link to view the web address (URL) without clicking. If it is different to what you were expecting, do not click.

    So there you have it. The advice from Bank of Ireland is to avoid clicking on the links in unsolicited email messages from Bank of Ireland.


  • Registered Users, Registered Users 2 Posts: 35 matildajane


    Another email received from some staff in my organisation today from customerminds.  The email advises people how to lodge their water charges refund cheque.  Again the links are urls that resolve to bank of Ireland site but when you hover over the url the link is to boimedia.customerminds.com/....

    I advised staff to delete the email but when you are trying to educate staff around the area of security this is extremely annoying. Also can Bank of Ireland point to where customers gave consent for their email address to be passed on to a third party for marketing purposes?  Under data protection legislation consent must be explicit and also customers must have the right to opt out.  At the very least there should be an easy opt out link at the end of the email. I am tempted to blacklist info@boimail.com 


  • Closed Accounts Posts: 991 ✭✭✭Bank of Ireland: Darren


    Another email received from some staff in my organisation today from customerminds.  The email advises people how to lodge their water charges refund cheque.  Again the links are urls that resolve to bank of Ireland site but when you hover over the url the link is to boimedia.customerminds.com/....

    I advised staff to delete the email but when you are trying to educate staff around the area of security this is extremely annoying. Also can Bank of Ireland point to where customers gave consent for their email address to be passed on to a third party for marketing purposes?  Under data protection legislation consent must be explicit and also customers must have the right to opt out.  At the very least there should be an easy opt out link at the end of the email. I am tempted to blacklist info@boimail.com 

    Hi matildajane,

    Thanks for getting on to us here.

    I can confirm that this is a service email and not a promotional or marketing email and for this reason does not require an opt out option. Customerminds is run and operated by Bank of Ireland, so no customer information is given to any 3rd party organization in relation to this. Please be assured that the email was sent out purely to help our customers.

    Thanks again for the message.
    Darren.


  • Registered Users, Registered Users 2 Posts: 1,213 ✭✭✭ixtlan


    I can confirm that this is a service email and not a promotional or marketing email and for this reason does not require an opt out option. Customerminds is run and operated by Bank of Ireland, so no customer information is given to any 3rd party organization in relation to this. Please be assured that the email was sent out purely to help our customers.
    Hi Darren,

    It seems unlikely that customerminds (the company) is under BOI control, since it's a marketing/communications company with many clients of which BOI is just one. Certainly it would be a strange business for BOI to get involved in and there is no indication that BOI is involved in any way apart from being a customer. I am open to correction on that, maybe you were an investor in the business but even then I'd be questioning a statement that you "run and operate" it.

    The mails do originate from
    mtaserver1.customerminds.com

    so it seems likely that they have the emails of BOI customers. If they are indeed a third party then there may be data privacy issues. Does the fact that it's a service mail related to your service and products negate data protection? I don't know.

    I am not an expert here. There may be factors which absolve BOI. In particular I note customerminds have both a managed and self-service option. One would imagine that the self-service option would keep the data in-house. However you would then expect the mails and links to reference BOI and not customerminds.

    Regardless of the details this is just a plain ridiculous policy. You say to people check links before you click them! Don't click on any suspicious links! Make sure the URL matches the text in the message!

    and now, in effect you are saying.... Here click this oddly named link which does not match the referenced text! Follow this link through to BOI where you can enter your bank details!
    "http://boimedia.customerminds.com/lp/l/27585/d7d3489340a67c61ee13a56e53e39d0d/12215311/1923"

    On the privacy issue can you confirm a few things?

    Is customerminds a third party or a BOI entity?
    Have they received a list of BOI emails?
    Were mails sent from BOI owned systems?
    Do you believe or not that permission was required to send them those email lists?

    I may follow up with some journalists on this to see if they are interested in doing a story on BOI's careless security stance.

    Ix.


  • Registered Users, Registered Users 2 Posts: 121 ✭✭Paranoid Bob


    Yesterday there were reports in Irish national papers of an email scam; an email apparently from Irish Water offering information about a refund. That email contained a link to a site that was apparently an Irish Water site, though looking carefully at the URL would indicate otherwise.
    https://www.thesun.ie/news/1864151/irish-water-warns-customers-are-being-targeted-in-new-email-scam-asking-for-bank-details-for-long-awaited-water-charges-refunds/
    http://www.irishmirror.ie/news/irish-news/consumers-warned-irish-water-refund-11602820
    http://www.thejournal.ie/irish-water-phishing-scam-3721505-Nov2017/

    Today there is an email apparently from Bank of Ireland offering information about the Irish Water refund. The email contains links to a site that is apparently a Bank of Ireland site, though looking carefully at the URL would indicate otherwise.

    Bank of Ireland would have us believe that what they are doing is obviously different to what the scammers are doing. How exactly is it different?

    Advice from various experts including the SANS institute, CERT and Europol tells us to avoid clicking on links in unsolicited emails, most especially when the actual domain of the URL does not match the apparent sender. Even Bank of Ireland give the same advice, though from the evidence of this thread I'd hesitate to call them experts. customerminds.com does not match bankofireland.com.


  • Registered Users, Registered Users 2 Posts: 121 ✭✭Paranoid Bob


    ixtlan wrote: »
    On the privacy issue can you confirm a few things?

    Is customerminds a third party or a BOI entity?
    Have they received a list of BOI emails?
    Were mails sent from BOI owned systems?
    Do you believe or not that permission was required to send them those email lists?

    I may follow up with some journalists on this to see if they are interested in doing a story on BOI's careless security stance.

    Ix.
    Ix,

    Another question you may want to add to the list:
    How did Bank of Ireland compile the list of email addresses to receive this message?

    I know people who are not Irish Water customers (because they live in rural areas and have private water supplies) who did not receive this message. The message was apparently targeted at Irish Water customers. What data did Bank of Ireland process in order to come up with a list of Irish Water customers, and did they have permission from those customers to process data for that purpose?

    That is a question that the Data Protection Commissioner might be prompted to ask.


  • Closed Accounts Posts: 2,346 ✭✭✭Bank of Ireland: Tara


    Hi all,

    Thanks for taking the time to post your comments and feedback on this matter which we have forwarded on to our communications team.

    To reassure you, the links provided in this service email are to our Branch/ATM Locator and locations of External Lodgement ATMs. The other link is to view an online version of the email. Unlike a fraudulent email, neither of these links requests you to enter any account or log in details. 

    If you are one of our customers who has received this email but are unhappy with this, please see our complaints process here. As for your other questions, we are unable to provide that level of information.

    To check how your email address was obtained, please submit a query using the Ask a Question option in Service Desk on 365 Online.

    Just to reassure you once again, the email was sent to help our customers who may not receive cheques very often and to offer options on how the cheque can be lodged.

    Thanks
    Tara


  • Registered Users, Registered Users 2 Posts: 121 ✭✭Paranoid Bob


    Tara,

    Thank you for the response. Unfortunately it misses the point again. Your message includes:
    To reassure you, the links provided in this service email are to our Branch/ATM Locator and locations of External Lodgement ATMs. The other link is to view an online version of the email. Unlike a fraudulent email, neither of these links requests you to enter any account or log in details. 
    The problem is that there is no way for the recipient of the email to know that the links will lead them to a Bank of Ireland site until after the links are clicked. If the message is genuine then there is no problem. If the message is not genuine then the customer will not know this until after the attacker has had the opportunity to install malware on their computer.

    Bank of Ireland's own advice acknowledges this, and yet the bank persists in sending these messages.

    Given that it is now well over a year since this was first brought to your attention on this thread we can only conclude that there is a wilful disregard for the legitimate cybersecurity concerns of your customers.
    Can you make a comment on that? Can you reconcile the bank's own advice that customers should not click on links like this with the assurances here that these messages are safe?

    For reference; the advice from Bank of Ireland is here: https://www.bankofireland.com/security-zone/personal/safety-online/#panel2

    It includes the following:
    What to look for: ... Unexpected emails that claim to come from a financial institution.
    Tips: ... Check links in email are legitimate by 'hovering' your mouse over the link to view the web address (URL) without clicking. If it is different to what you are expecting, do not click.

    The email sent from the bank this week is an unexpected email that claims to come from a financial institution, and hovering over the links shows that the URL is not a Bank of Ireland domain.

    Please reconcile this advice with your assertion that the email sent this week should be trusted.
    Failing that, acknowledge that the bank is continuing a practice that is not sound and will lead to a reduced cybersecurity awareness among its customers.


  • Closed Accounts Posts: 991 ✭✭✭Bank of Ireland: Darren


    Tara,

    Thank you for the response. Unfortunately it misses the point again. Your message includes:
    To reassure you, the links provided in this service email are to our Branch/ATM Locator and locations of External Lodgement ATMs. The other link is to view an online version of the email. Unlike a fraudulent email, neither of these links requests you to enter any account or log in details. 
    The problem is that there is no way for the recipient of the email to know that the links will lead them to a Bank of Ireland site until after the links are clicked. If the message is genuine then there is no problem. If the message is not genuine then the customer will not know this until after the attacker has had the opportunity to install malware on their computer.

    Bank of Ireland's own advice acknowledges this, and yet the bank persists in sending these messages.

    Given that it is now well over a year since this was first brought to your attention on this thread we can only conclude that there is a wilful disregard for the legitimate cybersecurity concerns of your customers.
    Can you make a comment on that? Can you reconcile the bank's own advice that customers should not click on links like this with the assurances here that these messages are safe?

    For reference; the advice from Bank of Ireland is here: https://www.bankofireland.com/security-zone/personal/safety-online/#panel2

    It includes the following:
    What to look for: ... Unexpected emails that claim to come from a financial institution.
    Tips: ... Check links in email are legitimate by 'hovering' your mouse over the link to view the web address (URL) without clicking. If it is different to what you are expecting, do not click.

    The email sent from the bank this week is an unexpected email that claims to come from a financial institution, and hovering over the links shows that the URL is not a Bank of Ireland domain.

    Please reconcile this advice with your assertion that the email sent this week should be trusted.
    Failing that, acknowledge that the bank is continuing a practice that is not sound and will lead to a reduced cybersecurity awareness among its customers.

    Hi there,

    Thanks for getting back to me.

    We have given all the information we can in relation to this. Thanks for all of your feedback and we have passed this on to our security team.

    Thanks again,
    Darren.


  • Registered Users, Registered Users 2 Posts: 121 ✭✭Paranoid Bob


    Hi there,

    Thanks for getting back to me.

    We have given all the information we can in relation to this. Thanks for all of your feedback and we have passed this on to our security team.

    Thanks again,
    Darren.
    So has the security team signed off on this practice?

    Clearly someone in the bank knows it is a bad idea; the advice given is actually OK.
    So either the security team has signed off on a practice that they know to be contrary to good advice, or the security team has not signed off on it but the communications team is doing it anyway.

    So that bank's security governance is either incompetent or impotent.

    To anyone reading this thread; I suggest you do not want to deal with a bank whose security governance is either incompetent or impotent. Don't walk away from Bank of Ireland. Run.

    I've already taken my business elsewhere.


  • Registered Users, Registered Users 2 Posts: 1,213 ✭✭✭ixtlan



    To reassure you, the links provided in this service email are to our Branch/ATM Locator and locations of External Lodgement ATMs. The other link is to view an online version of the email. Unlike a fraudulent email, neither of these links requests you to enter any account or log in details.
    Sorry guys,

    What you have said is not true.

    The links provided do not go to Branch/ATM Locator and locations of External Lodgement ATMs. Repeat they do not go to BOI. That's the whole point of this seemingly endless discussion.

    The links provided actually go to a third party non-BOI website (as far as we know), which then redirects the user to BOI to the information you mention.

    As regards entering account information, from this mail you are 3 clicks away from an account login page. So you are training users to click on an unsafe link as OK... then if they want.. to click Visit BOI and then click login...where they will enter their account details. If you expect users to trust the first URL, why do you not expect them to conveniently follow the link in the mail to login?! Internet scammers are quite adept at reproducing entire web-sites!

    The point of internet security training is to get people to be suspicious, while you seem determined to do the opposite.

    We understand that you are an interface to the bank, and it may be tiresome that we persist in pointing out the issue here, but I hope you can appreciate that we are trying to help you to have the right security policies. What is frustrating for all of us is that while we believe you that the concerns have been passed up some chain of command, there has been no formal response to those concerns (for 18 months!) other than that they have been passed on. Of course common sense from our point of view is that no IT security group in the world would publicly agree with what BOI is doing so we wonder how this mailing practice can continue.

    Ix


  • Registered Users, Registered Users 2 Posts: 121 ✭✭Paranoid Bob


    There is some news from the UK recently that is relevant to this thread. It is unfortunate that there are no corresponding recommendations here in Ireland, but this is relevant. It shows the impact of training customers to accept bad practice and says clearly that banks have a particular responsibility to combat this.

    The Commons Select Committee says action to combat online fraud must favour customers:
    http://www.parliament.uk/business/committees/committees-a-z/commons-select/public-accounts-committee/news-parliament-2017/growing-threat-online-fraud-report-published-17-19/
    An extract:
    Banks not doing enough and response not proportionate to problem

    Banks are not doing enough to tackle online fraud and their response has not been proportionate to the scale of the problem. Banks need to take more responsibility and work together to tackle this problem head on. Banks now need to work on information sharing so that customers are offered more protection from scams.

    Campaigns to educate people and keep them safe online have so far been ineffective, supported by insufficient funds and resources.


    In Bank of Ireland's case; their campaign is to educate people to accept the worst practices and trust emails that a scammer could duplicate with no effort.

    Given the amount of time that has passed since this was brought to the attention of the bank we have to conclude it is a deliberate commercial decision; protecting customers is worth less than using a very slightly more complex way to gather metrics on engagement with customer outreach messages.


  • Registered Users, Registered Users 2 Posts: 2,170 ✭✭✭Grawns


    Just got an email similar and immediately assumed it was a very clever scam. Asking me to upload current ID to customer minds. Very poor practice if it's not a total scam


  • Registered Users, Registered Users 2 Posts: 1,213 ✭✭✭ixtlan


    Thanks Grawn,

    Your mail prompted me to comment on a text I just received from BOI. I know it's probably from BOI because it comes from the number that sends me comments about bank fees.

    However... wearily I have to add, this text is about the Live Life rewards programme, asking me to click on a link to answer a survey... link going to bankofireland.eu.qualtrics.com/jfe/form/SV/******   I mean really... could you make this more suspicious!?

    As has been said many times, all we can do is ask our concerns be passed up the chain.

    Ix.
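
Added example, not part of any post in this thread: a defender-side version of the "hover and compare the domain" check discussed above, run over the links in an HTML email body. The trusted domain and brand strings are assumptions taken from names in the thread, and the sample email, its link paths and the `example.net` host are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption: the only domain the sender is known to control (named in the thread).
TRUSTED_DOMAINS = {"bankofireland.com"}
# Assumption: brand strings whose presence in a third-party host deserves a flag.
BRAND_LABELS = {"bankofireland", "boi"}

# Constructed sample email body; every path is a placeholder.
SAMPLE_HTML = """
<p><a href="http://boimedia.customerminds.com/EXAMPLE/atm">Find an ATM</a></p>
<p><a href="https://bankofireland.eu.qualtrics.com/jfe/form/EXAMPLE">Survey</a></p>
<p><a href="https://www.bankofireland.com.example.net/login">Log in</a></p>
<p><a href="https://www.bankofireland.com/security-zone/personal/safety-online/">
Safety online</a></p>
"""

class LinkCollector(HTMLParser):
    """Collects the href of every <a> tag in the message body."""
    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            href = dict(attrs).get("href")
            if href:
                self.hrefs.append(href)

def host_of(url):
    """Lower-cased hostname of a URL; scheme-less links are tolerated."""
    if "://" not in url:
        url = "//" + url
    return (urlsplit(url).hostname or "").lower().rstrip(".")

def is_trusted(host):
    # Match on whole labels from the right. A substring test would wrongly
    # accept hosts such as www.bankofireland.com.example.net.
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)

def audit_links(html):
    """Return (host, reasons) per link; an empty reasons list means on-domain."""
    collector = LinkCollector()
    collector.feed(html)
    findings = []
    for href in collector.hrefs:
        host = host_of(href)
        reasons = []
        if not is_trusted(host):
            reasons.append("off-domain")
            # The brand appearing inside a host owned by someone else is what
            # makes such links indistinguishable from a phishing lure.
            if any(b in label for label in host.split(".") for b in BRAND_LABELS):
                reasons.append("brand-in-third-party-host")
        findings.append((host, reasons))
    return findings

if __name__ == "__main__":
    for host, reasons in audit_links(SAMPLE_HTML):
        print(f"{host:40} {', '.join(reasons) or 'ok'}")
```

The check cannot tell a contracted third-party tracker from a lookalike, which is the point made throughout the thread: both produce the same flags.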


  • Registered Users, Registered Users 2 Posts: 2,538 ✭✭✭NinjaTruncs


    I have noticed this too in the past, for a company who should take account security seriously their emails are so dodgy. It's gotten to the point where you need to delete any emails from BOI as you've no way of knowing if they are legit or not.

    Alternatively, if everyone reported BOI emails as spam they would be pretty quick to start making changes as email providers would start blocking their emails.

    4.3kWp South facing PV System. South Dublin



  • Closed Accounts Posts: 490 ✭✭Bank of Ireland: Jennifer


    Grawns wrote: »
    Just got an email similar and immediately assumed it was a very clever scam. Asking me to upload current ID to customer minds. Very poor practice if it's not a total scam


    Hi Grawns,

    Thanks for getting in touch with us here. We are currently sending emails like this to some of our customers. If you forward the email you received to 365security@boi.com, they will be able to confirm if this is a legitimate email.

    Thanks Jen


  • Registered Users, Registered Users 2 Posts: 121 ✭✭Paranoid Bob


    Grawns wrote: »
    Just got an email similar and immediately assumed it was a very clever scam. Asking me to upload current ID to customer minds. Very poor practice if it's not a total scam


    Hi Grawns,

    Thanks for getting in touch with us here. We are currently sending emails like this to some of our customers. If you forward the email you received to 365security@boi.com, they will be able to confirm if this is a legitimate email.

    Thanks Jen
    This demonstrates exactly the problem with these messages.
    It is not possible for the customer to tell the difference between what you describe as 'legitimate email' and a scam. The only way Grawns or any other customer can tell the difference between a 'legitimate' email and a scam is to ask 365security@boi.com about every single message they receive from the bank.
    Clearly that is not good for either the bank or its customers, so the only reasonable course of action is to distrust all email that appears to be from Bank of Ireland and send it straight into the bin.


  • Registered Users, Registered Users 2 Posts: 855 ✭✭✭mickoneill31


    ixtlan wrote: »
    Thanks Grawn,

    Your mail prompted me to comment on a text I just received from BOI. I know it's probably from BOI because it comes from the number that sends me comments about bank fees.

    However... wearily I have to add, this text is about the Live Life rewards programme, asking me to click on a link to answer a survey... link going to bankofireland.eu.qualtrics.com/jfe/form/SV/******   I mean really... could you make this more suspicious!?

    As has been said many times, all we can do is ask our concerns be passed up the chain.

    Ix.

    Don't just trust numbers either



    https://krebsonsecurity.com/2018/10/voice-phishing-scams-are-getting-more-clever/


  • Registered Users, Registered Users 2 Posts: 247 ✭✭beecee


    Grawns wrote: »
    Just got an email similar and immediately assumed it was a very clever scam. Asking me to upload current ID to customer minds. Very poor practice if it's not a total scam


    Hi Grawns,

    Thanks for getting in touch with us here. We are currently sending emails like this to some of our customers. If you forward the email you received to 365security@boi.com, they will be able to confirm if this is a legitimate email.

    Thanks Jen
    Might just have to block all emails from BOI. Can't believe no heed has been paid to all the very valid feedback on this thread. Despite assurances given, there's no way I'm clicking on anything in those emails!


  • Registered Users, Registered Users 2 Posts: 23 kbbucks


    Just got one myself this morning looking for photo ID & proof of address. I put it down to a scam straight away but did a quick interweb search of boimedia out of curiosity and ended up here :) 
    I really can't believe a company the size of BOI and with the current profits they are enjoying don't invest in/review their online processes - it just goes to show that in this country they don't have to... Surely any sort of an ISO audit would red-flag this sort of practice - I guess the bank guarantee must have covered audits as well!! ;)  


  • Registered Users, Registered Users 2 Posts: 1,561 ✭✭✭Umaro


    I received one of these emails this morning, thought it looked a bit suspicious and it made no sense why it was asking for proof of address and ID... I've been with this bank for 15 years.

    Googled around and this thread turned up, and lo-and-behold people were warning BOI not to use these dodgy URLs all the way back in June 2016. It's actually insane that you continue to do this when a load of customers were already on your case about it over 2 years ago.


  • Registered Users, Registered Users 2 Posts: 1,623 ✭✭✭Squatman


    As a BOI customer, I find these practices to be questionable to the extreme. The answers here, while I know you are toeing the company line, offer little in the way of reassurance to the customer. I will consider moving bank over this, and BOI's general lack of help to customers.


  • Closed Accounts Posts: 991 ✭✭✭Bank of Ireland: Darren


    Hi All,

    Thanks for all of your comments and feedback, please be assured that we pass on all the feedback we receive here.
    If you have any specific questions about the requests that you've received you can contact that section directly on 0818200339 (or 0035312500399 if you're abroad) and the advisers there will be more than happy to help you with this.
    If you're unhappy and would like to raise this as an official complaint you can do so by calling us on 0818200365 (or 0035314044000 if you're abroad).
    You can also do this in writing and send it into the following address below:
    Bank of Ireland,
    Group Customer Complaints,
    4th Floor,
    New Century House,
    IFSC,
    Lower Mayor Street,
    Dublin 1
    D01 K8N7.

    Thanks again for getting in touch.
    Darren.


  • Registered Users, Registered Users 2 Posts: 1,623 ✭✭✭Squatman


    Hi All,

    Thanks for all of your comments and feedback, please be assured that we pass on all the feedback we receive here.
    If you have any specific questions about the requests that you've received you can contact that section directly on 0818200339 (or 0035312500399 if you're abroad) and the advisers there will be more than happy to help you with this.
    If you're unhappy and would like to raise this as an official complaint you can do so by calling us on 0818200365 (or 0035314044000 if you're abroad).
    You can also do this in writing and send it into the following address below:
    Bank of Ireland,
    Group Customer Complaints,
    4th Floor,
    New Century House,
    IFSC,
    Lower Mayor Street,
    Dublin 1
    D01 K8N7.

    Thanks again for getting in touch.
    Darren.
    Since BOI do very little face to face transactions, and most contact is done electronically, surely they have an email address to forward complaints to?


  • Registered Users, Registered Users 2 Posts: 5,480 ✭✭✭Vicarious Function


    I never access any account via a link on an email. Got caught on an eir email once and the result was not pleasant.


  • Closed Accounts Posts: 991 ✭✭✭Bank of Ireland: Darren


    Squatman wrote: »
    Hi All,

    Thanks for all of your comments and feedback, please be assured that we pass on all the feedback we receive here.
    If you have any specific questions about the requests that you've received you can contact that section directly on 0818200339 (or 0035312500399 if you're abroad) and the advisers there will be more than happy to help you with this.
    If you're unhappy and would like to raise this as an official complaint you can do so by calling us on 0818200365 (or 0035314044000 if you're abroad).
    You can also do this in writing and send it into the following address below:
    Bank of Ireland,
    Group Customer Complaints,
    4th Floor,
    New Century House,
    IFSC,
    Lower Mayor Street,
    Dublin 1
    D01 K8N7.

    Thanks again for getting in touch.
    Darren.
    Since BOI do very little face to face transactions, and most contact is done electronically, surely they have an email address to forward complaints to?

    Thanks for getting back to us. I can confirm that there would not be an online option for this process. Please be assured that we will pass on this feedback straight away.
    Thanks again for the message.
    Darren.


  • Registered Users, Registered Users 2 Posts: 1 Tavi


    I have received an email from BoI confirming application for a current account and when I opened it the antivirus gave the following warning: "aborted connection to boimedia.customerminds.com because it was infected with URL: Blacklist"


