Welcome to Orange Frog Productions Scams, Shams & Flim-Flams Section

Spoof/Phishing Scam  - 10/31/2007 & 11/01/2007 -  (German American Bank)

Please be sure to read my Spoof/Phishing Scams Home Page

Things I Did, Below

I, personally, receive email in HTML format. Since the email headers could be included, I did not "forward" the email to get the brief headers. The following appears as I received it, with the following exceptions:

  • Any notes I added in the actual letter are in square brackets ("[" "]"), are bold, red in color, and highlighted. If what I found "behind the links" (email or website) is different from what was displayed, I will include it in this type of note.
  • Actual links in the email message have been changed to null (allowing them to still appear as links), have arrows pointing to them ("<=="), have been "named", and appear as one of "my notes" (bold, red in color, and highlighted). They are listed below the email example using the "names".
  • All spelling, spacing, line-wrapping, and punctuation errors are the ones that appeared in the original received email. (I may or may not analyze some or all of these.) This email started with the HTML from the email I received. Most of the HTML and the look is original to the email (making this page non-standard HTML 4.01!)

Scam Example

PLEASE NOTE: German American Bank and other online services and banks should NEVER require you to "click a link" in an email to go to their site. They may provide a text link (one you must cut-and-paste), but even these should ALWAYS go to the business' site, and to NO OTHERS. For your own safety, if you are a member of the business (or have an account there):

  1. Go directly to the site itself (enter the business link - in this case: http:// www. germanamericanbancorp.com (type or cut-and-paste and remove the spaces))
  2. Log in to your account
  3. If what the email says is true, there should be some type of notification at either the main page, or on your account's login page.

BE SURE TO CHECK OUT ANY EMAILS LIKE THIS YOU GET!

[Please note: This whole page will not validate HTML 4.01, though it says it will at the bottom. The reason is because I cut-and-pasted the HTML from the email. -wds]

Received 10/31/2007, 04:06PM and 11/01/2007, 12:01PM

----- Original Message -----
From: First National Bank in Manitowoc [<== Behind the name service @ bankfirstnational.com]
Sent: Wednesday, October 31, 2007 4:06 PM
Subject: Dear Customer,

 

----- Original Message -----
From: German American Bank [<== Behind the name notice @ germancorporation.com]
Sent: Thursday, November 01, 2007 11:49 AM
Subject: Dear Customer,

Dear German American Bank Customer,

We regret to inform you that we have received numerous fraudulent emails which ask for personal account information. The emails contained links to fraudulent pages that looked legit. Please remember that we will never ask for personal account information via email or web pages.

Because of this we are launching a new security system to make German American Bank accounts more secure and safe. To take advatage of our new consumer Identity Theft Protection Program we had to deactivate access to your card account.

To activate it please call us immediately at [1st email] (425) 998-1190 [2nd email] (360) 717-3654

Activation is free of charge and will take place as soon as you finish the activation process.

If you think your identity has been stolen, here's what to do now:

1) Contact the fraud departments of any one of the three major credit bureaus to place a fraud alert on your credit file. The fraud alert requests creditors to contact you before opening any new accounts or making any changes to your existing accounts. As soon as the credit bureau confirms your fraud alert, the other two credit bureaus will be automatically notified, and all three credit reports will be sent to you free of charge.

2) Close accounts that you know or believe have been tampered with or opened fraudulently. Use the ID Theft Affidavit (PDF) when disputing new unauthorized accounts.

3) File a police report. Get a copy of the report to submit to your creditors and others that may require proof of the crime.

4) File your complaint with the Federal Trade Commission (FTC). The FTC maintains a database of identity theft cases used by law enforcement agencies for investigations. Filing a complaint also helps the FTC gather more information about identity theft and the problems victims are having.

For more information, go to: http:// www. consumer.gov/idtheft/.
 

Please do not reply to this message. For any inquiries, contact Customer Service.
THE GERMAN AMERICAN BANK CORPORARION - Copyright © 2007


[NOTE: I left any names, email addresses, and phone numbers in here for the search engines to find. DO NOT TRY TO CONTACT THEM! I'm SURE you will be ripped off! -LE]

Email Headers

Received 10/31/2007, 04:06PM

[DO NOT send email to any of the following email addresses]

Return-path: <service @ bankfirstnational.com>
Return-path: <service @ bankfirstnational.com>
Received: from mta4.manage.insightcom.com ([172.31.249.158])
by msb2.manage.insightcom.com
(Sun Java System Messaging Server 6.2-6.01 (built Apr 3 2006))
with ESMTP id <0JQS00I44NYCXZH0 @ msb2.manage.insightcom.com> for
w.sanders@insightbb.com; Wed, 31 Oct 2007 16:06:13 -0500 (EST)
Received: from mxsf03.insightbb.com ([172.31.249.124])
by mta4.manage.insightcom.com
(Sun Java System Messaging Server 6.2-6.01 (built Apr 3 2006))
with ESMTP id <0JQS001OZNYCFXF1 @ mta4.manage.insightcom.com> for
[my email address] (ORCPT [my email address]); Wed,
31 Oct 2007 17:06:13 -0400 (EDT)
Received: from mail.newspaperarchive.com (HELO mxip04.insightbb.com)
([216.81.216.55]) by mxsf03.insightbb.com with ESMTP; Wed,
31 Oct 2007 17:06:12 -0400
Received: from webmail.meqs.com ([65.204.5.234]) by mxip04.insightbb.com with
ESMTP; Wed, 31 Oct 2007 17:06:03 -0400
Received: from User ([64.22.73.144]) by webmail.meqs.com with Microsoft
SMTPSVC(6.0.3790.3959); Wed, 31 Oct 2007 17:08:18 -0400
Date: Wed, 31 Oct 2007 16:06:22 -0500
From: First National Bank in Manitowoc <service @ bankfirstnational.com>
Subject: Dear Customer,
Bcc:
Reply-to: a @ insightbb.com
Message-id: <EXCH03SERVER1YFkuut000000c6 @ webmail.meqs.com>
MIME-version: 1.0
X-MIMEOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
Content-type: text/plain; charset=Windows-1251
Content-transfer-encoding: 8BIT
X-Priority: 3
X-MSMail-priority: Normal
X-IronPort-AV: E=Sophos;i="4.21,352,1188792000"; d="scan'208";a="89219812"
Original-recipient: rfc822;[my email address]
X-OriginalArrivalTime: 31 Oct 2007 21:08:18.0078 (UTC)
FILETIME=[28D773E0:01C81C02]

Received 11/01/2007, 12:01PM

[DO NOT send email to any of the following email addresses]

Return-path: <notice @ germancorporation.com>
Return-path: <notice @ germancorporation.com>
Received: from mta4.manage.insightcom.com ([172.31.249.158])
by msb2.manage.insightcom.com
(Sun Java System Messaging Server 6.2-6.01 (built Apr 3 2006))
with ESMTP id <0JQU006SG7A644F0 @ msb2.manage.insightcom.com> for
[my email address]; Thu, 01 Nov 2007 12:01:19 -0500 (EST)
Received: from mxsf02.insightbb.com ([172.31.249.124])
by mta4.manage.insightcom.com
(Sun Java System Messaging Server 6.2-6.01 (built Apr 3 2006))
with ESMTP id <0JQU0059W7A680T0 @ mta4.manage.insightcom.com> for
[my email address] (ORCPT [my email address]); Thu,
01 Nov 2007 13:01:18 -0400 (EDT)
Received: from mail.3foldcomm.com (HELO mxip08.insightbb.com) ([69.108.232.65])
by mxsf02.insightbb.com with ESMTP; Thu, 01 Nov 2007 13:01:18 -0400
Received: from mail.3foldcomm.com (HELO 3foldcomm.com) ([69.108.232.65])
by mxip08.insightbb.com with ESMTP; Thu, 01 Nov 2007 13:01:18 -0400
Received: from User ([64.22.73.144]) by 3foldcomm.com with Microsoft
SMTPSVC(6.0.3790.1830); Thu, 01 Nov 2007 09:46:33 -0700
Date: Thu, 01 Nov 2007 11:49:35 -0500
From: German American Bank <notice @ germancorporation.com>
Subject: Dear Customer,
Bcc:
Reply-to: a @ insightbb.com
Message-id: <3FOLDSERVERRk48oryE0000040b @ 3foldcomm.com>
MIME-version: 1.0
X-MIMEOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
Content-type: text/plain; charset=Windows-1251
Content-transfer-encoding: 8BIT
X-Priority: 3
X-MSMail-priority: Normal
X-IronPort-AV: E=Sophos;i="4.21,359,1188792000"; d="scan'208";a="89383065"
Original-recipient: rfc822;[my email address]
X-OriginalArrivalTime: 01 Nov 2007 16:46:33.0109 (UTC)
FILETIME=[C25D1C50:01C81CA6]

Notes

Links from email, above: (This information is from the SOURCE of the email.)

  • Image Sources:
    • None
  • Links (behind the words):
    • Email #1: Behind "First National Bank in Manitowoc": service @ bankfirstnational.com
    • Email #2: Behind "German American Bank": notice @ germancorporation.com
    • Both Emails: Behind "http:// www. consumer.gov/idtheft/": http:// www. consumer.gov/idtheft/
    • Note the "Reply-To" link in the email headers of both emails is a @ insightbb.com. This is not (normally) a valid email address for ANY site. Also, since the first email was supposedly sent from First National Bank in Manitowoc, and the second email from German American Bank, why would the reply-to address be anything but some_account @ bankfirstnational.com or some_account @ germanamericanbancorp.com? (NOTE: germancorporation.com is currently (11/10/2007) a site that is under construction. The correct email domain name for German American Bank is germanamericanbancorp.com.)
  • Link Behind Image:
    • None

Things to note in the links:

  • Image Sources:
    No Images
  • Links (behind the words):
    • First thing to notice is that while the words in the first email say it's for the German American Bank (which is in Southern Indiana), the FROM says it's from the "First National Bank in Manitowoc" (which Google shows to be in Wisconsin), and the link uses the new name for the latter bank: "Bank First National". In the second email, it says it's FROM the German American Bank, but uses "GermanCorporation" as the domain name. Again, this domain is under construction as of 11/10/2007. And, from a prior email, I know the German American Bank email domain is germanamericanbancorp.com.

      NOTE: I could find NO CONNECTION between the German American Bank (again, in Southern Indiana), First National Bank in Manitowoc (Wisconsin - new name: Bank First National), and German Corporation. My guess is this email was used to attempt the scam in Wisconsin, and the scammer failed to make the change everywhere when they moved to Indiana banks. And, while germancorporation COULD make sense for the German American Bank/Bancorp, a quick Google search for the German American Bank will find that its domain name is germanamericanbancorp.com, not germancorporation.com.

       

    • It appears that the first email FROM link (service @ bankfirstnational.com) MAY be a valid (real) link to customer service at Bank First National - Northeast Wisconsin's Independent Community Bank, though I could find no link to that email on the site.

Other "problems" and things I see:

  • Phone numbers are NOT in the correct locations:
    • AC 425 is in Washington State, in the north and east Seattle suburbs, including the cities of: Ames Lake, Bellevue, Bothell, Brier, Carnation, Duvall, Edmonds, Everett, Fall City, Granite Falls, Issaquah, Kenmore, Kirkland, Lake Stevens, Lynnwood, Maple Valley, Mill Creek, Mountlake Terrace, North Bend, Redmond, Renton, Sammamish, Snoqualmie, Snoqualmie Pass, and Woodinville.
      [Source: Area code 425 - Wikipedia]
    • AC 360 is in western Washington State, outside of the greater Seattle metropolitan area, and includes all of western Washington outside of urban King, Pierce, and Snohomish counties and Bainbridge Island of Washington.
      [Source: Area code 360 - Wikipedia]

     

    NOTE: This adds to the feeling this is a phishing email. Even were the email addresses correct, why would I need to call Washington (state) for a problem with a German American Bank account?

     

  • Besides, I am not now, nor have I ever been a client/customer of German American Bank.
  • From the Email Headers:
    • BOTH emails were sent from IP: 64.22.73.144, which is from Las Vegas, NV.
      • From the subject of the first, First National Bank of Manitowoc (aka: Bank First National) is from Wisconsin, and German American Bank is a Southern Indiana corporation. (Check out their site, and their locations.) Why would I get an email from Las Vegas, NV, from a bank in Wisconsin about a bank from Southern Indiana?
      • From the subject of the second, German American Bank is from Southern Indiana (see German American Bancorp: Definition and Much More from Answers.com.)

       

      NOTE: More fuel for the fire - Why would I receive an email from Las Vegas, NV, from a Wisconsin or unknown location for a bank in Southern Indiana, which tells me to call Washington (state) to resolve the problem?

       

    • There is no valid "TO" email address on this email, and BCC is shown in the headers (though it's blank), meaning it was probably sent to a mailing list. However:
      • The email says, "we have received numerous fraudulent emails which ask for personal account information", implying they received emails about MY account. (Interesting... I don't have an account with them...)
      • The salutations both are singular ("Dear German American Bank Customer" - Not "Customers".)
      • Most, if not all, banking, financial institution, and other sites will not send email to generic customers, but will individualize the emails they send, so you know it's FROM them and TO you. They may also include not only your email address, but the username and name you used for that account, for your protection.
      • Most, if not all, of the same sites have changed their policies to NOT send links except directly to their site. They may have instructions for you in the email, but the link will NOT be to any special page. It will be to the site, in general. (i.e.: www. germanamericanbancorp.com/, NOT to any page after the "/".)

As you can see, with a little checking BEFORE YOU CLICK A LINK OR REPLY (OR MAKE A PHONE CALL), you can find inconsistencies that can save you from a world of hurt! (and empty bank accounts!)
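
The header checks walked through above (From domain versus the bank's real domain, Reply-To versus From, missing To, and the IP on the earliest Received line) can be scripted. This is an added example, not part of the original page: the function names are hypothetical, and SAMPLE is a trimmed copy of the second email's headers from this page with the line folding restored.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: trimmed headers of email #2 from this page, keeping the
# page's "user @ domain" spacing; continuation lines are re-indented.
SAMPLE = """\
Return-path: <notice @ germancorporation.com>
Received: from mail.3foldcomm.com (HELO mxip08.insightbb.com) ([69.108.232.65])
 by mxsf02.insightbb.com with ESMTP; Thu, 01 Nov 2007 13:01:18 -0400
Received: from User ([64.22.73.144]) by 3foldcomm.com with Microsoft
 SMTPSVC(6.0.3790.1830); Thu, 01 Nov 2007 09:46:33 -0700
From: German American Bank <notice @ germancorporation.com>
Subject: Dear Customer,
Bcc:
Reply-to: a @ insightbb.com

"""

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def domain(addr_header):
    """Lower-cased domain of the address in a From/Reply-To style header."""
    return parseaddr(addr_header or "")[1].rpartition("@")[2].lower()

def analyze(raw, expected_domain):
    """Return (origin_ip, findings) for one message's raw headers."""
    # Undo the page's "user @ domain" spacing so the addresses parse.
    msg = message_from_string(raw.replace(" @ ", "@"))
    findings = []
    from_dom = domain(msg["From"])
    reply_dom = domain(msg["Reply-To"])  # header lookup is case-insensitive
    if from_dom != expected_domain:
        findings.append(f"From domain {from_dom} is not {expected_domain}")
    if reply_dom and reply_dom != from_dom:
        findings.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")
    if not msg["To"]:
        findings.append("no To header (bulk or Bcc delivery)")
    # Each relay prepends its Received line, so the last one in the list is
    # the earliest hop; its bracketed IP is the client that submitted the mail.
    received = msg.get_all("Received") or []
    match = IP_RE.search(received[-1]) if received else None
    return (match.group(1) if match else None), findings

if __name__ == "__main__":
    origin, findings = analyze(SAMPLE, "germanamericanbancorp.com")
    print("earliest hop IP:", origin)
    for finding in findings:
        print(" -", finding)
```

Only the Received lines added by your own provider's servers are reliable; lines further down were supplied by upstream hosts and can be forged, so treat the earliest IP as a lead rather than proof.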



This site, all text and graphics (unless otherwise noted) on it
were designed, developed and published by Bill Sanders of Orange Frog Productions.

Copyright © 2003, 2004, 2005, 2006, 2007 by Bill Sanders / Full site last modified: October 21, 2006
Any reproduction, printing, or selling of this content is prohibited without express written consent from William D. Sanders.