Last Saturday, I received a phishing email targeting members of USAA, which is a bank extensively used by active-duty military members, veterans, and their family members. See for yourself:
Dear valued USAA member:
Thank you for your support, At USAA we are updating our server for security reasons and some additional security measure.
You will need to download and open the document attached to this e-mail in order to verify your records. Please follow the instructions from the document.
USAA, 9800 Fredericksburg Road, San Antonio, Texas 78288
USAA means United Services Automobile Association and its insurance, banking and investment affiliates.
Did you spot the flaw? Half a dozen references to “USAA”, yet the domain name in the email address is USSA.com [sic]. Really, this phishing scam is nothing special. Like so many others, the fraudsters use a domain name that is confusingly similar to the authentic website. [Note: it’s possible that the return address was spoofed, so the owner of USSA.com might not be the culprit. It would be odd to spoof a typo rather than the actual domain, though.]
Yet this status quo is appalling, isn’t it? Few active-duty military service personnel, let alone retirees, are vigilant for impostor domain names. This lack of training makes them sitting ducks for identity thieves, ransomware, hackers – you name it.
Banks ought to be alert to such phishing scams. In particular, they ought to conduct regular audits, looking for chinks in their domain portfolio “armor”. Typo-based attacks such as USSA.com / USAA.com are predictable to the point of inevitability. USAA may be remiss in not having secured this typo domain already; but they are, unfortunately, in good company. Many banks are equally vulnerable.
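As an added illustration, not part of the original post, of the audit described above: the script below enumerates the single-keystroke typo variants of a brand domain (the class USSA.com / USAA.com belongs to) so a registrar or brand owner can check which are already registered, and flags an inbound sender domain that matches one. The sender addresses are constructed samples.

```python
from typing import Dict, Iterable, Optional, Set

ALPHABET = "abcdefghijklmnopqrstuvwxyz0123456789-"


def typo_variants(domain: str) -> Set[str]:
    """Return one-keystroke typo variants of a domain's left-most label.

    Covers the four classic edit classes: omission, duplication,
    adjacent transposition and single-character substitution.
    The TLD is left unchanged, so "usaa.com" yields "ussa.com" etc.
    """
    label, _, tld = domain.lower().rpartition(".")
    variants: Set[str] = set()
    for i in range(len(label)):
        variants.add(label[:i] + label[i + 1:])              # omission: "saa"
        variants.add(label[:i] + label[i] + label[i:])       # duplication: "ussaa"
        if i + 1 < len(label):                               # transposition: "suaa"
            variants.add(label[:i] + label[i + 1] + label[i] + label[i + 2:])
        for c in ALPHABET:                                   # substitution: "ussa"
            if c != label[i]:
                variants.add(label[:i] + c + label[i + 1:])
    variants.discard(label)
    # Drop strings that are not valid hostname labels.
    return {v + "." + tld for v in variants
            if v and not v.startswith("-") and not v.endswith("-")}


def lookalike_of(sender_domain: str, legit_domains: Iterable[str]) -> Optional[str]:
    """Return the legitimate domain a sender domain impersonates, or None."""
    sender_domain = sender_domain.lower()
    for legit in legit_domains:
        if sender_domain != legit.lower() and sender_domain in typo_variants(legit):
            return legit
    return None


def classify(addresses: Iterable[str], legit_domains: Iterable[str]) -> Dict[str, Optional[str]]:
    """Map each e-mail address to the brand domain it mimics (None if clean)."""
    legit = list(legit_domains)
    return {addr: lookalike_of(addr.rpartition("@")[2], legit) for addr in addresses}


if __name__ == "__main__":
    # Constructed sample From: addresses; the second mirrors the post's USSA.com case.
    samples = ["alerts@usaa.com", "security@ussa.com", "news@example.org"]
    for addr, hit in classify(samples, ["usaa.com"]).items():
        print(f"{addr:25} -> {'lookalike of ' + hit if hit else 'no match'}")
    print(f"{len(typo_variants('usaa.com'))} typo variants of usaa.com to audit")
```

Running the audit half against a registrar's WHOIS or RDAP lookups for each variant is left to the reader; the generator only produces the candidate list.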
Domainers often excoriate the UDRP process, owing to cases that abuse domain ownership rights. But it’s a good thing the UDRP is available to banks, domain registrars, and other sites often impersonated by scammers. I hope USAA files a complaint and takes possession of USSA.com. Given the phishing email being sent out, the case ought to be a slam dunk.