Here’s a bit of a different one in the world of spam, at least for me — text messages claiming that my First Horizon Bank account has been locked and that I need to log into the website to unlock it.
Normally, I try to cover spam that’s somewhat funny, but this one is a bit more serious. At its core this one just a variation on the classic spam phishing email, of course, but it doesn’t try to hide itself very well. The thing is, this isn’t just a random attempt to get people’s accounts — this is seems very well targeted and timed, and that makes it all the more sinister to me than it already would be.
Let me explain.
First Horizon was, up until very recently, known as First Tennessee Bank, and is actually based here in Memphis, Tennessee. Beginning in late 2019, thanks to some mergers, the name of the newly formed company was changed from First Tennessee to First Horizon.
This change included things such as the mobile app getting updated. This lead to some confusion among customers of the bank who you would think would have been notified in advance of this change. Some believed they had been hacked or something else strange had happened but once word got around over social media to the rebranding what had happened things settled down quickly.
Then comes this, a few months later these text messages, probably being sent out to every “known” phone number with a Memphis area code, are telling people they need to go to this URL, presumably to unlock their account. To the untrained eye they look at least worth inspection.
The problem, of course, is obvious — these certainly aren’t the actual First Horizon Bank websites in any capacity. In the image above I show a set of older messages I had gotten, and at the top is the one from today — you can see the different URL’s used them, none of which are the actual website of First Horizon Bank: https://www.firsthorizon.com/. Going to the one featured in the most recent text message shows exactly what’s going on, as the below screenshot shows.
I’ve archived the page that comes with when you go to the URL in question here: http://archive.is/KQP4v. Note that the page actually uses images from the actual First Horizon website, but is otherwise fake — that URL in question (www.firsthorizonz.com ) actually resolves to www.ligne-ambiances.fr/wp-content/horizon/ — a French URL which is hosting a wordpress powered section of a site which, otherwise, is selling fireplaces, apparently? (see their main site at http://www.ligne-ambiances.fr ) It seems to be a page piggy-backing off of an otherwise valid website, which makes me wonder — was that site compromised, is it a front, or is it someone with access to the server doing this?
This is a by-the-books phishing type scam, to say the least — obviously an attempt to get a persons account login information. It seems to be a cleverly targeted on, as well, but one that doesn’t hide itself as well as traditional email scams do.
I decided to dive deeper into this, and put in some information — expletives and insults to the scammers, actually, as the username and password. Naturally the page didn’t question this information, and took me to a security question page asking for my Maternal Grandmothers first name — a common security question. This, still, is just an attempt to get more info — enough to pass a security check and get access to your account. – see http://archive.is/99FWp for the example. It actually seems to be a stock “question” page, based on the URL.
After putting in more insults as the answer to the question and waiting a moment for it to “verify my info” it inquired to me about a “zelle” code of some kind being sent to my phone. See http://archive.is/KEPkG Perhaps their system, or possibly an actual human tried to input the information and get this code to gain access? Who knows. Considering the information I provided was fake and I know nothing about how First Horizon does their banking I can’t say.
I should remind you that the entire time I’m doing this the URL is still the obvious French one with no connection to First Horizon Bank. When in doubt, always make sure the URL is absolutely correct.
In any case, I decided to put in a random code to see what would happen and the page gave me this happy message that my account was unlocked! Actually, I’m certain if the information I had provided was at all real they would currently be trying to steal all 2 and a half bucks I have in the bank right now. How lovely. (see example here: http://archive.ph/AmG1n )
I could see why someone who, on their phone may not check the URL’s (or know how to) getting concerned and falling for this. It’s a damn shame that this is what some people want to do to make money, but that’s how it’s always been, I guess. Some people just don’t want to put in constructive work, they have to just take from others.
Naturally, if you do receive one of these messages do not go to the URL and do not input your information. If you have accidentally done so or fear you may have fallen victim notify First Horizon Bank immediately via their actual phone number, preferably to your local branch, which can be found here: https://www.firsthorizon.com/Support/Contact-Us
If you’re local to anywhere First Horizon operates PLEASE alert your friends, family, etc, to this. I want to see these operations cease and for people to feel safe using online banking, and banking with the group they choose to. As I said, I don’t bank with First Horizon but I’ll be damned if I’m going to ignore this.