This is a legitimate email from a Legitimate Financial Institution that I was expecting, but I don’t know what I could change it to make it look more like a phishing scam.
We’ve spent the last 20 years teaching people not to open email attachments but I guess Raytheon’s Cybersecurity company didn’t hear about that?
I did open the attachment in an isolated browser after reading the source. Inside was a button that takes you to their secure messaging site’s onboarding flow. There’s 90K of data POSTed in hidden fields, so I suspect the constraints that led to this were:
- Our security platform generates 90K of data to authenticate that the source of this request is legitimate.
- That’s too much to add as query string parameters on a GET request, but it works for a POST.
- Support for forms in email clients is poor, so we need to put the form into an HTML attachment.
Each step solves the previous problem, but at no point did anyone with the power to fix things step in and stop it. They didn’t say “90K is too much, find another way to authenticate the source of the request, preferably less than 2K.” If I had to guess, the people who had the information about how bad the implementation is were completely removed from the people setting the requirements.
All of that exists, too! If you follow the mobile instructions and forward the email to that unknown email address, it generates a very reasonably sized link, that takes you to an HTML page hosted by them, where you can POST 90k of hidden data and read your secure message.
Despite how awful this system is, I’m still glad that Legitimate Financial Institution is using some secure messaging service to collect my loan documents (I’m getting a loan to buy solar panels) and not asking for them to be faxed or emailed plain text.