A scary new twist on phishing
I'm now getting phishing emails from an address that used to be a legitimate NatWest address.
I got a phishing email in my Hotmail account this morning. It purportedly came from my bank - NatWest.
There was nothing particularly unusual in the email. Standard stuff.
The message said that “Security machinery at National Westminster Bank has been upgraded… all customers are required to update their account information.”
I was then invited to click on a link and give the fraudsters all my bank details.
But there was one thing about the email that did surprise me. It came into my normal inbox, not my 'junk mail'. So I knew that I had ticked a box in the past saying that this email address was known to me and messages from that address weren’t junk.
I then checked the email address on the phishing email. The address had been used in the past by NatWest to send me legitimate emails.
These legitimate messages were notifications that I’d changed my password for NatWest Secure. This is a password I’m sometimes asked for when I’m doing online transactions.
I find this a bit scary.
Yes, I’m aware that banks will never ask you for your PIN number, password or bank account number online. So I didn’t fall for this scam. In fact I sent the email to a NatWest/RBS email address for reporting phishing attempts - email@example.com. That could help NatWest take action on this.
However, I fear there are some people out there who will be conned. They might be a bit suspicious at first, but they could be persuaded by the fact that the email has come through to their main email inbox, and not junk mail.
I very much hope I’m wrong, but I reckon it’s the kind of trick that will work with some people. Make sure you stay vigilant!
UPDATE: NatWest tells me that 'spoofing' an email address is actually quite common. Fraudsters will often use someone else's email address to give their attempt at fraud more credibility. This isn't just limited to the banking sector. I guess this is just another thing to watch out for.