The company I work for uses Anthem Blue Cross for our health benefits coverage.
The other day I got an email from "Anthem National Accounts" <firstname.lastname@example.org> asking me to "Please click here to complete my "coordination of benefits questionnaire and return it to us within fourteen days of receipt.". As I moused over the link, I noticed that it was "http://cl.exct.net/open.aspx?Globally-Unique-Id-Removed-For-This-Post". A URL like that, sent from a health care provider should immediately raise a red flag for anyone, not just those that are security conscious.
My next step, one that most would not do, was to take a look at the mail headers. This email was received from: xtinmta02-111.exacttarget.com ([220.127.116.11]). Another warning sign about this email is that the mail was not actually sent by anthem.com. I now see three separate domains. The envelope address (anthem.com), the link address (exct.net), and the mail server (exacttarget.com), and the more I look into this, the "phishier" it gets.
The next thing I did was to check the SPF (Sender Policy Framework) record for the domain anthem.com. An SPF record for a domain will list the mail servers that legitimately send email on its behalf. A company will often add a third party email provider to their own record in order to prove that the companies do have a relationship, and that the third party is permitted to send emails on their behalf. Unfortunately, anthem.com has no SPF record, so there was no way for me to validate that this is a legitimate email.
For the purposes of this post, I clicked on the link, and it redirected me to a link at http://www.surveymonkey.com. The page was branded with the Anthem Blue Cross logo. It wanted me to fill out information such as my Anthem Member ID, My full name, and the names of all of my dependents. To make matters worse, this was not even a secure (HTTPS) page. Now I am sure that SurveyMonkey.com is most likely a legitimate business, but looking at that company name, the first think I think of is silly "What StarWars Character Am I Most like?" quizzes, not the sort of place that I want to send my personal health care information to. I do not know this company, and I do not have a relationship with them. I do not have any reason to believe that a company running this survey should also be responsible for my personal information. BTW for the record: I am most like Han Solo.
So what is a sane person to do? The only correct course of action is to delete the email at the first sign of it being "phishy", and so far I have counted five.
Unfortunately, I have had quite a few dealings with Anthem Blue Cross in recent months, and most of them have not been pleasant ones. I know Anthem Blue Cross to be just the sort of company that would demonstrate such a blatant disregard for its customers personal information that it was entirely possible that this was a legitimate email.
My solution was to forward the email to the human resources manager at my company and ask her if this was legitimate, and if I should worry about filling this out. Now here is the scary part: It was a legitemate email! Her response was that during the middle of last month, an announcement was sent telling everyone that this email was coming. She agreed that this email looked funny, and that they should do a better job in the future. For the record: I refused to fill out the survey. I will do so, if required, when the survey is hosted on an anthem.com based URL.
Keep in mind that I understand that it is reasonable, and normal for a company like Anthem Blue Cross to rely upon a third party in order to handle its email communications. In fact, I work for such a company. But there are ways to do this right, so that the person receiving the email does not have to question its validity. For instance:
- Create an SPF record for your domain, and keep it updated. The later is just as important as the former. I have a few instances where companies send out important notifications from a third party that is not listed in their SPF record, and then wonder why their clients filed it as junk. Having a bad SPF record is worse than not having one at all.
- If you are going to have a third party send a large amount of email on your behalf, it might be worth the extra few minutes of effort to add a DNS entry for your domain, that points to the email server(s) of your provider. For instance, anthem.com could add an entry for exct.anthem.com that points to 18.104.22.168. The third party would need to dedicate an IP for this customer, and give it a matching reverse address.
- Links in your emails, if you are sending them or not, should point to your own domain. If you need to redirect to a third party at that point, you can, but honestly, it is not recommended in this day and age.
- If you must use a third party for collecting information from your customers, you might want to spend the extra few minutes to an hour and work with the provider and your IT staff to set up DNS so that it at least looks like a host in your domain, such as surveymonkey.anthem.com or sm.anthem.com. If the provider wants your business, they will be more than happy to help you set this up.
None of this is very hard, or very complicated. Any company that is worth doing business with will be able to handle such a request, and setting up SPF and DNS records is only a few minutes work for a well trained IT professional. Then again, it seems that Anthem Blue Cross does not hire well trained mail administrators
My point to all of this is: If a supposedly legitimate email from a reputable health care provider can look this bad, how is Grandma Mae supposed to spot the phishing attempts that say they are from HSBC Bank? The second you tell a person to ignore the common knowledge they have been taught, such as not following links in strange looking emails to servers you do not recognize and not entering sensitive information on to non-secure pages, then why should they think any differently when they get the next phishing attempt or Nigerian email?
Edit to add:
I sent the URL of this post to the Anthem email address above, just to be fair, and give them a chance to acknowledge the issues. Unfortunately, the email bounced. It was first accepted by smtp.wellpoint.com[22.214.171.124] but shortly after, an email was sent back saying "User anthem.communications (email@example.com) not listed in Domino Directory".
I would normally send such a thing to firstname.lastname@example.org, but as you can see, that address does not work as anthem.com violates RFC 2821 Section 4.5.1.
At least I did my best and tried to let them know
Tags: anthem blue cross, dns, hsbc, phishing, phishing attempts, spam, spf
Current Location: Oakland, CA
Listening to: Faith No More - We Care A Lot