Last Saturday, I received a phishing email targeting members of USAA, which is a bank extensively used by active-duty military members, veterans, and their family members. See for yourself:
Subject: Important Message
From: USAA <[email protected]>
Message:
Dear valued USAA member:
Thank you for your support, At USAA we are updating our server for security reasons and some additional security measure.
You will need to download and open the document attached to this e-mail in order to verify your records. Please follow the instructions from the document.
USAA, 9800 Fredericksburg Road, San Antonio, Texas 78288
USAA means United Services Automobile Association and its insurance, banking and investment affiliates.
Attachment: USAA.htm
Did you spot the flaw? Half a dozen references to “USAA”, yet the domain name in the email address is USSA.com [sic]. Really, this phishing scam is nothing special. Like so many others, the fraudsters use a domain name that is confusingly similar to the authentic website. [Note: it’s possible that the return address was spoofed, so the owner of USSA.com might not be the culprit. It would be odd to spoof a typo rather than the actual domain, though.]
Yet this status quo is appalling, isn’t it? Few active-duty military service personnel, let alone retirees, are vigilant for impostor domain names. This lack of training makes them sitting ducks for identity thieves, ransomware, hackers – you name it.
Banks ought to be alert to such phishing scams. In particular, they ought to conduct regular audits, looking for chinks in their domain portfolio “armor”. Typo-based attacks such as USSA.com / USAA.com are predictable to the point of inevitability. USAA may be remiss in not having secured this typo domain already; but they are, unfortunately, in good company. Many banks are equally vulnerable.
Domainers often excoriate the UDRP process, owing to cases that abuse domain ownership rights. But it’s a good thing the UDRP is available to banks, domain registrars, and other sites often impersonated by scammers. I hope USAA files a complaint and takes possession of USSA.com. Given the phishing email being sent out, the case ought to be a slam dunk.
Joseph, can you pls forward a copy of the email to me?
I am an attorney representing the domain owner and I can assure you that the domain email was never used by the client.
I look forward to hearing from you.
Forwarded yesterday (for the record).
If the domain USSA.com wasn’t used in the phishing scam, then the scammers simply made a typo as an accident – 1 typo only and only inside the domain of a spoofed email address.
Ordinarily when scammers make typos inside a domain, that’s very deliberate – to siphon traffic, mislead the eye, drive misplaced clicks.
But maybe this was just a case of the scammer slipping on a banana peel … and knocking me off balance as a result. The misspelled domain was such a red flag – especially in the context of an obvious phishing scheme – that I didn’t look beyond the fake USAA domain. We don’t expect the burglars to break into their own house by mistake.
Someone pointed out that it may not have been an accident. It might be because there was no mail record for USSA.com, so they were able to spoof it. This might be an issue for a lot of domains.
If true, that’s a significant observation. That would mean that effective brand protection and cybersecurity might require obtaining typo domains and creating some mail record for them, simply as a deterrent to spoofing. Of course, this only applies to high-risk websites such as banks.
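As an added example (not code from the original post or from any commenter), here is a small defender-side check in Python for the two signals discussed above: whether a sender domain is a one-or-two-keystroke lookalike of the brand, and whether that domain publishes SPF and DMARC records that let receiving mail servers reject forged mail. The DNS answers are constructed inline rather than looked up live, and their contents are assumptions; `deterrent_records` shows the records (a null SPF plus an enforcing DMARC policy) that the last comment's suggestion amounts to for a defensively registered typo domain that never sends mail.

```python
import re

# Constructed TXT answers standing in for live DNS lookups (assumption, not real data).
# A missing key means the domain publishes no record; the typo domain has none.
SAMPLE_TXT = {
    "usaa.com": ["v=spf1 include:_spf.example.net -all"],
    "_dmarc.usaa.com": ["v=DMARC1; p=reject; rua=mailto:dmarc@example.net"],
}

def edit_distance(a, b):
    """Levenshtein distance; flags domains a keystroke or two away from the brand."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def spf_policy(txt_records):
    """SPF 'all' qualifier ('-', '~', '?', '+'), or None when no SPF record exists."""
    for rec in txt_records:
        if rec.lower().startswith("v=spf1"):
            m = re.search(r"(?:^|\s)([-~?+]?)all(?:\s|$)", rec.lower())
            return (m.group(1) or "+") if m else "?"
    return None

def dmarc_policy(txt_records):
    """DMARC p= value ('none', 'quarantine', 'reject'), or None when absent."""
    for rec in txt_records:
        if rec.upper().startswith("V=DMARC1"):
            m = re.search(r"\bp=(none|quarantine|reject)\b", rec.lower())
            return m.group(1) if m else "none"
    return None

def assess_sender(sender_domain, brand_domain, txt_lookup):
    """Is the sender a lookalike of the brand, and could its domain be spoofed freely?"""
    sender, brand = sender_domain.lower(), brand_domain.lower()
    spf = spf_policy(txt_lookup.get(sender, []))
    dmarc = dmarc_policy(txt_lookup.get("_dmarc." + sender, []))
    # Spoofable when there is neither a hard-fail SPF nor an enforcing DMARC policy.
    return {"lookalike": sender != brand and edit_distance(sender, brand) <= 2,
            "spf": spf, "dmarc": dmarc,
            "spoofable": spf != "-" and dmarc not in ("quarantine", "reject")}

def deterrent_records(domain):
    """TXT records to publish on a defensively registered typo domain that sends no mail."""
    return {domain.lower(): ["v=spf1 -all"],
            "_dmarc." + domain.lower(): ["v=DMARC1; p=reject"]}
```

Run `assess_sender("USSA.com", "usaa.com", SAMPLE_TXT)` to see the typo domain flagged as both a lookalike and spoofable; merging `deterrent_records("ussa.com")` into the lookup table turns the spoofable flag off.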