This case study examines a bank phishing attack drawn from documented FTC complaint patterns. It illustrates how even experienced internet users fall for sophisticated phishing.
The Email
Sandra, 67, received an email that appeared to be from her bank — with the correct logo, formatting, and color scheme. The sender displayed as "Chase Bank Security <security@chase.com>" — though the actual sending address was security@chase-account-verification.com.
Subject: "URGENT: Your account access has been temporarily restricted."
Body: "We've detected unusual login activity from an unrecognized device in [her actual city]. To restore full access, please verify your identity within 24 hours or your account will be locked."
The Urgency Trap
Sandra had recently traveled, making the "unusual activity" claim plausible. The 24-hour deadline prevented careful deliberation. The email contained a "Verify My Identity" button.
The Fake Website
The button led to a site at chase-secure-login.com, not chase.com. The site was a perfect replica of Chase's login page, including an SSL certificate (the padlock icon, which only proves the connection is encrypted, not that the site is legitimate). Sandra entered her username and password and, when prompted, her full debit card number, expiration date, CVV, and SSN for "identity verification."
The Damage
Within hours, her bank account was drained via Zelle transfers to multiple accounts. Credit cards were applied for in her name. Her SSN was used to file for unemployment benefits in another state.
What Would Have Stopped It
- Checking the actual sending email address (not the display name).
- Going directly to chase.com by typing it — never using a link in an email.
- Calling the number on the back of her card instead of clicking.
- Recognizing that banks never ask for your full SSN or CVV via email.
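The first two checks in this list can be done mechanically. The Python below is an added example, not part of the original case study: it compares the real sending domain with the one claimed in the display name and tests the button's host against the bank's domain. The From header layout, the URL path, and all function names are constructed for illustration.

```python
import re
from email.utils import parseaddr
from urllib.parse import urlsplit

# Constructed sample values, assembled from the details in the case study.
FROM_HEADER = ('"Chase Bank Security <security@chase.com>" '
               '<security@chase-account-verification.com>')
BUTTON_URL = "https://chase-secure-login.com/verify"  # path is constructed
TRUSTED_DOMAIN = "chase.com"  # the domain the user would type by hand

ADDR_IN_TEXT = re.compile(r"[\w.+-]+@([\w-]+(?:\.[\w-]+)+)")


def belongs_to(host, trusted):
    """True only for the trusted domain itself or one of its subdomains."""
    host = host.lower().rstrip(".")
    return host == trusted or host.endswith("." + trusted)


def check_sender(from_header, trusted):
    """Compare the real sending address with what the display name claims."""
    display, address = parseaddr(from_header)
    real_domain = address.rpartition("@")[2].lower()
    findings = []
    if not belongs_to(real_domain, trusted):
        findings.append(f"sending domain {real_domain} is not {trusted}")
    # Many mail clients show only the display name, so an address embedded
    # there that differs from the real one is a strong spoofing signal.
    for claimed in ADDR_IN_TEXT.findall(display):
        if claimed.lower() != real_domain:
            findings.append(f"display name claims {claimed.lower()}, "
                            f"mail came from {real_domain}")
    return findings


def check_link(url, trusted):
    """Flag links whose host is outside the trusted domain, HTTPS or not."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    if belongs_to(host, trusted):
        return []
    note = " (HTTPS only encrypts the connection)" if parts.scheme == "https" else ""
    return [f"link host {host} is not {trusted}{note}"]


if __name__ == "__main__":
    for finding in check_sender(FROM_HEADER, TRUSTED_DOMAIN) + check_link(BUTTON_URL, TRUSTED_DOMAIN):
        print("WARN:", finding)
```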
This case is a composite based on reported FTC phishing complaints. Names are illustrative.