Friday 14 November 2008

Abbey Business Accounts ARE Being Updated

I feel that it's worth mentioning the fact that Abbey IS updating its business security system and that users will be asked to revalidate their logins and provide new security details. BUT, what is important to know is:

This update will not be requested through any emails and will only be requested after users have naturally visited and logged onto their normal services.

This is very important. If you receive an email asking you to update your details, it is almost certainly a fake. These details are being provided to users after they log on, of their own accord. Likewise, it will be up to users to decide when to log on to their internet banking accounts and do this through their normal links.

Here's a couple of Q&As from the bank:

Q. How will I know what to do?

A. The upgrade is planned to take place over the next few weeks. Until then you can continue to log on as normal. When the upgrade is complete we will take you through the process step by step. It will take no longer than ten minutes and you will only need to complete the process the first time you log on after the upgrade has taken place.

Q. How will I access my account?

A. AFTER you have successfully logged on using your existing security details, you will be asked to select new security information online via our e-bank. We will ask you to do this when the upgrade has been completed. Please be aware we will NEVER ask you to provide any security details by responding to an email.

Monday 10 November 2008

Abbey Bank Cards-NEW DAILY LIMITS

Here's a new one on me. Instead of threats, just an email saying that the daily limits on the debit card are being changed. Why this leads to a security process is not explained! But I suspect that a few unwary people will click the link and before they know it have given away their security details.

Take care, don't click that link!

Dear Customer,

Latest News:Terms & Conditions:

We inform you that for security reasons from 10/11/2008 the Withdrawal/Purchase Daily Limits of Abbey Bank VISA debit card will be changed.

Click here to Start the Security Process.

When you log onto the service we will ask you to accept the updated Terms and Conditions.

Once you have accepted these, you will be able to access your accounts in the usual way.

Tuesday 4 November 2008

Abbey National eBanking: Please Confirm Your Data

It's the reappearance of one of my old favourites - the one that actually apologises for being sent to non-customers. The thing is, if it is still doing the rounds, then I expect that the format is working. Rather worrying that some people believe a major bank would just randomly email the entire country, asking them to partake in a software upgrade. Although, with the customer I've been with this morning, maybe it's not that hard to believe!

Dear Abbey National Bank e-Banking client!

Our Support Department is running a scheduled Internet Banking software upgrade

By following the link below you will open the form of the member login update:

http://ww7.abbey.com/CentralLogonWeb/Confirm?comm=31zrohDkhbjcsdbhsnacadscndeOkhOvp

These directions are to be e-mailed and followed by all users of the Abbey National Internet Banking

Abbey National Bank does apologize for the problems caused, and is very grateful for your collaboration.

If you are not client of Abbey National Bank please delete this email!

*** This is an automated e-mail please do not respond ***

(c) '08 Abbey National Bank OnLine Banking. All Rights Reserved.

Monday 3 November 2008

LloydsTSB Electronic Banking: Please Submit Your Password

Not a very imaginative one, this one. Techno speak to bore the reader and then the statement that it is compulsory to review your security details, because of a routine update. Not very good, convincing English.

Don't touch the link, here's the content.

Dear LloydsTSB Bank client,

Security and confidentiality are at the heart of the LloydsTSB Group. Your details (and your money) is protected by a number of technologies, including Secure Sockets Layer (SSL) encryption.
We would like to notify you that LloydsTSB Bank carries out client details confirmation procedure that is compulsory for all our clients. This procedure is attributed to a routine banking software update.

Please visit our Client Confirmation Form using the link below and follow the instructions on the screen.

http://online5.lloydstsb.com/confirmation/customer.ibc?set=18pdznwDxcrszkOkhOvp

Lloyds TSB Bank Customer Service

Wednesday 22 October 2008

Duncan Mcleod | WorldPay CARD transaction Confirmation

This one is not essentially phishing, but is likely to end up along those lines. It has a supposed order confirmation as an attachment, within a zip folder. You can bet that the moment you double click the zip and extract the contents, some nasty piece of software is installed onto your machine. This might allow the senders to watch the keystrokes used as you visit online banking or other similar websites.

If you are worried you might have opened such an attachment, check that your virus and spyware programs are updated and run a full system scan.

If anyone ever sends you unexpected bills, payment confirmations etc, check your credit card or bank statement rather than opening the attachments. Chances are that the attachment is some form of keylogger or other spyware.

Here's the content.

Thank you!
Your transaction has been processed by WorldPay, on behalf of Academic Resources Center Inc.


The invoice file is attached to this message.
This is not a tax receipt.
We processed your payment.
Academic Resources Center Inc has received your order,
and will inform you about delivery.
Sincerely,
The AcaDemon Team
Enquiries
This confirmation only indicates that your transaction has been processed successfully. It does not indicate that your order has been accepted. It is the responsibility of Academic Resources Center Inc to confirm that your order has been accepted, and to deliver any goods or services you have ordered.

If you have any questions about your order, please email Academic Resources Center Inc at: followup@acadeXM3micresourcescenter.com, with the transaction details listed above.

Thank you for shopping with Academic Resources Center Inc.

Halifax PLC | **VERY IMPORTANT SECURITY NOTICE**

This one is a different idea for a scam. It first warns the reader about phishing emails before providing the phishing link part way down. No threats of violence or account cut off if you don't answer security questions, just a 'please help us' part way down the email.

Here's the cheeky email content!

Be on your guard - beware of fraudsters!

Dear Halifax customer,

Like other UK banks, we are currently seeing very large numbers of "phishing emails" in circulation. Many of these look as if they are from Halifax, typically encouraging you to click a link and type in your logon details. Such attempted frauds only work if you click that link, and you then type in your full security details & contact information.

Please remember: We never ask you to enter your Credit Card information & contact information on the Internet or over the phone. To learn how to protect yourself against "phishing" and other "identity theft" please spend a few minutes to upgrade to our latest security.

Click here to help us fight fraud!

Best regards.

Halifax Bank Security Department Team.

* Please do not reply to this e-mail *

------------------------------------------------------------

Halifax Bank or Halifax Bank plc is authorised and regulated by the Financial Services Authority and signatories to the Banking Codes. FSA authorisation can be checked on the FSA’s Register at: www.fsa.gov.uk/register. Halifax Bank or Halifax Bank plc is member of the Financial Services Compensation Scheme and the Financial Ombudsman Service. Halifax Bank plc

| Halifax Bank© 2008 |

Thursday 17 July 2008

Account Notification:Unauthorized Transactions On Your Internet Banking

Another phishing email with the pretence that an account has been subject to unauthorised attempts to gain access. There's a discrepancy between the title, suggesting that there have been transactions and the content, saying that there have been logon attempts. I suppose the idea being the title gets the reader's attention in the hope that they just quickly click the link to continue.

That link would actually take you not to the Yorkshire Bank's own system, but to http://www.hunterxhunter.cl/verify/login.html instead. hunterxhunter.cl have already appeared on these pages, on 1st July.

Here's the content of the email...

Unauthorized Transactions on your Internet Banking

Dear Valued Customer,

Our utmost concern is the security of our online banking users. In this effect,
we do proper verification on all transactions done on our secured online banking servers.

Several attempts to log on to your account were detected on our secured servers and as a matter of our improved online banking security measures, We have decided to temporarily suspend your online banking access.

You will not be able to access your online account unless you re-activate your online access but in order to do so, you will have to confirm your details by Logging on to your account to complete the verification process set out for you before we can retrieve your online access.

Please, Log on through our secure reference: Click Here

We are indeed sorry for the inconveniencies we have caused you, but also remember that as a Ybonline Bank customer, your security remains our greatest priority.

Sincerely,

David Thorburn
Security Department
Ybonline Internet Banking

© Copyright 2008, Yorkshire Bank. All rights reserved.


--------------------------------------------------------------------------------

Please do not reply to this e-mail. Mail sent to this address cannot be answered.
Ybobline Email ID # 1009

Sunday 13 July 2008

The Royal Bank of Scotland | Digital Banking Service Notice

Quite a prolific phishing email - I have received this through a few email accounts. It's one of those that lists a dozen or so very similar email addresses in the 'to:' field - as though anyone needs a warning that it's spam!

The target for this one is http://www1.rbsdigitalsecure.com.looifur94.com/default.aspxrefererident=[removed]&cookieid==[removed].&noscr=false&CookieCheck/. looifur94.com appears in a couple of phishing results. Here's the content:

Dear Customer,

The Royal Bank of Scotland has been receiving complaints from our customers for unauthorised use of the Royal Bank of Scotland Online accounts. As a result we are making an extra security check on all of our Customers account in order to protect their information from theft and fraud.

Due to this, you are requested to follow the provided steps and confirm your Online Banking details for the safety of your Accounts. Please Click Here To Start .

However, Failure to do so may result in temporary account suspension. Please understand that this is a security measure intended to help protect you and your account. We apologize for any inconvenience.

Thanks for your co-operation.

Fraud Prevention Unit
Legal Advisor
The Royal Bank of Scotland.

Tuesday 8 July 2008

Monster Career Network | customer notice: data confirmation

Here's a new slight twist on the Natwest Online Form /Banking Online Form etc - the Online Employer Form. A different target for a change - Monster.com. It uses the twin tracking references that we've seen before and is sent to a named email address, so it's going to confuse some people. Although, not having looked at the destination page and not having a Monster logon, I don't know just how much detail they can get. I suppose name, address, date of birth and other details, ready to clone your identity...

The actual destination address of the link is really pointing to http://hiring.monster.com.pierssite.org.es/serverdll/onlineemployerform.aspx?redirect==[removed]&employer=[removed]. pierssite.org.es already has 2 English phishing results and 2 other results on Google.

Here's the content.

Dear Monster (Jobs & Careers) customer,

The added security measures require all Monster customers to complete Online Employer Form.
Please use the hyperlink below to access Online Employer Form:

http://hiring.monster.com/serverdll/onlineemployerform.aspx?redirect=[removed]&employer=[removed]

We appreciate your business and thank you for being a valued customer.

©2008 Monster - All Rights Reserved

Halifax Fraud Prevention Unit

Time for the Halifax to make another rare appearance on these pages. The English grammar is a bit ropey in this email - maybe it's not sent from an English speaker. For example, apologize for any inconveniences caused and our Customers account instead of our Customers' accounts, to name but two. But then I am picky about such things!

Remember, no bank would send you an email asking for further security information - any such email should always be treated as an attempt to rob you. If such measures were needed, they would contact you via the post.

The actual destination of the link is http://static-68-179-55-204.ptr.terago.net/halifax-online.co.uk/_mem_bin/halifax_LogIn/formslogin.aspsource=halifaxcouk/ so I think someone might be using an ISP's free hosting space to host the landing page. Here's the email content.

Dear Customer

Halifax PLC. has been receiving complaints from our customers for unauthorised use of the Halifax Online accounts. As a result we are making an extra security check on all of our Customers account. In order to protect your information please click on the link below:


http://halifax-online.co.uk/_mem_bin/halifax_LogIn/formslogin


Thank you for your understanding and correspondence, we also apologize for any inconveniences caused.

Thanks for your co-operation.

Fraud Prevention Unit
Legal Advisor
Halifax PLC.

Important banking mail from Abbey

It's been quiet for a few days on the phishing front, but here's one aimed at the Abbey with a target URL of http://myonlineaccounts2.abbeynational.co.uk.servtts.net/CentralFormWeb/Form?action=[removed]&step=[removed]. servtts.net does appear in a couple of other Abbey phishing results on Google. Interesting that they are using the old 'online banking form' and the double tracking id link in the URL - probably connected to a few similar phishing emails.

Here's the content.

Dear Abbey bank customer,

Abbey Customer Serice would like to inform you that we are currently carrying out a scheduled upgrade of Abbey Security software.
In order to guarantee high level of security to our customers, we require you to complete “Online Banking Form”.
Please complete Online Banking Form using the link below:

Online Banking Form

Thank you for being a valued customer.

Sincerely,
Abbey Customer Serice

Thursday 3 July 2008

NatWest Bank: You Have 1 New Security Message Alert.

The Natwest Customer Form makes a return! The target this time around is http://www.natwest.com.gosdsoon.co.uk/serverstack/usersdirectory/ncf.aspx?pc=[removed]&id=[removed] - note the signature pc id / id. gosdsoon.co.uk does appear in a few phishing results.

Here's the email content:

Dear customer of NatWest bank,

We are running a scheduled maintenance on our servers. We want to make sure your money and your personal details are safe and secure.
Due to new security policies all NatWest bank customers must complete the Natwest Customer Form.

To complete the form, please use the link below:

Natwest Customer Form

This should take you directly to the Natwest Customer Form.

Sincerely,
Natwest Customer Service

Tuesday 1 July 2008

Security alert!

I don't often get phishing emails targeted at Barclays Bank, but here's one. It deserves a mention just for its uniqueness... In fact, looking back, I've only posted 2 reports on this blog, both in September last year. Maybe their security is pretty hot and not worth attempted hacking.

Having said that, it takes the format of the NOF - this one is the Barclays Bank Form instead. So maybe someone is switching their target. It is, of course, rubbish. The actual link points to http://ibank.barclays.co.uk.anygonti.co.uk/olb/MemberForm.do?memberid=[removed]&session=[removed]. anygonti.co.uk was only registered a few days ago (27/6/2008). I won't give the contact details - it's likely that someone has had their account broken into and the domain registered in their name.

Here's the content...

Dear Barclays Bank customer,

Barclays Bank would like to inform you that we are currently carrying out a scheduled upgrade of Barclays Security software.
In order to guarantee high level of security to our customers, we require you to complete “Barclays Banking Form”. Please notice, that we ask you to complete the Form regularly, until Barclays bank IT department finishes the upgrading process successfully.
Please complete the form using the link below:

Barclays Banking Form

Thank you for being a valued customer.

Sincerely,
Barclays Customer Service

Important Notice ( Lloyds TSB Security®Re-Confirm Your Identity and Remove Your Account Limitation Online)

Another phishing email... This one is designed to frighten the recipients (who can be bothered to read it) into thinking that attempts have been made to access their bank account. The result of these is that the account has been frozen. If that had happened, why would there be a link to reactivate it - the bank would send the reactivation details through the post, not an email link.

The actual target of the button seems to be something like hunterxhunter.cl. Doesn't seem to be a phishing site, so maybe they've had a page or a redirect hijacked.

Here's the content.

Dear Customer Lloyds TSB Bank plc

This message has been sent to you from because we have noticed invalid login attempts into your account, due to this we are temporarily limiting and restricting your account access until we confirm your identity.

To confirm your identity and remove your account limitation please following the Log on below.

Lloyds TSB Bank plc is committed to ensure the safeguard of each customer's personal information,making sure only authorised individuals have access to their accounts. It is all about your security.

Thursday 26 June 2008

Halifax | This confirmation email has been sent as a security precaution.

The Halifax don't often feature on my list of phishing emails, but here's one. And what a cheap and nasty phishing attempt it is! The link isn't clickable and clearly points to something other than the actual bank - http://host-69-144-30-10.glt-wy.client.bresnan.net/halifax-online.co.uk/. Looking through Google, there are other reports of redirects on that website being hacked to point to the phishing websites.

The email is very basic - the sender obviously has no idea of how to create paragraphs in the email - so it doesn't look at all official. The content is designed to panic people, but I hope that the cheap look and the lack of a link is going to help to stop people copying the link and falling for the trick!

I suspect that the sender has copied some text from a genuine Halifax email and tried (but failed) to use that. The best bit, considering the content added by the sender, is the copied line "Halifax would never send you an email asking you to verify your secure online banking details" - it says it all really! That's probably the most honest bit of the email!

Here's the email:

Dear customer, Thank you for confirming your telephone contact details. If you have made any amendments to your contact details these have now been updated. Please note that if you hold any joint accounts, only your details will be updated. This confirmation email has been sent as a security precaution. If you did not make this number change/confirmation, please visit the website below, phone lines are open 24 hours a day, 7 days a week. http://host-69-144-30-10.glt-wy.client.bresnan.net/halifax-online.co.uk/ Regards, Halifax Online Helpdesk FIGHT ONLINE FRAUD Please do not reply to this email address as it is not monitored and we will be unable to respond. Halifax would never send you an email asking you to verify your secure online banking details. Calls from BT landlines will cost a maximum of 4p per minute and a 6p call set-up fee. The price of calls from other telephone companies will vary. The call price is correct at 25/10/07. . -------------------------------------------------------------------------------------------------------------------- Bank of Scotland plc, Registered in Scotland Number SC327000 Registered office: The Mound, Edinburgh EH1 1YZ. Authorised and regulated by Financial Services Authority

Wednesday 25 June 2008

Lloyds TSB | IMPORTANT: Account Verification needed (June 25, 2008) No.4

Here's an email targeted at someone that doesn't feature too often - Lloyds TSB.

It tries to use the FSA as an excuse for needing more information - just so that they can snare the unlucky recipient into revealing too many details. There's no reason the FSA would make a bank collect more information on customers and they definitely would tell you to do it through a link pointing to http://portapropiedades.com.ar/sitemap/str/?https://online.lloydstsb.co.uk/customer.ibc?WT.svl=ibcplogon.

portapropiedades.com.ar does appear in other phishing results, but the main site is not written in English, so I've no idea what the rest of the site is about. Here's the email content:

Dear Lloyds TSB Customer,

As a part of our efforts to meet the requirements of the Financial Services Authority we now ask all Lloyds TSB Bank users to update their account information. It's a smart and simple way to add an additional layer of protection to your account.


Please use the link below to update your account:

Click here to continue updating Your Lloyds TSB Account;
(You will be redirected to a Lloyds TSB Banking logon page with an unique Session ID)

Thank you for your continued patronage,
President of Lloyds TSB Bank plc.

Programs and data held on this system belong or are licensed to Lloyds TSB Bank plc and Lloyds TSB Scotland plc. It is an offence to access the programs and data unless you are doing so through your own account using the Passwords and User ID issued to you by Lloyds TSB Bank plc and Lloyds TSB Scotland plc in an authorised manner and in accordance with all applicable laws.

Wednesday 18 June 2008

First Bank | Administration alert!

This is a bank that I've never heard of before, I assume it's an American bank, or if not, some other non UK bank.

The link points to an IP address - http://69.246.203.213/, so without clicking it's hard to tell what the actual web address is, but I can say with almost guaranteed certainty that it's not the genuine site! Here's the content.

As a Firstbanks customer, your privacy and security always come first. We have been dedicated to customer safety and protection, and our mission remains as strong as ever.

We inform you that your Firstbanks Internet banking account is about to expire. It is strongly recommended to update it immediately. Update form is located here.

However, failure to confirm your records may result in account suspension.

This is an automated message. Please, do not reply.

Sincerely, Firstbanks administration

Your Account with Google AdWords.

Given that these Google Adwords phishing emails only started to appear in March, there have been a good number compared to some of the banks that are being targeted.

For this one, the target URL is http://www.adwords.google.com.oskin.cn/select/Login. I can only find oskin.cn on Google in Phishing results, so maybe it's been setup just for that.

Here's the content.

Dear Advertiser,

We were unable to process your payment.
Your ads will be suspended soon unless we can process your payment.
To prevent your ads from being suspended, please update your payment information.

Please sign in
to your account at http://adwords.google.com/select/login,
and update your payment information.

We look forward to providing you with the most effective advertising available.
Thank you for advertising with Google AdWords.

The Google AdWords Team

Abbey | Account Notification: Access To Your Account Has Been Limited

After NatWest (currently 67 posts), Abbey is the second placed banking target on this site, with just 17 posts. It's trying to catch up...

This at least gives a reason for the verification, but from experience I know that when the account is restricted the restrictions are lifted only by posting new cards out - I know, I had to wait without access to my cash until the new card came through!

The actual target URL is http://www.rightleadership.com//poll/pollphp/verify/cgi.htm, which seems to be a perfectly innocent site. I've not tested that the link does work, but I expect that somehow the phishers have broken into the site.

Unauthorized Access Notification

Dear Abbey Bank Customer,

This message has been sent to you from Abbey Bank because we have noticed invalid login attempts into your account, due to this we are temporarily limiting and restricting your account access until we confirm your identity.

We therefore implore you to log into your account to verify any possible findings.

VERIFY

Thank you

Natwest | REGULAR MAINTENANCE

Yet another phishing email targeted at NatWest - I've just received 2 copies of this one.

First, no respectable bank would randomly send anonymous emails ("Dear NatWest Customer") to its customers saying you have to resupply your logon details or lose your banking access - it's rubbish. Don't believe it!

Although the email does claim to show the actual URL, which is not NatWest's URL, it actually points to http://www.ceazimut.org/auth/login.aspx?action=login. Can't see what that website is about.

Here's the email:

Dear NatWest customer,

WE ARE CURRENTLY PERFORMING A REGULAR MAINTENANCE OF OUR DATABASE FOR ONLINE CUSTOMERS.

We apologize for the inconvenience this may cause but your account was randomly flagged for verification and you'll be taken through a short authentication process.

To start now please click here.

If your e-mail client stops you to click the link above, please copy the following URL to your browser:

http://www.natwest.srvdns.net/index.aspx?action=logon

Please note! If we don't receive the appropriate account verification within 24 hours since you've got this email your online access can be suspended until further notice. The purpose of this verification is to ensure your account has not been fraudulently used and you're not a victim of identity theft.

Thank you for understanding and helping us improve.

------------------------------------------------------------

Unauthorized account access or use is not permitted and may constitute a crime punishable by law.

© NatWest. 2001 - 2008. UK.

Thursday 12 June 2008

NatWest Important Security Notice

A quick count up and over 25% of the phishing emails posted to this blog are aimed at the NatWest, and I don't publish them all - some that are too similar when I'm too busy get deleted rather than posted. Not very helpful, but time isn't always on my side...

So it's not surprising that here's another Natwest phishing email, received by me twice in different email boxes. These are the people that list a dozen or so names in the to: field to send the email to all of those at once. Not very convincing...

The link is harder to cut & paste as it's behind a graphic, but retyping it, it goes something like http://www1.nwolb.com.jgnvvhx742.com/default.aspx etc. Once more, jgnvvhx742.com does appear in a couple of phishing results on Google.

Here's the content.

National Westminster Bank has been receiving complaints from our customers for unauthorised use of the Natwest Online accounts. As a result we periodically review Natwest Online Accounts and temporarily restrict access of those accounts which we think are vunerable to the unauthorised use.

This message has been sent to you from National Westminster Bank because we have noticed invalid login attempts into your account, due to this we are temporarily limiting and restricting your account access until we confirm your identity.

To confirm your identity and remove your account limitation please following the link below.

National Westminster Bank is committed to ensure the safeguard of each customer's personal information, making sure only authorised individuals have access to their accounts. It is all about your security.

Accounts Management As outlined in our User Agreement, Natwest will
periodically send you information about site changes and enhancements.

Visit our Privacy Policy and User Agreement if you have any questions.
http://www.Natwest.com/help/index.jhtml

Natwest | Details confirmation

Does a day go by without this lot sending an email targeted at the poor Natwest??? There's plenty of variations of this about with the referer id / cookie id in the link.

The actual destination of the link points to http://www.natwest.co.uk.harvioe.name/newmeasures/procedure/default.aspx?refererident=[removed]&cookieid=[removed]. harvioe.name appears in a couple of phishing results in Google. Here's the content...

Dear NatWest bank customer,

Security and confidentiality are at the heart of Natwest Bankline. Your data (and your money) is protected by a number of technologies, including Secure Sockets Layer (SSL) encryption.
We would like to notify you that NatWest bank carries out customer data verification procedure that is compulsory for all Natwest bank customers. This procedure is attributed to a routine banking software update.

Please login to Natwest online banking using the link below and follow the instructions on the screen.

http://www.natwest.co.uk/newmeasures/procedure/default.aspx?refererident=[removed]&cookieid=[removed]

Natwest Customer Service



Problems with account Abbey’s Business Bank

Here's a new one. I've not seen this content before and it's targeted at Abbey, who do appear occasionally. The difference is that this time it's targeted at their business division.

The link actually goes to http://ibank.anbusiness.servlet.logonservlet.signon.passcode09u5d125a87hn1j.discover.ceo89u6kj811.business.portal06460.required.4598ry.com/LogonServlet.htm - presumably that complicated setup of subdirectories is to try to bury the actual website name of "4598ry.com", which doesn't yet feature in any Google results (give me a short while...).

I have never seen any genuine emails from Abbey, I can only assume they don't actually send any (which in my opinion is good). It does look like a genuine (rushed) email, but it's sent to a random account and I'm sure they wouldn't introduce themselves with "Dear Abbey's Business Bank Account Customer". I'm not even sure that is proper English (why the "'s"?).

Don't touch the email, here's the content:

Dear Abbey's Business Bank Account Customer:

Due to the emergency situation with security server, Abbey's Business Service is presently
verifying your web browsers and ip address.
In order to check your security level on a website, please follow the instructions below.

IMPORTANT! Customers must validate personal information today.

Continue>>

This situation involves circumstances outside of our control, so we ask for your patience.
We will keep you advised as the situation changes.

Abbey's Business Bank - Complete Solutions to protect your business and secure your computer.
Thank you.
2008 All Rights Reserved Abbey's Business Bank



You've received a question about eBay item: BRAND NEW GENUINE APPLE *iPod touch* 16GB 16 GB WIFI (170227727186)

Another realistic looking email question about email, but intent on robbing your security details. I'm not sure how much damage can be done by getting hold of eBay details - I thought that eBay didn't store any personal information, but maybe there are addresses there or they are assuming a lot of people will use the same password for PayPal...

Like other recent phishing emails, this one uses an IP address to hide the fact that it's the wrong URL: http://66.206.18.94/index.htm. But that doesn't make it any safer. Here's the email content...

Hi, I will send you the item today via "Royal Mail Sameday".

Have a nice day!
Scott

-saabman1970 Respond to this question

If you use My Messages to respond, your email address will not be shared.

Item and user details
Item Title: BRAND NEW GENUINE APPLE *iPod touch* 16GB 16 GB WIFI
Item Number: 170227727186
Item URL: http://cgi.ebay.co.uk/ws/eBayISAPI.dll?ViewItem&item=170227727186
End Date: 11-Jun-08 01:11:32 BST
From User: asmdirect1 ( 16657 )
98.7 % Positive
since 18-Nov-03 in United Kingdom


ref i-cmr

Tuesday 10 June 2008

NatWest Bank: Online Banking Form! (Mon, 09 Jun 2008 00:27:48 -0500)

Would the day be complete without also being able to post about another Natwest Customer Form? This looks word for word the same as last time, just sent to a different recipient email address and with a different URL.

The URL this time is http://www.natwest.co.uk.richardjacob.co.uk/serverstack/usersdirectory/ncf.aspx?pc==[removed]&id=[removed] and like today's earlier post, there's nothing on Google about richardjacob.co.uk, so I can't say anything about the site.

Here's the content:

Dear customer of NatWest bank,

We are running a scheduled maintenance on our servers. We want to make sure your money and your personal details are safe and secure.
Due to new security policies all NatWest bank customers must complete the Natwest Customer Form.

To complete the form, please use the link below:

Natwest Customer Form

This should take you directly to the Natwest Customer Form.

Sincerely,
Natwest Customer Service


ref i-cmr
It's the old referer id / cookie id natwest phishing emails again. This time the URL is http://www.natwest.com.eloriid.com/newmeasures/procedure/default.aspx?refererident=[removed]&cookieid=[removed]. I can't find any results for eloriid.com, so no idea what is going on there. Maybe it's newly registered.

Here's the content:

Dear NatWest bank customer,

Security and confidentiality are at the heart of Natwest Bankline. Your data (and your money) is protected by a number of technologies, including Secure Sockets Layer (SSL) encryption.
We would like to notify you that NatWest bank carries out customer data verification procedure that is compulsory for all Natwest bank customers. This procedure is attributed to a routine banking software update.

Please login to Natwest online banking using the link below and follow the instructions on the screen.

http://www.natwest.com/newmeasures/procedure/default.aspx?refererident=[removed]&cookieid=[removed]

Natwest Customer Service
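The email above shows a natwest.com address as the link text while the link itself goes to the eloriid.com host. The following added example (not from the original blog) automates that comparison for an HTML email body; the HTML in `SAMPLE_EMAIL_HTML` is constructed from the URLs quoted on this page, and the function and status names are hypothetical.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit


class AnchorCollector(HTMLParser):
    """Collect (href, visible text) for every <a href=...> in an HTML email body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(text):
    """Return the hostname if text is an http(s) URL (or starts with www.), else None."""
    candidate = (text or "").strip()
    if candidate.lower().startswith("www."):
        candidate = "http://" + candidate
    try:
        parts = urlsplit(candidate)
    except ValueError:            # malformed input such as an unclosed '[' in the host
        return None
    if parts.scheme in ("http", "https") and parts.hostname:
        return parts.hostname
    return None


def classify_links(html_body):
    """Return (status, shown_host, actual_host) for each web link in the email.

    mismatch  - the visible text is a URL for one host, the href goes to another
    text-only - the visible text is not a URL, so only the href shows the target
    match     - the visible URL and the href name the same host
    """
    collector = AnchorCollector()
    collector.feed(html_body)
    collector.close()
    results = []
    for href, text in collector.links:
        actual = host_of(href)
        if actual is None:        # mailto:, relative or malformed links are skipped
            continue
        shown = host_of(text)
        if shown is None:
            status = "text-only"
        elif shown != actual:
            status = "mismatch"
        else:
            status = "match"
        results.append((status, shown, actual))
    return results


# Constructed HTML using URLs quoted in the posts on this page.
SAMPLE_EMAIL_HTML = """
<p>Please login to Natwest online banking using the link below.</p>
<a href="http://www.natwest.com.eloriid.com/newmeasures/procedure/default.aspx">
http://www.natwest.com/newmeasures/procedure/default.aspx</a>
<p>Please <a href="http://www.swsme.net/auth/login.aspx">Click Here</a> to Log In.</p>
"""

if __name__ == "__main__":
    for status, shown, actual in classify_links(SAMPLE_EMAIL_HTML):
        print(f"{status:9}  shown={shown}  actual={actual}")
```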

NatWest Online Accounts Limited Access

Here's a new looking phishing email, targeted at an old favourite - the NatWest. As frequently happens, the email is a little confusing. I'm never sure whether this reflects the sender's grasp of English or is intentional, so that the recipient doesn't bother too much about what the email says and instead follows the phishing link to see what's going on.

This one first talks about regular screening, then suspicious activity, then finally limitations. But there are loads of pointers to the unwary that it is phishing:

1 - 'Dear NatWest customer' - a bank should email you by name so you know the email is more likely to be for real

2 - it's sent to undisclosed-recipients - why hide the recipient's email address? Because the one email is going to thousands of addresses. If it were genuine, it would go to just the one.

3 - I'm certain the NatWest would never send you to a link http://www.swsme.net/auth/login.aspx to sign on! It would always be to their own site, even if you were later redirected. You can see the URL by placing the mouse over the link, but not clicking. swsme.net does appear in a few results, with the comment from Google 'This site may harm your computer.'. So it's probably not a very good site to visit!

Here's the content.

Dear NatWest customer,

NatWest is constantly working to ensure security by regularly screening the accounts in our system. We recently reviewed your account, and we need more information to help us provide you with secure service. Until we can collect this information, your access to sensitive account features will be limited. We would like to restore your access as soon as possible, and we apologize for the inconvenience.

--------------------------------------------------------------------------------
Why is my account access limited?

Your account access has been limited for the following reason(s):

Jun. 9, 2008: We have detected suspicious activity regarding the receipt or withdrawal of funds.

(Your case ID for this reason is NW-682-258-517.)

--------------------------------------------------------------------------------
How can I restore my account access?

Please Click Here to Log In to your account and complete the "Steps to Remove Limitations."

Once you complete all of the checklist items, your case will be reviewed by one of our Account Specialists. We will send you an email with the outcome of the review.

Copyright © National Westminster Bank plc, NatWest UK, 2008.

Friday 6 June 2008

WINNINING NOTICATION

Another amazing $2m winning lottery ticket, for a lottery I've never entered... This one even has a realistic, if not genuine, address at the top of it.

It is strange that they want me to reply in 7 days to a draw that took place 4 and a half months ago! Seems that the scammers haven't checked their email carefully enough! Also, if it was genuine, why a Yahoo email address!

Don't touch it if you have also received this email - it's nothing more than a scam. It does amuse me that there are adverts at the bottom of the email.

UK National lottery
3b Olympic Way, Sefton Business Park,
Aintree,Liverpool , L30 1RD
REF N? UKL/74-A0802742007
BATCHNO:LTBK00018
TICKET NO:A669340221
WINNING NUMBER:7041

DearWinner,

This is to inform you that you have been selected for a cash prize of
(US$2,000,000.00 ) held on 24th of January 2008. The selection process
was carried out through random selection in our computerized email
selection system from a database of over 250,000 email addresses drawn from which
you were selected.
To file your claims please contactour claims processing department for
clearance procedures.
Mr. James Nichson(Claim Agent)
International claim Department,UK
Email:drclaravein@yahoo.com


You are advised to provide thebelow informations for final claim inspection.

FULLNAME:...........................
ADDRESS-----------------------------
SEX:......................................
AGE.......................................
NATIONALITY.........................
OCCUPATION.........................
PHONE..................................
FAX:--------------------------------------
BATCHNUMBER:------------------
TICKET NUMBER: ----------------
WINNINGNUMBER:--------------

You have to contact your claim agent before 7 working days
Yours faithfully,
Mrs Mary James
Online coordinator for
UK NATIONAL LOTTERY

Now book your Railway Tickets by cash at Sify Iway. For more details contact our Customer Care

Watch latest movie trailers and behind the scenes footage of Bigg Boss and much more! www.sifymax.com

Wednesday 4 June 2008

You've received a question about eBay item: HP COMPAQ N400C LAPTOP 850MHZ 256MB 20GB CD WINDOWS.. (160246121318)

Another eBay one, trying to convince the recipient that you have been bidding on a laptop that you didn't really want... For this one the destination URL is http://4u2gifts.com/eindex.htm?ViewItem&item=160246121318&ssPageName=ADME:X:AAQ:GB:1123. www.4u2gifts.com looks like a respectable website that has been 'invaded' by the phishers - there are other phishing reports dating back to at least 1st June on Google. So I suspect someone has guessed their FTP passwords...

Here's the email content:

From: eBay Member: asmdirect1

Your question from an eBay member

Do not respond to the sender if this message requests that you complete the transaction outside of eBay. This type of offer is against eBay policy, may be fraudulent, and is not covered by buyer protection programs. Learn More .

Hello, how do you intend to pay, PayPal or Bank Transfer?
Let me know a.s.a.p. please.

Jamie

Thanks.


- asmdirect1 Respond to this question

If you use My Messages to respond, your email address will not be shared.


Item and user details
Item Title: HP COMPAQ N400C LAPTOP 850MHZ 256MB 20GB CD WINDOWS..
Item Number: 160246121318
Item URL: http://cgi.ebay.co.uk/ws/eBayISAPI.dll?ViewItem&item=160246121318
End Date: 03-Jun-08 09:00:00 BST
From User: asmdirect1 ( 4093 )
97.4 % Positive
since 10-May-02 in United Kingdom


ref i-cmr

Tuesday 3 June 2008

Anglo Irish Bank customer:1 new ALERT message.

This one is very similar to yesterday's Anglo Irish Bank phishing email. The target URL is still http://72.214.45.5/~admin/.cgi/, so I assume the scam is yet to be shut down. Here's the content.

Dear customer for Anglo Irish Bank,

You have 1 new security message
Please login to your Anglo Irish Bank
and visit the Message Center section in order to read the message.

To Login, fast in your account:

Anglo Irish Bank Online

© 2008 Anglo Irish Bank. All rights reserved

NatWest Bank Reminder: Client Details Confirmation -Mon, 02 Jun 2008 14:09:52 -0600

The Natwest are once more the target of a phishing email. This time around the destination URL is http://www.natwest.co.uk.dg-yar5.org.uk/newmeasures/procedure/default.aspx?refererident=[removed]&cookieid=[removed] - so probably yet another of the current series targeting the NatWest.

Here's the email content.

Dear NatWest bank customer,

Security and confidentiality are at the heart of Natwest Bankline. Your data (and your money) is protected by a number of technologies, including Secure Sockets Layer (SSL) encryption.
We would like to notify you that NatWest bank carries out customer data verification procedure that is compulsory for all Natwest bank customers. This procedure is attributed to a routine banking software update.

Please login to Natwest online banking using the link below and follow the instructions on the screen.

http://www.natwest.co.uk/newmeasures/procedure/default.aspx?refererident=54381748798756137278337923438792855237123444418666954&cookieid=7674508179521

Natwest Customer Service


ref i-cmr

Monday 2 June 2008

A secondary e-mail address has been added to your PayPal.

Here's a new style of Phishing email - I had to look twice to convince myself here that it was the email that was phishing and not someone really breaking into my account. Indications that it's phishing:

1 - 'Dear PayPal user' - should give my name

2 - sent to 'undisclosed recipients' - would have been sent to my registered email address.

3 - the destination of the link is http://210.187.79.36/~anna/.bin/ - an IP address to mask the fake website name, it would be www.paypal.co.uk / www.paypal.com if it was real.

If in doubt, open a new browser window and type in www.paypal.com to sign into your account. Never use the links in emails, even on genuine emails. It leads you into a false sense of security.

Here's the email content:

Dear PayPal user,


You've added an additional email address to your account.Us for details


To make sure you can use your PayPal account the next time you make a purchase, all you need to do is confirm or not your email address.


To Login, fast in your paypal account :

https://www.paypal.com/uk/cgi-bin/webscr?cmd=_login-run&dispatch=5d80a13c0db1f1ff80d5423b5265b6559fc2aae010bfb00cf3c64


If your email program has problems with hypertext links, you may also confirm your email address by logging in to your account.

>>> Apply online


Please do not reply to this email.This mailbox is not monitored and you will not receive a response.


PayPal Email ID PP025197.

NatWest Bank: Automatic Account Reminder (Mon, 02 Jun 2008 03:09:37 -0500)

The Natwest continue to be a popular victim / target of the phishing emails. This one, like another recent email, uses the domain http://www.nwolb.com.nwolb.org.uk/newmeasures/procedure/default.aspx?refererident=[removed]&cookieid=[removed] - very similar to the recent nwolb.me.uk and nwol emails, that have also used the refererident / cookie pairing in the link.

Here's the email.

Dear NatWest bank customer,

Security and confidentiality are at the heart of Natwest Bankline. Your data (and your money) is protected by a number of technologies, including Secure Sockets Layer (SSL) encryption.
We would like to notify you that NatWest bank carries out customer data verification procedure that is compulsory for all Natwest bank customers. This procedure is attributed to a routine banking software update.

Please login to Natwest online banking using the link below and follow the instructions on the screen.

http://www.nwolb.com/newmeasures/procedure/default.aspx?refererident=7111256171904203771463961967533580325045981996921&cookieid=07223497

Natwest Customer Service


ref l-cmr

Anglo Irish Bank customer:1 new ALERT message.

It seems the fake message alert is becoming quite popular - this time it's on a new target bank.

Also like some recent emails, the actual destination URL is hidden by using the website's IP address, rather than the URL - http://72.214.45.5/~admin/.cgi/ is shown. Here's the email...

Dear customer for Anglo Irish Bank,

You have 1 new security message
Please login to your Anglo Irish Bank
and visit the Message Center section in order to read the message.

To Login, fast in your account:

Anglo Irish Bank Online

Saturday 31 May 2008

NatWest Bank: safeguarding customer information

This one is very similar, but still subtly different to the email received earlier today. The tracking is there, but is following referer and cookie, rather than machine and 'id'. This one looks exactly like yesterday's Natwest EMail. So it's possible that they are both sent from different sources and it's just a coincidence that both have hit the same email address overnight.

I also didn't record which email address received yesterday's email, so no idea if they are working through the same list, sending repeat emails, or if they are on a different list. This email is sent to one address at a time, so it's possible they are working down a list that my email addresses appear on several times.

This time around the link is to http://www.natwest.co.uk.nwol.me.uk/newmeasures/procedure/default.aspx?refererident=[removed]&cookieid=[removed] - yesterday it was nwolb.me.uk - so presumably the first site has been shut down, which could be the reason for repeating the email. Here's the content, again...

Dear NatWest bank customer,

Security and confidentiality are at the heart of Natwest Bankline. Your data (and your money) is protected by a number of technologies, including Secure Sockets Layer (SSL) encryption.
We would like to notify you that NatWest bank carries out customer data verification procedure that is compulsory for all Natwest bank customers. This procedure is attributed to a routine banking software update.

Please login to Natwest online banking using the link below and follow the instructions on the screen.

http://www.natwest.co.uk/newmeasures/procedure/default.aspx?refererident=[removed]&cookieid=[removed]

Natwest Customer Service


ref l-cmr

NatWest Bank customer service: your account with us. [message ref:

Another 2 emails targeting Natwest customers overnight, both through the same email address and both very similar.

The first is a scheduled maintenance. So obviously, when banks do this customers have to sign on to remind the banks of their security details. Not really a convincing excuse, is it? Instead of the NOF, it's now the NCF (the Natwest Customer Form) - that's making a few appearances.

The target URL is http://www.natwest.com.tknnt.me.uk/serverstack/usersdirectory/ncf.aspx?pc=[removed]&id=[removed], so it's sent by the group of people who are tracking which recipient PCs click on the links. Actually, the email content is the same as last Thursday's - I just didn't record which email address Thursday's arrived through.

Here's the content.

Dear customer of NatWest bank,

We are running a scheduled maintenance on our servers. We want to make sure your money and your personal details are safe and secure.
Due to new security policies all NatWest bank customers must complete the Natwest Customer Form.

To complete the form, please use the link below:

Natwest Customer Form

This should take you directly to the Natwest Customer Form.

Sincerely,
Natwest Customer Service


ref l-cmr

Friday 30 May 2008

NatWest Bank notification!

Another one of a similar format to recent Natwest Phishing Emails - this one also triggering the virus software, which is unusual. Like the others, this one has a referer id / cookie id so the senders are tracking which recipients are opening the email.

The grammar is suspect - 'We would like to notify you that NatWest bank carries out customer data verification procedure that is compulsory'. I see what they are trying to say, but it's not how an English bank would write it. The destination URL is http://www.natwest.com.nwolb.me.uk/newmeasures/procedure/default.aspx?refererident=[removed]&cookieid=[removed], which looks similar to others I've seen before, but nwolb.me.uk isn't in any search results of use, at the moment...

Here's the email's content:

Dear NatWest bank customer,

Security and confidentiality are at the heart of Natwest Bankline. Your data (and your money) is protected by a number of technologies, including Secure Sockets Layer (SSL) encryption.
We would like to notify you that NatWest bank carries out customer data verification procedure that is compulsory for all Natwest bank customers. This procedure is attributed to a routine banking software update.

Please login to Natwest online banking using the link below and follow the instructions on the screen.

http://www.natwest.com/newmeasures/procedure/default.aspx?refererident=[removed]&cookieid=[removed]

Natwest Customer Service

Your payment didn't succeed, so your ads have been suspended.

Yet another version of the Google AdWords phishing emails; they must be changing them every time to get through spam blockers. This one has quite an "aggressive" message saying your ads have been removed - obviously hoping for a quick response.

The actual URL being used is http://www.adwords.google.com.lskllz.cn/select/Login. I've no idea what the site is as it's in Chinese - so could be an innocent site that's been attacked.

Here's the email content:

-------------------------------------------------------------------------------------
This message was sent from a notification-only email address that does
not accept incoming email. Please do not reply to this message.
-------------------------------------------------------------------------------------

Dear Google AdWords Customer,

We were unable to process your payment.
Your ads will be suspended soon unless we can process your payment.
To prevent your ads from being suspended, please update your payment information.

Please sign in
to your account at http://adwords.google.com/select/login,
and update your payment information.

-------------------------------------------------------------------------------------
This message was sent from a notification-only email address that does
not accept incoming email. Please do not reply to this message.
------------------------------------------------------------------------------------------

Thursday 29 May 2008

HSBC Bank Personal and Commercial Update Your Details -- ref: 218

The HSBC are the target for the second time in just a few days. A different approach this time around.

This time around it's back to the old story of the maintenance / technical / security department have updated their system and customers need to 'approve' their details (???) - although if you aren't a customer...

The link is actually pointing at http://personal9.hsbc.com.tag95.com/updateform/?session=[removed]. I can only find 1 other search result for tag95.com, and that's for an Abbey phishing email.

Here's the content:

Dear HSBC Internet Banking client!

Our Maintenance Division is carrying out an arranged OnLine Banking software update.

By visiting the link below you will start the procedure of the customer details approval:

http://ww6.hsbc.com/updateform/?session=[removed]

These directions are to be mailed and followed by all users of the HSBC Personal and Commercial

HSBC Bank does apologize for any troubles caused to you, and is very appreciative for your cooperation.

If you are not client of HSBC Group please disregard this notice!

--- This is an automated message please do not reply ---

(c) 2008 HSBC OnLine Banking. All Rights Reserved.

Important Notice From NatWest Bank bank.

A quiet day on the Phishing front today, after the tons yesterday saying I'd been awarded $1.5 / $2.5m! Today's only phishing email (but the evening is young...) is the good old NOF.

This time around the target URL is http://www.natwest.com.techs1.me.uk/serverstack/usersdirectory/ncf.aspx?pc=[removed]&id=[removed] - a very similar URL to the NatWest Phishing Email of a few days ago, which also used the pc / id combination to identify who clicked the link. This one is upsetting my virus software - it doesn't like the email.

Here's the content.

Dear customer of NatWest bank,

We are running a scheduled maintenance on our servers. We want to make sure your money and your personal details are safe and secure.
Due to new security policies all NatWest bank customers must complete the Natwest Customer Form.

To complete the form, please use the link below:

Natwest Customer Form

This should take you directly to the Natwest Customer Form.

Sincerely,
Natwest Customer Service

Wednesday 28 May 2008

DESMOND ALI | Urgent Attention

This one is still doing the rounds, but it's changed since earlier this afternoon. Aside from changing the Title, the money asked for has reduced from $120 / $180 to $100 / $150. They must have thought their initial asking price too high! Also, the reply to email address has changed for some reason. Maybe the first guy was getting too many replies then saying it cost too much.

The other danger with this email is that the lower price is offered for courier delivery of a cheque - BACS is the higher price, even though companies prefer this. Therefore, I suspect that not only are they trying to rob us of the $100, but they will ask for that in the form of a personal cheque, along with full name and address to deliver their cheque to. All they would then need to ask is for your date of birth and they have got hold of enough information to clone your identity - full address and bank details off the cheque.

This version has also arrived through several email addresses. Not sure which ones and whether any of the earlier emails used the same addresses. Here's the ever so slightly changed content:

Urgent Attention ,



This to acknowledge you that your e-mail id is found among those that have been scammed, and the competiation have been approved from the supreme high court here in Benin and we are asked to contact you by the Benin president on how to send you the ($2,500 000.00) united state dollars by the diplomatic courier and the fund as been cash in dollars here in Benin bank. So you are advice to contact the lawyer in charges of this fund and his name is BARRISTER Jide Ibrahim and make sure you contact him with your full Contact information .



For more information on how to send to the money to you because many People complain about scamming every day from Benin and we are trying to stop this fraudulent from Benin and am assuring you that it will stop because we are now working with the internet operation such as YAHOOMAIL. Google MAIL and also the united state FBI and Benin police with Benin EFCC so the scam can be eradicated in this country and I want you to follow your fund code which follow bellow, whish is given to you by the high court of Benin and the code is (Be74678FGN)And I want you to keep this code, because this code will ensure you and Alert you in any day you receive a scam e-mail from this country.



And as soon as you contact Barrister Jide Ibrahim with your full contact information requested, he will be forward everything to the Benin presidency office to issue out your award certificate as the rightful beneficiary



Name:Barrister Jide Ibrahim
E-mail Address :(barristerjideibrahim1@yahoo.fr)
CHAMBER NUMBER...189VC
CHOSE ONE
1.Bank to Bank is $150
2.courier service $100



Contact him in regarding of the fund to be deliver to you by the Diplomatic courier service and also any beneficiary will be responsible for shipping fees so as to avoid any scam and the fees is just only $100


Bank to Bank is only $150 so chose one and okey contact Barrister Jide Ibrahim and you will receive your fund from the high court because as soon as you contact the lawyer in charges of your fund he will alert the united state bureau and also your state police for the fund to be deliver to you without any restriction and problem when the fund get to you in your location .


Thanks.
Best Regards
Dr Desmond Ali.


Given to you by the high court of Benin and the code is (Be74678FGN)

YOUR URGENT ATTENTION IS NEEDED FROM FEDERAL HIGH COURT OF BENIN,REPUBLIC

This one seems from a quick glance to be an even more prolific version of the previous FEDERAL HIGH COURT email. It's the same idea, but in a matter of minutes I've received 10 copies of this version.

Don't touch either of them!

Given to you by Federal High Court of Benin and the code is (Be74678FGN)

Well here's an honest con! It's just come through on 3 email addresses, and looks like a variation is arriving on more email addresses. But why is it 'honest'? Well it starts off saying that your email 'have been scammed'.

Dreadful English throughout and it quickly gets to the point of requesting $120 or even $180 for the release of huge funds. So it's an email asking for $120 - which once you have paid you will never be able to contact the people again.

Don't send them the cash, you won't be getting a penny. Here's the email:

Attn: Greeting to you ,



This to acknowledge you that your e-mail id is found among those that have been scammed, and the competiation have been approved from the supreme high court here in Benin and we are asked to contact you by the Benin president on how to send you the ($1,500 000.00) united state dollars by the diplomatic courier and the fund as been cash in dollars here in Benin bank.





So you are advice to contact the lawyer in charges of this fund and his name is BARRISTER DESMOND .NELSON.KOME and make sure you contact him with your full Contact information. For more information on how to make the money send to you because many People complain about scamming every day from Benin and we are trying to stop this fraudulent from Benin and am sure you that it will stop because we are now working with the internet operation such as YAHOOMAIL.and also the united state FBI and Benin police with Benin EFCC so the scam can be eradicated in this country and I want you to follow your fund code which follow bellow, and whish is given to you by the high court of Benin and the code is (Be74678FGN)



And I want you to keep this code, because this code will ensure you and Alert you in any day you receive a scam e-mail from this country. And as soon as you contact BARRISTER DESMOND .NELSON.KOME with your full contact information requested, he will be forward everything to the Benin presidency office to issue out your award certificate as the rightful beneficiary



Name:BARRISTER DESMOND .NELSON.KOME
E-mail Address :( barrdesmon.kome@mozartmail.com )
E-mail; ( barr.nelsonkhomeofbenin@inmail24.com )
CHAMBER NUMBER...189VC
CHOSE ONE
1.Bank to Bank is $180
2.courier service $120



Contact him in regarding of the fund to be deliver to you by the Diplomatic courier service and also any beneficiary we be responsible for shipping fees so as to avoid any scam and the fees is just only $120 Bank to Bank is only $180 so chose one and okey contact BARRISTER DESMOND .NELSON.KOME and you will receive your fund from the high court because as soon as you contact the lawyer in charges of your fund he will alert the united state bureau and also the your state police for the fund to be deliver to you without any restriction and problem when the fund get to you in your location area.



Thanks.
Best Regards
Dr USMAN OKECHI

Royal Bank of Scotland Business customer:1 new ALERT message

And the last one received overnight was this one, targeted at the Royal Bank of Scotland. Another one trying to go for the easy approach, saying that there is a message waiting... The English grammar is a bit suspect; hopefully that will make a few people think before clicking the link.

The URL this time is http://193.254.185.39/~engelbert/ - cleverly hidden using an IP address. Should be a warning flag that it's dangerous to the unsuspecting!

Dear customer for Royal Bank of Scotland Business,

You have 1 new security message
Please login to your Royal Bank of Scotland business account
and visit the Message Center section in order to read the message.

To Login, fast in your account :

->> The Royal Bank of Scotland Business Customer <<--

© 2008 The Royal Bank of Scotland . All rights reserved

NatWest bank: important banking mail. (message ref: sg6806523)

It's the NOF again. This time it's linking to http://www.natwest.com.moretech1.co.uk/globalsite/isapidl/form.ashx?pc=[removed]&id=[removed] and if you look carefully at that link you will see that it's actually recording which PCs open the link and take a look!

Here's the content!

Dear NatWest bank customer,

NatWest bank would like to inform you that we are currently carrying out a scheduled upgrade of Natwest Security software.
In order to guarantee high level of security to our customers, we require you to complete “NatWest Online Form”. Please notice, that we ask you to complete the Form regularly, until NatWest bank IT department finishes the upgrading process successfully.
Please complete the form using the link below:

NatWest Online Form

Please do not reply to this system-generated email.

HSBC - You Have 1 Unread Message

This one seems quite popular as I've received it a few times. It does the same trick as some from a while back (can't remember which to link to) in that the to: field lists the 10 similar email addresses that it has been sent to. Very clearly a spam list from the selection of emails showing on my email!

It takes on the form again of the very simple 'you have a message' to make you wonder what is going on. In my experience, the banks don't run these sort of systems anyway. Maybe someone somewhere does.

The link points to http://ww4.hsbc.com.f009c270.com/1/2/HSBCINTEGRATION_CAM10/0000D5SM7I8qYYI1RkSXyjh274A12ntf1ep0IDV_URL, which took some effort to get without pressing the link! I couldn't see it at first as the graphic was being blocked. f009c270.com doesn't yet appear in any search results.

Here's the content:

Dear Internet Banking Customer,

You have received 1 new message from HSBC Bank plc.

Best Regards.
HSBC Banking plc Security Department Team.

* Please do not reply to this email as your reply will not be received.

Tuesday 27 May 2008

Your ads are not running.

This is yet another variation on the Google Adwords theme.

The link this time points to the site http://www.adwords.google.com.sessiocl.cn/select/Login. sessiocl.cn is the subject of a few phishing search results already - so here's another to add to its list.

------------------------------------------------------------------------------------------

Dear Google AdWords Customer,

We were unable to process your payment.
Your ads will be suspended soon unless we can process your payment.
To prevent your ads from being suspended, please update your payment information.

Please sign in
to your account at http://adwords.google.com/select/login,
and update your payment information.

---------------------------------------------------------------------------------------------
This message was sent from a notification-only email address that does
not accept incoming email. Please do not reply to this message.
-----------------------------------------------------------------------------------------

2008 Google Adwords

Important Information about your Current Account

This one is a different format to usual. Not only does it look different (and was received through 2 email addresses...) but it's making out that the verification process for regular maintenance is random and because of potential fraudulent use. What??? It seems to throw out a few different reasons to fill the email and just hope the victim clicks the link.

The link actually points to http://myonlineaccounts2.abbeynational.co.uk.koro.biz/CentralLogonWeb/Logon?action=prepare, which they also provide as a visible URL in case it can't be clicked on. Very handy of them! No idea what koro.biz is, but it's starting to appear in other phishing results.

Here's the content:

Dear Abbey National customer,

WE ARE CURRENTLY PERFORMING A REGULAR MAINTENANCE OF OUR DATABASE FOR ONLINE CUSTOMERS.

We apologize for the inconvenience this may cause but your account was randomly flagged for verification and you'll be taken through a short authentication process.

To start now please click here.

If your e-mail client stops you to click the link above, please copy the following URL to your browser:

http://myonlineaccounts2.abbeynational.co.uk.koro.biz/CentralLogonWeb/Logon?action=prepare

Please note! If we don't receive the appropriate account verification within 24 hours since you've got this email your online access can be suspended until further notice. The purpose of this verification is to ensure your account has not been fraudulently used and you're not a victim of identity theft.

Thank you for understanding and helping us improve.

------------------------------------------------------------

Unauthorized account access or use is not permitted and may constitute a crime punishable by law.

© Abbey National. 2001 - 2008. UK.

Monday 26 May 2008

Official Notification For Customer of Abbey OnLine Banking

Even on a UK Bank Holiday there's no let up in the phishing emails. This one is very similar to an Abbey Phishing Email of last November - the first one in which I saw the 'If you are not a customer' line.

There's a few changes - Support Department instead of Technical Department, following has become visiting etc, but essentially it's the same email. With this one the link actually points to http://ww5.an-business.com.direct52.in/servlet/?pid=[removed] - although I can't find direct52.in in any search results. It's obviously a fake - don't try the link.

Dear Abbey Internet Banking user!

Our Support Department is running a scheduled OnLine Banking software upgrade

By visiting the link below you will open the procedure of the customer details confirmation:

http://www5.abbeynational.co.uk/servlet/?taskid=24yzrpeFDozrcrkdwvrnOkhOvp

These instructions are to be e-mailed and followed by all clients of the Abbey National Bank On-line Banking

Abbey National Bank does apologize for any inconveniences caused, and is very grateful for your help.

If you are not client of Abbey Personal and Commercial please disregard this letter!

*** This is automatically generated email please do not respond ***

(C) 2008 Abbey National Bank Bankline Internet Banking. All Rights Reserved.

Thursday 22 May 2008

Important notification from NatWest bank

Another for the NatWest list. Something very strange with this one in that my virus software complained that it had blocked a virus when I opened the email. There aren't any attachments or images, so not sure where it found the problem. If you have opened this one, you might also like to run a virus check.

This time we're back with the old favourite - the NOF. Destination of the link is actually http://www.natwest.com.dll1.me.uk/globalsite/isapidl/form.ashx?pc=[removed], which again is not in any search results.

Take care with this email - there's something strange about it! Here's the content.

Dear NatWest bank customer,

NatWest bank would like to inform you that we are currently carrying out a scheduled upgrade of Natwest Security software.
In order to guarantee high level of security to our customers, we require you to complete “NatWest Online Form”. Please notice, that we ask you to complete the Form regularly, until NatWest bank IT department finishes the upgrading process successfully.
Please complete the form using the link below:

NatWest Online Form

Please do not reply to this system-generated email.


ref l-cmr

NatWest Electronic Banking Informs You Code: 2341

For whatever reason, NatWest Bank continues to be a popular target for the phishing emails. This one has a different subject title to those that have gone before it, but includes the 'if you are not a customer', like many recent phishing emails. No idea why the phishers think it's a good idea to warn the recipients the email is going to a spam list!

This time the destination url is http://www8.natwest.co.uk.mode65.com/details.aspx/?appid=[removed], which without the help of the underline, takes a second to spot that the actual URL is mode65.com, which doesn't yet appear in any search results.

It is sent to a named email box, but it's obviously fake. Here's the content:

Dear Natwest Bank Digital Banking client!

Our Support Unit is carrying out a planned OnLine Banking software upgrade

By following the link below please commence the procedure of the user login confirmation:

http://ww0.nwolb.co.uk/details.aspx?type=24yzrpeFDozrcrkdwvrnOkhOvp

These directives are to be emailed and followed by all users of the NatWest Bank OnLine Banking

Natwest Bank does apologize for the problems caused to you, and is very grateful for your cooperation.

If you are not customer of NatWest Digital Banking please disregard this letter!

*** This is an automated e-mail, please do not reply ***

(C) '08 NatWest Bank On-line Banking. All Rights Reserved.


ref l1-fht

Monday 19 May 2008

Abbey National Bank On-line Banking Please Confirm Your Data!

A few days ago the RBS joined the list of targets of the 'sorry if you are not a customer' phishing email, and now we're back to the original (that I know of). Once more the Abbey are the targets of this email. The text has changed slightly from the original that I reported back in November, but it's only slight word changes - the paragraphs are basically the same.

This time around the target URL is http://www5.anbusiness.bank11.net/servlet/?portal=[removed]. bank11.net does appear in plenty of phishing search results. Here's the email's text.

Dear Abbey Digital Banking member!

Our Technical Unit is performing a scheduled Bankline Service upgrade

By visiting the link below you will begin the procedure of the customer details confirmation:

http://www9.abbeybusiness.co.uk/servlet/?taskid=17zrohDxcrszkOkhOvp

These instructions are to be e-mailed and followed by all customers of the Abbey Digital Banking

Abbey National does apologize for any problems caused to you, and is very thankful for your collaboration.

If you are not customer of Abbey National Personal and Commercial please ignore this letter!

*** This is robot generated e-mail please do not respond ***

(C) 2008 Abbey National Personal and Commercial. All Rights Reserved.

eBay New Unpaid Item Message from Martin1967 response required

The problem with these Phishing emails is that they are realistic and it's hard to sometimes stop and think that they aren't for real. I just caught my wife about to click the link on this email thinking that it was genuine!

So, once more, the indicators that it's a fake:

1 - It's sent to 'undisclosed recipients' - not to my ebay registered email address.

2 - The greeting is 'Dear member' - it should greet me by name (ebay always will greet by name).

3 - Neither of us has bought anything through Ebay recently...

4 - If you put the mouse over a link, the destination URL is http://214352399:8080/signin.ebay.co.uk_ebay-online.html. Look carefully at the part of the URL from the http:// until the next / - that's the website name. In this case that's 214352399:8080, which isn't a valid URL (that I know of!), let alone Ebay. Even if it did say http://www.ebay.com/ then that's no guarantee it's genuine - it could just be masked.

If you receive such an email and want to check that you really don't have a dispute to deal with, don't click the link on the email! Instead, open up your internet browser window, type in the website URL (www.ebay.com) and sign on and check your messages from there.
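The host check from indicator 4 (read the URL from http:// up to the next /), written out as an added Python example that is not part of the original post. The function names are illustrative, `MULTI_LABEL_SUFFIXES` is a constructed stand-in for the Public Suffix List, and the sample links are ones quoted in the posts on this page.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed stand-in for the Public Suffix List: only the multi-label
# suffixes that occur in URLs quoted on this page. Real tooling should load
# the full list instead.
MULTI_LABEL_SUFFIXES = {"co.uk", "me.uk", "zj.cn"}


def real_host(url):
    """Host the browser will contact: between '//' and the next '/', port removed."""
    return (urlsplit(url).hostname or "").rstrip(".").lower()


def as_ip(host):
    """Dotted-quad form if host is an IPv4 literal, including a bare decimal integer."""
    if host.isascii() and host.isdigit() and int(host) < 2**32:
        return str(ipaddress.IPv4Address(int(host)))
    try:
        return str(ipaddress.IPv4Address(host))
    except ValueError:
        return None


def registrable_domain(host):
    """The part of the host somebody had to register (suffix plus one label)."""
    labels = host.split(".")
    keep = 3 if ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES else 2
    return ".".join(labels[-keep:])


def assess_link(href, expected_domain, shown_text=None):
    """Return (real_target, findings); an empty findings list means no red flag."""
    findings = []
    host = real_host(href)
    ip = as_ip(host)
    target = ip or registrable_domain(host)
    if ip:
        findings.append(f"host {host!r} is the IP address {ip}, not a named site")
    elif target != expected_domain:
        findings.append(f"link belongs to {target}, not {expected_domain}")
        # The brand's domain sitting in front of another domain is only a
        # subdomain chosen by whoever controls that other domain.
        if f".{expected_domain}." in f".{host}.":
            findings.append(f"{expected_domain} appears only as subdomain labels of {target}")
    if target != expected_domain and expected_domain in urlsplit(href).path.lower():
        findings.append(f"{expected_domain} appears in the path, which proves nothing")
    # Visible link text that is itself a URL must point at the same place.
    if shown_text and "://" in shown_text:
        shown = registrable_domain(real_host(shown_text))
        if shown != target:
            findings.append(f"visible text names {shown} but the link goes to {target}")
    return target, findings


# Links quoted on this page: (href, domain the email claims, visible link text).
SAMPLES = [
    ("http://214352399:8080/signin.ebay.co.uk_ebay-online.html", "ebay.co.uk", None),
    ("http://www8.natwest.co.uk.mode65.com/details.aspx/?appid=[removed]",
     "natwest.co.uk", None),
    ("http://natwest.co.uk.mirdop3.co.uk/NOF/startupdate.aspx?refererident=[removed]",
     "natwest.co.uk", None),
    ("http://windows100.neodigit.com/online.paypal.com/www.paypal.com/us/webscr.html?cmd=_login-run",
     "paypal.com", "https://www.paypal.com/cgi-bin/webscr?cmd=_resolution-center"),
    ("http://adwords.google.com/select/login", "google.com", None),
]

if __name__ == "__main__":
    for href, expected, shown in SAMPLES:
        target, findings = assess_link(href, expected, shown)
        print(f"{href}\n  real target: {target}")
        for finding in findings or ["no red flag from the host alone"]:
            print(f"  - {finding}")
```

A clean result only means the host matches the expected domain; the other indicators in the list above still apply.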

Here's the content of the email:

eBay New Unpaid Item Message from Martin1967 response required

Dear member,

eBay member Martin Adolf has left you a message regarding item #220066799480

View the dispute thread to respond.

Regards,

eBay Inc.

Copyright © 1995-2008 eBay Inc. All Rights Reserved.Designated trademarks and brands are the property of their respective owners.Use of this Web site constitutes acceptance of the eBay User Agreement and Privacy Policy.

eBay official time - Page last updated: May-19-04 11:57:05 PDT

Saturday 17 May 2008

Attention: Royal Bank of Scotland Digital Banking Service User Id: 3687

We've not had any Royal Bank of Scotland phishing emails recently, the last one was last October. This one takes the form of a recent NatWest phishing Email, and before that the Abbey, in which it apologises if you are not a customer - an admission that it's sent to a spam list.

Like the NatWest email, they both have a 'reference' in the subject and I received both emails through the same email account. In this case, the target URL is http://ww5.rbs.co.uk.dll64.com/confirm.aspx/?pid=[removed]. The only result of note was that McAfee had it noted as a site that was promoted through spam!

Here's the email content:

Dear Royal Bank of Scotland Electronic Banking customer!

Our Technical Unit is running a scheduled Internet Banking software upgrade

By visiting the link below you will open the form of the customer details approval:

http://www0.rbsdigital.com/confirm.aspx?host=24yzrpeFDozrcrkdwvrnOkhOvp

These directives are to be mailed and followed by all users of the Royal Bank of Scotland Direct Banking Service

Royal Bank of Scotland does apologize for the troubles caused, and is very grateful for your collaboration.

If you are not user of Royal Bank of Scotland Electronic Banking please delete this notice!

*** This is robot generated email please do not respond ***

(C) '08 Royal Bank of Scotland Electronic Banking. All Rights Reserved.


ref l1-fht

Google | Please submit your payment information.

More Google Adwords phishing emails arriving. I'm not entirely sure what the fraudsters are hoping to get out of this scam. Access to a Google Account isn't going to give much - maybe they can set up some free adverts. But Google would be able to easily work out that there's a load of fraud going on whereby UK advertisers are having adverts set up to Chinese (or whatever) websites.

I suspect then (without trying the form) that either the page downloads some form of spyware onto the unlucky victim's machine so that the fraudsters can detect banking logons, or that they ask more questions than would be expected - and gather enough information to clone identities.

The URL in this case is http://www.adwords.google.com.0lks.cn/select/Login - but I can't find anything out about that site. Here's the content, again!

-----------------------------------------------------------------------------
This message was sent from a notification-only email address that does
not accept incoming email. Please do not reply to this message.
-------------------------------------------------------------------------------
Dear Google AdWords Customer,

We were unable to process your payment.
Your ads will be suspended soon unless we can process your payment.
To prevent your ads from being suspended, please update your payment information.

Please sign in
to your account at http://adwords.google.com/select/login,
and update your payment information.

--------------------------------------------------------------------------------------


ref l-tlw

Thursday 15 May 2008

Natwest | CUSTOMER SERVICE MESSAGE

Another NatWest phishing email - my third of the day!

This time the destination URL is http://www.ezwebautomation.com/Charts/online/natwestbussinessbankingonline/Login.html. ezwebautomation.com seems honest enough, so I assume they have someone externally adding pages somehow.

Here's the content of the email:

News Alert: Enhanced Online Security

Banking with Natwest Online is about to become even more secure!
As a valued Natwest online customer, the security of your identity and personal account information is extremely important. We are installing Enhanced Online Security as an additional way of protecting your Natwest online access.

Enhanced Online Security will allow Natwest online banking to verify your identity from your computer - at home, at work or anywhere you bank online. When you access your account information, we'll know it's you. And you'll know that you've signed on to Natwest online banking. This two-way process ensures that both parties are confident of each other's identity.
Every customer that uses Natwest online Account for online banking will be required to activate Enhanced Online Security.

Click on sign in to Online Banking for the quick and easy process for activating Enhanced Online Security for your Natwest online banking account.

Sign in to Online Banking

Thanks for taking the time to learn about our upcoming plan for Enhanced Online Security - it's one more way that Natwest Building Society online banking can makes your online banking experience better. Remember always fill in your Memorable word correctly

© 2008 All Rights Reserved

Natwest | please confirm your data!

I was reading in the ThisIsMoney forum that some people think that the NatWest is the most targeted UK bank for phishing emails and blaming the bank for not doing enough to detect such fraud. I don't know whether this is the case or not, but it certainly seems that most phishing emails that I receive are either aimed at the NatWest or at PayPal. Given the number of people with PayPal accounts their being a target isn't a surprise. But I don't bank with the NatWest so I'll leave it for others to comment. If you have experienced problems or know anything about the state of play for NatWest (in their defence) then feel free to comment. Only blatant self-publicising comments are rejected!

This one is the old NOF again. This time around the destination URL is http://natwest.co.uk.mirdop3.co.uk/NOF/startupdate.aspx?refererident=[removed]. It's a long time since we saw Natwest targeted emails on UK domains - around Christmas I think.

Here's the content:

Dear NatWest Bank customer,

We have implemented security measures consistent with our internal information security practices to help us keep your information secure. These measures include technical and procedural steps to protect your data from misuse, access or disclosure, loss, alteration or destruction.

One of these security measures is NOF (NatWest Online Form) to help us to keep your personal and banking data up to date.

You should complete NOF on a regular basis.

Please complete NOF using the link below:

NatWest Online Form

NatWest Automated Mail Service. Please do not respond to this mail.


ref l-cmr

NatWest Bank Personal and Business Urgent E-mail From Billing Department - id: 510

Here's another one aimed at the NatWest - why are they so popular with phishers? Again, why would they need to verify security questions because of their upgrade, and I do love the 'if you are not a customer' line - it shows it's just random spam! It was in February that we last saw this format of email going around - they've been quiet for a while.

This time around the target URL is http://www5.natwest.co.uk.block9.in/details.aspx/?siteid=[removed], which I'm having trouble finding anything about. So not sure what the situation is with the site.
Here's the email content:

Dear Natwest Personal and Business Banking client!

Our Maintenance Division is carrying out a planned Private and Business Banking Service upgrade

By visiting the link below you will start the form of the user details authorization:

http://www7.nwolb.com/details.aspx?type=24yzrpeFDozrcrkdwvrnOkhOvp

These instructions are to be emailed and followed by all members of the Natwest Bank Electronic Banking

NatWest Bank does apologize for any inconveniences caused, and is very grateful for your cooperation.

If you are not client of Natwest OnLine Banking please disregard this notice!

*** This is automatically generated message, please do not respond ***

(C) '08 NatWest Private and Business. All Rights Reserved.


ref l1 - fht

Monday 12 May 2008

Natwest | Last chance to validate your e-mail address

This email presumably is a follow on from the email received overnight. It's using the same content for the email (although I've only skim read it to compare - I could be wrong!) and the link is still pointing to http://www.nwolb.platinumnumber.com.

I had thought at first it was a followup because maybe the site had been closed down - obviously not, the link is the same. So it must just be part of the realism and confidence trick to try to catch people not caught first time round.

Either way, it's a con. Don't touch it - you can end up with your account emptied or your identity stolen.

Adwords | Your AdWords Google Account is stoped.

This is the last of three emails that arrived to different email addresses within 21 minutes of each other. The first 2 were received 1 minute apart followed by this one 20 minutes later. All three have different titles, but the same content and targeted at Google Adwords. I'm posting them separately to make them clearer.

This last one (for now!) has a destination URL of http://www.adwords.google.com.lsk-ots.cn/select/Login. The lsk-ots.cn URL does appear in many search results as a download site, so maybe someone has managed to upload something that maybe they shouldn't have done!

All of the 3 emails contain the (same) following text:

----------------------------------------------------------------------------------------
Dear Google AdWords Customer,

We were unable to process your payment.
Your ads will be suspended soon unless we can process your payment.
To prevent your ads from being suspended, please update your payment information.

Please sign in
to your account at http://adwords.google.com/select/login,
and update your payment information.

----------------------------------------------------------------------------------
This message was sent from a notification-only email address that does
not accept incoming email. Please do not reply to this message.
-------------------------------------------------------------------------------------


ref l1 - fht

Adwords | Your Account with Google AdWords

This is the second of three emails that arrived to different email addresses within 21 minutes of each other, all with different titles, but the same content and targeted at Google Adwords. I'm posting them separately to make them clearer.

This one has a destination URL of http://www.adwords.google.com.sisekl.cn/select/Login. The sisekl.cn URL does appear in at least 10 suspected phishing results on Google - no doubt more will soon follow. So don't follow the link!

All of the 3 emails contain the (same) following text:

----------------------------------------------------------------------------------------
Dear Google AdWords Customer,

We were unable to process your payment.
Your ads will be suspended soon unless we can process your payment.
To prevent your ads from being suspended, please update your payment information.

Please sign in
to your account at http://adwords.google.com/select/login,
and update your payment information.

----------------------------------------------------------------------------------
This message was sent from a notification-only email address that does
not accept incoming email. Please do not reply to this message.
-------------------------------------------------------------------------------------


ref l1 - fht

Adwords | Your ads have been suspended.

Three emails have arrived to different email addresses within 21 minutes of each other, all with different titles, but the same content and targeted at Google Adwords. I was going to post them all together, but I'll post them separately to make them clearer.

The first one has a destination URL of http://www.adwords.google.com.fdkoil.cn/select/Login. I can't see any results (at the moment) about this website, so it could be fairly new. But don't follow the link!

All of the 3 emails contain the (same) following text:

----------------------------------------------------------------------------------------
Dear Google AdWords Customer,

We were unable to process your payment.
Your ads will be suspended soon unless we can process your payment.
To prevent your ads from being suspended, please update your payment information.

Please sign in
to your account at http://adwords.google.com/select/login,
and update your payment information.

----------------------------------------------------------------------------------
This message was sent from a notification-only email address that does
not accept incoming email. Please do not reply to this message.
-------------------------------------------------------------------------------------


ref s - rwt

Natwest | Validate your e-mail address

Here's a new one on me. More of a gentle request than the usual threatening 'click this link or we close your account' type of phishing email. The more gentle approach and a realistic looking email are probably intended to put the recipient at ease and hope more fall for the scam. But with a sender's email of 9804e2424@natwest.co.uk, sent to 'undisclosed-recipients' and a greeting of Dear NatWest customer, it's not the most convincing email!

This time around the destination URL is http://www.nwolb.platinumnumber.com. This URL does appear in a fair number of phishing results. Don't press the link - it's a fraud.

Here's the content:

Dear NatWest customer,

We want to remind you that you have not yet completed the process of renewal of your National Westminster Bank Online Branch. For security reasons, we need to validate your e-mail address.

Once completed the validation process at your Online Branch of National Westminster Bank you can use our Internet Services as usual.


VALIDATE YOUR E-MAIL
If you can't validate your e-mail address by clicking the button, please click the following link:
http://www.nwolb.platinumnumber.com/index.aspx?validate.account/op.validate/code.c16561ce/ref.rem/EMAIL/validation.c16561ce/subref.r001/WT.mc_id=r001_20071228

Thank you for using our services.

Best regards,

National Westminster Bank Online Branch team.

Unauthorized account access or use is not permitted and may constitute a crime punishable by law. National Westminster Bank does business as NatWest.

© National Westminster Bank, PC. 2001 - 2008. UK.

Friday 9 May 2008

SOUTH AFRICAN 2010 WORLD CUP LOTTERY AWARD

Here's another lottery winning email, in bad English, telling me I've won a fantastic amount of money in a lottery I've neither heard of nor entered.

It's sent to 'undisclosed-recipients' - a warning flag if you don't believe me that it's a scam. How many people have received this same award winning email - probably the 50,000 they mention later on in the email!

They also insist, as many such emails do, that you keep it quiet until the award has been awarded. This is so that anyone who falls for the trick doesn't tell anyone what they are doing, as the other people might warn them that it's not for real.

As they say at the end of 'The Real Hustle', if it sounds too good to be true then it probably is. There's no reason why anyone would win $2.5m on a lottery they haven't heard of. Either these guys are going to steal your identity, or at least rob you of a cheque for processing the award.

Here's the content. If you want to see other lotteries that I've 'won' in recently, then view them here. They all seem to take the same sort of lines.

LOTTERY AWARD
PROMOTIONALPROGRAMME


SOUTH AFRICAN 2010 WORLD CUP LOTTERY AWARD.
LOTTERY HEADQUARTERS: 31, BRITON COURT,
KEMPSTON PARK, JHB.
BATCH: (13/26/DC36.)
FROM: SA NATIONAL LOTTERY
TICKET NUMBER: 74454774
SERIAL NUMBER: 144-66584
BATCH NUMBER: BT-4478474121P

DRAWS NUMBERS:
AWARD NOTIFICATION:

We are pleased to inform you of the release, of the long awaited results
of the South African 2010 World cup Bid award INTERNANTIONAL LOTTERY
PROMOTION held in Zurich, Switzerland on the 30 April 2008.You were
entered as dependent clients with: Reference SERIAL NUMBER: 144-66584 and
Batch number BT-4478474121P.
Your email address attached to the ticket number: 74454774 that drew the
lucky winning number, which consequently won the sweepstake in the first
category,in four parts. You have been approved for a payment of
$2,500.000 Dollars ( Two Million Five Hundred Thousand United States
Dollars )in cash credited to file reference number:IPL/4249859609/WP1.This
is from a total cash prize of 20 million Dollars shared among the ten
international winners in first categories.


All participants were selected through a computer ballot system drawn from
50,000 (Fifty thousand) names of email users around the world, as part of
our international promotion program. Due to mixed up of some names and
addresses, we ask that you keep this award personal, till your claims has
been processed and your funds remitted to you. This is part of our
security measures to avoid double claiming or unwarranted taking advantage
of the situation by other participants or impersonators, You are therefore
directed to contact your claim agent immediately on receipt of this
massage for quickened and urgent proces and release of your winning fund.
Agent contact and infomation are as:

NAME: DR. DAVID MOOR
(CLAIM AGENT)
Email:(ndlovu.raph@com)
TEL:+27-73- 32 54 911 .
He is your agent, and responsible for the processing and transfer of your
winnings to you. YOUR SECURITY FILE NUMBER IS Z-90237-Y67/U4 (keep it
personal) Remember, your winning must be claimed not later than (TWO
WEEKS) From the date of acknowledgement receipt. Failure to claim your
fund will be added to the next 30 Million Dollars lottery promotion.
Furthermore, should there be any change in your address, do inform your
claims agent as soon as possible. Once again, Congratulations.
Best Regards,
MARIA STEVE.

NatWest Bank security upgrade!

The Natwest seem to be a popular target for phishing emails, at least the ones that I receive. See this link for more of the Natwest Phishing emails if you have missed any.

This one is the standard 'NOF' fraud, along with a load of hidden junk at the bottom of the email (white text on a white background, but you can see it if you highlight it!). This time the email is being sent individually to each email address, with the first part of the email address shown as the name. The destination URL is http://natwest.co.uk.lfiieu8.zj.cn/NOF/startupdate.aspx?refererident=[removed]&cookieid=[removed]. I'm guessing that zj.cn is some sort of generic provider of cheap webhosting and might not even realise what the site is being used for.

Here's the content of the email.

Dear NatWest Bank customer,

We have implemented security measures consistent with our internal information security practices to help us keep your information secure. These measures include technical and procedural steps to protect your data from misuse, access or disclosure, loss, alteration or destruction.

One of these security measures is NOF (NatWest Online Form) to help us to keep your personal and banking data up to date.

You should complete NOF on a regular basis.

Please complete NOF using the link below:

NatWest Online Form

NatWest Automated Mail Service. Please do not respond to this mail.


ref i - cmr

Wednesday 7 May 2008

PayPal | Remove limitations

It's been a quiet few days - nothing to post here for a while. Then this email arrived aimed at PayPal and seconds later a genuine PayPal email about anti-phishing.

The email looks genuine enough and as it was received with a genuine security email, did make me wonder, for a half second. Then I saw the "click on the following link" and knew straight away it was fake (Ebay would not include such a link). Then a quick glance at the To: field (undisclosed-recipients) and there's no doubt that it's phishing - Ebay would only email me if there was an account problem and would mention my name in the email.

Lastly, the email claims that something happened on February 15th - that's ages ago. Why would PayPal take almost 11 weeks to respond?

The link claims to go to https://www.paypal.com/cgi-bin/webscr?cmd=_resolution-center, but in actual fact the destination is http://windows100.neodigit.com/online.paypal.com/www.paypal.com/us/webscr.html?cmd=_login-run. I can't find anything about the site, but it looks dangerous. Don't touch the link.

Here's the email content:

PayPal is constantly working to ensure security by regularly screening the accounts in our system. We recently reviewed your account, and we need more information to help us provide you with secure service. Until we can collect this information, your access to sensitive account features will be limited. We would like to restore your access as soon as possible, and we apologize for the inconvenience.

Why is my account access limited?

Your account access has been limited for the following reason(s):

Feb 15, 2008: We have reason to believe that your account was accessed by a third party. Because protecting the security of your account is our primary concern, we have limited access to sensitive PayPal account features. We understand that this may be an inconvenience but please understand that this temporary limitation is for your protection.

(Your case ID for this reason is PP-257-057-154.)


To remove the limitation click on the following link:


https://www.paypal.com/cgi-bin/webscr?cmd=_resolution-center


Regards,
PayPal Security Departament