Welcome to Orange Frog Productions Scams, Shams & Flim-Flams Section

Page Title:

Spoof/Phishing Scam - 10/31/2007 - (German American Bank - Survey)

Please be sure to read my Spoof/Phishing Scams Home Page

Things I Did, Below

I, personally, receive email in HTML format. Since the email headers could be included, I did not "forward" the email to get the brief headers. The following looks as I received it, with the following exceptions:

  • Any notes I added in the actual letter are in square brackets ("[" "]"), are bold, red in color, and highlighted. If what I found "behind the links" (email or website) is different from what was displayed, I will include it in this type of note.
  • Actual links in the email message have been changed to null (allowing them to still appear as links), have arrows pointing to them ("<=="), have been "named", and appear as one of "my notes" (bold, red in color, and highlighted). They are listed below the email example using the "names".
  • All spelling, spacing, line-wrapping, and punctuation errors are the ones that appeared in the original received email. (I may or may not analyze some or all of these.) This email started with the HTML from the email I received. Most of the HTML and the look is original to the email (making this page non-standard HTML 4.01!)

Scam Example
Received 10/31/2007

PLEASE NOTE: German American Bank and other online services and banks should NEVER require you to "click a link" in an email to go to their site. They may provide a text link (one you must cut-and-paste), but even these should ALWAYS go to the business' site, and to NO OTHERS. For your own safety, if you are a member of the business (or have an account there):

  1. Go directly to the site itself (enter the business link - in this case: http:// www. germanamericanbancorp.com (type or cut-and-paste and remove the spaces))
  2. Log in to your account
  3. If what the email says is true, there should be some type of notification at either the main page, or on your account's login page.

BE SURE TO CHECK OUT ANY EMAILS LIKE THIS YOU GET!

[Please note: This whole page will not validate HTML 4.01, though it says it will at the bottom. The reason is because I cut-and-pasted the HTML from the email. -wds]

----- Original Message -----
From: German American Bank [<== link behind name: service @ germanamericanbancorp.com]
To: Undisclosed recipients: [<== link behind name: Undisclosed recipients: - invalid]
Sent: Wednesday, October 31, 2007 8:00 AM
Subject: Congratulations!

Congratulations!

Dear Customer,

You"ve been selected to take part in our quick and easy survey
In return we will credit $50.00 to your account - Just for your time!

Please spare two minutes of your time and take part in our online survey
so we can improve our services.
Don"t miss this chance to change something.

To continue click on the link below:

http:// www. germanamericanbancorp.com/index.php?page=welcome&bid=5 [<== link behind link: http:// germancorp.notlong.com/]

© Copyright © 2007 German American Bancorp
N.A. Member FDIC

[NOTE: I left any names, email addresses, and phone numbers in here for the search engines to find. DO NOT TRY TO CONTACT THEM! I'm SURE you will be ripped off! -LE]

Email Headers

[DO NOT send email to any of the following email addresses]

Return-path: <service @ germanamericanbancorp.com>
Received: from mta2.manage.insightcom.com ([172.31.249.154])
by msb2.manage.insightcom.com
(Sun Java System Messaging Server 6.2-6.01 (built Apr 3 2006))
with ESMTP id <0JQS006A01DRECA0 @ msb2.manage.insightcom.com> for
[my email address]; Wed, 31 Oct 2007 07:58:39 -0500 (EST)
Received: from mxsf00.insightbb.com ([172.31.249.124])
by mta2.manage.insightcom.com
(Sun Java System Messaging Server 6.2-6.01 (built Apr 3 2006))
with ESMTP id <0JQS00DRW1DQM711 @ mta2.manage.insightcom.com> for
[my email address] (ORCPT [my email address]); Wed,
31 Oct 2007 08:58:39 -0400 (EDT)
Received: from nlyris4.mail-thestreet.com (HELO mxip00.insightbb.com)
([209.67.27.37]) by mxsf00.insightbb.com with ESMTP; Wed,
31 Oct 2007 08:58:38 -0400
Received: from ns3.itplus4u.com (HELO ns1.itplus247.com) ([69.64.37.240])
by mxip00.insightbb.com with ESMTP; Wed, 31 Oct 2007 08:58:38 -0400
Received: (qmail 18220 invoked from network); Wed, 31 Oct 2007 07:55:38 -0500
Received: from 74-94-187-105-newengland.hfc.comcastbusiness.net (HELO User)
(74.94.187.105) by ns3.itplus4u.com with SMTP; Wed, 31 Oct 2007 07:55:38 -0500
Date: Wed, 31 Oct 2007 09:00:02 -0400
From: German American Bank <service @ germanamericanbancorp.com>
Subject: Congratulations!
To: Undisclosed recipients: ;
Reply-to: x @ insightbb.com
Message-id: <67aeon$hbtk76 @ mxip00.insightbb.com>
MIME-version: 1.0
X-MIMEOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
Content-type: text/html; charset=Windows-1251
Content-transfer-encoding: 8BIT
X-Priority: 3
X-MSMail-priority: Normal
X-IronPort-AV: E=Sophos;i="4.21,351,1188792000"; d="scan'208,217";a="94363188"
Original-recipient: rfc822;[my email address]

