Scam of the day – February 23, 2015 – Chase Online bill pay scam

by | Feb 23, 2015 | Scam of the day, Site Related

Today’s Scam of the day comes from my own email, however, I am sure many of you have received this, as well.  It is a phishing email that is intended to lure the recipient into providing personal information that will be used to make that person a victim of identity theft.  As typical with this type of phishing email, it is intended to make you think there is an emergency to which you must respond.  It looks pretty official, but there are some telltale signs that it is a scam.  First, is that although I did not include the email address of the sender, the email address is that of a private individual, not Chase although often identity thieves will use email addresses that appear to be official.  In this case, undoubtedly the email address used is part of a botnet whereby identity thieves have infiltrated the computers of innocent victims and then use their computers and email accounts to send out the fraudulent email.  Another telltale sign is that the email is directed to me, not by name, but rather as “Dear Customer.”   However, even if the email was directed to you by name, you couldn’t trust it because when JP Morgan Chase was hacked in the last year, the hackers stole names and email addresses.   Finally, the email appears to have been sent by Christopher Polumbo.  Christopher Palumbo is a Vice President at Chase, however, the email to me misspells his name.  However, it is easy to see how people would fall for this scam and provide the information that would enable an identity thief to gain access to your account.

Here  is a copy of the email I received.

“Dear Customer, 
We are writing to let you know that the service(s) listed below will be deactivated and deleted if your profile is not verified within 7 business days. Previous notifications have been sent to the Billing Contact assigned to your account.
As the Primary Contact, you must renew the service(s) listed below:

SERVICE: Chase Online and Bill Pay services. 
What you need to do:

1. Log in to your account through our enhanced security server http://www.Chase.comby clicking the URL.
2. Enter your user ID and Password (that you selected during the online enrollment process). 
3. Enter the requested information and your Chase Online and Bill Pay services will be renewed. 
If you have not signed up for online access, you can enroll easily by clicking “Enroll” at the bottom of the Login page. 
Please do not reply to this message directly but click on the URL. For questions, please call Customer Service at the number on the back of your card. We are available 24 hours a day, 7 days a week.

Sincerely,

Christopher Polumbo
Chase Online(SM)
Fraud Prevention Team

This site is directed at persons in the United States only. Persons outside the United States may visit International Banking . 
Links to third party sites are provided for your convenience by JPMorgan Chase. JPMorgan Chase neither endorses nor guarantees any offerings of the third party providers, nor does JPMorgan Chase make any representation or warranty of any kind about the content, use of or inability to use, the third party sites.
© JPMorgan Chase Bank, N.A. Member FDIC ©2015 JPMorgan Chase & Co.; Co”

TIPS

As I have warned you many times, you should never click on links in emails or text messages or provide information in response to such emails or text messages unless you have absolutely confirmed that the communication is legitimate, which is easy to do by merely contacting the company.  In this case, you could just contact Chase at the telephone number on your credit card or bank statement.  Providing information without confirming that the communication is legitimate gives the identity thief all that they need to make you a victim of identity theft.  In other variations of this phishing email, merely by clicking on the links provided will result in keystroke logging malware being downloaded on to your computer which can steal your personal information from your computer and then enable its use for purposes of identity theft.  Even if you have good security software installed on your computer or other electronic device, as you should, this may not protect you from keystroke logging malware because the latest malware is always at least a month ahead of the latest security software updates.  Remember my motto, “Trust me, you can’t trust anyone.”

As for this particular Chase phishing email, if you receive it, Chase requests that you forward it to them at abuse@chase.com.