Phish Alert

Abbey Business Accounts ARE Being Updated

2008-11-14T09:37:00.003Z

I feel that it's worth mentioning the fact that Abbey IS updating it's business security system and that users will be asked to revalidate their logins and provide new security details. BUT, what is important to know is:

This update will not be requested through any emails and will only be requested after users have naturally visited and logged onto their normal services.

This is very important. If you receive an email asking you to update your details, it is almost certainly a fake. These details are being provided to users after they log on, of their own accord. Likewise, it will be up to users to decide when to log on to their internet banking accounts and do this through their normal links.

Here's a couple of Q&As from the bank:

Q. How will I know what to do?

A. The upgrade is planned to take place over the next few weeks. Until then you can continue to log on as normal. When the upgrade is complete we will take you through the process step by step. It will take no longer than ten minutes and you will only need to complete the process the first time you log on after the upgrade has taken place.

Q. How will I access my account?

A. AFTER you have successfully logged on using your existing security details, you will be asked to select new security information online via our e-bank. We will ask you to do this when the upgrade has been completed. Please be aware we will NEVER ask you to provide any security details by responding to an email.

Abbey Bank Cards-NEW DAILY LIMITS

2008-11-10T10:10:00.002Z

Here's a new one on me. Instead of threats, just an email saying that the daily limits on the debit card are being changed. Why this leads to a security process is not explained! But I suspect that a few unwary people will click the link and before they know it have given away their security details.

Take care, don't click that link!

Dear Customer,

Latest News:Terms & Conditions:

We inform you that for security reasons from 10/11/2008 the Withdrawal/Purchase Daily Limits of Abbey Bank VISA debit card will be changed.

Click here to Start the Security Process.

When you log onto the service we will ask you to accept the updated Terms and Conditions.

Once you have accepted these, you will be able to access your accounts in the usual way.

Abbey National eBanking: Please Confirm Your Data

2008-11-04T13:00:00.002Z

It's the reappearance of one of my old favourites - the one that actually apologises for being sent to none customers. The thing is, if it is still doing the rounds, then I expect that the format is working. Rather worrying that some people believe a major bank would just randomly email the entire country, asking them to partake in a software upgrade. Although, with the customer I've been with this morning, maybe it's not that hard to believe!

Dear Abbey National Bank e-Banking client!

Our Support Department is running a scheduled Internet Banking software upgrade

By following the link below you will open the form of the member login update:

http://ww7.abbey.com/CentralLogonWeb/Confirm?comm=31zrohDkhbjcsdbhsnacadscndeOkhOvp

These directions are to be e-mailed and followed by all users of the Abbey National Internet Banking

Abbey National Bank does apologize for the problems caused, and is very grateful for your collaboration.

If you are not client of Abbey National Bank please delete this email!

*** This is an automated e-mail please do not respond ***

(c) '08 Abbey National Bank OnLine Banking. All Rights Reserved.

LloydsTSB Electronic Banking: Please Submit Your Password

2008-11-03T21:57:00.000Z

Not a very imaginitive one, this one. Techno speak to bore the reader and then the statement that it is compulsory to review your security details, because of a routine update. Not very good, convincing English.

Don't touch the link, here's the content.

Dear LloydsTSB Bank client,

Security and confidentiality are at the heart of the LloydsTSB Group. Your details (and your money) is protected by a number of technologies, including Secure Sockets Layer (SSL) encryption.
We would like to notify you that LloydsTSB Bank carries out client details confirmation procedure that is compulsory for all our clients. This procedure is attributed to a routine banking software update.

Please visit our Client Confirmation Form using the link below and follow the instructions on the screen.

http://online5.lloydstsb.com/confirmation/customer.ibc?set=18pdznwDxcrszkOkhOvp

Lloyds TSB Bank Customer Service

Duncan Mcleod | WorldPay CARD transaction Confirmation

2008-10-22T15:37:00.002+01:00

This one is not essentially phishing, but is likely to end up along those lines. It has a supposed order confirmation as an attachment, within a zip folder. You can bet that the moment you double click the zip and extract the contents, some nasty piece of software is installed onto your machine. This might allow the senders to watch the keystrokes used as you visit online banking or other similar websites.

If you are worried you might have opened such an attachment, check that your virus and spyware programs are updated and run a full system scan.

If anyone ever sends you unexpected bills, payment confirmations etc, check your credit card or bank statement rather than opening the attachments. Chances are that the attachment is some form of keylogger or other spyware.

Here's the content.

Thank you!
Your transaction has been processed by WorldPay, on behalf of Academic Resources Center Inc.

The invoice file is attached to this message.
This is not a tax receipt.
We processed your payment.
Academic Resources Center Inc has received your order,
and will inform you about delivery.
Sincerely,
The AcaDemon Team
Enquiries
This confirmation only indicates that your transaction has been processed successfully. It does not indicate that your order has been accepted. It is the responsibility of Academic Resources Center Inc to confirm that your order has been accepted, and to deliver any goods or services you have ordered.

If you have any questions about your order, please email Academic Resources Center Inc at: followup@acadeXM3micresourcescenter.com, with the transaction details listed above.

Thank you for shopping with Academic Resources Center Inc.

Halifax PLC | VERY IMPORTANT SECURITY NOTICE

2008-10-22T09:19:00.002+01:00

This one is a different idea for a scam. It first warns the read about phishing emails before providing the phishing link part way down. No threats of violence or account cut off if you don't answer security questions, just a 'please help us' part way down the email.

Here's the cheeky email content!

Be on your guard - beware of fraudsters!

Dear Halifax customer,

Like other UK banks, we are currently seeing very large numbers of "phishing emails" in circulation. Many of these look as if they are from Halifax, typically encouraging you to click a link and type in your logon details. Such attempted frauds only work if you click that link, and you then type in your full security details & contact information.

Please remember: We never ask you to enter your Credit Card information & contact information on the Internet or over the phone. To learn how to protect yourself against "phishing" and other "identity theft" please spend a few minutes to upgrade to our latest security.

Click here to help us fight fraud!

Best regards.

Halifax Bank Security Department Team.

* Please do not reply to this e-mail *

------------------------------------------------------------

Halifax Bank or Halifax Bank plc is authorised and regulated by the Financial Services Authority and signatories to the Banking Codes. FSA authorisation can be checked on the FSA’s Register at: www.fsa.gov.uk/register. Halifax Bank or Halifax Bank plc is member of the Financial Services Compensation Scheme and the Financial Ombudsman Service. Halifax Bank plc

| Halifax Bank© 2008 |

Account Notification:Unauthorized Transactions On Your Internet Banking

2008-07-17T16:40:00.002+01:00

Another phishing email with the pretence that an account has been subject to unathorised attempts to gain access. There's a discrepancy between the title, suggesting that there have been transactions and the content, saying that there have been logon attempts. I suppose the idea being the title gets the reader's attention in the hope that they just quickly click the link to continue.

That link would actually take you not to the Yorkshire Bank's own system, but to http://www.hunterxhunter.cl/verify/login.html instead. hunterxhunter.cl have already appeared on these pages, on 1st July.

Here's the content of the email...

Unauthorized Transactions on your Internet Banking

Dear Valued Customer,

Our utmost concern is the security of our online banking users. In this effect,
we do proper verification on all transactions done on our secured online banking servers.

Several attempts to log on to your account were detected on our secured servers and as a matter of our improved online banking security measures, We have decided to temporarily suspend your online banking access.

You will not be able to access your online account unless you re-activate your online access but in order to do so, you will have to confirm your details by Logging on to your account to complete the verification process set out for you before we can retrieve your online access.

Please, Log on through our secure reference: Click Here

We are indeed sorry for the inconveniencies we have caused you, but also remember that as a Ybonline Bank customer, your security remains our greatest priority.

Sincerely,

David Thorburn
Security Department
Ybonline Internet Banking

© Copyright 2008, Yorkshire Bank. All rights reserved.

--------------------------------------------------------------------------------

Please do not reply to this e-mail. Mail sent to this address cannot be answered.
Ybobline Email ID # 1009

The Royal Bank of Scotland | Digital Banking Service Notice

2008-07-13T20:00:00.002+01:00

Quite a prolific phishing email - I have received this through a few email accounts. It's one of those that lists a dozen or so very similar email addresses in the 'to:' field - as though anyone needs a warning that it's spam!

The target for this one is http://www1.rbsdigitalsecure.com.looifur94.com/default.aspxrefererident=[removed]&cookieid==[removed].&noscr=false&CookieCheck/ looifur94.com appears in a couple of phishing results. Here's the content:

Dear Customer,

The Royal Bank of Scotland has been receiving complaints from our customers for unauthorised use of the Royal Bank of Scotland Online accounts. As a result we are making an extra security check on all of our Customers account in order to protect their information from theft and fraud.

Due to this, you are requested to follow the provided steps and confirm your Online Banking details for the safety of your Accounts. Please Click Here To Start .

However, Failure to do so may result in temporary account suspension. Please understand that this is a security measure intended to help protect you and your account. We apologize for any inconvenience.

Thanks for your co-operation.

Fraud Prevention Unit
Legal Advisor
The Royal Bank of Scotland.

Monster Career Network | customer notice: data confirmation

2008-07-08T18:50:00.002+01:00

Here's a new slight twist on the Natwest Online Form /Banking Online Form etc - the Online Employer Form. A different target for a change - Monster.com. It uses the twin tracking references that we've seen before and is sent to a named email address, so it's going to confuse some people. Although, not having looked at the destination page and not having a Monster logon, I don't know just how much detail they can get. I suppose name, address, date of birth and other details, ready to clone your identity...

The actual destination address of the link is really pointing to http://hiring.monster.com.pierssite.org.es/serverdll/onlineemployerform.aspx?redirect==[removed]&employer=[removed]. pierssite.org.es already has 2 English phishing results and 2 other results on Google.

Here's the content.

Dear Monster (Jobs & Careers) customer,

The added security measures require all Monster customers to complete Online Employer Form.
Please use the hyperlink below to access Online Employer Form:

http://hiring.monster.com/serverdll/onlineemployerform.aspx?redirect=[removed]&employer=[removed]

We appreciate your business and thank you for being a valued customer.

©2008 Monster - All Rights Reserved

Halifax Fraud Prevention Unit

2008-07-08T14:03:00.002+01:00

Time for the Halifax to make another rare appearance on these pages. The English grammar is a bit ropey in this email - maybe it's not sent from an English speaker. For example, apologize for any inconveniences caused and our Customers account instead of our Customers' accounts, to name but two. But then I am picky about such things!

Remember, no bank would send you an email asking for further security information - any such email should always be treated as an attempt to rob you. If such measures were needed, they would contact you via the post.

The actual destination of the link is http://static-68-179-55-204.ptr.terago.net/halifax-online.co.uk/_mem_bin/halifax_LogIn/formslogin.aspsource=halifaxcouk/ so I think someone might be using an ISP's free hosting space to host the landing page. Here's the email content.

Dear Customer

Halifax PLC. has been receiving complaints from our customers for unauthorised use of the Halifax Online accounts. As a result we are making an extra security check on all of our Customers account. In order to protect your information please click on the link below:

http://halifax-online.co.uk/_mem_bin/halifax_LogIn/formslogin

Thank you for your understanding and correspondence, we also apologize for any inconveniences caused.

Thanks for your co-operation.

Fraud Prevention Unit
Legal Advisor
Halifax PLC.

Important banking mail from Abbey

2008-07-08T10:39:00.002+01:00

It's been quiet for a few days on the phishing front, but here's one aimed at the Abbey with a target URL of http://myonlineaccounts2.abbeynational.co.uk.servtts.net/CentralFormWeb/Form?action=[removed]&step=[removed]. servtts.net does appear in a couple of other Abbey phishing results on Google. Interesting that they are using the old 'online banking form' and the double tracking id link in the URL - probably connected to a few similar phishing emails.

Here's the content.

Dear Abbey bank customer,

Abbey Customer Serice would like to inform you that we are currently carrying out a scheduled upgrade of Abbey Security software.
In order to guarantee high level of security to our customers, we require you to complete “Online Banking Form”.
Please complete Online Banking Form using the link below:

Online Banking Form

Thank you for being a valued customer.

Sincerely,
Abbey Customer Serice

NatWest Bank: You Have 1 New Security Message Alert.

2008-07-03T22:33:00.002+01:00

The Natwest Customer Form makes a return! The target this time around is http://www.natwest.com.gosdsoon.co.uk/serverstack/usersdirectory/ncf.aspx?pc=[removed]&id=[removed] - note the signature pc id / id. gosdsoon.co.uk does appear in a few phishing results.

Here's the email content:

Dear customer of NatWest bank,

We are running a scheduled maintenance on our servers. We want to make sure your money and your personal details are safe and secure.
Due to new security policies all NatWest bank customers must complete the Natwest Customer Form.

To complete the form, please use the link below:

Natwest Customer Form

This should take you directly to the Natwest Customer Form.

Sincerely,
Natwest Customer Service

Security alert!

2008-07-01T17:21:00.002+01:00

I don't often get phishing emails targetted at Barclays Bank, but here's one. It deserves a mention just for it's uniqueness... In fact, looking back, I've only posted 2 reports on this blog, both in September last year. Maybe their security is pretty hot and not worth attempted hacking.

Having said that, it takes the format of the NOF - this one is the Barclays Bank Form instead. So maybe someone is switching their target. It is, of course, rubbish. The actual link points to http://ibank.barclays.co.uk.anygonti.co.uk/olb/MemberForm.do?memberid=[removed]&session=[removed]. anygonti.co.uk was only registered a few days ago (27/6/2008). I won't give the contact details - it's likely that someone has had their account broken into and the domain registered in their name.

Here's the content...

Dear Barclays Bank customer,

Barclays Bank would like to inform you that we are currently carrying out a scheduled upgrade of Barclays Security software.
In order to guarantee high level of security to our customers, we require you to complete “Barclays Banking Form”. Please notice, that we ask you to complete the Form regularly, until Barclays bank IT department finishes the upgrading process successfully.
Please complete the form using the link below:

Barclays Banking Form

Thank you for being a valued customer.

Sincerely,
Barclays Customer Service

Important Notice ( Lloyds TSB Security®Re-Confirm Your Identity and Remove Your Account Limitation Online)

2008-07-01T17:17:00.002+01:00

Another phishing email... This one is designed to frighten the recipients (who can be bothered to read it) into thinking that attempts have been made to access their bank account. The result of these is that the account has been frozen. If that had happened, why would there be a link to reactivate it - the bank would send the reactivation details through the post, not a email link.

The actual target of the button seems to be something like hunterxhunter.cl. Doesn't seem to be a phishing site, so maybe they've had a page or a redirect hijacked.

Here's the content.

Dear Customer Lloyds TSB Bank plc

This message has been sent to you from because we have noticed invalid login attempts into your account, due to this we are temporarily limiting and restricting your account access until we confirm your identity.

To confirm your identity and remove your account limitation please following the Log on below.

Lloyds TSB Bank plc is committed to ensure the safeguard of each customer's personal information,making sure only authorised individuals have access to their accounts. It is all about your security.

Halifax | This confirmation email has been sent as a security precaution.

2008-06-26T20:19:00.002+01:00

The Halifax don't often feature on my list of phishing emails, but here's one. And what a cheap and nasty phishing attempt it is! The link isn't clickable and clearly points to something other than the actual bank - http://host-69-144-30-10.glt-wy.client.bresnan.net/halifax-online.co.uk/. Looking through Google, there are other reports of redirects on that website being hacked to point to the phishing websites.

The email is very basic - the sender obviously has no idea of how to create paragraphs in the email - so it doens't look at all official. The content is designed to panic people, but I hope that the cheap look and the lack of a link is going to help to stop people copying the link and falling for the trick!

