|Eek - it's a phish|
The user said he examined the link he clicked on, but felt safe because it was an https link. That is where the user education fell short. The user had been told to inspect the links he was clicking, but the training modules used by this organization never reinforced the part that matters: an https link only means the connection to whatever server is on the other end is encrypted. It says nothing about whether that server is the correct one. Users need to check that the link actually takes them to the expected domain, and a valid padlock on the wrong domain is still the wrong domain.
The actual domain the user was redirected to hosted a lookalike of the USAA login page, complete with the PIN verification step USAA requires. The site itself was a compromised website where the attacker had taken up residence, which is why the page was served over https like the rest of that site. I won't victim shame here by sharing the actual domain used, but the user should have EASILY noticed this wasn't really USAA.
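The check the user should have performed, written out as code. This is an added example for this post, not anything from the incident or from Rendition Infosec; the e-mail body, the attacker host (an RFC 2606 `.example` name) and the IP address are constructed placeholders, and the trusted-host list is an assumption about what the training would name as the real bank. It pulls every link out of the message, resolves the host the browser would actually contact, and compares it with both the trusted list and the domain the link text claims to be. Note that every link in the sample is https, and two of the three are still wrong.

```python
"""Inspect links in a (constructed) phishing e-mail the way a user should:
check where the link actually goes, not whether it uses https."""
import re
from urllib.parse import urlsplit

# Assumed list of hosts the organisation's training treats as the real bank.
TRUSTED_HOSTS = {"usaa.com", "www.usaa.com"}

# Constructed sample body. The attacker host and IP are placeholders
# (RFC 2606 / RFC 5737), not the domain used in the real incident.
SAMPLE_EMAIL_HTML = """
<p>Dear member, we detected security problems on your account.</p>
<p>Please <a href="https://usaa.com.account-verify.example/login">log in at https://www.usaa.com</a> now.</p>
<p>Or use <a href="https://www.usaa.com@198.51.100.7/pin">www.usaa.com</a></p>
<p>Legit: <a href="https://www.usaa.com/">www.usaa.com</a></p>
"""

ANCHOR_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
URL_IN_TEXT_RE = re.compile(r'(?:https?://)?((?:[\w-]+\.)+[a-z]{2,})', re.I)


def registrable_host(url: str) -> str:
    """Return the host the browser will actually connect to, lowercased.
    urlsplit().hostname strips any user@ prefix and :port, so the
    'https://www.usaa.com@198.51.100.7/' trick resolves to 198.51.100.7."""
    host = urlsplit(url).hostname or ""
    return host.lower().rstrip(".")


def is_trusted_host(host: str) -> bool:
    """Exact or parent-domain match against the trusted set.
    'usaa.com.account-verify.example' must NOT match: its registrable
    suffix is account-verify.example, and 'usaa.com' is just a label."""
    return any(host == t or host.endswith("." + t) for t in TRUSTED_HOSTS)


def inspect_links(html: str) -> list[dict]:
    """One finding per anchor: real host, https flag, trust, display mismatch."""
    findings = []
    for href, text in ANCHOR_RE.findall(html):
        host = registrable_host(href)
        # Domain the *displayed* text claims, if the text looks like a URL.
        m = URL_IN_TEXT_RE.search(re.sub(r"<[^>]+>", "", text))
        claimed = m.group(1).lower() if m else None
        findings.append({
            "href": href,
            "host": host,
            "uses_https": href.lower().startswith("https://"),
            "trusted": is_trusted_host(host),
            "display_mismatch": claimed is not None and claimed != host,
        })
    return findings


def suspicious(f: dict) -> bool:
    """https is deliberately not part of the verdict; only the destination is."""
    return not f["trusted"] or f["display_mismatch"]


if __name__ == "__main__":
    for f in inspect_links(SAMPLE_EMAIL_HTML):
        verdict = "SUSPICIOUS" if suspicious(f) else "ok"
        print(f"{verdict:10} https={f['uses_https']!s:5} host={f['host']}  ({f['href']})")
```

The two tricks in the sample are the ones the training should cover: a trusted name planted as a subdomain of an attacker-controlled domain, and a trusted name placed in the userinfo part of the URL so it appears before the `@` while the browser connects to whatever follows it.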
|Results of a quick Google search show that McAlum is real|
The victim reported that he felt a need to follow up on the phish since the message mentioned security problems on his account. He said he actually Googled the sender, and when he found the name really belonged to the USAA Chief Security Officer, he felt the message was legitimate. Good on the user for thinking, but the logic here is all wrong. If he can Google the name of the CSO, so can any attacker; a real executive's name is public information and costs the attacker nothing to use. A little critical thinking should have led the user to wonder why the CSO would be contacting him directly. The CSO at a major bank doesn't work issues (even security issues) with individual checking accounts, as the phish suggests.
At Rendition Infosec, we always recommend that clients educate their users on realistic phishing scenarios. As infosec professionals, we owe it to our users to ensure that our scenarios are realistic and cover issues like this. Otherwise, our users may get a nasty Christmas surprise in their stockings far worse than a lump of coal.