by dvirsky 3392 days ago
I once worked with a guy who had a domain that is the name of a major bank in my country (i.e. he owned {bank_name}.xyz and the bank's domain is {bank_name}-bank.xyz). Somehow he managed to hold on to it over the years.

Anyway, he had a catch-all email account for the domain, and sometimes interesting stuff would arrive. One day he showed me an email he had just received from a major investment firm that read more or less like this:

> Hey Jane, what's up?

> So I need to transfer those $50M we talked about over the phone the other day, just wanted to confirm the account. It's 123456789, right? If not, do send me the account number. Thanks!

Of course he didn't even reply, but he said these things happened pretty often.


Smells like phishing to me :)

An email trying to pass as a normal workplace email.

I seriously doubt it was, at least not a blanket automated attempt aimed at multiple people.

It was years ago but IIRC, there were actual names and the email was clearly between two people who knew each other personally, contained phone numbers, etc. Also, it wasn't in English, so it wasn't some automated Nigerian scam or something like that for sure.

And if someone went through the trouble of obtaining so much intel (names, phones, company titles, bank branches, etc) - makes no sense they would then get the email wrong.

Also, the most the person sending the email would gain is some business bank account number, which is probably semi-public knowledge anyway, without any authentication-enabling information.

This stuff is done by fax in my country to this very day, I'm not surprised at all that such an unencrypted mail was sent.

I'm sure a vast majority of it was phishing, but you may be surprised to know how many and how often people send info like that over unencrypted email.

Oh yes I agree, that's why phishing exists in the first place. Because people do it, so someone can take advantage of those people's (bad) habits.

Recently found out that our HR department has been sending all kinds of personal info over email (repeatedly...)

Names, addresses, social security numbers, etc.

In most of the world, account numbers aren't at all sensitive, so I'm not sure what would be gained.

It's not the content of the message.

Typically inside a company (like a bank) there's an email client with a preconfigured contacts list linked to an AD server, the email client will write the email address for you.

So the probability of someone mistyping an email address inside the same company is, I'd say, low. Even lower if it's a recurring contact between two persons who know each other.

That's what's smelling here. You don't misspell an email address when you're replying or sending a message to someone you have an ongoing conversation with.

And if you receive that kind of email from outside the company... Well. That's phishing.

It wasn't an internal email, it was from someone at some private investment fund, and emailed to someone at the bank.

Also, for clarification, 12345678 wasn't the actual number, it was something that looked completely legit.

I am not saying your story is fake dvirsky, if that's what you get from my posts. It just has all the hallmarks of something I trained people around me to notice.

I didn't think this is what you implied, but having seen the actual email, I also think the security bad practice was on the sender side, and this wasn't a phishing attempt.
Did he check if it was from Nigeria?