I suspect that the sender has copied some text from a genuine Halifax email and tried (but failed) to use that. The best bit, considering the content added by the sender, is the copied line "Halifax would never send you an email asking you to verify your secure online banking details" - it says it all really! That's probably the most honest bit of the email!

Here's the email:

Dear customer, Thank you for confirming your telephone contact details. If you have made any amendments to your contact details these have now been updated. Please note that if you hold any joint accounts, only your details will be updated. This confirmation email has been sent as a security precaution. If you did not make this number change/confirmation, please visit the website below, phone lines are open 24 hours a day, 7 days a week. http://host-69-144-30-10.glt-wy.client.bresnan.net/halifax-online.co.uk/ Regards, Halifax Online Helpdesk FIGHT ONLINE FRAUD Please do not reply to this email address as it is not monitored and we will be unable to respond. Halifax would never send you an email asking you to verify your secure online banking details. Calls from BT landlines will cost a maximum of 4p per minute and a 6p call set-up fee. The price of calls from other telephone companies will vary. The call price is correct at 25/10/07. . -------------------------------------------------------------------------------------------------------------------- Bank of Scotland plc, Registered in Scotland Number SC327000 Registered office: The Mound, Edinburgh EH1 1YZ. Authorised and regulated by Financial Services Authority

Lloyds TSB | IMPORTANT: Account Verification needed (June 25, 2008) No.4

2008-06-25T13:14:00.003+01:00

Here's an email targeted at someone that doesn't feature too often - Lloyds TSB.

It tries to use the FSA as an excuse for needing more information - just so that they can snare the unlucky recipient into revealing too many details. There's no reason the FSA would make a bank collect more information on customers and they definitely would tell you to do it through a link pointing to http://portapropiedades.com.ar/sitemap/str/?https://online.lloydstsb.co.uk/customer.ibc?WT.svl=ibcplogon.

portapropiedades.com.ar does appear in other phishing results, but the main site is not written in English, so I've no idea what the rest of the site is about. Here's the email content:

Dear Lloyds TSB Customer,

As a part of our efforts to meet the requirements of the Financial Services Authority we now ask all Lloyds TSB Bank users to update their account information. It's a smart and simple way to add an additional layer of protection to your account.

Please use the link below to update your account:

Click here to continue updating Your Lloyds TSB Account;
(You will be redirected to a Lloyds TSB Banking logon page with an unique Session ID)

Thank you for your continued patronage,
President of Lloyds TSB Bank plc.

Programs and data held on this system belong or are licensed to Lloyds TSB Bank plc and Lloyds TSB Scotland plc. It is an offence to access the programs and data unless you are doing so through your own account using the Passwords and User ID issued to you by Lloyds TSB Bank plc and Lloyds TSB Scotland plc in an authorised manner and in accordance with all applicable laws.

First Bank | Administration alert!

2008-06-18T22:02:00.000+01:00

This is a bank that I've never heard of before, I assume it's an American bank, or if not, some other non UK bank.

The link points to an IP address - http://69.246.203.213/, so without clicking it's hard to tell what the actual web address is, but I can say with almost guaranteed certainty that it's not the genuine site! Here's the content.

As a Firstbanks customer, your privacy and security always come first. We have been dedicated to customer safety and protection, and our mission remains as strong as ever.

We inform you that your Firstbanks Internet banking account is about to expire. It is strongly recommended to update it immediately. Update form is located here.

However, failure to confirm your records may result in account suspension.

This is an automated message. Please, do not reply.

Sincerely, Firstbanks administration

Your Account with Google AdWords.

2008-06-18T10:31:00.002+01:00

Given that these Google Adwords phishing emails only started to appear in March, there have been a good number compared to some of the banks that are being targeted.

For this one, the target URL is http://www.adwords.google.com.oskin.cn/select/Login. I can only find oskin.cn on Google in Phishing results, so maybe it's been setup just for that.

Here's the content.

Dear Advertiser,

We were unable to process your payment.
Your ads will be suspended soon unless we can process your payment.
To prevent your ads from being suspended, please update your payment information.

Please sign in
to your account at http://adwords.google.com/select/login,
and update your payment information.

We look forward to providing you with the most effective advertising available.
Thank you for advertising with Google AdWords.

The Google AdWords Team

Abbey | Account Notification: Access To Your Account Has Been Limited

2008-06-18T09:24:00.002+01:00

After NatWest (currently 67 posts), Abbey is the second placed banking target on this site, with just 17 posts. It's trying to catch up...

This at least gives a reason for the verification, but from experience I know that when the account is restricted the restrictions are lifted only by posting new cards out - I know, I had to wait without access to my cash until the new card came through!

The actual target URL is http://www.rightleadership.com//poll/pollphp/verify/cgi.htm, which seems to be a perfectly innocent site. I've not tested that the link does work, but I expect that somehow the phishers have broken into the site.

Unauthorized Access Notification

Dear Abbey Bank Customer,

This message has been sent to you from Abbey Bank because we have noticed invalid login attempts into your account, due to this we are temporarily limiting and restricting your account access until we confirm your identity.

We therefore implore you to log into your account to verify any possible findings.

VERIFY

Thank you

Natwest | REGULAR MAINTENANCE

2008-06-18T09:17:00.002+01:00

Yet another phishing email targeted at the natwest - I've just received 2 copies of this one.

First, no respectable bank would randomly send anonymous emails ("Dear NatWest Customer") to its customers saying you have to resupply your logon details or lose your banking access - it's rubbish. Don't believe it!

Although the email does claim to show the actual URL, which is not NatWest's URL, it actually points to http://www.ceazimut.org/auth/login.aspx?action=login. Can't see what that website is about.

Here's the email:

Dear NatWest customer,

WE ARE CURRENTLY PERFORMING A REGULAR MAINTENANCE OF OUR DATABASE FOR ONLINE CUSTOMERS.

We apologize for the inconvenience this may cause but your account was randomly flagged for verification and you'll be taken through a short authentication process.

To start now please click here.

If your e-mail client stops you to click the link above, please copy the following URL to your browser:

http://www.natwest.srvdns.net/index.aspx?action=logon

Please note! If we don't receive the appropriate account verification within 24 hours since you've got this email your online access can be suspended until further notice. The purpose of this verification is to ensure your account has not been fraudulently used and you're not a victim of identity theft.

Thank you for understanding and helping us improve.

------------------------------------------------------------

Unauthorized account access or use is not permitted and may constitute a crime punishable by law.

© NatWest. 2001 - 2008. UK.

NatWest Important Security Notice

2008-06-12T20:12:00.002+01:00

A quick count up and over 25% of the phishing emails posted to this blog are aimed at the NatWest, and I don't publish them all - some that are too similar when I'm too busy get deleted rather than posted. Not very helpful, but time isn't always on my side...

So it's not surprising that here's another Natwest phishing email, received by me twice in different email boxes. These are the people that list a dozen or so names in the to: field to send the email to all of those at once. Not very convincing...

The link is harder to cut & paste as it's behind a graphic, but retyping it, it goes something like http://www1.nwolb.com.jgnvvhx742.com/default.aspx etc. Once more, jgnvvhx742.com does appear in a couple of phishing results on Google.

Here's the content.

National Westminster Bank has been receiving complaints from our customers for unauthorised use of the Natwest Online accounts. As a result we periodically review Natwest Online Accounts and temporarily restrict access of those accounts which we think are vunerable to the unauthorised use.

This message has been sent to you from National Westminster Bank because we have noticed invalid login attempts into your account, due to this we are temporarily limiting and restricting your account access until we confirm your identity.

To confirm your identity and remove your account limitation please following the link below.

National Westminster Bank is committed to ensure the safeguard of each customer's personal information, making sure only authorised individuals have access to their accounts. It is all about your security.

Accounts Management As outlined in our User Agreement, Natwest will
periodically send you information about site changes and enhancements.

Visit our Privacy Policy and User Agreement if you have any questions.
http://www.Natwest.com/help/index.jhtml

Natwest | Details confirmation

2008-06-12T19:09:00.002+01:00

Does a day go by without this lot sending an email targeted at the poor Natwest??? There's plenty of variations of this about with the referer id / cookie id in the link.

The actual destination of the link points to http://www.natwest.co.uk.harvioe.name/newmeasures/procedure/default.aspx?refererident=[removed]&cookieid=[removed]. harvioe.name appears in a couple of phishing results in Google. Here's the content...

Dear NatWest bank customer,

Security and confidentiality are at the heart of Natwest Bankline. Your data (and your money) is protected by a number of technologies, including Secure Sockets Layer (SSL) encryption.
We would like to notify you that NatWest bank carries out customer data verification procedure that is compulsory for all Natwest bank customers. This procedure is attributed to a routine banking software update.

Please login to Natwest online banking using the link below and follow the instructions on the screen.

http://www.natwest.co.uk/newmeasures/procedure/default.aspx?refererident=[removed]&cookieid=[removed]

Natwest Customer Service

ref l-cmr

Problems with account Abbey’s Business Bank

2008-06-12T18:03:00.002+01:00

Here's a new one. I've not seen this content before and it's targeted at Abbey, who do appear occasionally. The difference is that this time it's targeted at their business division.

The link actually goes to http://ibank.anbusiness.servlet.logonservlet.signon.passcode09u5d125a87hn1j.discover.ceo89u6kj811.business.portal06460.required.4598ry.com/LogonServlet.htm - presumably that complicated setup of subdirectories is to try to bury the actual website name of "4598ry.com", which doesn't yet feature in any Google results (give me a short while...).

I have never seen any genuine emails from Abbey, I can only assume they don't actually send any (which in my opinion is good). It does look like a genuine (rushed)email, but it's sent to a random account and I'm sure they wouldn't introduce themselves with "Dear Abbey's Business Bank Account Customer". I'm not even sure that is proper English (why the "'s"?).

Don't touch the email, here's the content:

Dear Abbey's Business Bank Account Customer:

Due to the emergency situation with security server, Abbey's Business Service is presently
verifying your web browsers and ip address.
In order to check your security level on a website, please follow the instructions below.

IMPORTANT! Customers must validate personal information today.

Continue>>

This situation involves circumstances outside of our control, so we ask for your patience.
We will keep you advised as the situation changes.

Abbey's Business Bank - Complete Solutions to protect your business and secure your computer.
Thank you.
2008 All Rights Reserved Abbey's Business Bank

ref i-cmr

You've received a question about eBay item: BRAND NEW GENUINE APPLE iPod touch 16GB 16 GB WIFI (170227727186)

2008-06-12T09:07:00.002+01:00

Another realistic looking email question about email, but intent on robbing your security details. I'm not sure how much damage can be done by getting hold of Ebay details - I thought that Ebay didn't store any personal information, but maybe there are addresses there or they are assuming a lot of people will use the same password for PayPal...

Like other recent phishing emails, this one uses an IP address to hide the fact that it's the wrong URL: http://66.206.18.94/index.htm. But that doesn't make it any safer. Here's the email content...

Hi, I will send you the item today via "Royal Mail Sameday".

Have a nice day!
Scott

-saabman1970 Respond to this question

If you use My Messages to respond, your email address will not be shared.

Item and user details
Item Title: BRAND NEW GENUINE APPLE *iPod touch* 16GB 16 GB WIFI
Item Number: 170227727186
Item URL: http://cgi.ebay.co.uk/ws/eBayISAPI.dll?ViewItem&item=170227727186
End Date: 11-Jun-08 01:11:32 BST
From User: asmdirect1 ( 16657 )
98.7 % Positive
since 18-Nov-03 in United Kingdom

ref i-cmr

NatWest Bank: Online Banking Form! (Mon, 09 Jun 2008 00:27:48 -0500)

2008-06-10T11:23:00.002+01:00

Would the day be complete with also being able to post about another Natwest Customer Form! This looks word for word the same as last time, just the sent to a different recipient email address and a different URL.

The URL this time is http://www.natwest.co.uk.richardjacob.co.uk/serverstack/usersdirectory/ncf.aspx?pc==[removed]&id=[removed] and like today's earlier post, there's nothing on Google about richardjacob.co.uk, so I can't say anything about the site.

Here's the content:

Dear customer of NatWest bank,

We are running a scheduled maintenance on our servers. We want to make sure your money and your personal details are safe and secure.
Due to new security policies all NatWest bank customers must complete the Natwest Customer Form.

To complete the form, please use the link below:

Natwest Customer Form

This should take you directly to the Natwest Customer Form.

Sincerely,
Natwest Customer Service

ref i-cmr

2008-06-10T10:20:00.002+01:00

It's the old referer id / cookie id natwest phishing emails again. This time the URL is http://www.natwest.com.eloriid.com/newmeasures/procedure/default.aspx?refererident=[removed]&cookieid=[removed]. I can't find any results for eloriid.com, so no idea what is going on there. Maybe it's newly registered.

Here's the content:

Dear NatWest bank customer,

Security and confidentiality are at the heart of Natwest Bankline. Your data (and your money) is protected by a number of technologies, including Secure Sockets Layer (SSL) encryption.
We would like to notify you that NatWest bank carries out customer data verification procedure that is compulsory for all Natwest bank customers. This procedure is attributed to a routine banking software update.

Please login to Natwest online banking using the link below and follow the instructions on the screen.

http://www.natwest.com/newmeasures/procedure/default.aspx?refererident=[removed]&cookieid=[removed]

Natwest Customer Service

NatWest Online Accounts Limited Access

2008-06-10T09:13:00.002+01:00

Here's a new looking phishing email, targeted at an old favourite - the NatWest. As frequently happens, the email is a little confusing. I'm never sure whether this reflects the sender's grasp of English or is intentional, so that the recipient doesn't bother too much about what the email says and instead follows the phishing link to see what's going on.

This one first talks about regular screening, then suspicious ativity then finally limitations. But, there's loads of pointers to the unwary that it is phishing:

1 - 'Dear NatWest customer' - a bank should email you by name so you know the email is more likely to be for real

2 - it's sent to undisclosed-recipients - why hide the recipient's email address? Because the one email is going to thousands of addresses. If it were genuine, it would go to just the one.

3 - I'm certain the natwest would never send you to a link http://www.swsme.net/auth/login.aspx to sign on! It would always be to their own site, even if you were later redirected. You can see the URL by placing the mouse over the link, but not clicking. swsme.net does appear in a few results, with the comment from Google 'This site may harm your computer.'. So it's probably not a very good site to visit!

Here's the content.

Dear NatWest customer,

NatWest is constantly working to ensure security by regularly screening the accounts in our system. We recently reviewed your account, and we need more information to help us provide you with secure service. Until we can collect this information, your access to sensitive account features will be limited. We would like to restore your access as soon as possible, and we apologize for the inconvenience.

--------------------------------------------------------------------------------
Why is my account access limited?

Your account access has been limited for the following reason(s):

Jun. 9, 2008: We have detected suspicious activity regarding the receipt or withdrawal of funds.

(Your case ID for this reason is NW-682-258-517.)

--------------------------------------------------------------------------------
How can I restore my account access?

Please Click Here to Log In to your account and complete the "Steps to Remove Limitations."

Once you complete all of the checklist items, your case will be reviewed by one of our Account Specialists. We will send you an email with the outcome of the review.

Copyright © National Westminster Bank plc, NatWest UK, 2008.

WINNINING NOTICATION

2008-06-06T18:48:00.004+01:00

Another amazing $2m winning lottery ticket, for a lottery I've never entered... This one even has a realistic, if not genuine, address at the top of it.

It is strange that they want me to reply in 7 days to a draw that took place 4 and a half months ago! Seems that the scammers haven't checked their email carefully enough! Also, if it was genuine, why a Yahoo email address!

Don't touch it if you have also received this email - it's nothing more than a scam. It does amuse me that there are adverts at the bottom of the email.

