The Less Thoughtful Phisher

Less innovative than the scam mails described in my previous articles (Phish to phry and The Thoughtful Phisher II), there are those phish messages that suggest a problem with your account that they need you to log in to fix. (Of course, you aren’t really logging in to a legitimate site.) Mostly their appeal is to fear and paranoia – I’ll look at some of those in due course.

New Year’s resolution

This one is more interesting, though, in that it suggests a technical/administrative error, or maybe a mistake on the victim’s part.

Nationwide – Resolve Your Account

We are sorry to inform you that your account in NATIONWIDE Internet Banking System is not fully available.

During the last update of your account details, our security system reported many required fields not filled.

To finish the activation process please follow the link below.

Click here to complete your account

Thank you for banking with us.
Nationwide Building Society.

We’ve probably all had the experience of being unable to complete a transaction because a form isn’t constructed to meet the conditions that we find ourselves in: for instance, it might include some fields that are too restrictive in format, such as a postcode format that assumes you have an American zipcode. Or it simply hangs or crashes out for no obvious reason, perhaps a browser with collywobbles. So this approach could be quite convincing for an incautious potential victim.

The English is slightly better on this one than it is on many others, though it still sounds a little ‘foreign’. I’m not sure how many potential victims would be put off by that, though poor English is certainly a viable heuristic for detecting likely phish messages. People who write emails on behalf of a bank in a given region are likely to be native speakers of the language primarily spoken in that region. I’m not sure if ‘fully available’ is deliberately vague, but it might reassure someone who reached the phishing site and then tried to access services to which it didn’t include valid links.

It does you credit

Here’s one that could almost belong to the previous article, since it describes something desirable (an incoming credit), though it also describes an imaginary problem.

Dear Santander Account Holder,

At Santander We take our internet banking security seriously. When using our internet banking you automatically benefits from our internet banking promises.


There is a pending Credit payment into you account from our account department for security reasons invalid records and your 4 digits Security Pin we require you to confirm your account status and profile on file with us before this transfer can be completed.

This can be done in 2 simple steps using the reference provided below.

Confirm Pending Credit

Please accept our apologies for any inconvenience this action may have caused

Yours sincerely,
Online Customer Service

As usual, there is no personalization. The English is abysmally bad. And why on earth would they need your PIN in order to facilitate a credit?

Jump to it!

Now we move to a class of phishing message that appeals to your fear of insecurity, if not downright paranoia. This set of messages is characterized by subject lines such as ‘[your bank] Important Security Notification’ or ‘Credit Card Security upgrade – Must Read’ to create a sense of importance and urgency.

Starting from September 25 2013, Lloyds bank introduces new authentication procedures in order to better protect private information of our account holders.

Please note that accounts that are not reviewed within 48 hrs are subject to termination.

To avoid service interruption click here to avoid services interruption 

Thank You.

Lloyds Banking Group.

Again, the English isn’t bizarrely wrong, but is slightly odd. Note the further use of a common phishing technique: the scammer tries to frighten you into complying before you’ve had time to consider it properly, by threatening to terminate your account if you don’t react immediately.

It’s good for you

And here’s another. Short and not particularly sweet, but doesn’t contain an overt threat.

Dear Valued Customer:

We have upgraded our system security service bringing significant performance improvements and new features, which all Nationwide Building Society customers will enjoy.

Due to this upgrade we urge you to please upgrade to this service now for security purpose.

Please kindly click here now to upgrade your Nationwide Building Society account to the latest security feature.

Nationwide Building Society

Welcome to Halifax. Errr, Lloyds. Um, Halifax….

The next one is interesting in that it’s more than usually sloppy: it can’t quite decide which part of the Lloyds banking empire it was sent from. The apparent sender is Halifax but the subject is LloydsTSB – Account Upgrade Notice.

Dear Valued Customer,

We recently reviewed your account and noticed that your Halifax account details needs to be updated and verified.

Due to this, you are requested to follow the provided steps to confirm your Online Banking details for the safety of your accounts.

Simply click on secure account to update your Internet Banking details.


Thank you for banking with us.

Yours sincerely,
Customer Service Department.
Halifax Online Banking

Scams like this are very much less effective if you bear in mind that the last thing a responsible financial institution is likely to do is to ask you to upgrade your security by going to a dubious link in an unexpected email.

You might also bear in mind that your bank probably knows whether it’s called the Halifax or Lloyds TSB. Of course, banks and building societies do merge – Lloyds TSB is itself the result of the merging of Lloyds Bank and what was once the Trustee Savings Bank, and the Halifax is nowadays part of the Lloyds Banking Group – but where both names are used randomly like this, it just means that the scammer has used a standard template and forgotten to change one of the name references to fit the current phishing target.
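The indicators pointed out so far (no personalization, a request for a PIN, a deadline threat, a link to "fix" the account, and two bank names in one message) can be checked mechanically. The following Python is an added example, not part of the original article: the regexes, the brand list and the function names are illustrative assumptions, and the sample bodies are quoted from the messages on this page.

```python
import re

# Assumed brand list: the banks named in the messages quoted in this article.
BRANDS = ("halifax", "lloyds", "nationwide", "santander", "natwest")

# Each pattern encodes one indicator the article points out (illustrative regexes).
CHECKS = [
    ("generic-greeting", re.compile(r"^\s*(?:dear\s+)?(?:valued customer|\w+ account holder)\b", re.I | re.M)),
    ("secret-request", re.compile(r"\b(?:pin|password|passcode)\b", re.I)),
    ("deadline-threat", re.compile(r"\bwithin\s+\d+\s*(?:hrs?|hours?|days?)\b|\bsubject to termination\b", re.I)),
    ("click-to-fix", re.compile(r"\bclick\s+(?:here|on)\b|\bfollow the link\b", re.I)),
]

def brands_in(text):
    """Return the known brand names mentioned in text (spacing-insensitive)."""
    squashed = re.sub(r"\s+", "", text.lower())
    return {b for b in BRANDS if b in squashed}

def indicators(sender_name, subject, body):
    """List the phishing indicators present, in a fixed order."""
    found = [name for name, rx in CHECKS if rx.search(body)]
    # A bank knows its own name: two brands across sender, subject and body
    # suggest a reused template with one reference left unchanged.
    if len(brands_in(sender_name) | brands_in(subject) | brands_in(body)) > 1:
        found.append("brand-mismatch")
    return found

# Sender and subject as reported in the article; body quoted from the sample.
HALIFAX = ("Halifax", "LloydsTSB - Account Upgrade Notice",
           "Dear Valued Customer,\nWe recently reviewed your account and noticed "
           "that your Halifax account details needs to be updated and verified.\n"
           "Simply click on secure account to update your Internet Banking details.")
# Subject constructed from the pattern the article describes; body quoted.
NATWEST = ("NatWest Card Services", "NatWest Important Security Notification",
           "Please note that accounts that are not reviewed within 48 hrs are "
           "subject to termination.\nTo avoid service interruption Click Here "
           "to avoid services interruption")
# Constructed benign message, for contrast.
BENIGN = ("Nationwide", "Your statement is ready",
          "Dear Ms A. Example,\nYour monthly statement is now available in online banking.")

if __name__ == "__main__":
    for msg in (HALIFAX, NATWEST, BENIGN):
        print(msg[1], "->", indicators(*msg))
```

These checks flag messages for a closer look; a message that trips none of them is not thereby shown to be legitimate.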

We’ll text you when we’ve robbed you

The next one is kind of interesting because it offers a service. But not the one you might think that it’s offering.

Valued Customer,

Your NatWest Credit Card is designed to help keep you safe

Receive alerts when we spot a suspicious transaction

Sometimes we spot what looks like a fraudulent transaction on your credit card – so to make sure, we’ll call you and check. Better still, why not join our free fraud text alert service?

It’s just another way we’re working to keep your card and your money safe.

To sign-up for this service, simply click fraud text alert services.

And we’ll simply steal your credentials.

Enter the Terminator

And finally one that bolsters the notification of ‘service update’ with a threat to terminate the account, if the victim doesn’t respond immediately:

At NatWest Card Services, we take the job of protecting our customers seriously,
So for your protection we are proactively notifying you of this activity.

Starting from November 13 2013, NatWest Card Services introduces new authentication procedures in order to better protect private information of our account holders.

Please note that accounts that are not reviewed within 48 hrs are subject to termination.

To avoid service interruption Click Here to avoid services interruption

Thank You.
NatWest Card Services.

So. No pressure then. Now things are starting to get much more overtly threatening, as we’ll see in the final blog in this series.

ESET Senior Research Fellow


Author David Harley, ESET


Copyright © 2017 ESET, All Rights Reserved.