I was surprised to notice the URL that CIBC is using for their online banking – it seems like great bait for a phishing attack.
Using a fourth-level hostname, www.cibconline.cibc.com, instead of the simpler form, cibc.com or www.cibc.com, makes it easy for the bad guys to fool people into clicking links that look like this:
Note that I changed the root domain in the URL from cibconline.cibc.com to cibccom.co – a fairly innocuous domain that is available for registration today, and therefore fair game for a bad guy to start using tomorrow.
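The trick above works because the only part of a hostname that an attacker cannot fake is the registrable domain (the public suffix plus one label), and a long hostname buries that part where users will not look for it. The following is an added example, not code from the original post: it extracts the registrable domain with a longest-suffix match against a small constructed subset of the Public Suffix List (a real deployment would load the full list), then applies a coarse triage rule that flags any URL carrying the brand name outside the bank's own registrable domain. It goes slightly beyond the post by also catching the userinfo trick, where the bank's real hostname is placed before an `@` so the browser actually connects elsewhere. The domains `cibc.com` and `cibccom.co` come from the post; `evil.co`, `bank.co.uk` and the URL paths are made-up inputs.

```python
from urllib.parse import urlparse

# Constructed subset of the Public Suffix List, embedded so the example
# runs offline. Assumption: this is NOT the real list, just enough of it
# to show the algorithm. Production code should load the full PSL.
PUBLIC_SUFFIXES = {"com", "co", "ca", "net", "org", "co.uk", "com.au"}

# The bank's genuine registrable domain (from the post) and the brand
# token we expect a lookalike to reuse.
LEGIT_DOMAINS = {"cibc.com"}
BRAND_TOKENS = {"cibc"}


def registrable_domain(hostname: str) -> str:
    """Return the registrable domain (eTLD+1) of a hostname.

    'www.cibconline.cibc.com'    -> 'cibc.com'
    'www.cibconline.cibccom.co'  -> 'cibccom.co'
    'online.bank.co.uk'          -> 'bank.co.uk'
    """
    labels = hostname.lower().rstrip(".").split(".")
    # Walk from the full name down to the last label: the first match is
    # the longest public suffix, which is what the PSL algorithm requires.
    for i in range(len(labels)):
        suffix = ".".join(labels[i:])
        if suffix in PUBLIC_SUFFIXES:
            if i == 0:
                raise ValueError(f"{hostname!r} is a bare public suffix")
            return ".".join(labels[i - 1:])
    raise ValueError(f"unknown public suffix in {hostname!r}")


def classify_url(url: str) -> str:
    """Coarse phishing triage for a URL.

    'legitimate' - registrable domain is one of ours
    'lookalike'  - brand token present but registrable domain is not ours
    'unrelated'  - neither
    'unknown'    - could not parse a hostname or its suffix
    """
    # urlparse().hostname strips any userinfo, so
    # https://www.cibconline.cibc.com@evil.co/ yields 'evil.co', which is
    # the host the browser will really connect to.
    host = urlparse(url).hostname or ""
    try:
        reg = registrable_domain(host)
    except ValueError:
        return "unknown"
    if reg in LEGIT_DOMAINS:
        return "legitimate"
    # Deliberately check the whole URL, not just the host, so a brand name
    # hidden in the userinfo or path still triggers the lookalike flag.
    if any(token in url.lower() for token in BRAND_TOKENS):
        return "lookalike"
    return "unrelated"


if __name__ == "__main__":
    # Constructed sample links: the first two mirror the post's examples.
    for sample in (
        "https://www.cibconline.cibc.com/ebm-resources/",
        "https://www.cibconline.cibccom.co/ebm-resources/",
        "https://www.cibconline.cibc.com@evil.co/login",
        "https://example.org/",
    ):
        print(f"{classify_url(sample):11s} {sample}")
```

The rule is intentionally coarse: anything that merely mentions the brand outside its own domain is worth a second look, and a short legitimate hostname such as `www.cibc.com` gives users exactly one thing to compare against.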
It is straightforward nowadays to show users a short, friendly URL no matter how complicated the backend is: a reverse proxy or rewrite rule in front of the application can serve the banking site directly from the bank's own domain. I'd really love to see CIBC use something like this:
While it won't completely solve the phishing problem, it would make their banking app a little more friendly and give the average user one short name to compare against, so the difference between a fake URL from a bad guy and the real one from their bank is easier to spot.