Today, for the first time ever, I got a phishing spam from a spammer targeting a bank that I actually use. A couple of months ago, Washington Mutual held a "contest" where if you opened an account and put in at least $100, they'd also contribute $100. Wanting to double my money for almost nothing, I took advantage of it. My only goal for doing this was to collect my 100% rate of return.
Well, a few weeks later, in one of my many email accounts, I noticed that I got an email notice from Chase, with the subject line "Chase Bank Security Service Notification (IMPORTANT)". Here's the message:
When I saw the message in my inbox and I glanced over the subject line, my first thought was "How did they get my email address? I never gave it to them." Yes, that was the first thing I thought; it was completely instinctual. It only lasted for a brief moment because I immediately realized that I was being phished.
Tsk, tsk. If only the spammers knew who they were dealing with... not that they care. But the point is that it goes to show that things like this operate on an emotional level. People see that a message comes from their bank and they are interested in seeing what is going on. The threat to take action, particularly about fraudulent action, scares people into taking action on it. This is nothing new and is an example of social engineering in action; it is a spam technique that has been around as long as I have been fighting spam. But as I said, it's the first time I have ever been phished from a bank I use.
Incidentally, both Firefox and Internet Explorer blocked the site and reported it as unsafe. It's a good thing both browsers did that because the site is very well polished and looks real.
This is a good example of something I don't know why we don't address directly: IF...
1. the message contains linked text that looks like a URL, AND
2. the actual URL behind that link does not match the visible text, THEN
3. make a 100%-certain decision that the message is spam.
I know of no anti-spam software that does that, as an absolute test. And, yet, it should be. If legitimate email from, say, Chase, should have a visible URL for chase.com that actually links to otherchasedomain.com, the IT people responsible for that need to be rounded up and sent to Nigeria in exchange for some of the $20 MILLION US DOLLARS the Nigerians keep promising me.
I'm also actually surprised that not all of the phishing sites are polished and convincing. It's not terribly hard to clone the entry page of the real web site, and just replace the login code.
The site looks convincing, yes, but the email still reads like it was written by someone who doesn't speak English natively. I'll start being really scared of them when they get someone who understands verb tenses to proofread their spam.
I don't think you can use your test as 100% evidence of spam. I have seen a few legitimate emails where the displayed URL was a shorter version of the link. As a made-up example, an email from a bank may display www.thisbank.com/login, while the real link behind it may be www.thisbank.com/login.asp?id=1234567.
Not a good idea to send emails like this in my opinion, but not uncommon. Perhaps if you checked just the domain from the displayed text and compared to the real domain (ignoring everything except the actual domain name), you could create your 100% spam rule.
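The rule proposed in the comments (visible link text that looks like a URL but does not match the real link), as an added example that is not from the post or its commenters. It implements both the strict form and the domain-only relaxation suggested in the last comment; the sample messages, the placeholder host `chase-secure-login.example.net` and the `_host`/`mismatched_links` names are constructed for illustration.

```python
# Added example: check an HTML email body for links whose visible text looks
# like a URL but whose href points somewhere else. Samples below are constructed.
from html.parser import HTMLParser
from urllib.parse import urlsplit

URL_TEXT_HINTS = ("http://", "https://", "www.")


def _host(url: str) -> str:
    """Hostname of a URL, lower-cased, with a leading 'www.' dropped.
    Bare text like 'www.bank.com/login' is treated as a URL as well.
    Simplification: no public-suffix handling, so 'a.bank.com' != 'bank.com'."""
    if "://" not in url:
        url = "http://" + url
    return (urlsplit(url).hostname or "").lower().removeprefix("www.")


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in the body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = (dict(attrs).get("href") or ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def mismatched_links(html: str, domain_only: bool = True):
    """Return (visible text, href) pairs that violate the rule.
    domain_only=True compares hosts only (the commenter's relaxed rule);
    domain_only=False demands an exact URL match (the original strict rule)."""
    parser = _LinkCollector()
    parser.feed(html)
    bad = []
    for href, text in parser.links:
        if not text.lower().startswith(URL_TEXT_HINTS):
            continue  # visible text is not a URL, so the rule does not apply
        same = _host(text) == _host(href) if domain_only else text.rstrip("/") == href.rstrip("/")
        if not same:
            bad.append((text, href))
    return bad


# Constructed samples: a phish imitating a bank notice, and the comment's
# legitimate-but-sloppy "shortened" display URL.
PHISH = '<p>Verify now: <a href="http://chase-secure-login.example.net/">www.chase.com</a></p>'
LEGIT = '<a href="http://www.thisbank.com/login.asp?id=1234567">www.thisbank.com/login</a>'
```

The strict rule flags both messages; the domain-only rule flags only the phish, which is the false positive the last comment describes.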