Notes

Links from email, above: (This information is from the SOURCE of the email.)

  • Image Sources:
    • None
  • Links (behind the words):
    • Behind "German American Bank": service @ germanamericanbancorp.com
    • Behind "Undisclosed recipients:": Undisclosed recipients: [NOTE: This is invalid]
    • Behind "http:// www. germanamericanbancorp.com/index.php?page=welcome&bid=5" [spaces added]: http:// germancorp.notlong.com/
    • Note the "Reply-To" link in the email headers is x @ insightbb.com. This is not (normally) a valid email address for ANY site. Also, since the email was supposedly sent from German American Bank, why would the reply-to address be anything but some account @ germanamericanbancorp.com?
  • Link Behind Image:
    • None

Things to note in the links:

  • Image Sources:
    • No Images
  • Links (behind the words):
    • It appears that the email FROM link (service @ germanamericanbancorp.com) MAY be a valid (real) link to customer service at German American Bancorp's website, though I could find no link to that email on the site.
    • The "Undisclosed recipients" link is actually invalid. (There's no email address there.)
    • The link that looks correct, http:// www. germanamericanbancorp.com/index.php?page=welcome&bid=5 had a different link behind it (see above).

    Obviously (I didn't take it, but...) this page will look like a valid German American Bancorp page, and be a survey. They will ask you to sign in, or give them your information, so they can credit your account with the $50, but, it should be obvious by now, that the login will be unsuccessful.

NOTE: You will not only NOT be credited with $50 into your account (should you actually have one), but your account will most likely be wiped out, and your information will probably be used to get a/another credit card (for the spammer), where they will run up your balance owed.

Other "problems" and things I see:

  • I am not now, nor have I ever been a client/customer of German American Bank.
  • From the Email Headers:
    • This email was sent from IP: 74.94.187.105, which is from Concord, NH. German American Bank is a Southern Indiana corporation. (Check out their site, and their locations.) Why would I get an email from Concord, NH for a bank based in Indiana? This shows me for sure that the email was spoofed.
    • There is no valid "TO" email address on this email, meaning it was probably sent to a mailing list. The email implies that I was one of a few chosen to take this survey, so it's possible that this is true. However:
      • Most, if not all, banking, financial institution, and other sites will not send email to "undisclosed recipients", but will individualize the emails they send, so you know it's FROM them and TO you. They may also include not only your email address, but the username and name you used for that account, for your protection.
      • Most, if not all, of the same sites have changed their policies to NOT send links except directly to their site. They may have instructions for you in the email, but the link will NOT be to any special page. It will be to the site, in general. (i.e., www. germanamericanbancorp.com/, NOT to any page after the "/".)

As you can see, the email "looks" very official, but with a little checking BEFORE YOU CLICK A LINK OR REPLY, you can find inconsistencies that can save you from a world of hurt! (and empty bank accounts!)


This site, all text and graphics (unless otherwise noted) on it
were designed, developed and published by Bill Sanders of Orange Frog Productions.
It and its CSS were validated and comply with both the CSS and HTML 4.01 validators from W3C.
NOTE: All CSS validates except the "New Window Buttons" which include some invalid code (i.e., hacks),
added PicoSearch Tables, and warnings for using transparent backgrounds when color foregrounds defined.

Copyright © 2003, 2004, 2005, 2006, 2007 by Bill Sanders / Full site last modified: October 21, 2006
Any reproduction, printing, or selling of this content is prohibited without express written consent from William D. Sanders.