Wells Fargo cannot follow its own phishing security advice

Wells Fargo has a reasonably good security page educating customers about phishing email and texting scams.

They make three good points about how to recognize a phishing email, telling the reader to look out for a combination of red flags:

Non-Wells Fargo email address: The email address of the sender does not include the wellsfargo.com domain name, instead using something like [email protected]

Urgent call to action: The email includes an urgent request in the subject line and message copy, such as “Don’t miss your chance to win $1,000. Complete the survey today.”

Suspicious URL: The email contains a link to a non-Wells Fargo URL, which could be a fraudulent website, such as https://mail.gallupmail.com/track?xyz.

As you may have guessed, I replaced their actual examples with similar but real content that I received by email from Wells Fargo.

On the left is a screenshot of Wells Fargo's good security advice regarding phishing emails. On the right is a screenshot of an actual Wells Fargo email violating its own advice (verified months later as legitimate by the Wells Fargo Executive Office).

Wells Fargo emails look like phishing emails

Wells Fargo, you have a responsibility to follow email best practices. All emails from Wells Fargo should come from the wellsfargo.com domain or a subdomain of wellsfargo.com, and all links in those emails should point back to the wellsfargo.com domain or a subdomain of wellsfargo.com. Nothing less is excusable.
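The rule above, and the three red flags listed earlier, are mechanically checkable. The script below is an added example (not code from the post or from Wells Fargo) that audits a raw email against them: the sender's domain, an urgent subject line, and every link target must be on the brand domain or a real subdomain of it. The sample messages are constructed for this example and reproduce the post's red flags; `BRAND_DOMAIN` is assumed. It deliberately covers the look-alike cases a naive substring check gets wrong: `wellsfargo.com.example.net` and `https://wellsfargo.com@evil.example/` both contain the brand name but are not brand hosts.

```python
import email
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumed brand domain: the post's rule is that every sender address and
# every link must be on this domain or a subdomain of it.
BRAND_DOMAIN = "wellsfargo.com"

# Constructed sample, not a real Wells Fargo email. It carries the three red
# flags from the post: survey-vendor sender, urgent subject, third-party link.
# It also adds two look-alike hosts that a substring check would pass.
SAMPLE_EMAIL = b"""From: Wells Fargo <noreply@gallupmail.com>
To: customer@example.com
Subject: Don't miss your chance to win $1,000. Complete the survey today.
Content-Type: text/html; charset=utf-8

<html><body>
<p>Please <a href="https://mail.gallupmail.com/track?xyz">complete the survey</a>.</p>
<p><a href="https://connect.secure.wellsfargo.com/auth/login">Sign on</a></p>
<p><a href="https://wellsfargo.com.example.net/login">Verify your account</a></p>
<p><a href="https://wellsfargo.com@evil.example/">View statement</a></p>
</body></html>
"""

# Constructed sample of what the post asks for: brand sender, brand links only.
COMPLIANT_EMAIL = b"""From: Wells Fargo <alerts@notify.wellsfargo.com>
To: customer@example.com
Subject: Your monthly statement is available
Content-Type: text/html; charset=utf-8

<html><body>
<p><a href="https://connect.secure.wellsfargo.com/auth/login">Sign on</a> to view it.</p>
</body></html>
"""


def is_brand_host(host, brand=BRAND_DOMAIN):
    """True only for the brand domain itself or a real subdomain of it.

    Matching is on a label boundary, not a substring, so
    'wellsfargo.com.example.net' and 'notwellsfargo.com' both fail.
    """
    host = host.lower().rstrip(".")
    return host == brand or host.endswith("." + brand)


def sender_domain(msg):
    """Domain of the From address, ignoring the display name."""
    _, addr = parseaddr(str(msg.get("From", "")))
    return addr.rpartition("@")[2].lower()


def link_hosts(html):
    """Hostnames of all href targets in an HTML body.

    urlparse returns the real host, so 'https://wellsfargo.com@evil.example/'
    yields 'evil.example' (the brand name there is just userinfo).
    """
    hrefs = re.findall(r'href\s*=\s*["\']([^"\']+)["\']', html, flags=re.I)
    return [urlparse(h).hostname or "" for h in hrefs]


def audit(raw):
    """Return a list of red flags found in a raw RFC 5322 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    flags = []

    dom = sender_domain(msg)
    if not is_brand_host(dom):
        flags.append(f"sender domain {dom!r} is not {BRAND_DOMAIN}")

    subject = str(msg.get("Subject", ""))
    if re.search(r"\b(today|urgent|immediately|don't miss|act now)\b", subject, re.I):
        flags.append(f"urgent call to action in subject: {subject!r}")

    body = msg.get_body(preferencelist=("html", "plain"))
    html = body.get_content() if body else ""
    for host in link_hosts(html):
        if not is_brand_host(host):
            flags.append(f"link to non-{BRAND_DOMAIN} host {host!r}")
    return flags


if __name__ == "__main__":
    for name, raw in (("sample", SAMPLE_EMAIL), ("compliant", COMPLIANT_EMAIL)):
        print(name, "->", audit(raw) or "no red flags")
```

Run against the constructed sample it reports five flags (the sender, the subject, and three link hosts) while passing the `connect.secure.wellsfargo.com` link; the compliant sample reports none. A real pipeline would also verify SPF/DKIM alignment on the sender domain, but the host check alone is enough to catch every example the post quotes.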

Follow your own security advice. Don't send customers emails that look no different from phishing emails. By doing so, you are training your own customers to trust emails they should not trust.