LONDON (10/27/2003) - Banks and building societies should be doing more to educate their customers on the dangers of hoax emails, according to experts.
Over the past few months a raft of spoof emails have been circulated to email users purporting to be from high street banks, including LloydsTSB Bank plc, Nationwide and now Halifax.
The emails provide a fake uniform resource locator (URL) which, to the untrained eye, appears to belong to one of the major U.K. banks. The recipient is advised to click on this link to verify his or her email address, and the site then asks for the user's customer number, password and memorable data: all the information needed to access that person's bank account.
But according to Pete Simpson, ThreatLab Manager at email filtering specialist Clearswift Ltd., banks simply aren't doing enough to alert users to the existence of fake emails. In fact, according to Simpson, it is only since the hoax became a major problem that banks have taken action.
"There should be a prominent URL on bank home pages alerting users to the hoax mails and a dedicated helpline where users can go for advice," he said.
After being made aware of the bogus email on Saturday, Halifax closed its internet site completely.
"In the interests of the security of our customers we have temporarily closed the online service in order that we can communicate the issue to online customers and make improvements in the service to further safeguard online accounts. Please note that we would never send you emails that ask for confidential or personal security information," said an email sent out to customers. The bank confirmed it would reopen the site later today.
The latest batch of emails masquerading as security messages from Halifax and Nationwide have been traced back to an inbox in Russia. But other emails, which have circulated through the U.S. and Australia, bear similarities to Nigerian email scams that have been prevalent for some years.
The hoax emails work on a double-tiered basis. Firstly, the fraudsters send out emails in various forms, duping people into handing over bank details. A second batch of emails is then deployed, this time offering people the chance to make a little money by acting as an agent for a foreign company.
Once the recipient has agreed, they are asked to hand over their bank details to transfer a sum of money less commission. Their bank account is then used to transfer the stolen money acquired from the first batch of email recipients to overseas accounts.
The emails are simply part of a mass mail-out and the banks were quick to confirm that none of their customers' details had been acquired through them. The chances of a customer actually receiving an email and being duped by it are therefore extremely small.
The U.K. National High-Tech Crime Unit has provided a list of tips for staying safe online. These include:
Keep password and personal identification number (PIN) information secret. Be wary of disclosing any personal information to someone you don't know and remember that neither your bank nor the police would contact you and ask you to disclose PINs or password information.
Know who you're dealing with. Always access internet banking by typing the bank's address into your web browser. Never go to a website from a link in an email and enter personal details. If in doubt, contact the bank separately on its usual number.
Keep hold of your cash. Don't be conned by convincing emails offering you the chance to make easy money. If it looks too good to be true, it probably is.