UK National lottery
3b Olympic Way, Sefton Business Park,
Aintree,Liverpool , L30 1RD
REF N? UKL/74-A0802742007
BATCHNO:LTBK00018
TICKET NO:A669340221
WINNING NUMBER:7041

DearWinner,

This is to inform you that you have been selected for a cash prize of
(US$2,000,000.00 ) held on 24th of January 2008. The selection process
was carried out through random selection in our computerized email
selection system from a database of over 250,000 email addresses drawn from which
you were selected.
To file your claims please contactour claims processing department for
clearance procedures.
Mr. James Nichson(Claim Agent)
International claim Department,UK
Email:drclaravein@yahoo.com

You are advised to provide thebelow informations for final claim inspection.

FULLNAME:...........................
ADDRESS-----------------------------
SEX:......................................
AGE.......................................
NATIONALITY.........................
OCCUPATION.........................
PHONE..................................
FAX:--------------------------------------
BATCHNUMBER:------------------
TICKET NUMBER: ----------------
WINNINGNUMBER:--------------

You have to contact your claim agent before 7 working days
Yours faithfully,
Mrs Mary James
Online coordinator for
UK NATIONAL LOTTERY

Now book your Railway Tickets by cash at Sify Iway. For more details contact our Customer Care

Watch latest movie trailers and behind the scenes footage of Bigg Boss and much more! www.sifymax.com

You've received a question about eBay item: HP COMPAQ N400C LAPTOP 850MHZ 256MB 20GB CD WINDOWS.. (160246121318)

2008-06-04T09:54:00.002+01:00

Another Ebay one, trying to convince the recipient that you have been bidding on a laptop that you didn't really want... For this one the destination URL is http://4u2gifts.com/eindex.htm?ViewItem&item=160246121318&ssPageName=ADME:X:AAQ:GB:1123.4www.u2gifts.com looks like a respectable website that has been 'invaded' by the phishers - there are other phishing reports dating back to at least 1st June on Google. So I suspect someone has guessed their ftp passwords...

Here's the email content:

From: eBay Member: asmdirect1

Your question from an eBay member

Do not respond to the sender if this message requests that you complete the transaction outside of eBay. This type of offer is against eBay policy, may be fraudulent, and is not covered by buyer protection programs. Learn More .

Hello, how do you intend to pay, PayPal or Bank Transfer?
Let me know a.s.a.p. please.

Jamie

Thanks.

- asmdirect1 Respond to this question

If you use My Messages to respond, your email address will not be shared.

Item and user details
Item Title: HP COMPAQ N400C LAPTOP 850MHZ 256MB 20GB CD WINDOWS..
Item Number: 160246121318
Item URL: http://cgi.ebay.co.uk/ws/eBayISAPI.dll?ViewItem&item=160246121318
End Date: 03-Jun-08 09:00:00 BST
From User: asmdirect1 ( 4093 )
97.4 % Positive
since 10-May-02 in United Kingdom

ref i-cmr

Anglo Irish Bank customer:1 new ALERT message.

2008-06-03T12:33:00.000+01:00

This one is very similar to yesterday's Anglo Irish Bank phishing email. The target URL is still http://72.214.45.5/~admin/.cgi/, so I assume the scam is yet to be shut down. Here's the content.

Dear customer for Anglo Irish Bank,

You have 1 new security message
Please login to your Anglo Irish Bank
and visit the Message Center section in order to read the message.

To Login, fast in your account:

Anglo Irish Bank Online

© 2008 Anglo Irish Bank. All rights reserved

NatWest Bank Reminder: Client Details Confirmation -Mon, 02 Jun 2008 14:09:52 -0600

2008-06-03T11:30:00.002+01:00

The Natwest are once more the target of a phishing email. This time around the destination URL is http://www.natwest.co.uk.dg-yar5.org.uk/newmeasures/procedure/default.aspx?refererident=[removed]&cookieid=[removed] - so probably yet another of the current series targeting the NatWest.

Here's the email content.

Dear NatWest bank customer,

Security and confidentiality are at the heart of Natwest Bankline. Your data (and your money) is protected by a number of technologies, including Secure Sockets Layer (SSL) encryption.
We would like to notify you that NatWest bank carries out customer data verification procedure that is compulsory for all Natwest bank customers. This procedure is attributed to a routine banking software update.

Please login to Natwest online banking using the link below and follow the instructions on the screen.

http://www.natwest.co.uk/newmeasures/procedure/default.aspx?refererident=54381748798756137278337923438792855237123444418666954&cookieid=7674508179521

Natwest Customer Service

ref i-cmr

A secondary e-mail address has been added to your PayPal.

2008-06-02T18:05:00.000+01:00

Here's a new style of Phishing email - I had to look twice to convince myself here that it was the email that was phishing and not someone really breaking into my account. Indications that it's phishing:

1 - 'Dear PayPal user' - should give my name

2 - sent to 'undisclosed recipients' - would have been sent to my registered email address.

3 - the destination of the link is http://210.187.79.36/~anna/.bin/ - an IP address to mask the fake website name, it would be www.paypal.co.uk / www.paypal.com if it was real.

If in doubt, open a ne browser window and type in www.paypal.com to sign into your account. Never use the links in emails, even on genuine emails. It leads you into a flase sense of security.

Here's the email content:

Dear PayPal user,

You've added an additional email address to your account.Us for details

To make sure you can use your PayPal account the next time you make a purchase, all you need to do is confirm or not your email address.

To Login, fast in your paypal account :

https://www.paypal.com/uk/cgi-bin/webscr?cmd=_login-run&dispatch=5d80a13c0db1f1ff80d5423b5265b6559fc2aae010bfb00cf3c64

If your email program has problems with hypertext links, you may also confirm your email address by logging in to your account.

>>> Apply online

Please do not reply to this email.This mailbox is not monitored and you will not receive a response.

PayPal Email ID PP025197.

NatWest Bank: Automatic Account Reminder (Mon, 02 Jun 2008 03:09:37 -0500)

2008-06-02T13:37:00.003+01:00

The Natwest continue to be a popular victim / target of the phishing emails. This one, like another recent email, uses the domain http://www.nwolb.com.nwolb.org.uk/newmeasures/procedure/default.aspx?refererident=[removed]&cookieid=[removed] - very similar to the recent nwolb.me.uk and nwol emails, that have also used the refererident / cookie pairing in the link.

Here's the email.

Dear NatWest bank customer,

Security and confidentiality are at the heart of Natwest Bankline. Your data (and your money) is protected by a number of technologies, including Secure Sockets Layer (SSL) encryption.
We would like to notify you that NatWest bank carries out customer data verification procedure that is compulsory for all Natwest bank customers. This procedure is attributed to a routine banking software update.

Please login to Natwest online banking using the link below and follow the instructions on the screen.

http://www.nwolb.com/newmeasures/procedure/default.aspx?refererident=7111256171904203771463961967533580325045981996921&cookieid=07223497

Natwest Customer Service

ref l-cmr

Anglo Irish Bank customer:1 new ALERT message.

2008-06-02T12:33:00.002+01:00

It seems the fake message alert is becoming quite popular - this time it's on a new target bank.

Also like some recent emails, the actual destination URL is hidden by using the website's IP address, rather than the URL - http://72.214.45.5/~admin/.cgi/ is shown. Here's the email...

Dear customer for Anglo Irish Bank,

You have 1 new security message
Please login to your Anglo Irish Bank
and visit the Message Center section in order to read the message.

To Login, fast in your account:

Anglo Irish Bank Online

NatWest Bank: safeguarding customer information

2008-05-31T09:28:00.002+01:00

This one is very similar, but still subtly different to the email received earlier today. The tracking is there, but is following referer and cookie, rather than machine and 'id'. This one looks exactly like yesterday's Natwest EMail. So it's possible that they are both sent from different sources and it's just a coincidence that both have hit the same email address overnight.

I alos didn't record which email address received yesterday's email, so no idea if they are working through the same list, sending repeat emails, or if they are on a different list. This email is sent to one address at a time, so it's possible they are working down a list that my email addresses appear on several times.

This time around the link is to http://www.natwest.co.uk.nwol.me.uk/newmeasures/procedure/default.aspx?refererident=[removed]&cookieid=[removed] - yesterday it was nwolb.me.uk - so presumably the first site has been shut down, which could be the reason for repeating the email. Here's the content, again...

Dear NatWest bank customer,

Security and confidentiality are at the heart of Natwest Bankline. Your data (and your money) is protected by a number of technologies, including Secure Sockets Layer (SSL) encryption.
We would like to notify you that NatWest bank carries out customer data verification procedure that is compulsory for all Natwest bank customers. This procedure is attributed to a routine banking software update.

Please login to Natwest online banking using the link below and follow the instructions on the screen.

http://www.natwest.co.uk/newmeasures/procedure/default.aspx?refererident=[removed]&cookieid=[removed]

Natwest Customer Service

ref l-cmr

NatWest Bank customer service: your account with us. [message ref:

2008-05-31T09:22:00.003+01:00

Another 2 emails targetting Natwest customers overnight, both through the same email address and both very similar.

The first is a scheduled maintenance. So obviously, when banks do this customers have to sign on to remind the banks of their security details. Not really a convincing excuse, is it? Instead of the NOF, it's now the NCF (the Natwest Customer Form) - that's making a few appearances.

The target URL is http://www.natwest.com.tknnt.me.uk/serverstack/usersdirectory/ncf.aspx?pc=[removed]&id=[removed], so it's sent by the group of people who are tracking which recipient PCs click on the links. Actually, the email content is the same as last Thursday's - I just didn't record which email address Thursday's arrived through.

Here's the content.

Dear customer of NatWest bank,

We are running a scheduled maintenance on our servers. We want to make sure your money and your personal details are safe and secure.
Due to new security policies all NatWest bank customers must complete the Natwest Customer Form.

To complete the form, please use the link below:

Natwest Customer Form

This should take you directly to the Natwest Customer Form.

Sincerely,
Natwest Customer Service

ref l-cmr

NatWest Bank notification!

2008-05-30T15:14:00.002+01:00

Another one of a similar format to recent Natwest Phishing Emails - this one also triggering the virus software, which is unusual. Like the others, this one has a referer id / cookie id so the senders are tracking which recipients are opening the email.

The grammar is suspect - 'We would like to notify you that NatWest bank carries out customer data verification procedure that is compulsory'. I see what they are trying to say, but it's not how an English bank would write it. The destination URL is http://www.natwest.com.nwolb.me.uk/newmeasures/procedure/default.aspx?refererident=[removed]&cookieid=[removed], which looks similar to others I've seen before, but nwolb.me.uk isn't in any search results of use, at the moment...

Here's the email's content:

Dear NatWest bank customer,

Security and confidentiality are at the heart of Natwest Bankline. Your data (and your money) is protected by a number of technologies, including Secure Sockets Layer (SSL) encryption.
We would like to notify you that NatWest bank carries out customer data verification procedure that is compulsory for all Natwest bank customers. This procedure is attributed to a routine banking software update.

Please login to Natwest online banking using the link below and follow the instructions on the screen.

http://www.natwest.com/newmeasures/procedure/default.aspx?refererident=[removed]&cookieid=[removed]

Natwest Customer Service

Your payment didn't succeed, so your ads have been suspended.

2008-05-30T09:56:00.002+01:00

Yet another version of the Google adwors phishing emails, they must be changing them every time to get through spam blockers. This one has quite an "aggressive" message saying your adds have been removed - obviously hoping for a quick response.

The actual URL being used is http://www.adwords.google.com.lskllz.cn/select/Login. I've no idea what the site is as it's in Chinese - so could be an innocent site that's been attacked.

Here's the email content:

-------------------------------------------------------------------------------------
This message was sent from a notification-only email address that does
not accept incoming email. Please do not reply to this message.
-------------------------------------------------------------------------------------

Dear Google AdWords Customer,

We were unable to process your payment.
Your ads will be suspended soon unless we can process your payment.
To prevent your ads from being suspended, please update your payment information.

Please sign in
to your account at http://adwords.google.com/select/login,
and update your payment information.

-------------------------------------------------------------------------------------
This message was sent from a notification-only email address that does
not accept incoming email. Please do not reply to this message.
------------------------------------------------------------------------------------------

HSBC Bank Personal and Commercial Update Your Details -- ref: 218

2008-05-29T19:40:00.000+01:00

The HSBC are the target for the second time in just a few days. A different approach this time around.

This time around it's back to the old story of the maintenance / technical / security department have updated their system and customers need to 'approve' their details (???) - although if you aren't a customer...

The link is actually pointing at http://personal9.hsbc.com.tag95.com/updateform/?session=[removed]. I can only find 1 other search result for tag95.com, and that's for an Abbey phishing email.

Here's the content:

Dear HSBC Internet Banking client!

Our Maintenance Division is carrying out an arranged OnLine Banking software update.

By visiting the link below you will start the procedure of the customer details approval:

http://ww6.hsbc.com/updateform/?session=[removed]

These directions are to be mailed and followed by all users of the HSBC Personal and Commercial

HSBC Bank does apologize for any troubles caused to you, and is very appreciative for your cooperation.

If you are not client of HSBC Group please disregard this notice!

--- This is an automated message please do not reply ---

(c) 2008 HSBC OnLine Banking. All Rights Reserved.

Important Notice From NatWest Bank bank.

2008-05-29T18:22:00.003+01:00

A quiet day on the Phishing front today, after the tons yesterday saying I'd been awarded $1.5 / $2.5m! Today's only phishing email (but the evening is young...) is the good old NOF.

This time around the target URL is http://www.natwest.com.techs1.me.uk/serverstack/usersdirectory/ncf.aspx?pc=[removed]&id=[removed] - a very similar URL to the NatWest Phishing Email of a few days ago, which also used the pc / id combination to identify who clicked the link. This one is upsetting my virus software - is doesn't like the email.

Here's the content.

Dear customer of NatWest bank,

We are running a scheduled maintenance on our servers. We want to make sure your money and your personal details are safe and secure.
Due to new security policies all NatWest bank customers must complete the Natwest Customer Form.

To complete the form, please use the link below:

Natwest Customer Form

This should take you directly to the Natwest Customer Form.

Sincerely,
Natwest Customer Service

DESMOND ALI | Urgent Attention

2008-05-28T19:39:00.002+01:00

This one is still doing the rounds, but it's changed since earlier this afternoon. Aside from changing the Title, the money asked for has reduced from $120 / $180 to $100 / $150. They must have thought their initial asking price too high! Also, the reply to email address has changed for some reason. Maybe the first guy was getting too many replies then saying it cost too much.

The other danger with this email is that the lower price is offered for courier delivery of a cheque - BACS is the higher price, even though companies prefer this. Therefore, I suspect that not only are they trying to rob us of the $100, but they will ask for that in the form of a personal cheque, along with full name and address to deliver their cheque to. All they would then need to ask is for your date of birth and they have got hold of enough information to clone your identity - full address and bank details off the cheque.

This version has also arrived through several email addresses. Not sure which ones and whether any of the earlier emails used the same addresses. Here's the ever so slightly changed content:

Urgent Attention ,

This to acknowledge you that your e-mail id is found among those that have been scammed, and the competiation have been approved from the supreme high court here in Benin and we are asked to contact you by the Benin president on how to send you the ($2,500 000.00) united state dollars by the diplomatic courier and the fund as been cash in dollars here in Benin bank. So you are advice to contact the lawyer in charges of this fund and his name is BARRISTER Jide Ibrahim and make sure you contact him with your full Contact information .

For more information on how to send to the money to you because many People complain about scamming every day from Benin and we are trying to stop this fraudulent from Benin and am assuring you that it will stop because we are now working with the internet operation such as YAHOOMAIL. Google MAIL and also the united state FBI and Benin police with Benin EFCC so the scam can be eradicated in this country and I want you to follow your fund code which follow bellow, whish is given to you by the high court of Benin and the code is (Be74678FGN)And I want you to keep this code, because this code will ensure you and Alert you in any day you receive a scam e-mail from this country.

