Last week I unexpectedly received an email purporting to be from Suncorp Bank. In the last year or so of banking with Suncorp and using their online banking system countless times, I don’t ever recall receiving an email from them about anything.
It doesn’t surprise me that I haven’t received an email from Suncorp before, given the prevalence of phishing attacks these days. For those unaware, phishing is an attempt to fraudulently acquire personal information from someone by getting them to enter it into a web site that looks familiar but is in fact just a shallow replica of a real site. Phishing attacks are one of the reasons you’ll read and hear major institutions state that they will never ask you for your username and password, ever.
Just to check out what the latest phishing attempt looked like, I thought I’d investigate the email to see if the spammers had gotten any smarter over the years. The first thing I noticed was that it was from an email address that was clearly related to their online banking system and at the correct domain. Secondly, the subject had to do with BPay – so I thought how fantastic that the spammers now use brands or products related to the local country to garner trust with the user.
After opening the email, I suddenly realised that the email was legitimate and I couldn’t believe it! It turns out that Claire had just paid our rates online, through the Suncorp internet banking web site using BPay. The email was a notification, to let me know that a large payment had just been processed and, if I hadn’t arranged it, to call them immediately.
What I love about the email though:
- The subject was clear: it was a BPay notification.
- They sent it to both of the email addresses I’d provided Suncorp, not just my primary one, in case I didn’t check it immediately.
- It was a plain text email, so no fancy images or design – just the message. That meant that you needed to read the content of the email to see what it was about and not blindly click on something because it used the familiar Suncorp branding.
- The first line stated what it was about (high value BPay transaction), the second contained what action to take (phone Suncorp) and for full details you could check the transaction on their site.
- Suncorp include their business name, address, ABN and contact information in the footer.
- Most importantly, there isn’t a single hyperlink anywhere to be seen in the email. As such, you can’t just ‘click the obvious link’ to go to their site.
Many of the things above may seem pretty small to a lot of people, however I’m really impressed that they’ve chosen those options – especially the plain text email. Nefarious individuals and companies that use phishing attacks prey on people reacting to a familiar company and brand, such as their bank, and taking an action. Providing the email in plain text removes the familiarity aspect and makes you read it. Because there are no hyperlinks, you need to open your browser yourself and go to their web site.
All round, a great email from Suncorp and they should be congratulated for doing their part in helping keep their clients’ information private and their money safe. If I were to make a single change to it, it’d be to remove the phone number and direct the user to their web site (no hyperlink) to get the phone number if they don’t already have it on hand. That way, all of the contact information needs to be entered by the user on their own behalf, which would all but remove the risk of a phishing attack.
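As an added example, not part of the original post or anything Suncorp publishes: a small Python check that an outbound notification keeps the two properties praised above, a plain-text-only body and no hyperlinks. The sample messages and the `bank.example` sender are constructed for illustration, and the URL pattern is a simple heuristic.

```python
import re
from email import message_from_string

# Simple heuristic: explicit URLs and bare "www." hosts.
URL_RE = re.compile(r"(?i)\b(?:https?://|www\.)\S+")

# Constructed sample messages (hypothetical bank.example sender).
GOOD = """\
From: notifications@bank.example
Subject: BPay notification
Content-Type: text/plain; charset="utf-8"

A high value BPay transaction has been processed on your account.
If you did not arrange this payment, phone the bank immediately.
"""

BAD = """\
From: notifications@bank.example
Subject: Payment notification
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Review the payment at https://bank.example/login now.
--b1
Content-Type: text/html; charset="utf-8"

<a href="https://bank.example/login">Review payment</a>
--b1--
"""


def lint_notification(raw: str) -> list[str]:
    """Return findings; an empty list means the message passes."""
    findings = []
    for part in message_from_string(raw).walk():
        if part.is_multipart():
            continue
        ctype = part.get_content_type()
        if ctype != "text/plain":
            findings.append(f"non-plain-text part: {ctype}")
            continue
        charset = part.get_content_charset() or "utf-8"
        body = (part.get_payload(decode=True) or b"").decode(charset, "replace")
        findings += [f"hyperlink in body: {u}" for u in URL_RE.findall(body)]
    return findings
```

Running `lint_notification` over a template before it is sent catches an HTML alternative or a link that has crept into the message.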
eBay have a similarly clever system of using your username in the message subject and then your full name in the email as a way of trying to prove they know who you are, something spammers would have a little more difficulty in doing… they unfortunately put hyperlinks all the way through though, something Suncorp should be commended on :)
I recently also had a wonderful experience with Suncorp and its tight security practices. I went on an overseas trip with my husband, something we had been waiting to do for years, and used my credit card to purchase an overseas product. This is not something that we usually do. Within minutes of using the card, I had a call from Suncorp informing me that my card had been used for an overseas transaction and asking whether I was aware of it. I explained it was legitimate. I couldn’t believe the speed with which they contacted me and was extremely impressed with this service. Good work Suncorp.