So I got this email the other day:
-----Original Message-----
From: Schwabplanmessenger@schwab.com [mailto:Schwabplanmessenger@schwab.com]
Sent: Friday, January 09, 2009 1:15 PM
To: Matthew Wollenweber
Subject: Schwab Retirement Plan Quarterly Statement
Dear MATTHEW WOLLENWEBER:
Your quarterly retirement plan benefits statement is attached. This secure, electronic statement replaces your paper statement at your request.
Before opening the file we recommend you save the attachment as an html file using .html as the file extension. You may also double-click on the attachment to open it directly. You are required to enter your User ID and PIN to access your information.
Your company retirement plan is one of the best opportunities you will ever have to save for your future. Visit schwabplan.com anytime to access or make changes to your account, check performance or use the planning tools. If you have any questions about your retirement account or want to know more about saving and how Schwab can help, please call us at 1-800-724-7526. We’re here Monday-Friday from 7 a.m. to 11 p.m. Eastern Time. You can also email us at schwabplan@schwab.com if you have any questions about accessing your statement. Please do not reply to this email.
Thank you.
Sincerely,
Catherine Miller
Vice President, Client Services
Your statement was sent through our encryption process which uses highly secure, industry standard algorithms. The encryption process between you and Schwab assures the highest levels of confidentiality for critical and sensitive data on public networks. Your password is hashed with 160 bit encryption with a large random number. This hash is then used along with the chosen encryption algorithm to encrypt your statement.
All e-mail sent to or from the Charles Schwab corporate email system is subject to archival, monitoring and/or review by Schwab personnel.
I thought for sure it was spam. I mean “download this html file, run it, enter your SSN and password”. How could it not be phishing? Well, I checked the headers, it came from Charles Schwab. I emailed them, just to make sure it really came from them… I got a response, it did. WTF? Who does this?
Now, I suppose you’re thinking “well, dumbass, just look at the source and see what it’s doing”. I did; it is this nasty crypto stuff delivered by obfuscated JavaScript and I really wasn’t motivated enough to spend time on it. Despite that, I can’t get over the whole idea of the message. All I can say is “who does that?”