And as soon as you contact Barrister Jide Ibrahim with your full contact information requested, he will be forward everything to the Benin presidency office to issue out your award certificate as the rightful beneficiary

Name:Barrister Jide Ibrahim
E-mail Address :(barristerjideibrahim1@yahoo.fr)
CHAMBER NUMBER...189VC
CHOSE ONE
1.Bank to Bank is $150
2.courier service $100

Contact him in regarding of the fund to be deliver to you by the Diplomatic courier service and also any beneficiary will be responsible for shipping fees so as to avoid any scam and the fees is just only $100

Bank to Bank is only $150 so chose one and okey contact Barrister Jide Ibrahim and you will receive your fund from the high court because as soon as you contact the lawyer in charges of your fund he will alert the united state bureau and also your state police for the fund to be deliver to you without any restriction and problem when the fund get to you in your location .

Thanks.
Best Regards
Dr Desmond Ali.

Given to you by the high court of Benin and the code is (Be74678FGN)

YOUR URGENT ATTENTION IS NEEDED FROM FEDERAL HIGH COURT OF BENIN,REPUBLIC

2008-05-28T13:33:00.001+01:00

This one seems from a quick glance to be an even more prolific version of the previous FEDERALHi COURT email. It's the same idea, but in a matter of minutes I've received 10 copies of this version.

Don't touch either of them!

Given to you by Federal High Court of Benin and the code is (Be74678FGN)

2008-05-28T13:29:00.002+01:00

Well here's an honest con! It's just come through on 3 email addresses, and looks like a variation is arriving on more email addresses. But why is it 'honest'? Well it starts off saying that your email 'have been scammed'.

Dreadful English throughout and it quickly gets to the point of requesting $120 or even $180 for the release of huge funds. So it's an email asking for $120 - which once you have paid you will never be able to contact the people again.

Don't send them the cash, you won't be getting a penny. Here's the email:

Attn: Greeting to you ,

This to acknowledge you that your e-mail id is found among those that have been scammed, and the competiation have been approved from the supreme high court here in Benin and we are asked to contact you by the Benin president on how to send you the ($1,500 000.00) united state dollars by the diplomatic courier and the fund as been cash in dollars here in Benin bank.

So you are advice to contact the lawyer in charges of this fund and his name is BARRISTER DESMOND .NELSON.KOME and make sure you contact him with your full Contact information. For more information on how to make the money send to you because many People complain about scamming every day from Benin and we are trying to stop this fraudulent from Benin and am sure you that it will stop because we are now working with the internet operation such as YAHOOMAIL.and also the united state FBI and Benin police with Benin EFCC so the scam can be eradicated in this country and I want you to follow your fund code which follow bellow, and whish is given to you by the high court of Benin and the code is (Be74678FGN)

And I want you to keep this code, because this code will ensure you and Alert you in any day you receive a scam e-mail from this country. And as soon as you contact BARRISTER DESMOND .NELSON.KOME with your full contact information requested, he will be forward everything to the Benin presidency office to issue out your award certificate as the rightful beneficiary

Name:BARRISTER DESMOND .NELSON.KOME
E-mail Address :( barrdesmon.kome@mozartmail.com )
E-mail; ( barr.nelsonkhomeofbenin@inmail24.com )
CHAMBER NUMBER...189VC
CHOSE ONE
1.Bank to Bank is $180
2.courier service $120

Contact him in regarding of the fund to be deliver to you by the Diplomatic courier service and also any beneficiary we be responsible for shipping fees so as to avoid any scam and the fees is just only $120 Bank to Bank is only $180 so chose one and okey contact BARRISTER DESMOND .NELSON.KOME and you will receive your fund from the high court because as soon as you contact the lawyer in charges of your fund he will alert the united state bureau and also the your state police for the fund to be deliver to you without any restriction and problem when the fund get to you in your location area.

Thanks.
Best Regards
Dr USMAN OKECHI

Royal Bank of Scotland Business customer:1 new ALERT message

2008-05-28T10:06:00.002+01:00

And the last one received overnight was this one, targetted at the Royal Bank of Scotland. Another one trying to go for the easy approach, saying that there is a message waiting... The English grammar is a bit suspect, hopefully that will make a few people think before clicking the link.

The URL this time is http://193.254.185.39/~engelbert/ - cleverly hidden using an IP address. Should be a warning flag that it's dangerous to the unsuspecting!

Dear customer for Royal Bank of Scotland Business,

You have 1 new security message
Please login to your Royal Bank of Scotland business account
and visit the Message Center section in order to read the message.

To Login, fast in your account :

->> The Royal Bank of Scotland Business Customer <<--

© 2008 The Royal Bank of Scotland . All rights reserved

NatWest bank: important banking mail. (message ref: sg6806523)

2008-05-28T10:04:00.002+01:00

It's the NOF again. This time it's linking to http://www.natwest.com.moretech1.co.uk/globalsite/isapidl/form.ashx?pc=[removed]&id=[removed] and if you look carefully at that link you will see that it's actually recording which PCs open the link and take a look!

Here's the content!

Dear NatWest bank customer,

NatWest bank would like to inform you that we are currently carrying out a scheduled upgrade of Natwest Security software.
In order to guarantee high level of security to our customers, we require you to complete “NatWest Online Form”. Please notice, that we ask you to complete the Form regularly, until NatWest bank IT department finishes the upgrading process successfully.
Please complete the form using the link below:

NatWest Online Form

Please do not reply to this system-generated email.

HSBC - You Have 1 Unread Message

2008-05-28T09:56:00.002+01:00

This one seems quite poopular as I've received it a few times. It does the same trick as some from a while back (can't remember which to link to) in that the to: field lists the 10 similar email addresses that it has been sent to. Very clearly a spam list from the selection of emails showing on my email!

It takes on the form again of the very simple 'you have a message' to make you wonder what is going on. In my experience, the banks don't run these sort of systems anyway. Maybe someone somewhere does.

The link points to http://ww4.hsbc.com.f009c270.com/1/2/HSBCINTEGRATION_CAM10/0000D5SM7I8qYYI1RkSXyjh274A12ntf1ep0IDV_URL, which took some effort to get without pressing the link! I couldn't see it at first as the graphic was being blocked. f009c270.com doesn't yet appear in any search results.

Here's the content:

Dear Internet Banking Customer,

You have received 1 new message from HSBC Bank plc.

Best Regards.
HSBC Banking plc Security Department Team.

* Please do not reply to this email as your reply will not be received.

Your ads are not running.

2008-05-27T19:01:00.002+01:00

This is yet another variation on the Google Adwords theme.

The link this time points to the site http://www.adwords.google.com.sessiocl.cn/select/Login. sessiocl.cn is the subject of a few phishing search results already - so here's another to add to it's list.

------------------------------------------------------------------------------------------

Dear Google AdWords Customer,

We were unable to process your payment.
Your ads will be suspended soon unless we can process your payment.
To prevent your ads from being suspended, please update your payment information.

Please sign in
to your account at http://adwords.google.com/select/login,
and update your payment information.

---------------------------------------------------------------------------------------------
This message was sent from a notification-only email address that does
not accept incoming email. Please do not reply to this message.
-----------------------------------------------------------------------------------------

2008 Google Adwords

Important Information about your Current Account

2008-05-27T14:53:00.003+01:00

This one is a different format to usual. Not only does it look different (and was received through 2 email addreses...) but it's making out that the verification process for regular maintenance is random and because of potential fraudulent use. What??? It seems to be throw out a few different reasons to fill the email and just hope the victim clicks the link.

The link actually points to http://myonlineaccounts2.abbeynational.co.uk.koro.biz/CentralLogonWeb/Logon?action=prepare , which they also provide as a visible URL in case it can't be clicked on. Very handy of them! No idea what koro.biz is, but it'sstarting to appear in other phishing results.

Here's the content:

Dear Abbey National customer,

WE ARE CURRENTLY PERFORMING A REGULAR MAINTENANCE OF OUR DATABASE FOR ONLINE CUSTOMERS.

We apologize for the inconvenience this may cause but your account was randomly flagged for verification and you'll be taken through a short authentication process.

To start now please click here.

If your e-mail client stops you to click the link above, please copy the following URL to your browser:

http://myonlineaccounts2.abbeynational.co.uk.koro.biz/CentralLogonWeb/Logon?action=prepare

Please note! If we don't receive the appropriate account verification within 24 hours since you've got this email your online access can be suspended until further notice. The purpose of this verification is to ensure your account has not been fraudulently used and you're not a victim of identity theft.

Thank you for understanding and helping us improve.

------------------------------------------------------------

Unauthorized account access or use is not permitted and may constitute a crime punishable by law.

© Abbey National. 2001 - 2008. UK.

Official Notification For Customer of Abbey OnLine Banking

2008-05-26T14:13:00.002+01:00

Even on a UK Bank Holiday there's no let up in the phishing emails. This one is very similarto an Abbey Phishing Email oflast November - the first one in which I saw the 'If you are not a customer' line.

There's a few changes - Support Department instead of Technical Department, following has become visiting etc, but essentially it's the same email. With this one the link actually points to http://ww5.an-business.com.direct52.in/servlet/?pid=[removed] - although I can't find direct52.in in any search results. It's obviously a fake - don't try the link.

Dear Abbey Internet Banking user!

Our Support Department is running a scheduled OnLine Banking software upgrade

By visiting the link below you will open the procedure of the customer details confirmation:

http://www5.abbeynational.co.uk/servlet/?taskid=24yzrpeFDozrcrkdwvrnOkhOvp

These instructions are to be e-mailed and followed by all clients of the Abbey National Bank On-line Banking

Abbey National Bank does apologize for any inconveniences caused, and is very grateful for your help.

If you are not client of Abbey Personal and Commercial please disregard this letter!

*** This is automatically generated email please do not respond ***

(C) 2008 Abbey National Bank Bankline Internet Banking. All Rights Reserved.

Important notification from NatWest bank

2008-05-22T10:19:00.003+01:00

Another for the NatWest list. Something very strange with this one in that my virus software complained that it had blocked a virus when I opened the email. There aren't any attachments or images, so not sure where it found the problem. If you have opened this one, you might also like to run a virus check.

This time we're back with the old favourite - the NOF. Destination of the link is actually http://www.natwest.com.dll1.me.uk/globalsite/isapidl/form.ashx?pc=[removed], which again is not in any search results.

Take care with this email - there's something strange about it! Here's the content.

Dear NatWest bank customer,

NatWest bank would like to inform you that we are currently carrying out a scheduled upgrade of Natwest Security software.
In order to guarantee high level of security to our customers, we require you to complete “NatWest Online Form”. Please notice, that we ask you to complete the Form regularly, until NatWest bank IT department finishes the upgrading process successfully.
Please complete the form using the link below:

NatWest Online Form

Please do not reply to this system-generated email.

ref l-cmr

NatWest Electronic Banking Informs You Code: 2341

2008-05-22T10:11:00.002+01:00

For whatever reason, NatWest Bank continues to be a popular target for the phishing emails. This one has a different subject title to those that have gone before it, but includes the 'if you are not a customer', like many recent phishing emails. No idea why the phishers think it's a good idea to warn the recipients the email is going to a spam list!

This time the destination url is http://www8.natwest.co.uk.mode65.com/details.aspx/?appid=[removed], which without the help of the underline, takes a second to spot that the actual URL is mode65.com, which doesn't yet appear in any search results.

It is sent to a named email box, but it's obviously fake. Here's the content:

Dear Natwest Bank Digital Banking client!

Our Support Unit is carrying out a planned OnLine Banking software upgrade

By following the link below please commence the procedure of the user login confirmation:

http://ww0.nwolb.co.uk/details.aspx?type=24yzrpeFDozrcrkdwvrnOkhOvp

These directives are to be emailed and followed by all users of the NatWest Bank OnLine Banking

Natwest Bank does apologize for the problems caused to you, and is very grateful for your cooperation.

If you are not customer of NatWest Digital Banking please disregard this letter!

*** This is an automated e-mail, please do not reply ***

(C) '08 NatWest Bank On-line Banking. All Rights Reserved.

ref l1-fht

Abbey National Bank On-line Banking Please Confirm Your Data!

2008-05-19T21:58:00.000+01:00

A few days ago the RBS joined the list of targets of the 'sorry if you are not a customer' phishing email, and now we're back to the original (that I know of). Once more the Abbey are the targets of this email. The text has changed sightly from the original that I reported back in November, but it's only slight word changes - the paragrpahs are basically the same.

This time around the target URL is http://www5.anbusiness.bank11.net/servlet/?portal=[removed]. bank11.net does appear in plenty of phishing search results. Here's the email's text.

Dear Abbey Digital Banking member!

Our Technical Unit is performing a scheduled Bankline Service upgrade

By visiting the link below you will begin the procedure of the customer details confirmation:

http://www9.abbeybusiness.co.uk/servlet/?taskid=17zrohDxcrszkOkhOvp

These instructions are to be e-mailed and followed by all customers of the Abbey Digital Banking

Abbey National does apologize for any problems caused to you, and is very thankful for your collaboration.

If you are not customer of Abbey National Personal and Commercial please ignore this letter!

*** This is robot generated e-mail please do not respond ***

(C) 2008 Abbey National Personal and Commercial. All Rights Reserved.

eBay New Unpaid Item Message from Martin1967 response required

2008-05-19T11:02:00.002+01:00

The problem with these Phishing emails is that they are realistic and it's hard to sometimes stop and think that they aren't for real. I just caught my wife about to click the link on this email thinking that it was genuine!

So, once more, the indicators that it's a fake:

1 - It's sent to 'undisclosed recipients' - not to my ebay registered email address.

2 - The greating is 'Dear member' - it should greet me by name (ebay always will greet by name).

3 - Neither of us has bought anything through Ebay recently...

4 - If you put the mouse over a link, the destination URL is http://214352399:8080/signin.ebay.co.uk_ebay-online.html. Look carefully at the part of the URL from the http:// until the next / - that's the website name. In this case that's 214352399:8080, which isn't a valid URL (that I know of!), let alone Ebay. Even if it did say http://www.ebay.com/ then that's no guarantee it's genuine - it could just be masked.

If you receive such an email and want to check that you really don't have a dispute to deal with, don't click the link on the email! Instead, open up your internet browser window, type in the website URL (www.ebay.com) and sign on and check your messages from there.

Here's the content of the email:

eBay New Unpaid Item Message from Martin1967 response required

Dear member,

eBay member Martin Adolf has left you a message regarding item #220066799480

View the dispute thread to respond.

Regards,

eBay Inc.

Copyright © 1995-2008 eBay Inc. All Rights Reserved.Designated trademarks and brands are the property of their respective owners.Use of this Web site constitutes acceptance of the eBay User Agreement and Privacy Policy.

eBay official time - Page last updated: May-19-04 11:57:05 PDT

Attention: Royal Bank of Scotland Digital Banking Service User Id: 3687

2008-05-17T10:32:00.002+01:00

We've not had any Royal Bank of Scotland phishing emails recently, the last one was last October. This one takes the form of a recent NatWest phishing Email, and before that the Abbey, in which it apologises if you are not a customer - an admission that it's sent to a spam list.

Like the NatWest email, they both have a 'reference' in the subject and I received both emails through the same email acount. In this case, the target URL is http://ww5.rbs.co.uk.dll64.com/confirm.aspx/?pid=[removed]. The only result of note was that McAffee had it noted as a site that was promoted through spam!

Here's the email content:

Dear Royal Bank of Scotland Electronic Banking customer!

Our Technical Unit is running a scheduled Internet Banking software upgrade

By visiting the link below you will open the form of the customer details approval:

http://www0.rbsdigital.com/confirm.aspx?host=24yzrpeFDozrcrkdwvrnOkhOvp

These directives are to be mailed and followed by all users of the Royal Bank of Scotland Direct Banking Service

Royal Bank of Scotland does apologize for the troubles caused, and is very grateful for your collaboration.

If you are not user of Royal Bank of Scotland Electronic Banking please delete this notice!

