By Sarah Toyne
BBC News Online personal finance reporter
'Phishing' scams are becoming a growing problem
Customers of Nationwide, the UK's largest building society, have become the latest online banking consumers to be targeted by an e-mail scam, BBC News Online has learned.
The scam tries to trick customers into giving away confidential bank details.
The scam, known as "phishing", targeted Barclays and Lloyds TSB customers in September.
NatWest customers were e-mailed on Friday and Halifax's on Saturday, and it has also emerged that Barclays' customers were targeted again over the weekend.
The e-mails ask customers to verify their details and hand over PIN numbers and passwords through a replica website.
They are sent randomly to consumers, in the hope that someone will divulge their banking details.
Nationwide, the UK's largest building society, said its customers had received the false e-mails on Sunday.
Recipients said the wording on the e-mails was very similar to those also received by Halifax customers over the weekend.
Experts say the scam originates from Eastern Europe - and it is the first part of a two-tier scam which has emerged in recent months.
The building society said some customers had received e-mails, but it was too early to say if anyone had submitted their details.
It is advising anyone who thinks they may have given away their confidential details to contact its call centre.
"We would never ask for personal identification details, such as pin numbers or passwords," said a spokesman.
"Delete them [suspicious e-mails] straight away."
Barclays said it had shut down the fraudster's website over the weekend and had introduced extra security measures.
"We had some calls from customers but only one so far has disclosed any information", a spokesman told BBC News Online.
The scam has also hit large retail banks in the US, Australia, New Zealand and mainland Europe in the past year.
"Phishing" is only the initial stage of a two-tier scam originating in Eastern Europe.
The second stage, known as "money transfer" or "job offer scam", involves advertising for British people with UK-based accounts to act as agents to transfer money overseas.
Anyone who has concerns should contact Nationwide on 08457 302010.
I have received emails of this type reportedly coming from first Halifax then Barclays. One simple thing made me realise it was a scam - I don't bank with Halifax or Barclays. I did click on the second email purportedly coming from Barclays out of curiosity and was fooled initially until I came and checked the BBC site where I found confirmation this was a scam. I've been building web systems for the last few years so am very sceptical about any unsolicited email. Thanks for letting people know about this, I am sure a lot of people will be fooled. I couldn't see anything on the real Barclays site warning people about this.
Mark Baynes, UK
I've received two e-mails - one supposedly from Nationwide and one supposedly from Barclays. Your report suggests that customers of these organisations have been "targeted", but if the fraudsters were capable of such targeting I would not have received any such e-mail - I'm not a customer of either Nationwide or Barclays.
Both messages were bounced using "Mailwasher" software.
Consumers should wake up and face the threat. Any respected organisation that deals on the internet would NEVER EVER ask for your personal details. Even for confirmation of accounts or passwords. THINK! Why would a bank want me to confirm I was a customer? Common sense should kick in and say 'Why?'. If you had a safe with a digital lock and the manufacturer asked you for your combination, would you not think 'Why does he want that?'. Anyone foolish enough to hand over private details of their accounts to stupid emails first deserve it and second need to pack their PC away and send it back to the shop. You need to be 16 to smoke and 18 to drink but any age to own a PC and be a victim of 'Cyber Crime'.
Roger Callan, UK
One thing to look out for in emails that you are not sure of is an "@" sign in the links they send out. This is a well-documented exploit in internet security that makes your browser navigate to any site given after the "@" sign. In this case, the loaded page also loads up the official Barclays web site to add credibility to the scam.
I had several spurious e-mails supposedly from Barclays (I do have & use their online banking service) but instantly knew they were not a genuine message from Barclays, as Barclays send the account and password information via snail mail and would not expect me to type the details into an unsecure web page! These scams have been going for years and will obviously continue unabated in the future, just use a bit of common sense.
I received an e-mail supposedly from Halifax, but became suspicious when I realised it was addressed to my husband, who is not a Halifax customer. One other thing to note... the e-mail contained a virus which was picked up by our anti-virus software. I contacted Halifax today, who told me that the matter was being investigated and that they are aware that the e-mail has a virus.
Janet Leland, UK
Marc should avoid making statements such as the use of @ is an exploit. It is no such thing. The @ is used to separate the address from the optional username/password that can be entered. However it is wise to take notice of the exact address you are being sent to.
What would be nice is if the browser alerted the user to the fact that the URL contains a username and password, and it is a prompt that can NOT be turned off within any options. If that was the case then this method of duping people out of their banking details would drop stone dead, but oh no... It's way too simple an idea to implement. ]=:
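The point debated in the comments above, that everything before an "@" in a link's address is optional username/password data and the real destination is what follows it, shown as an added example that is not part of the original article or its reader comments. The sample message, the reserved placeholder hostnames and the function names `inspect_link` and `scan_message` are all constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Constructed sample message body (not taken from any real e-mail).
# example.test / example.invalid and 203.0.113.7 are reserved placeholders.
SAMPLE_EMAIL = """
Dear customer, please verify your details:
http://www.bank.example.test@203.0.113.7/verify.html
Our usual site is https://www.bank.example.test/login
Old FTP link: ftp://user:secret@files.example.invalid/statement.pdf
"""

URL_RE = re.compile(r"""\b(?:https?|ftp)://[^\s<>"']+""", re.IGNORECASE)
HOSTLIKE_RE = re.compile(r"[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+(:.*)?")


def inspect_link(url):
    """Describe where a link really goes and whether userinfo disguises it."""
    parts = urlsplit(url)
    # Everything before the last "@" in the authority is userinfo, not the host.
    has_userinfo = parts.username is not None or parts.password is not None
    userinfo = parts.netloc.rpartition("@")[0] if has_userinfo else ""
    # Userinfo that itself looks like a hostname is the disguise described
    # above: the reader sees a bank name, the browser connects elsewhere.
    looks_like_host = bool(HOSTLIKE_RE.fullmatch(userinfo))
    return {
        "url": url,
        "real_host": parts.hostname,
        "userinfo": userinfo,
        "has_userinfo": has_userinfo,
        "deceptive": has_userinfo and looks_like_host,
    }


def scan_message(body):
    """Inspect every URL found in a plain-text message body."""
    return [inspect_link(u) for u in URL_RE.findall(body)]


if __name__ == "__main__":
    for f in scan_message(SAMPLE_EMAIL):
        flag = "SUSPICIOUS" if f["deceptive"] else (
            "userinfo present" if f["has_userinfo"] else "ok")
        print(f'{flag:17} real host = {f["real_host"]}  <- {f["url"]}')
```

A mail filter or warning prompt built on this check would flag the first link, whose visible bank name is only userinfo, while leaving the ordinary login link and the plain credentialed FTP link distinguishable.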
People are lemmings. I rest my case!
If a man comes to your door asking to read your meter, you should ask for his identification before letting him into your house. Similarly, digital signatures and methods of verifying identity online have been around for years (and are legally binding in the UK). Until the banks, the media and government do something about this, the public will live in fear of online confidence tricks that are in fact completely preventable.
I used to receive two or three of the "money transfer" type of emails a week. While initially they were amusing, it became a bit of a pain. If you are not careful with your personal email address then it soon gets added to all sorts of lists. I now have two addresses, one advertised on my website that I check weekly and another personal address, not generally given out, that all my friends and people that I can trust (like my bank account etc) have and I check daily. It certainly keeps the spam down a bit.
Well, I just logged in to my Halifax online account, and I'm happy to say that the Halifax are taking the issue very seriously indeed - plenty of pop-up warnings to tell the user to be vigilant, and a phone number to call if they are worried. Nice.
I got an email yesterday, supposedly from the Halifax, but I've seen them before. The actual offending site is in Russia. However, the authorities are now catching up and the offending sites are being taken down. The general public is becoming much more aware, and tech savvy - I don't think this will affect too many people.
Mark Wills, UK
I frequently get emails from financial institutions that contain URLs requesting me to click on them for the latest offer or view my statement. Any one of these emails could be spoofed and the URL I click on lead me to a hoax site where I duly log in to see my latest statement or sign up for the latest offer. At that point I've given my login credentials away and the fraudster can pop up a failed login message or system down for maintenance error to avoid giving the game away.
The only way to avoid this is to NEVER click on any link contained within an email that purports to take you to a financial institution's site; instead ALWAYS type the URL directly into the browser or use a bookmark you have set up previously.
The financial institutions could help prevent this problem by not sending emails with URLs contained within them and then educating users to only use the method described above. Until this happens the Internet banking sites are always open to this kind of abuse.
Peter Lidwell, UK
I've had 2 emails. One on Saturday "from Halifax" and one today "from Barclays". I don't have accounts with either of them. The Halifax one took you to a site based in Russia which then tries to download a virus to your PC.
Mark Balcombe, UK
I received an email from Nationwide on 6th October, which I never got around to opening, but after reading this article I opened it and noticed that the time of the email was sent CEST, (is this eastern Europe?) therefore is it a fake??
I have replied to my email from Barclays, I supplied all the information that was requested by them. Although what I did supply was completely fictitious. This gives me great delight with the thought of the individuals getting nowhere with the details. The only way to beat them would be for everyone who receives an email to reply to it with fabricated details and flood them with a vast amount of dead information.
Mike Gerwin, UK
I've had several emails from each bank, and I filled them with completely bogus details. I'm not stupid enough to send in my own. I figure on letting these admittedly devious people waste their time with my false details.
Jamie Fryer, UK
This scam has caused no end of inconvenience, I have not been able to log on to my Halifax accounts since Saturday night as they have been suspended and only now have they come back on. (21:00 Monday). Now they have barred transfers, so I can look at my accounts but not do anything! So annoying! They should have measures in place to stop this sort of thing.
Wayne Morrell, UK
I received a fake mail from the 'Halifax'. To be honest I was going to give the details until my Grandson, who was luckily with me, stopped me. It makes me angry that people like Roger above say people should know that these things are scams. I am pretty new to the Internet and with no formal training, who am I supposed to trust?
Jim McGrath, UK
Common sense is the best weapon against these fraudsters.
Ivan Scholte, Laos
My point is that people should be aware that it is not only the banks that are being used as cover for this type of scam. How long is it going to be before someone claims to be one of the Utility companies or other such organisations that like us to use Direct Debit payment methods? With increasing movement towards automated payments, both into and out of Bank accounts, I can only see this becoming more commonplace. This is only the 21st century version of the Nigeria scam, where alleged African businessmen need your bank details, for a fee, to transfer cash out of the country. This one has been around for so long, surely people are not still falling for it.
David Tibbs, UK
Why have the Banks not done more to combat this? There are some simple, reliable and robust ways of dealing with this. The phishing problem has been around for at least 18 months for eBay users - I've received many very realistic looking phishing emails, but if you know what to look for they are obvious. When I contacted the Banks and offered to advise, they said that they had good security teams, but still the clients of those banks have suffered. I think that it is all down to "cost savings" by the Banks.
Charles Smith, UK
I truly don't feel there is any way to beat e-mail scams. The only thing we can do is educate ourselves and pass on the information when a new one comes out.
Roberta McCartney, USA
The responsibility for this sort of thing lies with the ISPs and the banks. ISPs could do a lot more to educate new customers about the risks of net use and how to avoid being scammed - a simple email or web page highlighting the common email/web scams and hoaxes and advice about how to protect yourself wouldn't be that hard and would pay dividends.
Banks could easily institute a more secure email system, either through digital signatures, or even simply turning the passwords around so they have to provide a keyword in their emails that is unique to each user. Sure, plain text emails can be snooped and these keywords discovered, but it would stop the mass-mail approach working.
A few people have said that they've replied to the emails with bogus information.
The downside to this is that you have confirmed that your email address still exists, and you are opening the floodgates to more spam.
Many spammers don't know if your email address is still live, or if it even exists, so confirming it to them will still be of benefit, even if you have completed it with bogus information.
As many have mentioned, if in doubt, call your bank etc first to confirm what has been sent. Email remains the most insecure of all communications!
Alex Ramsay, UK
As an employee in the IT field it's a lot easier for me to spot such scams. I believe loopholes will always be found in Internet security no matter what is done. There will always be vulnerable people. We can't really point the finger at the banks as it is up to us to listen to advice given out by our banks. Time and time again we are told that the banks will never ask us for our password or username, yet hundreds of people without thinking have filled in FAKE security audit forms. We must learn to be more vigilant!
James Pilgrim, UK
I have not had any bogus emails from the banks yet, but I have had several emails wanting my account number and sort code for the transferring of money overseas, or to hold a sum of money in my account for a while. Working in the insurance financial sector I was already aware of these types of scams and commend the BBC and the banks for making consumers aware. Whilst I agree we must remain vigilant, there are people out there that will give their account details as they are new to the super highway and are not aware of the possible scams that go on.
Emma B, UK
I received an email from Nationwide last night to warn me that the fraudster was targeting Nationwide - why don't people leave us and our money alone? I think tough penalties should be set up for fraudsters when they are caught. Also I received 3 emails from Nigeria saying that they want to buy my PC for $25,000!! but I refused and deleted the emails right away - they are trying to steal my card numbers -- so watch out for Nigerian email scams as well.