NatWest customers are being targeted by a run of fake "phishing" emails exploiting the recent disruption in the bank's services, Action Fraud warns. The fraudulent electronic messages offer prospective marks access to their accounts in exchange for personal information. In reality the opportunistic scam is purely designed to …
The bank sent out an email warning customers to ignore such phishing emails ???
My bank just changed its login page again. At the bottom there is some logo of "super-safe-trust-security-inc" and a warning saying, if you think this page isn't genuine or there is anything suspicious here call ... and then a phone number - generated on the page that is suspicious!
A few months ago when logging into First Direct I was "unexpectedly" asked to answer my secondary security questions and update my password (later I realized that the problem was they'd rejigged the login page and the "forgotten password" button was where the "proceed" button used to be). As I did this I suddenly thought am I being phished - assuming a phisher knew what they were doing then there was no point in sending a message via the First Direct "secure message" system so instead I sent an email explaining what had happened and why I wasn't using the "secure message" system to customer services - only to get a reply saying "we cannot comment on account via email, please send a secure message from your account page". Anyway, as mentioned once I'd worked out what had happened then I realized there wasn't an issue but it's another catch-22 - how do you tell a bank that you think your login and thus access to the secure messaging system has been compromised if they'll only respond to questions submitted on the secure messaging system!
There's this thing called a phone ;-)
They love it, you get to sit on hold for hours whilst they make money for every minute the call is connected, and when you still get through they're still no help!
On the plus side, after the wait you will at least be able to ask what the weather is like in India (not my joke, blame Shappi Khorsandi :).
Re: Weather in India
I know what the weather in India is like, or, at least, the bit that I live in.
When I do get through to an Indian call centre, I sigh with relief that I don't have to explain funny addresses like "7-bar-9-oh-sorry-that's-7-slash-nine-but-we-say-bar," explain where the "H" is in "Gandhi", spell the name of my city slowly and explain Indian post codes.
Unfortunately, when I call the Royal Bank of Scotland I usually get a very pleasant, but softly-spoken person whose Scottish accent is not at all easy, over 5,000 miles of telephone network, on my very British but somewhat deaf ears.
(Not that anyone wants to know, but I'm really really really not being anti-Scottish here. It's that high-frequency hearing loss thing: certain accents are much harder to understand than others.)
Re: Weather in India (@ Thad)
Happened to me last month, when I called a call centre in South America. It's not only the hearing loss. To save some bucks, they send the call through VOIP and a sound compression method that plays havoc with sharp sounds. The CSR was a girl with such a sharp voice I could barely understand a word out of two. I have a basso voice and I suspect the CSR was also having trouble understanding what I was saying, probably due to some other compression artifact.
I don't think this is accidental. This way if you have any problem/complaint with a company, you have to spend hours talking to people you hardly understand and who have a hard time understanding you, and who probably don't have the faintest idea of the problem. So 90% of complainants end up giving up, and half of the rest suffers a stroke :-).
And usually you get the impression that those outsourced CSRs don't give a shit about not being able to fix your problems with the company. Their job is not fixing your problems. Their job is forcing you to give up your claims, and they do that job exceedingly well.
The parent was talking about First Direct. Phoning them is not like phoning any other bank - you get through quickly and simply to a reasonably trained operator.
Seriously. I've been using them since 1990.
Re: Weather in India
I'd rather speak to a Scot than an Indian. What's even worse is having an Indian doctor, because then you've got doctors' bad handwriting to contend with too.
Actually First Direct are very good for speaking to them on the phone, I usually get through very quickly when I ever need to (which is rare).
How long until we see an email along the lines of
"hello, my name is Sanjit and I work for RBS in India. I made a mistake on a data backup which caused all the problems with the bank. Luckily my manager has not been able to place the blame on me but when we fixed the system I realized that £10MILLION was left in a holding account - if he sees this he'll know it was my fault and sack me. Can you help me please and let me transfer this money into your account - you can keep the money and I'll keep my job"
More likely "We have your wages, please give us your credit card number and security questions so we can credit your account..."
The original RBS phishing email
hello, my name is Fred and RBS used to work for me. I made a mistake on a bank purchase which caused all the problems with the bank. Luckily I didn't have a manager to place the blame on me but when we fixed the system I realized that £10MILLION was left in my account. Can you help me please and let me transfer more money into my account - I can keep the money and you can lose your job.
they nearly beat the RBS to it
with this email. Next time it'll surface even before the bank has "fixed" the problem.
generally I don't have much sympathy with people falling for email scams, but on the other hand, the more desperate you are, the more you want to believe someone actually wants to help you. And this one is preying on desperation.
generally I don't have much sympathy with people falling for email scams
I understand why you don't have much sympathy, but what we need to remember is that a lot of the people who fall for things like this are "getting on a bit", "not very I.T. literate" or from the "shallow end of the gene pool".
We are not all I.T. ninjas :)
Re: generally I don't have much sympathy with people falling for email scams
Retired IT manager (one of the IT-literate ones, I like to think) here ... and I recall the day I nearly fell for one of the scam Paypal mails.
Luckily, I took a second look at the addresses in the links just in time. We can all be caught out, and "I should have known better" comes too late.
There's nothing amazing about these things looking realistic. It's easy enough to grab graphics off the real sites. I don't even do html, but I bet I could find out enough by this time tomorrow to knock up something similar. Forgery has never been simpler --- or more threatening to such a large number of people.