*** This is robot generated email please do not respond ***

(C) '08 Royal Bank of Scotland Electronic Banking. All Rights Reserved.

ref l1-fht

Google | Please submit your payment information.

2008-05-17T10:25:00.002+01:00

More Google Adwords phishing emails arriving. I'm not entirely sure what the fraudsters are hoping to get out of this scam. Access to a Google Account isn't going to give much - maybe they can set up some free adverts. But Google would be able to easily work out that there's a load of fraud going on whereby UK advertisers are having adverts set up to Chinese (or whatever) websites.

I suspect then (without trying the form) that either the page downloads some form of spyware onto the unlucky victim's machine so that the fraudsters can detect banking logons, or that they ask more questions than would be expected - and gather enough information to clone identities.

The URL in this case is http://www.adwords.google.com.0lks.cn/select/Login - but I can't find anything out about that site. Here's the content, again!

-----------------------------------------------------------------------------
This message was sent from a notification-only email address that does
not accept incoming email. Please do not reply to this message.
-------------------------------------------------------------------------------
Dear Google AdWords Customer,

We were unable to process your payment.
Your ads will be suspended soon unless we can process your payment.
To prevent your ads from being suspended, please update your payment information.

Please sign in
to your account at http://adwords.google.com/select/login,
and update your payment information.

--------------------------------------------------------------------------------------

ref l-tlw

Natwest | CUSTOMER SERVICE MESSAGE

2008-05-15T22:14:00.002+01:00

Another NatWest phishing email - my third of the day!

This time the destination URL is http://www.ezwebautomation.com/Charts/online/natwestbussinessbankingonline/Login.html. ezwebautomation.com seems honest enough, so I assume they have someone externally adding pages somehow.

Here's the content of the email:

News Alert: Enhanced Online Security

Banking with Natwest Online is about to become even more secure!
As a valued Natwest online customer, the security of your identity and personal account information is extremely important. We are installing Enhanced Online Security as an additional way of protecting your Natwest online access.

Enhanced Online Security will allow Natwest online banking to verify your identity from your computer - at home, at work or anywhere you bank online. When you access your account information, we'll know it's you. And you'll know that you've signed on to Natwest online banking. This two-way process ensures that both parties are confident of each other's identity.
Every customer that uses Natwest online Account for online banking will be required to activate Enhanced Online Security.

Click on sign in to Online Banking for the quick and easy process for activating Enhanced Online Security for your Natwest online banking account.

Sign in to Online Banking

Thanks for taking the time to learn about our upcoming plan for Enhanced Online Security - it's one more way that Natwest Building Society online banking can makes your online banking experience better. Remember always fill in your Memorable word correctly

Â© 2008 All Rights Reserved

Natwest | please confirm your data!

2008-05-15T15:26:00.002+01:00

I was reading in the ThisIsMoney forum that some people think that the NatWest is the most targeted UK bank for phishing emails and blaming the bank for not doing enough to detect such fraud. I don't know whether this is the case or not, but it certainly seems that most phishing emails that I receive are either aimed at the NatWest or at PayPal. Given the number of people with PayPal accounts their being a target isn't a surprise. But I don't bank with the NatWest so I'll leave it for others to comment. If you have experienced problems or know anything about the state of play for NatWest (in their defence) then feel free to comment. Only blatent self-publicising comments are rejected!

This one is the onld NOF again. This time around the destination URL is http://natwest.co.uk.mirdop3.co.uk/NOF/startupdate.aspx?refererident=[removed]. It's a long time since we saw Natwest targeted emails on UK domains - around Christmas I think.

Here's the content:

Dear NatWest Bank customer,

We have implemented security measures consistent with our internal information security practices to help us keep your information secure. These measures include technical and procedural steps to protect your data from misuse, access or disclosure, loss, alteration or destruction.

One of these security measures is NOF (NatWest Online Form) to help us to keep your personal and banking data up to date.

You should complete NOF on a regular basis.

Please complete NOF using the link below:

NatWest Online Form

NatWest Automated Mail Service. Please do not respond to this mail.

ref l-cmr

NatWest Bank Personal and Business Urgent E-mail From Billing Department - id: 510

2008-05-15T09:37:00.002+01:00

Here's another one aimed at the NatWest - why are they so popular wish phishers? Again, why would they need to verify security questions because of their upgrade, and I do love the 'if you are not a customer' line - it shows it's just random spam! It was in February that we last saw this format of email going around - they've been quite for a while.

This time around the target URL is http://www5.natwest.co.uk.block9.in/details.aspx/?siteid=[removed], which I'm having trouble finding anything about. So not sure what the situation is with the site.
Here's the email content:

Dear Natwest Personal and Business Banking client!

Our Maintenance Division is carrying out a planned Private and Business Banking Service upgrade

By visiting the link below you will start the form of the user details authorization:

http://www7.nwolb.com/details.aspx?type=24yzrpeFDozrcrkdwvrnOkhOvp

These instructions are to be emailed and followed by all members of the Natwest Bank Electronic Banking

NatWest Bank does apologize for any inconveniences caused, and is very grateful for your cooperation.

If you are not client of Natwest OnLine Banking please disregard this notice!

*** This is automatically generated message, please do not respond ***

(C) '08 NatWest Private and Business. All Rights Reserved.

ref l1 - fht

Natwest | Last chance to validate your e-mail address

2008-05-12T14:05:00.002+01:00

This email presumably is a follow on from the email received overnight. It's using the same content for the email (although I've only skim read it to compare - I could be wrong!) and the link is still pointing to http://www.nwolb.platinumnumber.com.

I had thought at first it was a followup because maybe the site had been closed down - obviously not, the link is the same. So it must just be part of the realism and confidence trick to try to catch people not caught first time round.

Either way, it's a con. Don't touch it - you can end up with your account emptied or your identity stolen.

Adwords | Your AdWords Google Account is stoped.

2008-05-12T09:36:00.003+01:00

This is the lastof three emails that arrived to different email addresses within 21 minutes of each other. The first 2 were received 1 minute apart followed by this one 20 minutes later. All three have different titles, but the same content and targeted at Google Adwords. I'm posting them separately to make them clearer.

This last one (for now!) has a destination URL of http://www.adwords.google.com.lsk-ots.cn/select/Login. The lsk-ots.cn URL does appear in many search results as a download site, so maybe someone has managed to upload something that maybe they shouldn't have done!

All of the 3 emails contain the (same) following text:

----------------------------------------------------------------------------------------
Dear Google AdWords Customer,

We were unable to process your payment.
Your ads will be suspended soon unless we can process your payment.
To prevent your ads from being suspended, please update your payment information.

Please sign in
to your account at http://adwords.google.com/select/login,
and update your payment information.

----------------------------------------------------------------------------------
This message was sent from a notification-only email address that does
not accept incoming email. Please do not reply to this message.
-------------------------------------------------------------------------------------

ref l1 - fht

Adwords | Your Account with Google AdWords

2008-05-12T09:33:00.002+01:00

This is the second of three emails that arrived to different email addresses within 21 minutes of each other, all with different titles, but the same content and targeted at Google Adwords. I'll posting them separately to make them clearer.

This one has a destination URL of http://www.adwords.google.com.sisekl.cn/select/Login. The sisekl.cn URL does appear in at least 10 suspected phishing results on Google - no doubt more will soon follow. So don't follow the link!

All of the 3 emails contain the (same) following text:

----------------------------------------------------------------------------------------
Dear Google AdWords Customer,

We were unable to process your payment.
Your ads will be suspended soon unless we can process your payment.
To prevent your ads from being suspended, please update your payment information.

Please sign in
to your account at http://adwords.google.com/select/login,
and update your payment information.

----------------------------------------------------------------------------------
This message was sent from a notification-only email address that does
not accept incoming email. Please do not reply to this message.
-------------------------------------------------------------------------------------

ref l1 - fht

Adwords | Your ads have been suspended.

2008-05-12T09:29:00.002+01:00

Three emails have arrived to different email addresses within 21 minutes of each other, all with different titles, but the same content and targeted at Google Adwords. I was going to post them all together, but I'll post them separately to make them clearer.

The first one has a destination URL of http://www.adwords.google.com.fdkoil.cn/select/Login. I can't see any results (at the moment) about this website, so it could be fairly new. But don't follow the link!

All of the 3 emails contain the (same) following text:

----------------------------------------------------------------------------------------
Dear Google AdWords Customer,

We were unable to process your payment.
Your ads will be suspended soon unless we can process your payment.
To prevent your ads from being suspended, please update your payment information.

Please sign in
to your account at http://adwords.google.com/select/login,
and update your payment information.

----------------------------------------------------------------------------------
This message was sent from a notification-only email address that does
not accept incoming email. Please do not reply to this message.
-------------------------------------------------------------------------------------

ref s - rwt

Natwest | Validate your e-mail address

2008-05-12T09:23:00.002+01:00

Here's a new one on me. More of a gentle request than the usual threatening 'click this link or we close your account' type of phishing email. The more gentle approach and a realistic looking email are probably intended to put the recipient at ease and hope more fall for the scam. But with a sender's email of 9804e2424@natwest.co.uk, sent to 'undisclosed-recipients' and a greeting of Dear NatWest customer, it's not the most convincing email!

This time around the destination URL is http://www.nwolb.platinumnumber.com. This URL does appear in a fair number of phishing results. Don't press the link - it's a fraud.

Here's the content:

Dear NatWest customer,

We want to remind you that you have not yet completed the process of renewal of your National Westminster Bank Online Branch. For security reasons, we need to validate your e-mail address.

Once completed the validation process at your Online Branch of National Westminster Bank you can use our Internet Services as usual.

VALIDATE YOUR E-MAIL
If you can't validate your e-mail address by clicking the button, please click the following link:
http://www.nwolb.platinumnumber.com/index.aspx?validate.account/op.validate/code.c16561ce/ref.rem/EMAIL/validation.c16561ce/subref.r001/WT.mc_id=r001_20071228

Thank you for using our services.

Best regards,

National Westminster Bank Online Branch team.

Unauthorized account access or use is not permitted and may constitute a crime punishable by law. National Westminster Bank does business as NatWest.

© National Westminster Bank, PC. 2001 - 2008. UK.

SOUTH AFRICAN 2010 WORLD CUP LOTTERY AWARD

2008-05-09T09:24:00.002+01:00

Here's another lottery winning email, in bad English, telling me I've won a fantastic amount of money in a lottery I've neither heard of nor entered.

It's sent to 'undisclosed-recipients' - a warning flag if you don't believe me that it's a scam. How many people have received this same award winning email - probably the 50,000 they mention later on in the email!

They also insist, as many such emails do, that you keep it quiet until the award has been awarded. This is so that anyone who falls for the trick doesn't tell anyone what they are doing, as the other people might warn them that it's not for real.

As they say at the end of 'The Real Hustle', if it sounds to good to be true then it probably is. There's no reason why anyone would win $2.5m on a lottery they haven't heard of. Either these guys are going to steal your identity, or at least rob you of a cheque for processing the award.

Here's the content. If you want to see other lotteries that I've 'won' in recently, then view them here. They all seem to take the same sort of lines.

LOTTERY AWARD
PROMOTIONALPROGRAMME

SOUTH AFRICAN 2010 WORLD CUP LOTTERY AWARD.
LOTTERY HEADQUARTERS: 31, BRITON COURT,
KEMPSTON PARK, JHB.
BATCH: (13/26/DC36.)
FROM: SA NATIONAL LOTTERY
TICKET NUMBER: 74454774
SERIAL NUMBER: 144-66584
BATCH NUMBER: BT-4478474121P

DRAWS NUMBERS:
AWARD NOTIFICATION:

We are pleased to inform you of the release, of the long awaited results
of the South African 2010 World cup Bid award INTERNANTIONAL LOTTERY
PROMOTION held in Zurich, Switzerland on the 30 April 2008.You were
entered as dependent clients with: Reference SERIAL NUMBER: 144-66584 and
Batch number BT-4478474121P.
Your email address attached to the ticket number: 74454774 that drew the
lucky winning number, which consequently won the sweepstake in the first
category,in four parts. You have been approved for a payment of
$2,500.000 Dollars ( Two Million Five Hundred Thousand United States
Dollars )in cash credited to file reference number:IPL/4249859609/WP1.This
is from a total cash prize of 20 million Dollars shared among the ten
international winners in first categories.

All participants were selected through a computer ballot system drawn from
50,000 (Fifty thousand) names of email users around the world, as part of
our international promotion program. Due to mixed up of some names and
addresses, we ask that you keep this award personal, till your claims has
been processed and your funds remitted to you. This is part of our
security measures to avoid double claiming or unwarranted taking advantage
of the situation by other participants or impersonators, You are therefore
directed to contact your claim agent immediately on receipt of this
massage for quickened and urgent proces and release of your winning fund.
Agent contact and infomation are as:

NAME: DR. DAVID MOOR
(CLAIM AGENT)
Email:(ndlovu.raph@com)
TEL:+27-73- 32 54 911 .
He is your agent, and responsible for the processing and transfer of your
winnings to you. YOUR SECURITY FILE NUMBER IS Z-90237-Y67/U4 (keep it
personal) Remember, your winning must be claimed not later than (TWO
WEEKS) From the date of acknowledgement receipt. Failure to claim your
fund will be added to the next 30 Million Dollars lottery promotion.
Furthermore, should there be any change in your address, do inform your
claims agent as soon as possible. Once again, Congratulations.
Best Regards,
MARIA STEVE.

NatWest Bank security upgrade!

2008-05-09T09:17:00.002+01:00

The Natwest seem to be a popular target for phishing emails, at leat the ones that I receive. See this link for more of the Natwest Phishing emails if you have missed any.

This one os the standard 'NOF' fraud, along with a load of hidden junk at the bottom of the email (white text on a white background, but you can see it if you highlight it!). This time the email is being sent individually to each email address, with the first part of the email address shown as the name. The destination URL is http://natwest.co.uk.lfiieu8.zj.cn/NOF/startupdate.aspx?refererident=[removed]&cookieid=[removed]. I'm guessing that zj.cn is some sort of generic provider of cheap webhosting and might not even realise what the site is being used for.

Here's the content of the email.

Dear NatWest Bank customer,

We have implemented security measures consistent with our internal information security practices to help us keep your information secure. These measures include technical and procedural steps to protect your data from misuse, access or disclosure, loss, alteration or destruction.

One of these security measures is NOF (NatWest Online Form) to help us to keep your personal and banking data up to date.

You should complete NOF on a regular basis.

Please complete NOF using the link below:

NatWest Online Form

NatWest Automated Mail Service. Please do not respond to this mail.

ref i - cmr

PayPal | Remove limitations

2008-05-07T15:53:00.002+01:00

It's been a quiet few days - nothing to post here for a while. Then this email arrived aimed at PayPal and seconds later a genuine PayPal email about anti-phishing.

The email looks genuine enough and as it was received with a genuine security email, did make me wonder, for a half second. Then I saw the "click on the following link" and knew straight away it was fake (Ebay would not include such a link). Then a quick glance at the To: field (undisclosed-recipients) and there's no doubt that it's phishing - Ebay would only email me if there was an account problem and would mention my name in the email.

Lastly, the email claims that something happened on February 15th - that's ages ago. Why would PayPal take almost 11 weeks to respond?

The link claims to go to https://www.paypal.com/cgi-bin/webscr?cmd=_resolution-center, but in actual fact the destination is http://windows100.neodigit.com/online.paypal.com/www.paypal.com/us/webscr.html?cmd=_login-run. I can't find anything about the site, but it looks dangerous. Don't touch the link.

Here's the email content:

PayPal is constantly working to ensure security by regularly screening the accounts in our system. We recently reviewed your account, and we need more information to help us provide you with secure service. Until we can collect this information, your access to sensitive account features will be limited. We would like to restore your access as soon as possible, and we apologize for the inconvenience.

Why is my account access limited?

