Lloyds TSB - Hacking Alert!

sweetsoul

Hi
Hope this is the right place to post this but just had call from SIL to advise me to beware of Lloyds TSB. It appears that somebody has created a duplicate site that you enter all of your personal details onto as you would when using online banking. The upshot is that they have taken a £30k loan out in my SIL's name and have access to all of her personal data! She's quite computer savvy so it must look genuine. TSB has now frozen all of her accounts but luckily she has an account at another bank she can access.

Just wanted to alert Lloyds TSB customers that this has happened so to avoid the stress that my SIL is going through trying to solve this mess.

lpgm

Oh... sister-in-law! I think.

isofa

Unfortunately your sister has fell victim to a phishing scam... you receive an email that "looks" genuine, you click a link in the email, which actually takes you to a similar site address, but not the correct one, the scammers make the site look the same, you enter your details, they steal them.

(The link might read www.lloydstsb.com in the email, but the link is coded underneath to route you to another site - this is very easy to do in an HTML email, not the official one - if you have technical knowledge, they are normally easy to spot, but can look very accurate.) Always look at what the address is in the bar of the browser too.

It happens all the time, they target all different banks constantly, then send emails out to millions of addresses, in the hope someone with an account at that bank will be conned into clicking and entering the details - so you must watch out.

Never, ever click on links in emails to reply / respond with personal details / bank information. In fact it's good practice to have all these disabled.

A bank will never ask you to login via a e-mail, it will never ask for your details or bank info in an email, if you ever suspect anything, ring the bank up and ask first, BEFORE you click and do something which you may regret!

Only ever load your bank (or any other secure website) from the address you know, or type it in manually, in this case: www.lloydstsb.com

dunstonh

There are emails like this going out daily by the bucket load. They are usually easy to spot by those that are internet savvy. American grammar/spelling. Images taken from the home page. Not personalised. Email address not yours in the "to" box, website address shown on in the email doesnt belong to the bank (the shown address does but the real link isnt, many email programs show the incorrect link when you hover over it). Plus, most of the message is the same with multipe banks with just the bank name changed and the image changed.

Some of the spelling and grammar on these phishing emails is just plain awful. Any decent spam checker and some virus checkers automatically mark these message as spam.

Lloyds frequently run messages on their internet banking website saying they never send out emails to individuals requesting they login anywhere and that any such email is likely to be fraudulent.

dag_2

I must admit I tend to rely on the search engines to find the front page of internet banking web sites. Obviously that's not as bad as clicking on a link in an email, but I guess it's still possible for link spammers to push bogus banking sites up in the search engine rankings.

Then again, even if someone does manage to get a bogus banking site ranked highly in the search engines, it's still easier to spot bogus sites in search engine listings than in phishing emails.

Of course, even if you do put the name of the bank's web site directly into the browser's address bar, that's still no guarantee that you won't get a phishing site. See the Register's article on DNS cache poisoning.

Digital certificates reduce this risk somewhat. However, the process of verifying digital certificates itself depends on using the DNS system to look up the certifying authorities, meaning that the same cache poisoning bug can theoretically be used to issue fake SSL certificates.

But I don't think it's realistic to expect people to give up on using domain names, and use only IP addresses instead.

So I agree with isofa; never assume that a link in an email is legit. Although corrupt DNS records are a problem, it's still nowhere near as easy to corrupt DNS records as it is to create fake emails, and fake bank web sites on obfuscated URL's that you hope no-one will notice.

baby_boomer

Sorry to hear of your sister's problems.

sweetsoul wrote: »

It appears that somebody has created a duplicate site that you enter all of your personal details onto as you would when using online banking.

Lloyds aren't that daft.

You don't enter all the necessary details when you use their online banking site.

Did your sister enter all of her memorable information? Lloyds tell you they will never ask for all of it.

ukmike

I get these every week,i used to forward them on to Lloydstsb - emailscams@lloydstsb.co.uk as requested on their website,but as they don't have the manners to even reply,i've stopped doing it.Even the likes of Ebay & Paypal reply thanking you-& they close the fake site down quickly,something Lloydstsb don't.

dag_2

There are emails like this going out daily by the bucket load. They are usually easy to spot by those that are internet savvy.

That is indeed true, however, it's not a question of sifting the legit emails from the bogus ones.

If people believe it's simply a matter of sifting the genuine emails from the bogus ones, then the result is that phishing emails will get progressively more and more convincing and "realistic" as time goes by.

The point is, though, that email is inherently insecure. It's ridiculously easy to send an email that passes yourself off as someone else. Banks will never rely on you to respond to anything sent to you in an email with security information.

The simple rule of thumb is this: if it's in an email message, it's bogus. There is no such thing as a "genuine" email from a bank.

That's not to say that banks don't sometimes send marketing material by email; they do. But the point is, you should never put yourself in a position such that it actually matters whether an email sent to you by a bank is legitimate or not. Contact the bank directly if you ever have any query, and never rely on the email message to connect you to your bank.

If people stick to this principle, then the sleuthing work of sifting genuine bank emails from bogus ones simply isn't necessary. This isn't "innocent until proven guilty" - it's not even "guilty until proven innocent". It's "guilty even if proven innocent." The principle of "guilty even if proven innocent" is really the only safe way to deal with emails from banks.

sweetsoul

Don't know the exact route they took but suspect it was via the technique you guys have mentioned. I'll find out more when they've calmed down a bit! But thanks for the info will check it out.

Hungerdunger

It's a shame your SiL didn't look more closely at Lloyds website (the real one) where she would have found:

Protecting yourself against phishing

Don’t be fooled. Emails and websites might not be what they seem.

• You may receive emails or be directed to websites that ask you to enter your personal information. The aim of many of these email scams is to take you to websites that may look like the lloydstsb.com site but are in fact ‘spoof’ web sites. When you click on a link or enter your personal details, the information is sent to someone other than your bank or other service providers. You thought you were safe, but someone else now has access to your accounts.
• Don’t be fooled. Lloyds TSB may email you from time to time, but will never send you an email asking you to enter your Internet banking details either through an email or a website. For a quick way to tell if an email is genuine, check for your name at the top of the email. We know who you are so we’ll always greet you personally, but fraudsters are unlikely to know your name.
• If you receive an email that asks for your personal information, do not click on any link or provide any Internet banking or telephone banking log on details. Please forward suspicious emails that ask for your personal information to [EMAIL="emailscams@lloydstsb.co.uk"]emailscams@lloydstsb.co.uk[/EMAIL] and then delete it from your inbox without responding.
• Protect yourself and your computer by having up-to-date anti-virus software, operating systems and firewalls.

baby_boomer

Or as it says in a bold banner when you log on - before you get to your accounts - so you can't possibly miss it.

Never share your User ID, password or memorable information with anyone.
• We will never email you asking you to provide this information or redirecting you to a website that does.
• If you receive an email asking you for this information it will be fraudulent. If you are in any doubt do not respond.
• Any email we send you will always greet you personally and quote the last four digits of your current account.
• Under no circumstances will we ask you to disclose all characters from your memorable information in one go.