Re: generally I don't have much sympathy with people falling for email scams
It's not an IT problem. "Con-artist" has got to be up there with "prostitute" and "lawyer" among the world's oldest professions.
> fraudsters will be able to log in to their account and steal all their money
Assuming of course that anybody can get into the account at all?
>Assuming of course that anybody can get into the account at all?
and that any funds haven't mysteriously disappeared. Now that Hester is likely to miss out on another bonus he's got to make up for it from somewhere.
Re: "Now that Hester is likely to miss out on another bonus..."
Why would he?
Are these phishing emails positively targeting Nat West and RBS customers alone ?
Or is it just a blanket phish going out to world and dog ?
If the former is the case I would find it rather alarming.
Sorry, but I couldn't see an answer to this in the article. To me it did seem to suggest the former scenario. Clarification would be good either way.
I would imagine it's just being sent to a bunch of miscellaneous harvested email addresses. With 16.9million accounts affected, you're bound to hit a few ....
I'm a non-RBS/NW/UB customer & I got one the other day, I would have ignored it anyway, but gmail did divert it straight into the spam folder.
I see. Whilst I do understand the very reasons why these scams are referred to as "Phishing", I was just seeking some clarification. My Bad - taking things too literally I guess.
A good way to determine whether an email is coming from a fraudulent source is to tap or click & hold on the email address of the sender. If it looks funky, like the email address doesn't have the company's name at the end or it looks like gibberish, then it's most likely a fake. Also, beyond email, there are ways of getting you to release important info about yourself or your financial accounts. I recently received a robocall about an account that I had opened @ Bank of America. At first I thought it was legit, until I realized that no bank will contact a customer in the middle of the night. They had probably correctly assumed that they would get more people to participate if they called while people are sleeping & not thinking as clearly.
What is this "click on the email address" thing you speak of? I didn't know that Elm had a GUI interface..
I think we've been infiltrated by Daily Mail readers.
Bank of America... Ah.. You don't drive a Buick and have a thing for Steve Ballmer by any chance?
Unfortunately, some organisations send out their email via a third party. It's much the same as is done for physical mail, though there is obviously less hassle over email than with sending out printed letters.
And then, when email doesn't get delivered, because it looks like spam, it's our fault rather than theirs.
"or enter personal details after following links from such emails."
People still follow links in emails?
This is a bit like saying 'avoid STDs by wearing a condom' surely?
...anyone afflicted by this will also blame the bank, when it's not the bank's fault at all (in this particular case). I do hope they don't end up having to compensate people for this too, Hester==git notwithstanding.
Remember, for most people who have some money in account float for emergencies, it's not been a problem. If I read El Reg right: it's incoming payments that have been delayed. You can still use your debit cards and get cash out of machines, provided the funds were there already, right? (As it happens I've not had to, coincidence)
Re: Problem is...
More importantly (for me, at least, as my employer uses NW to pay salaries) BACS payments aren't interrupted either.
Perhaps not too bright..?
Phishing for info regarding a bank which won't let its legit customers get at their loot even with all the passwords etc. etc.
Doesn't strike me as the brightest option...
Bad show on Nat West.....
I've been wondering since last week when the first phishing mails would come out "Due to our recent computer glitch we now require you to enter your security details......." etc.
Sad thing is I'm a Natwest customer, and I've now had 4 or 5 emails from the bank apologising, advising of extended opening hours etc. HOWEVER, not one of those mails has contained a warning to the effect of "As a result of this glitch it is possible that fraudsters/criminals/terrorists/paedophiles (delete as appropriate) may send out fraudulent emails asking you to log into your account and re-enter your security details. Under no circumstances will Natwest ask you to do this, blah blah, blah"
Extra big fail on behalf of Natwest/RBS there, methinks.
Re: Bad show on Nat West.....
Actually - let me amend my last post. I've just re-read my mails from NatWest. There is a paragraph warning about Phishing mails. It's buried amongst the giblets of small-print and disclaimers at the bottom of the mail, after all their logos and things. In circumstances like this I think they really need to emphasize the phishing and security aspects in every email they send out.
As a former contractor at RBS, I am not surprised that shortsighted management created the environment for this mess.
To the point though, there is an opportunity here to mess with the scammers.
DO NOT TRY THIS IF YOUR BANKING DETAILS ARE ANYWHERE ON YOUR COMPUTER EVEN IF YOU HAVE WITHDRAWN FROM ONLINE BANKING.
When you get any email from any bank and you do not have any bank account details on your computer, follow the link, noting the lack of https and the strange url; if you have siteadvisor software - USE IT; fill in the information requested using swearwords and false details - firstname.lastname@example.org is a good email address for example - then sit back in the knowledge that the scammer will have a database full of rubbish to trawl through.
DO NOT TRY THIS IF YOU HAVE BOUGHT ANYTHING ON THE INTERNET -the risk is low though the penalty high.
Cure with one line of SQL...
Yet another story highlighting the inherent folly of giving your e-mail address to your bank.
Seriously, why would you do that? E-mail is too insecure for anything sensitive, and too slow for anything time-critical. What exactly would you want to receive that way?
I use internet banking all the time, but none of it goes through my e-mail system.
So if any bank never wants its customers to be phished again, the fix is simple:
UPDATE customer SET email = ''