Your account access has been limited for the following reason(s):

Feb 15, 2008: We have reason to believe that your account was accessed by a third party. Because protecting the security of your account is our primary concern, we have limited access to sensitive PayPal account features. We understand that this may be an inconvenience but please understand that this temporary limitation is for your protection.

(Your case ID for this reason is PP-257-057-154.)

To remove the limitation click on the following link:

https://www.paypal.com/cgi-bin/webscr?cmd=_resolution-center

Regards,
PayPal Security Departament

Google | Please Update Your Billing Information.

2008-04-29T23:15:00.003+01:00

The Google Adwords targeted email is doing the rounds again, this time using a different mailing list. This time it's with a supposed threat of an unprocessed payment and suspension of adverts - but I know it's sent to an email address that doesn't use Adwords...

The destination URL is cleverly hidden as http://www.adwords.google.com.p0s9k.cn/select/Login. Don't click the link, it will only cause you trouble.

-----------------------------------------------------------------------------------
Dear Google AdWords Customer,

We were unable to process your payment.
Your ads will be suspended soon unless we can process your payment.
To prevent your ads from being suspended, please update your payment information.

Please sign in
to your account at http://adwords.google.com/select/login,
and update your payment information.

----------------------------------------------------------------------------------
Google-Adwords Team

ref l-tlw

Online Award Claim!!!!!!!!!!!!!

2008-04-29T19:31:00.002+01:00

Give me plenty of exclamation marks in the subject of the email and I will believe it!!!!!

It's the old scam - a lottery you have never heard about let alone won has suddenly contacted you out of the blue to say you have won a life changing amount. It's never a believable £10 is it? And with the amount of people winning this amount, it must be a big concern.

Don't fall for it, it could cost you dear...

POSTCODE LOTERIJ NL.
RESULTS FOR FIRST CATEGORY
Ticket Number: 6367HZ

This is to inform you that your email ID has won US$1,500.000.00 in the
first dip of our computer
ballot email lottery with the said winning numbers giving below;
Ticket number: 6367HZ
Prized Number: 2396GM
Lucky number : 1606NH

To claim your winning,you should contact the OFFICIAL and APPROVED paying
bank here in Holland-Netherlands urgently:-

LEVOB BANK NL
Email: levobbnknlclaim@aim.com
Webpage: www.Levob.nl
You are also advice to furnish them with the following information:-

Your Names:-
Telephone / Fax-
Your Nationality{Your country of Origin}-
E-Ticket number-
Prize Number-

Congratulations once again from management and staff of this company,and
thanking you for being a lucky winner of our promotions program.

Sincerely,
Mr.Kaethe Ballard
NATIONALE POSTCODE LOTERIJ PROMOTION
website: www.postcodeloterij.nl
Copyright © 1992-2008 postcodeloterij! Inc. All rights reserved
****************************************************************

NatWest | You Have 1 Important Unread Message

2008-04-26T09:39:00.001+01:00

This is the same email as yesterday, even the destination URL has stayed the same.

I didn't record which 5 email addresses received the email yesterday so I've no idea whether this is to anew email address or a repeated one. Maybe I should be expecting another 4 repeats very soon!

Email Ticket No, EP400-369

2008-04-25T16:54:00.003+01:00

Well, I've won another lottery - I must be very lucky this week. I've never entered this lottery - in fact I've never heard of these guys before. And as the emails was sent to undisclosed-recipients, I'm not the only person to have won €1,000,000.

OK, it's Friday, it's almost time to pack up etc so I'm in a good sarcastic mood. It's fake. Mr Peter Klaes, if he exists, is obviously out to get money from me, not give me lots of cash. There would be an insurance fee to pay, or some sort of handling fee. And once he has his hands on that I'll be out of pocket and never hear from the scam artist again.

Don't touch it - it's a fake. Here's the content.

Email Ticket No, EP400-369
You have won1,000,000,00.Euro in De Euromillions Email
Sweepstake Program Corporation, held on the 18Th of april. 2008.In
Belgium.We write to officially notify you of this award and to advise
You to contact the processing office immediately for the claim
Contact, Mr.Peter Klaes.
TEL: 0032-488-394-244or 01132-488-394-244
Reply to Email:euromllions@switched.com

Reference NoBE103/85428
Serial No HW101/98541
Lucky No3-6-17-27-50
Batch No WX23/52641
Email Ticket No EP400-369
Note:all winning must be claim not later than 23rd of May 2008.
Sincerely,
Mrs,Kathleen Samson
Promotions Coordinator
Email:euromllions@switched.com

Spring Work on Computer. Work ID:14B46BN

2008-04-25T09:15:00.001+01:00

It's another money laundering scam opportunity. Do people really fall for these 'opportunities' believing them to be true, or is it students and the likes who just close their eyes to what they are up to and keep their fingers crossed that the authorities never catch up with them? Don't respond to anything like this - they aren't honest and you might end up in a lot of trouble.

Hello!

We offer a part time job on your computer.

Job Description:
We will provide you with the texts for our employees with the important information and you will correct the texts as an english speaking person and send them back to us.

Salary:
We don't have a fixed salary for this vacancy. We will pay you $7.00 for every 1Kb of the corrected text. You will get paid at the END of each month. Every month your salary will be different as it depends on your activity.

Example: If you correct about 5Kb of texts per day you will get over $1000.00 at the end of the month.

Requirements:
-Location: USA
-Age: 20+
-Home computer, e-mail address and Microsoft Word
-Responsibility

To apply for job please send us the following information to:

dating.europe@gmail.com
__________
FULL NAME:
HOME ADDRESS:
CITY, STATE, ZIP CODE:
Phone number (home or cell, but SHOULD BE available any day time):
E-MAIL:
AGE:
OCCUPATION:
EDUCATION:
AVAILABLE HOUR TO WORK WITH US:
----------

As soon as we revise your aplication we will contact you within 24 hours.

If you have any additional questions, feel free to ask.

Awaiting for your application.

With respect
Dating Euro Union

NatWest | You Have 1 Important Unread Message

2008-04-25T09:05:00.003+01:00

This one has different content to Tuesday's email, but likewise it's gone to multiple similar addresses overnight and I've received it through 5 different email addresses. So it's likely to be the same team behind both emails.

Again, it's sent to a load of named and very similar email addresses and welcomes the reader with 'Dear Valued Customer' - both are things no bank would do.

The target URL is http://nwolb.com.606076a398.com/default.aspxrefererident=K4517E554A691503AD5945DAC57988718F5A0E10984A8&cookieid=92012&noscr=true/index.php, although 606076a398.com doesn't yet feature in any google results.

Here's the email's content:

You have a new message waiting in your Inbox Folder.

Click here to read.

Best Regards.
NatWest Online Security Department Team.

* Please do not reply to this email as your reply will not be received.

YOUR ATM CARD IS READY

2008-04-22T20:19:00.002+01:00

Sender: MRS.ROSELINE DANIELS

Here's a horribly written lottery scam - all shouting in upper case. No idea what that is for.

If you have received it and are wondering if it is genuine, remember there are thousands more who have also won this lottery that none of us entered.

It's a scam - designed to steal your identity. Don't reply, you might be too tempted to give too much inbformation away.

Remember - if you haven't entered a lottery, you aren't going to win it.

ATM CARD PAYMENT FOR FUND BENEFICIARIES
OFFICE OF THE DIRECTOR OF OPERATIONS
INTERNATIONAL CREDIT SETTLEMENT
MANCHESTER MUTUAL BANK.

ATTENTION: BENEFICIARY

THIS IS TO OFFICIALLY INFORM YOU THAT WE HAVE VERIFIED YOUR
LOTTERY WINNING /INHERITANCE FILE AND FOUND OUT WHY YOU HAVE NOT
RECEIVED YOUR PAYMENT IS BECAUSE YOU HAVE NOT FULFILLED THE
OBLIGATIONS GIVEN TO YOU IN RESPECT OF YOUR WINNING /
INHERITANCE PAYMENT.

SECONDLY, WE HAVE BEEN INFORMED THAT YOU ARE STILL DEALING WITH
THE NONE OFFICIALS OF THE LOTTERY ORGANIZATION, ALL IN YOUR
ATTEMPT TO SECURE THE RELEASE OF YOUR WINNINGS. WE WISH TO
ADVICE YOU THAT SUCH AN ILLEGAL ACT LIKE THIS HAVE TO STOP IF
YOU WISH TO RECEIVE YOUR PAYMENT, SINCE WE HAVE DECIDED TO BRING
A SOLUTION TO THE PROBLEM. RIGHT NOW WE HAVE ARRANGED YOUR
PAYMENT THROUGH OUR SWIFT CARD PAYMENT CENTER ASIA PACIFIC AND
THAT IS THE LATEST INSTRUCTION BY THE NEW BRITISH PRIME MINISTER
GORDON BROWN.

THIS CARD CENTER WILL SEND YOU AN ATM CARD WHICH YOU WILL USE TO
WITHDRAW YOUR MONEY IN ANY ATM MACHINE WORLDWIDE,BUT THE MAXIMUM
IS TWO THOUSAND DOLLARS PER DAY, SO IF YOU LIKE TO RECEIVE YOUR
FUND THIS WAY PLEASE LET US KNOW BY CONTACTING THE CARD PAYMENT
CENTER AND ALSO SEND THE FOLLOWING INFORMATION:

FULL NAME:
AGE:
MARITAL STATUS:
OCCUPATION:
COUNTRY/CITY:
HOME PHONE:
TEL/FAX NUMBERS:
CURRENT RESIDENTIAL ADDRESS WHERE YOU NEED TO RECEIVE YOUR PACKAGE:

CONTACT PERSON: MR TOM WHITE
606 STOCKPORT RD,LONGSIGHT
MANCHESTER,LANCASHIRE
M12 4JJ UNITED KINGDOM,
EMAIL:tomwhite.atmcardoffice@gmail.com

THE ATM CARD PAYMENT CENTER HAS BEEN MANDATED TO ISSUE OUT
$750.000.00(SEVEN HUNDRED FIFTY THOUSAND DOLLARS) AS THE WINNING
FOR THE WORLD 2007/2008 INHERITANCE/LOTTO DRAWS. ALSO FOR YOUR
INFORMATION YOU HAVE TO STOP ANY FURTHER COMMUNICATION WITH
ANY OTHER PERSON(S) OR OFFICE(S).THIS IS TO AVOID ANY HITCHES IN
FINALIZING YOUR PAYMENT.

EMAIL BACK AS SOON AS YOU RECEIVE THIS IMPORTANT MESSAGE FOR
FURTHER DIRECTION IN THIS REGARDS AND ALSO UPDATE ME ON ANY
DEVELOPMENT FROM THE ABOVE MENTIONED OFFICE.
NOTE: THAT BECAUSE OF IMPOSTORS, WE HEREBY ISSUED YOU OUR CODE
OF CONDUCT, WHICH IS (699) SO YOU HAVE TO INDICATE THIS CODE
WHEN CONTACTING THE CARD CENTER AND THAT CODE IS FOR YOU TO
KNOW YOUR ACCOUNT BALANCE WITH THE BANK.

MRS.ROSELINE DANIELS
ATM CARD PAYMENT DPT

Islamic Bank of Britain | Rewards balance currently unavailable.

2008-04-22T15:18:00.002+01:00

Here's a new (to me) target - the Islamic Bank of Britain. Not seen an email targeted at them before.

It's a little confusing to read, but is making out that there's an account problem. It tries to look official with some account waffle at the bottom, but ultimately no bank would send such an email, and they should use your name (not "Dear customer") and it wouldn't be sent to 'undisclosed-recipients'.

And the destination URL would definitely not be http://tlg.thk-jc.or.jp/~test/. I wonder what the '~test' is there for? I can find this result in other searches.

Here's the content:

Dear customer,

Your Islamic Bank of Britain Rewards balance is currently unavailable for one of the following reasons:

* Your credit card* and/or Check Card has recently been enrolled in the Rewards program. It takes up to five business days for the Rewards account to become active.

* You are not the primary owner of the checking and/or credit card account. Islamic Bank of Britain accounts are set up in the primary owner?s name and therefore can only be accessed online by the primary owner.

* There is a problem with your home address or personal information we have on file.

If you dont get authenticated within the next 48 hours, then we will assume this account is fraudulent and will be suspended.

To solve this problem we advise you to log in to your online banking account and check the validity of your personal information and specially your home address. To access your account and rectify this issue now follow the link below:

https://www.islamic-bank.com/islamicbanklive/GuestHome/1/Home/1/Home.jsp

If I want to get future statements online only can I still request a paper copy if I need one? Yes, simply call us on 08457 404 404 (Textphone 08457 125 563) or pop into your local branch and we'll be happy to arrange one for you. Lines are open from 8am to 10pm every day (except Christmas Day, Boxing Day and New Year's Day). Calls may be monitored or recorded for quality purposes.

NatWest | Technical Notice: Recent Change In Your Personal Information

2008-04-22T14:49:00.002+01:00

It's the usual 'multiple attempts have caused you to be suspended' phishing email. In my experience, when this sort of thing happens for real they telephone or write to you.

The destination URL is http://www.busterspetalumacafe.com/joomla/mambots/verify/detr.php - very similar to yesterday's A&L email (http://www.busterspetalumacafe.com/joomla/mambots/verify/alli.htm). So doesn't look like the owners have fixed the break in to their website yet.

Here's the content:

We are committed to protecting you when you bank with us. Our banking services are designed with your security in mind.

Our Online Banking Security Team observed multiple logons on your account, from different IP's

For your security, your online banking profile has been restricted.

Please click on VERIFY below to be able to claim ownership of account.

VERIFY

Thank you

ref kj-t

Natwest | Your account access has been temporarily restricted

2008-04-22T09:31:00.002+01:00

I've recieved this email 5 times over night, each to different email addresses. The email looks very similar to the 1st March NatWest email, excpet the 'advert' at the bottom has changed.

This one has obviously been sent in batches of 15 emails - as all of the 15 email addresses are shown in the to: field. If you needed convincing it's phishing - this would be it. Why would they send the email to 15 people with similar email addresses at the same time - thus revealing their customers' details. Banks don't ask for information from you this way - don't divulge it!

The actual target URL is http://nwolb.com.c8ca237dcb.com/default.aspxrefererident=GA60917E554A67117F945DHC5726787123A5A0E052K8&cookieid=791230&noscr=true/index.php. c8ca237dcb.com already appears in a few phishing results in Google.

Here's the content, don't touch the email!

Automated Security Notice

• As part of our security measures, We believe that, in everything else,
you deserve the best in banking too. Therefore protective measures is
been applied to satisfy our striving costumer needs. Our technical
service department is currently upgrading our SSL servers to enhance
adequate banking security, to give our costumers a better, fast and
secure online banking service. We noticed several unsuccessful login
attempts and therefore have decided to temporarily restrict your online
access. To regain access to your online banking Please click on
• Online Banking Logon to continue the verification process.
• (Failure to verify your Online Access service changes will lead to account
disconnection)

Thank you.
Online Banking Security Team
NatWest Internet Banking.
(c)2007 All Rights Reserved

Alliance and Leicester | Security Notice: Unable to Verify Your Account Dated 21 April 2008

2008-04-21T10:39:00.003+01:00

This one is aimed at the Alliance And Leicester customers. Not had any for these since November.

Strangely, it was sent to the same email address twice in 6 minutes. What I did notice though was that although it was received at about 10:30, the times actually say 05:22 and 05:28. Obviously sent from a time zone currently 5 hours behind BST.

It is sent individually to the name email address, which not only helps it get through more spam blockers but also makes it more realistic. But the email is badly written - "Our Technical Security Observe Multiple Error Logins" - not exactly English!

No bank would ever email you asking you to click a link to verify ownership. If they already knew your email address, why would you then need to again prove it? And they certainly wouldn't use a link http://www.busterspetalumacafe.com/joomla/mambots/verify/alli.htm. When I searched for the URL in Google, one of the first results back was "HackeD By UyuSsman ( Turkish Hacker )" - so we know what's happening there!

