2012/10/30

HSBC pays little attention to the prevention of email phishing.

I received an email from HSBC about an annual service fee. Usually, if I receive an email from a bank, I will open the email header to identify whether it is really coming from the bank or is just a phishing email. For HSBC's email, the sender domain checked out OK. However, there are no DKIM messages in the email header. To probe further into email protection, I tried to dig the SPF records of hsbc.com.hk. Oh no, its SPF is based on "soft fail". That is a poor setting. Without the proper use of SPF and DKIM, I can conclude that HSBC pays little attention to the prevention of email phishing.
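The two checks described above (the qualifier on the terminal "all" mechanism of an SPF record, and whether a DKIM-Signature header is present) as an added example, not code from the original post. The SPF record strings and the raw message are constructed samples; in practice the record comes from a TXT lookup such as `dig TXT <domain>`, and the message is the one you received.

```python
import email
from email import policy

# Human-readable meaning of the qualifier on the terminal "all" mechanism.
SPF_MEANING = {"-": "hardfail", "~": "softfail", "?": "neutral",
               "+": "pass", "none": "no 'all' mechanism (implicit neutral)"}

def spf_all_qualifier(txt_record: str) -> str:
    """Return the qualifier of the terminal 'all' mechanism ('-', '~', '?', '+'),
    'none' if the record has no 'all', or 'not-spf' if this is not an SPF record.
    Note: a redirect= modifier is not followed; evaluate the target record separately."""
    if not txt_record.lower().startswith("v=spf1"):
        return "not-spf"
    for term in txt_record.split()[1:]:
        qual, mech = "+", term          # a mechanism with no explicit qualifier means '+'
        if term[0] in "+-~?":
            qual, mech = term[0], term[1:]
        if mech.lower() == "all":
            return qual
    return "none"

def has_dkim_signature(raw_message: str) -> bool:
    """True if the message carries at least one DKIM-Signature header."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    return "DKIM-Signature" in msg

def assess(spf_txt: str, raw_message: str) -> list:
    """List the weaknesses a recipient would flag: anything short of '-all' lets
    forged mail through as softfail/neutral, and a missing DKIM signature means
    the message origin cannot be cryptographically verified."""
    findings = []
    q = spf_all_qualifier(spf_txt)
    if q != "-":
        findings.append(f"SPF terminal qualifier is {SPF_MEANING.get(q, q)}: forged mail is not rejected")
    if not has_dkim_signature(raw_message):
        findings.append("no DKIM-Signature header: message origin cannot be verified")
    return findings

# Constructed samples (not real records or mail from any bank).
WEAK_SPF = "v=spf1 include:_spf.example.com ~all"
STRICT_SPF = "v=spf1 ip4:192.0.2.0/24 -all"
UNSIGNED_MSG = "From: notice@bank.example\r\nSubject: Annual fee\r\n\r\nbody\r\n"
SIGNED_MSG = ("DKIM-Signature: v=1; a=rsa-sha256; d=bank.example; s=sel; "
              "h=from:subject; bh=constructed; b=constructed\r\n" + UNSIGNED_MSG)

if __name__ == "__main__":
    for finding in assess(WEAK_SPF, UNSIGNED_MSG):
        print("WEAK:", finding)
```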

2 comments:

Anonymous said...

There is no convenient way to check it. Hope there will be a browser plugin, like DNSSEC.

warrenkwok said...

All websites and email services of banks should be supported by DNSSEC. However, we still need the .hk registry to be DNSSEC-signed.