Today I received a phishing eMail, nothing unusual there... I get loads of them, but this one is a little more convincing than most for one reason: it contained my postal address (ok, one from many years ago, but nonetheless it proves that it was a lot more targeted than some).

The eMail

As usual the grammar and formatting are both terrible, so you'd be unlikely to believe this is from Lloyds Bank, but it seems many people do.

The usual fake urgency is a bit of a giveaway as well: "Please respond within the next hour to avoid a permanent block." Why?

So, let's respond ...

The website

This is actually constructed much better than the eMail, but geared towards mobile devices.

The URL started:
http://www.lloydsbank-online.co.uk.personal.login253.2324534634563454.com/

Many browsers will only show the start of this, and a lot of people won't notice the lack of a / at the end of the .co.uk, which means the .co.uk is just a subdomain label and the domain actually registered is the .com at the end.
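The check a mail or web filter would apply to that hostname, as an added example (not code from the original post): strip the URL down to the domain somebody actually registered and flag a brand name that appears only as a decoy run of labels in front of it. The public-suffix set and the brand list are assumptions constructed for the example.

```python
from typing import Dict, Optional
from urllib.parse import urlsplit

# Constructed for this example: a tiny stand-in for the Public Suffix List.
# A production check should load the full list from publicsuffix.org.
PUBLIC_SUFFIXES = {"com", "net", "org", "uk", "co.uk", "org.uk"}

# Assumed for the example: the brand domain(s) we want to protect. The bank's
# genuine domains should be looked up, not taken from this list.
BRAND_DOMAINS = {"lloydsbank-online.co.uk"}


def registrable_domain(host: str) -> str:
    """Return the part of the hostname that somebody actually registered.

    The longest matching public suffix plus one label, so that
    'foo.bar.co.uk' -> 'bar.co.uk' and 'a.b.co.uk.c.<x>.com' -> '<x>.com'.
    """
    labels = host.lower().rstrip(".").split(".")
    # Try the longest candidate suffix first (e.g. "co.uk" before "uk").
    for n in range(len(labels) - 1, 0, -1):
        if ".".join(labels[-n:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[-(n + 1):])
    return ".".join(labels[-2:])


def analyse_url(url: str) -> Dict[str, Optional[str]]:
    """Report the real registrable domain and any brand embedded as a decoy."""
    host = (urlsplit(url).hostname or "").lower()
    actual = registrable_domain(host)
    impersonates = None
    if actual not in BRAND_DOMAINS:
        # A brand that appears as a run of labels inside a hostname it does
        # not own is the tell: the ".co.uk" is not followed by "/", so it is
        # not the end of the hostname.
        for brand in BRAND_DOMAINS:
            if "." + brand + "." in "." + host + ".":
                impersonates = brand
                break
    return {"host": host, "registrable_domain": actual, "impersonates": impersonates}


if __name__ == "__main__":
    # The URL quoted in the post above.
    print(analyse_url("http://www.lloydsbank-online.co.uk.personal.login253.2324534634563454.com/"))
```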

The domain is hosted by GoDaddy who, seven hours after the initial report, have yet to respond and - at the time of writing - the website is still live.

First you're asked for your user ID and password, as you'd expect.

Then they also ask for:

  • Your Memorable Information
  • Your National Insurance number

Where this differs from most scams of this kind is the final page (which loses the branding a bit), which directs you to phone them:

Phone Scam

This number is provided by Voxbone. I reported this to them and whilst they 'thanked me for bringing it to their attention' almost immediately, it remained in service for many hours afterwards despite clearly having no legitimate purpose. I cannot help but wonder how many victims were reached in this time.

I called this number, expecting to reach a person, but instead was welcomed to 'Lloyds Bank' by a reasonably convincing (if clearly generated by a text-to-speech application) IVR that asked if I had a personal or business account.

After selecting a personal account they attempt to obtain:

  • Your account number, advising it's 8 characters
  • Your "long card number", i.e. the full 16-digit PAN, and they verify it's a valid number (using the Luhn algorithm, so the test numbers work)
  • The expiration date associated with the card
  • The "last three digits" (CVV) of the card
  • Your date of birth
  • Your mobile number
  • Your passport number (or driver's licence)
  • Your telephone banking PIN (advising it's a 6-digit number sent in the post)
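The Luhn check the IVR applies, as an added example (not code from the original post): it is only a checksum that catches typos, so it cannot tell a real card from a made-up one, which is why publicly documented test PANs pass it. The sample numbers are constructed for the example.

```python
def luhn_valid(pan: str) -> bool:
    """Return True if the digits of `pan` satisfy the Luhn checksum."""
    digits = [int(c) for c in pan if c.isdigit()]
    if len(digits) < 12:
        return False
    total = 0
    # Walk from the rightmost digit; double every second digit, and if the
    # doubled value has two digits, add them together (equivalent to -9).
    for position, digit in enumerate(reversed(digits)):
        if position % 2 == 1:
            digit *= 2
            if digit > 9:
                digit -= 9
        total += digit
    return total % 10 == 0


# Constructed inputs: a widely published Visa test PAN, and the same number
# with its last digit changed, which the check rejects.
TEST_PAN = "4111 1111 1111 1111"
ALTERED_PAN = "4111 1111 1111 1112"

if __name__ == "__main__":
    print(luhn_valid(TEST_PAN), luhn_valid(ALTERED_PAN))
```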

After this, the message indicates you will receive:

  • A text within 48 hours confirming your mobile number has been updated
  • A message immediately, containing a link you must follow to validate.

The latter is apparently the most important step to ensure maximum security.

You can listen to the full call (my responses are not audible, but you can assume that I provided something for each prompt).

SMS Scam(s)

I didn't provide a valid mobile number, so I don't know the content of these messages; however, I expect one of a few things, one of which is quite a scary proposition:

It is possible the real Lloyds Bank sends a text message to verify a change of mobile number; I don't bank with them so can't confirm this. If this is the case, it is possible the scammer will use the details the victim has provided to generate a 'real' request to change the mobile number, which the scammer forwards on to the mobile number the victim provided; the victim dutifully clicks the real link, effectively handing control of their account to someone else.

If the bank then sends a message to the original number advising that there has been a change (a relatively common safeguard), the victim will be expecting this (within 48 hours) and so will ignore it.

Another possibility is that the message with instructions to validate is simply an opt-in to some reverse-charge premium SMS service, to allow them to extort even more from the victim.

Summary

In short, never trust an eMail that appears to be from your bank: it almost certainly is not, and if in any doubt phone the bank.

Banks should make this clearer, print a customer services number (not just a lost/stolen number) on the back of all their cards, and encourage their customers to only ever use this number to call, as it's the one thing you can be sure has not been tampered with.

I expect a lot of people will fall for an IVR like this; even if you get suspicious later in the call, they've already gathered a lot of sensitive information.

(in)Action

I'm also very disappointed by both GoDaddy and Voxbone in taking action to shut this down; in a clear-cut case such as this the service should be shut down immediately. I'd also be very curious to know the SIP endpoint of that IVR!

Voice companies can do more to protect consumers against this sort of fraud. I'm biased, but at Simwood we often divert the caller to a message stating that the number has been used in connection with nefarious activity and the caller or the person who gave them the number should not be trusted.

That sort of announcement might make people think about what they've just provided, and proactively contact their bank to let them know they may have been the victim of a scam, potentially before the scammer gets away with anything.

Past experience suggests reporting such things to ActionFraud is relatively pointless, as they tend to only act when money is actually lost and, frankly, I'm not quite that stupid.