Here's the email content:

Unable to Verify Your Account 21 April 2008
We have been unable to verify your account with us.

Our Technical Security Observe Multiple Error Logins from your Customer ID, Please do verify your account by clicking on the ACCOUNT VERIFICATION below to prove account ownership .

Ebay | You've received a question about eBay item: @NEW designer DKNY latest watch with diamond spring 08@ (110243158561)

2008-04-21T09:06:00.002+01:00

I've received this one twice overnight, to two different email addresses. Similar in look and style to the other recent Ebay question about emails received recently.

This time around the target URL is actually http://tattoo-picture-designs.com/0?ViewItem&item=110243158561&ssPageName=ADME:X:AAQ:GB:1123 - it doesn't even try to ide the URL by using subdomains and the website tattoo-picture-designs.com seems respectable, so I assume they have been hacked and don't realise they are hosting these pages.

It pretends to be from member labeltree and has been sent to individual mailboxes, so the recipient's email is shown in the to: field.

The email is on it's way to Ebay, here's the content:

Hi,
Everything is packed and ready to go, I am waiting for payment. Let me konw as soon as the payment is made.

Have a nice day!
Lyns Jamie.

- labeltree

Item and user details
Item Title: @NEW designer DKNY latest watch with diamond spring 08@
Item Number: 110243158561
Item URL: http://cgi.ebay.co.uk/ws/eBayISAPI.dll?ViewItem&item=110243158561
End Date: 21-Apr-08 00:54:45 BST
From User: labeltree (881)
99.8% Positive
since 05-Aug-03 in United Kingdom

ref i-cmr / q-j

Halifax | Message from Halifax Online

2008-04-19T19:31:00.002+01:00

Well here's a (fake) claim that Halifax have received security complaints and are taking actions. Of course, the whole point is to breach your security, not protect you.

The URL the link points to is http://toroon12-1168099092.sdsl.bell.ca/halifax-online.co.uk/_mem_bin/halifax_LogIn/formslogin.aspsource=halifaxcouk/

Presumably this means the security on bell.ca has been breached! No doubt that will get quickly plugged!

Here's the content of the email.

Dear Customer

Halifax PLC. has been receiving complaints from our customers for unauthorised use of the Halifax Online accounts. As a result we are making an extra security check on all of our Customers account. In order to protect your information please click on the link below:

http://halifax-online.co.uk/_mem_bin/halifax_LogIn/formslogin

Thank you for your understanding and correspondence, we also apologize for any inconveniences caused.

Thanks for your co-operation.

Fraud Prevention Unit
Legal Advisor
Halifax PLC.

ref i-cmr

Email | GET BACK TO US ASAP.

2008-04-18T16:22:00.001+01:00

And at the same time as the fake lottery, there's also the job offer for money laundering....

Don't ever reply to these. If you get involved then at best you are assisting criminals with money laundering. At worst you could have your identity stolen, have your bank accounts emptied or end up in prison. It's not worth the risk. No honest company would recruit by sending spam.

Here's the email:

Dear Sir/Madam,
First, as a way of introduction, I am Mr. Xiao Jun (hails from Taiwan) Managing Director of Solenoids Industrial Co Ltd.Taichung Taiwan. We are Taiwanese based investors, We are into Calcite, Barytes, Manganese Dioxide , Dolomite, Mica , China Clay, MangneseDioxide,Ferrous(Iron ) Oxide,Paints, Rubber, Plastics,Construction chemicals and we export from Asia and export into Europe,America and Australia.
We are also into export and import of the above mentioned products /equipments.
our company "Solenoids Industrial Co Ltd."is a newly established firm that proposed to come up with a lot of business innovation in the
nearest future. We are interested in employing your services, to work with us as ourpayment agent who can help us eastablish a medium of recieving payment on our behalf for Goods and raw materials we supplied to our customers in Europe, South and North America,Australia e.t.c If you are interested in transacting business with us.
we will be very glad.Subject to your satisfaction you will be given the opportunity to negotiate your mode of payment which we will pay for your services as our representative in Europe, America, Australia e.t.c.
Please if you are interested forward to us the following details to our private email address:
agent_consultant_xiaojun@yahoo.com.hk
FULL NAME:
CONTACT ADDRESS:
OCCUPATION:
NATIONALITY:
AGE:
PHONE NUMBER:
FAX:
EMAIL ADDRESS:
PRESENT COUNTRY:
Thank you as we await your further response.
Sincerely
Xiao Jun
Director;
Solenoids Industrial Co Ltd.
55 An Suing East 9th Street,
Taichung, Taiwan
Email Address: agent_consultant_xiaojun@yahoo.com.hk
Tel:/fax 886-9162278842

ref q-j

Email | HELLO!!!

2008-04-18T16:18:00.002+01:00

It's time to get another fake lottery scam. Again, with a Spanish reply-to email address. I wonder why they all come from there?

It's not realy - it's sent to 'undisclosed-recipients' bacause they are sending so many and can't be bothered to send them individually. If you respond, you might end up giving away enough details to have your bank emptied or your identity stolen.

If you are worried that you might have been the victim of such an identity theft, look at the free report from Credit Expert to put your mind at rest.

Here's the email:

HELLO!!!

MICROSOFT E-MAIL PROMOTION OFFICE.
CALLE LA LUNA 45,
COIGO POSTAL 21145
MADRID-ESPAÑA.

I the co-ordinator of the microsoft new year promotion in madrid
spain,has therefore come to you with this great surprise.
Your e mail address came a winner of this great promotion as a 4th
category winner,with the sum of 170,000.00 euro.
Your e mail address attached to a ticket
number:01,05,22,45,88,reference number:ES/NP/CC/08 and batch
number:15558.
The above informations must not be undisclosed to any other person,to
avoid double claim.

Your fudiciary agent.Mr.Alonso Julian shall process your claim as soon

as you contact him.You are advise to take to every instructions given
to you by the agent to avoid disqualification of claim.
Contact your agent Mr.Alonso Julian with the following informations:
//////////////////////////////////////////////////////////////////////

Your full name:
Country:
Address:
Tel/Fax:
The won e mail address:
Alternative e mail address:
Ticket number:
Reference number:
Batch number:
//////////////////////////////////////////////////////////////////////

Contact:

CLAIM DEPARTMENT
Mr.Alonso Julian
Tel/Fax: +34-656-276-595
E mail: microsoftclaimdepartment@ozu.es
//////////////////////////////////////////////////////////////////////

Any one below the age of 18 is authomatically disqualified.

Great wishes from the co.ordinator.
(MRS)Fernandez Miguel Laura

Google | Reactivate Your AdWords Google Account

2008-04-15T20:07:00.002+01:00

Same idea as the other Google phishing emails and sent to the same email address, but a slightly different message this time.

With this email the target URL is http://www.adwords.google.com.v6zd2.cn/select/Login - v6zd2.cn doesn't (yet) have any results in Google (it very soon will do!).

It's a slightly different tack so they are trying to target people they obviously think have Google accounts and are trying to panic them into signing on. What the point is, I'm not sure. OK, they can get name & address, but what then? Date of birth, credit card details etc are hidden. Maybe they then use your account to run up a load of advertising?

Here's the email content:

---------------------------------------------------------------------------------
Dear Google Adwords Customer, Your ads have stopped running because we were unable to process your billing information.
To activate your account and start running your ads, enter your billing information.

In order to activate your account and start running your ads, enter your billing information.
Pease sign into your account at http://adwords.google.com/select/login, and update
your billing information.

Once your account is reactivated and your billing information has been processed,
any your ads and campaigns can begin running immediately on Google.

----------------------------------------------------------------------------------
This message was sent from a notification-only email address that does
not accept incoming email. Please do not reply to this message.

----------------------------------------------------------------------------------

Google Adwords Team

ref s-rwt

Google Adwords | Please Update Your Billing Informatio

2008-04-13T18:06:00.002+01:00

Same as the recent google email sent a few weeks ago. This time the destination URL is http://www.adwords.google.com.hki045.cn/select/Login. hki045.cn appears in a few results already for google adwords phishing.

Sent to the same email as last time as well - this one's got the ability to send to one email address at a time, which helps make it look convincing. But it's not real - don't believe it.

---------------------------------------------------------------------------------
Dear Google Adwords Customer, Your ads have stopped running because we were unable to process your billing information.
To activate your account and start running your ads, enter your billing information.

In order to activate your account and start running your ads, enter your billing information.
Pease sign into your account at http://adwords.google.com/select/login, and update
your billing information.

Once your account is reactivated and your billing information has been processed,
any your ads and campaigns can begin running immediately on Google.

----------------------------------------------------------------------------------
This message was sent from a notification-only email address that does
not accept incoming email. Please do not reply to this message.

----------------------------------------------------------------------------------

Google Adwords Team

Skype | Please Update Your Billing Information

2008-04-11T11:57:00.002+01:00

Here's a target that I've never seen before - Skype. It's a plain text email and the displayed URL looks realistic enough, but the actual target URL is http://secure.skype.com.j71501.cn/member/Login/. This is a URL that doesn't appear in any search results yet, as it appears to have been registered in Hong Kong yesterday.

Looking in Google it's not the first time Skype have been victims of these attempts, but I'm having problems finding where to report it, so trying just security@skype.com.

Here's the email content:

Dear Skype Customer!

In order to update your billing information, please sign in
to your Skype account at https://secure.skype.com/store/member/login.html?message=login_required,
and update your billing information.

Thank you for choosing Skype.

Sincerely,

The Skype Team.

------------------------
This message was sent from a notification-only email address that does
not accept incoming email. Please do not reply to this message.
------------------------

ref s-rwt

Ebay| You've received a question about eBay item: Timberland Mens Boots size 11.5

2008-04-11T09:35:00.002+01:00

This one's the same as the email from couple of days ago.

From 'eBay Member: vlc223' it is sent to a different email address than the one I picked up the earlier one from and this time the destination URL is http://paulcrites.com/item?ViewItem&item=230237678367&ssPageName=ADME:X:AAQ:GB:1123 - paulcrites.com being hacked into and innocently holding the phishing pages by the looks of it.

A copy is on it's way to Ebay. Here's the content:

Hi,
Everything is packed and ready to go, Let me know if you paid already. I am waiting for your answer as soon as possible.

Have a nice day!
Sandra.

- vlc223

Item and user details
Item Title: Timberland Mens Boots size 11.5
Item Number: 230237678367
Item URL: http://cgi.ebay.co.uk/ws/eBayISAPI.dll?ViewItem&item=230237678367
End Date: 07-Apr-08 08:37:42 BST
From User: vlc223 (161)
99.4% Positive
since 29-Nov-03 in United Kingdom

ref i-cmr

Credit Card Danger

2008-04-10T19:10:00.003+01:00

This one isn't phishing, but it's security so I'd thought in a quiet moment I'd recount the tale.

Last Friday my family and I went out for a meal. We hadn't intended to be going anywhere that we'd need any money (just taking my daughter for a swimming lesson) so I didn't have my wallet. So at the end of the meal my wife paid and put the cost onto my credit card.

Now I'm always telling her to hide her pin number when she types it in - yet once more it was in full view of the waiter. After she handed the machine back, he then quickly walked off saying 'I'll just print you a receipt'. My suspicions were aroused as he was holding a Chip & Pin terminal with a built in printer.

I tried to call him back, but he 'didn't hear' and was quickly back at the till with me watching the card from the table. Most of the time the machine was in full view, but at one point he removed the card and held it out of sight briefly.

Now this could have been an innocent move, but my daughter is well trained and said she'd watched him watch my wife typing in her PIN and that he smiled when she'd finished.

This was all so suspicious, but with no proof of any wrong doing what can you do? Well I drove her straight to the nearest cash machine and she changed her PIN immediately.

I'm hoping that's the end of the tale - no mysterious transactions yet, but I've asked her to look when she next uses the card to see if any attempts have been made with an incorrect PIN.

PayPal | Notification of Limited Account Access

2008-04-09T09:17:00.002+01:00

Here's an email that apologises for being an inconvenience - if anyone falls for it, it will be a very big inconvenience.

It claims to be from PayPal following 'unusual activity' on the account. But it's not.

The target URL is http://static-68-179-55-98.ptr.terago.ca/paypal.com/managament/cgi/, terago.ca being the host of another recent PayPal phishing email. In fact, that one sent last week went to exactly the same destination URL. Presumably PayPal have not been able to get those pages shut down, or the site has been hacked again. Looking through the search results for the site, it does look to be an innocent victim.

Other indications that it's phishing are that it's sent to 'undisclosed-recipients'. If this had really happened, it would have affected 1 email at a time and PayPal would deal with it by contacting one member at a time. They would also not start off without an introduction using your name and the sent time on the email is 6th April, 00:00, even though it was received 07:45 on the 9th April. Someone has been playing with headers and forgotten to change them.

Lastly, PayPal would never ask you to click a link and then reveal your security details. If such action was required then they would be unlikely to email you (as your email could have been compromised - you do have different PayPal and email passwords, don't you???) and they would ask you to enter the PayPal address into your browser.

Here's the content, email is on it's way to PayPal for them to sort.

Notification of Limited Account Access

As part of our security measures, we regularly screen activity in the PayPal system. We recently noticed the following issue on your account:

Unusual account activity has made it necessary to limit sensitive account features until additional verification information can be collected.

We have been notified that a card associated with your account has been reported as lost or stolen, or that there were additional problems with your card.

Case ID Number: PP-071-362-996

Click here to verify your account

Please understand that this is a security measure intended to help protect you and your account. We apologize for any inconvenience.

If you choose to ignore our request, you leave us no choice but to temporary suspend your account.

Sincerely,
PayPal Account Review Department.

--------------------------------------------------------------------------------

Please do not reply to this e-mail. Mail sent to this address cannot be answered. For assistance, log in to your PayPal account and choose the "Help" link in the footer of any page.

To receive email notifications in plain text instead of HTML, update your preferences here.

ref i - cmr

Ebay | You've received a question about eBay item: Timberland Mens Boots size 11.5 (230237678367)

2008-04-08T16:09:00.002+01:00

Pretty much the same as other Ebay question about phishing emails.

This time around the email links to the website http://www.thejoyofcrafting.com/lndex.htm?ViewItem&item=230237678367&ssPageName=ADME:X:AAQ:GB:1123. Presumably an innocent victim, but I have found other reports of the website being used for similar purposes, with Google's cach being dated around 2 weeks ago - so it looks like they are a serial victim.

Here's the email content.

Hi,
Everything is packed and ready to go, Let me know if you paid already. I am waiting for your answer as soon as possible.

Have a nice day!
Sandra.

- vlc223 Respond to this question

If you use My Messages to respond, your email address will not be shared.

Item and user details
Item Title: Timberland Mens Boots size 11.5
Item Number: 230237678367
Item URL: http://cgi.ebay.co.uk/ws/eBayISAPI.dll?ViewItem&item=230237678367
End Date: 07-Apr-08 08:37:42 BST
From User: vlc223 (161)
99.4% Positive
since 29-Nov-03 in United Kingdom

ref q - j

PayPal | Warning Notification

2008-04-05T10:26:00.001+01:00

Another Phishing email targeted at PayPal.

Pointers for the unwary that it's phishing:
1 - emailed to 'undisclosed recipients'
2 - starts 'Dear Customer', rather than using my name
3 - PayPal would never send an email asking me to enter personal details
4 - the link is actually pointing to http://static-68-179-55-98.ptr.terago.ca/paypal.com/managament/cgi/ - terago.ca are actually a broadband provider, so I assume someone is misusing some account space on their site.

It's not real, don't click the links. I've sent a copy to PayPal. Here's the text.

