As long as people think of phishing as stealing financial data, no one’s safe. Take this email I just received from Virgin Atlantic after signing up for their Flying Club frequent flier program. It’s a great example of how a user could be duped into giving up personal information (which may, but need not, include financial data) via a socially engineered email.
The email itself is from “flying club <firstname.lastname@example.org>” which could itself be phishy. Then there’s the text, which begins:
If you would like to view an enhanced version of this email in your web browser, complete with illustrations, please go to: http://s1.e-srv.net:80/?s2=01-4-4COWkFQip_l5uKze-5813
Dear Mr xxxx,
Start spending time on life… Have you seen our fantastic new look website? Not only does it look good, but the features on the site are great too. As a flying club member, you can now deal with almost all of your flying needs quickly and easily by clicking below: http://s1.e-srv.net:80/?s2=01-4-4COWkFQip_lhG0N2-5045
Now those links work (I’ve removed some digits for security’s sake here), but there’s nothing in there that tells me it’s not a phish. It’s not hard to imagine a phisher sending out an email identical to this and luring the victim into giving up account details — at least enough for the phisher to then impersonate the customer and make flight bookings, alter bookings, steal airmiles or even access other data using that information.
We’ve said it before: Phishing bank accounts is just the beginning. Companies going online: Wise up and use links that users can verify visually, as much as possible.
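The point above is that a legitimate mailing whose links all point at a third-party tracking domain is indistinguishable, to the recipient, from a phish. As an added example (not code from the original post), here is a small Python check a mail gateway or a user-side filter could run: it extracts every URL from a message, reduces each link host and the From address to a registrable domain, and flags links whose domain does not match the sender’s. The message is constructed for the demo and modelled on the mailing described above; the domains (`virgin-atlantic.example`, `e-srv.example`) and the tracking IDs are placeholders, and the two-label “registrable domain” helper is an assumption that a real deployment would replace with a Public Suffix List lookup.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample message (not the real Flying Club email): a brand sender
# whose promotional links go to a third-party domain, plus one on-brand link.
SAMPLE_EMAIL = """From: flying club <flyingclub@virgin-atlantic.example>
To: member@example.net
Subject: Our fantastic new look website

If you would like to view an enhanced version of this email, please go to:
http://s1.e-srv.example:80/?s2=PLACEHOLDER-TRACKING-ID-1
As a flying club member, click below: http://s1.e-srv.example/?s2=PLACEHOLDER-TRACKING-ID-2
Manage your account at https://www.virgin-atlantic.example/flyingclub
"""

# Matches an http(s) URL up to the next whitespace, angle bracket or quote.
URL_RE = re.compile(r"https?://[^\s<>\"']+")


def registered_domain(host: str) -> str:
    """Crude registrable domain: the last two DNS labels.

    This is an assumption for the demo; real code should consult the
    Public Suffix List (e.g. the tldextract package) so that hosts like
    example.co.uk are handled correctly.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def extract_links(body: str) -> list[str]:
    """Return every URL found in a plain-text body, in order of appearance."""
    return URL_RE.findall(body)


def find_offbrand_links(raw_message: str) -> list[dict]:
    """Compare each link's domain with the From domain.

    Returns one record per link: the URL, its registrable domain, and
    whether that domain matches the sender's. Port numbers (such as the
    :80 in the mailing above) are ignored because hostname parsing drops them.
    """
    msg = message_from_string(raw_message)
    _, sender_addr = parseaddr(msg.get("From", ""))
    sender_domain = registered_domain(sender_addr.rsplit("@", 1)[-1])

    findings = []
    for url in extract_links(msg.get_payload()):
        host = urlparse(url).hostname or ""
        link_domain = registered_domain(host)
        findings.append({
            "url": url,
            "link_domain": link_domain,
            "matches_sender": link_domain == sender_domain,
        })
    return findings


def looks_like_phish(raw_message: str) -> bool:
    """True if any link in the message points off the sender's domain."""
    return any(not f["matches_sender"] for f in find_offbrand_links(raw_message))


if __name__ == "__main__":
    for finding in find_offbrand_links(SAMPLE_EMAIL):
        status = "ok" if finding["matches_sender"] else "OFF-BRAND"
        print(f"{status:9} {finding['link_domain']:28} {finding['url']}")
    print("suspicious:", looks_like_phish(SAMPLE_EMAIL))
```

Run against the sample, the two tracking links are reported as off-brand and the account link as matching, so the message is marked suspicious. A genuine mailing that kept every link on the sender’s own domain would pass this check cleanly, which is exactly the property the post is asking companies to provide.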