Why does phishing work? Because phishers are able to manipulate the mindlessly bureaucratic language of the average financial institution to pull off a confidence trick. Luckily, mimicking this is much, much harder than it looks. There is something to be learned here.

Here are two examples of the species, both spotted by security outfit Websense. The first targets users of a small regional mutual in the UK, the Yorkshire Building Society.

“We Recently noticed one or more attempts to log in to your Yorksire Building Society account from foreign IP adress and we have reasons to believe that your account was hijacked by a third party without your authorization If you recently noticed one or more attempts your account while traveling, the unusual log in attempts may have been initiated by you. However, if your are rightful holder of the account, Click Here < LINK REMOVED > to log into your account and follow the intructions

Let’s ignore the erratic spelling and focus on the details. These criminals are out to scam users of a small regional financial institution in Northern England, and they haven’t worked out either how to spell the company’s name or how to use non-US spellings (note the characteristic US “z” and single “l”). It’s also incredibly wordy. Emails from UK banks and financial companies are never as prolix.

Here’s another one that sets out to scam customers of another small UK mutual, the Derbyshire Building Society.

“Dear Valued Customer,

Fraudulent activity has been registered on some of our account

Sign in < LINK REMOVED > to prove your identity Not proved accounts will be suspended.
Once you have confirmed your account records.”

This one is struggling to compose itself in coherent English. “Let’s hit the customers of a small bank”, you can imagine them reasoning. The smaller, the more regional, the stupider the customers. Wrong.

In fact, in both examples it is that connection to local conventions and idioms that is a customer’s best defence. It is when people sign up to big banks that they become more vulnerable, because big institutions talk in a language that is impersonal and less local.

Here’s a defence against phishing that should work for a while at least – sign up for a small bank with a slightly eccentric and local view on how to communicate with its users. That way, you’ll be able to spot dumb phishing without the need for a single security product.