Dear Customer,

It has come to our attention that your PayPal® account information needs to be updated as part of our continuing commitment to protect your account and to reduce the instance of fraud on our website. If you could please take 5-10 minutes out of your online experience and update your personal records you will not run into any future problems with the online service.

However, failure to update your records will result in account suspension. Please update your records before April 8, 2008.

Once you have updated your account records, your PayPal® account activity will not be interrupted and will continue as normal.

Click here to update your PayPal account information

Reporting Adwords Phishing Emailos

2008-04-04T23:37:00.000+01:00

Google finally got back to me this afternoon after I asked them where to report a Google Adsense phishing email. Part of their answer read:

In order for us to determine the source of the attack, please forward
the entire email, including the full message header information, to
spoof@google.com or phishing@google.com. We investigate all reports sent
to this address

So send any Google phishing emails you wish to report to either of these addresses.

Natwest Bank Private and Corporate New Security Features Activation

2008-04-04T23:32:00.000+01:00

Very similar to other Natwest phishing emails this one, just it tries to cover both private and corporate recipients.

This time the target URL is http://www4.nwolb.com.agent84.in/default.aspx?agent=17zrohDxcrszkOkhOvp - agent84.in appears in a few phishing results already.

I've forwarded a copy to the Natwest, but on previous experience there aren't acknowledgements. Here's the content.

Dear NatWest Bank On-line Banking member!

Our Technical Department is running a scheduled Internet Banking software upgrade

By following the link below please begin the procedure of the user details authorization:

http://www4.natwest.com/default.aspx?session=17zrohDxcrszkOkhOvp

These directives are to be emailed and followed by all customers of the Natwest Private and Corporate

NatWest Bank does apologize for any problems caused, and is very grateful for your help.

If you are not customer of NatWest Bank Digital Banking please delete this letter!

*** This is robot generated message please do not reply ***

(C) '08 NatWest Bank Bankline Internet Banking. All Rights Reserved.

Ebay | You've received a question about eBay item: 2x Weekend Tickets V Festival - Weston Park + Camping (280212913563)

2008-04-03T20:46:00.003+01:00

This one has the same convincing appearance as other similar ebay phishing emails, so I won't put up a picture.

This time the target URL is http://www.mpedubai.com/index.htm?ViewItem&item=280212913563&ssPageName=ADME:X:AAQ:GB:1123. mpedubai.com gets a few mentions on Google in phishing search results.

It's not for real - don't worry about it. I've forwarded the email to Ebay already.

Here's the content:

Hi,
Let me know if PayPal is ok to pay for my item. I am waiting for your answer as soon as possible.

Thank you.
Scott.

- dychie478 Respond to this question

If you use My Messages to respond, your email address will not be shared.

Item and user details
Item Title: 2x Weekend Tickets V Festival - Weston Park + Camping
Item Number: 280212913563
Item URL: http://cgi.ebay.co.uk/ws/eBayISAPI.dll?ViewItem&item=280212913563
End Date: 31-Mar-08 08:55:31 BST
From User: dychie478 (173)
99.5% Positive
since 13-Jan-05 in United Kingdom

Halifax | Online Banking - You Have 1 Unread Message

2008-04-01T22:51:00.000+01:00

The Halifax seems to be a new sudden victim of a few Phishing emails.

This one has gone to some effort to look the part, but gives the game away as the email has been sent to 10 different "keith" email addresses - only 1 of which is mine! Of course, as I frequently say, no respectable financial institution would greet you in an email with 'Dear Valued Customer' - it would be by your full name.

It takes the form of various Abbey Phishing Emails of a few months ago in that it doesn't tell you anything, it just claims there's a message that needs your attention.

The destination URL is http://halifax-onlines.com/halifax-online.co.uk/_mem_bin/formslogin.asp_source=halifaxcoukHOME/account.php. halifax-onlines.com is obviously a very clever domain name - it looks very realistic, but it does already appear in several Phishing results on Google.

Here's the email content:

You have a new message waiting in your Inbox Folder.

Click here to read.

Best Regards.
Halifax Banking plc Security Department Team.

* Please do not reply to this email as your reply will not be received

ATTN:DONT FORGET TO ATTEND TO THIS EMAIL

2008-04-01T16:10:00.003+01:00

Here's a strange email. It's the usual internet lottery that I've supposedly won without entering that do the rounds every so often. But it's so poorly written as to make it very difficult to read.

Hopefully that will put a lot of people off replying. Why do these scams so often claim to be from Spain?

Here's the content:

ATTN:DONT FORGET TO ATTEND TO THIS EMAIL

MICROSOFT E-MAIL PROMOTION CENTRE
CALLE LA LUNA,45.PRIMERA PLANTA.
CODIGO POSTAL 28845.
MADRID ESPAÑA.

Complete the following and send it to your fudiciary agent Mr.Julian
Alonso immediately for the claim of 170,000.00.Euros.
Which you have won on the microsoft 2008 e mail promotion conducted in
madrid spain,for internet users.

Contact Mr.Julian Alonso to process your claim.
Tel : 0034-656-276-595
E mail : publicfinancedpt@ozu.es

YOUR WINNING DATAILS:

Your ticket #: ES/NP/CC/08
Your Batch #: 1558
Your Reference #: 01,05,22,45,88

COMPLETE THE FOLLOW AND SEND TO YOUR AGENT ON THE E MAIL ADDRESS:

Your country:_
Your full name:_
Your address:_
Alternative e mail address:_
Your tel:_

Your's Sincerely,

Mrs.Miguel Laurita Perez
Co-ordinator.

Ahora también puedes acceder a tu correo Terra desde el móvil.
Infórmate pinchando aquí.

PayPal | PayPal account information needs to be updated

2008-03-31T13:29:00.002+01:00

Here's a new PayPal email that threatens to close your account pretty soon (2 days' notice) unless you update certain details. PayPal state they would never ask for this via email, plus they always use your name in the email and don't email "undisclosed-recipients:".

The destination URL is actually http://stolnick-8marta-8b-r1-c1-45.ekb.unitline.ru/www.paypal.com/managament/cgi/, making it the second Phishing email to be posted in these pages within 48 hours using the unitline.ru domain.

Here's the email - already forwarded to PayPal for them to investigate.

Dear valued PayPal member,

It has come to our attention that your PayPal account information needs to be updated as part of our continuing commitment to protect your account and to reduce the instance of fraud on our website. If you could please take 5-10 minutes out of your online experience and update your personal records you will not run into any future problems with the online service.

However, failure to update your records will result in account suspension. Please update your records on or before April 02, 2008.

Once you have updated your account records, your PayPal session will not be interrupted and will continue as normal.

To update your PayPal records click on the following link:
http://www.paypal.com/cgi-bin/webscr?cmd=_login-run

Thank you,
PayPal Customer Center.

Accounts Management As outlined in our User Agreement, PayPal will periodically send you information about site changes and enhancements.

Google Adwords | Please Update Your Billing Information

2008-03-31T13:25:00.001+01:00

Here's one that got through the net first time I recieved it. I believed it, deleted the email (permanently) then went onto the Google site to follow it's instructions. Only then did I realise that the email address it had been sent to wasn't associated with a Google adwords account that I maintain...

At first I thought I was mistaken until I received the email about. Assuming I was wrong and maybe I had used that email address for a Google Adsense account in the past I was about to try to login again, until I noticed that the target URL was http://adwrods.google.select.asolf3.cn/select/index.html

asolf3.cn makes several appearances in Google Phishing search results. But it got past me the first time, and nearly this time, because I was using a shortcut on my desktop to sign on, rather than the link in the email.

Here's the content - it's dangerous! I can't find an address to report this to Google, so I've sent them a contact form and awaiting a response.

This message was sent from a notification-only email address that does
not accept incoming email. Please do not reply to this message.
--------------------------------------------------------------------------------------

Dear GoogleAdwords Customer,

In order to update your billing information, please sign in to your AdWords account at https://adwords.google.com, and update your billing information. Your account will be reactivated as soon as you have entered your payment details. Your ads will show immediately if you decide to pay for clicks via credit or debit card. If you decide to pay by direct debit, we may need to receive your signed debit authorization before your ads start running, depending on your location. If you choose bank transfer, your ads will show as soon as we receive your first payment. (Payment options vary by location.)

Thank you for choosing AdWords. We look forward to providing you with the most effective advertising available.

----------------------------------------------------------------------------------------
The Google AdWords Team

Halifax customer service: online banking notification!

2008-03-30T11:36:00.004+01:00

First we had the NOF, now we've got the HOF. The HOF looks just like the NOF phishing email, just with the bank's name changed to 'Halifax'.

This time around the target URL is http://halifax.co.uk.sistemlog6.ms/_mem_bin/onlineform.asp?source=[removed] - sistemlog6.ms being a site that appears in a few Phishing results on Google.

The email is at least addresses on the to: section just to my email address and displayed the name part (before the URL) to try to make it more convincing. but 'Dear Halifax bank customer' is not how a bank would address a customer.

As always, no bank would send an email like this. It is purely an attempt to empty your account of funds and maybe even steal your identity. Don't click the link. If you are worried about accidentally clicking these links, use a phishing safe browser such as Firefox (free download from the button on the right).

Here's the content of the email.

Dear Halifax bank customer,

We have implemented security measures consistent with our internal information security practices to help us keep your information secure. These measures include technical and procedural steps to protect your data from misuse, access or disclosure, loss, alteration or destruction.

One of these security measures is HOF (Halifax Online Form) to help us to keep your personal and banking data up to date.

You should complete HOF on a regular basis.

Please complete HOF using the link below:

Halifax Online Form

Halifax Automated Mail Service. Please do not respond to this mail.

ref cmr

Halifax | IMPORTANT SECURITY ALERT

2008-03-29T22:58:00.002Z

This one has taken the time to put a Halifax banner across the top of the email - along with a picture of the guy from their adverts. There's also some waffle down the bottom about needing Flash 5 to access the site. This has been taken from the bank's own website, but it's over ayear out of date. Must be a phishing template from some time ago...

The email tries to make out that the recipients Halifax Bank Account has been subject to some attempted breach of security, and that these actions are to reinstate access to the account. This sort of email would never be sent. If a bank had reason to suspend access to an internet account system they would do so, then post the new security details via Royal Mail (been there, had it happen). So don't fall for this trick.

In this case the target URL is http://stolnick-8marta-8b-r1-c1-45.ekb.unitline.ru/halifax-online.co.uk/_mem_bin/halifax_LogIn/formslogin.aspsource=halifaxcouk/ - but I've no idea what unitline.ru is nor whether it is just an innocent website that's been hikacked for this purpose. Looks like that might be the case.

Anyway, leave the link and delete the email.

IMPORTANT SECURITY ALERT

--------------------------------------------------------------------------------

Please note that our system recently noted that your attemption of signing on to your account was failed while some errors occured during the processing update of your online account you are having with our bank..

We sincerely here by to notify you that you should kindly follow below link to update your online account for your security safety ensured by our financial insititution.

https://www.halifax-online.co.uk/_mem_bin/FormsLogin.asp?source=halifaxouk

Thank you for your prompt attention to this matter. Please understand that this is a security measure meant to help protect you and your account.

We apologize for any inconvenience.

If you choose to ignore our request, your account may leads to be temporarily suspended

Nationwide | Important Notice!

2008-03-27T22:58:00.000Z

Here's a neat looking email, that was determined to get through as it was simultaneously sent to three possible email addresses within my domain, 1 being real. They even know my name, which could be worked out from the email, but the email was also sent to links@, using my name.

The target URL for the link is actually http://www.nationwide.co.uk.login.account.kmpa0up8vuocae0huto.31c5f18a7f.com/NationWide/secure/login/index.html?id=[id removed]. 31c5f18a7f.com is the subject to many Google search results about phishing sites.

Here's the email:

Dear keith@[url removed],

Nationwide is proud to announce about their new updated secure system. We updated our new SSL servers to give our customers a better, fast and secure online banking service.

Due to the recent update of the servers, you are requested to please update your account info at the following link.

- Update Access Now!

*Important*
Please provide these information correctly and completely, failing to comply may result temporary suspension of your online banking.

Ruben M. Ortiz
Security Advisor
Nationwide

Ebay | eBay New Unpaid Item Message - Respond Now !!

2008-03-20T16:07:00.001Z

This one came through twice in quick sucession, probably via different email accounts. Sent to 'undisclosed-recipients' and the target URL is http://www.forum-ebay.9hz.com. 9hz.com is a free website forwarding service, so it is hiding the actual destination of the phishing site.

Here's the content:

Dear member,

eBay member Tixcity has left you a message regarding item #220055788880

View the dispute thread to respond.

Regards,

eBay Inc.

Copyright © 1995-2007 eBay Inc. All Rights Reserved.Designated trademarks and brands are the property of their respective owners.Use of this Web site constitutes acceptance of the eBay User Agreement and Privacy Policy.

eBay official time - Page last updated: Mar-19-03 11:57:05 PDT

Phish Alert

Abbey Business Accounts ARE Being Updated

Abbey Bank Cards-NEW DAILY LIMITS

Abbey National eBanking: Please Confirm Your Data

LloydsTSB Electronic Banking: Please Submit Your Password

Duncan Mcleod | WorldPay CARD transaction Confirmation

Halifax PLC | **VERY IMPORTANT SECURITY NOTICE**

Account Notification:Unauthorized Transactions On Your Internet Banking

The Royal Bank of Scotland | Digital Banking Service Notice

Monster Career Network | customer notice: data confirmation

Halifax Fraud Prevention Unit

Important banking mail from Abbey

NatWest Bank: You Have 1 New Security Message Alert.

Security alert!

Important Notice ( Lloyds TSB Security®Re-Confirm Your Identity and Remove Your Account Limitation Online)

Halifax | This confirmation email has been sent as a security precaution.

Lloyds TSB | IMPORTANT: Account Verification needed (June 25, 2008) No.4

First Bank | Administration alert!

Your Account with Google AdWords.

Abbey | Account Notification: Access To Your Account Has Been Limited

Natwest | REGULAR MAINTENANCE

NatWest Important Security Notice

Natwest | Details confirmation

Problems with account Abbey’s Business Bank

You've received a question about eBay item: BRAND NEW GENUINE APPLE *iPod touch* 16GB 16 GB WIFI (170227727186)

NatWest Bank: Online Banking Form! (Mon, 09 Jun 2008 00:27:48 -0500)

NatWest Online Accounts Limited Access

WINNINING NOTICATION

You've received a question about eBay item: HP COMPAQ N400C LAPTOP 850MHZ 256MB 20GB CD WINDOWS.. (160246121318)

Anglo Irish Bank customer:1 new ALERT message.

NatWest Bank Reminder: Client Details Confirmation -Mon, 02 Jun 2008 14:09:52 -0600

A secondary e-mail address has been added to your PayPal.

NatWest Bank: Automatic Account Reminder (Mon, 02 Jun 2008 03:09:37 -0500)

Anglo Irish Bank customer:1 new ALERT message.

NatWest Bank: safeguarding customer information

NatWest Bank customer service: your account with us. [message ref:

NatWest Bank notification!

Your payment didn't succeed, so your ads have been suspended.

HSBC Bank Personal and Commercial Update Your Details -- ref: 218

Important Notice From NatWest Bank bank.

DESMOND ALI | Urgent Attention

YOUR URGENT ATTENTION IS NEEDED FROM FEDERAL HIGH COURT OF BENIN,REPUBLIC

Given to you by Federal High Court of Benin and the code is (Be74678FGN)

Royal Bank of Scotland Business customer:1 new ALERT message

NatWest bank: important banking mail. (message ref: sg6806523)

HSBC - You Have 1 Unread Message

Your ads are not running.

Important Information about your Current Account

Official Notification For Customer of Abbey OnLine Banking

Important notification from NatWest bank

NatWest Electronic Banking Informs You Code: 2341

Abbey National Bank On-line Banking Please Confirm Your Data!

eBay New Unpaid Item Message from Martin1967 response required

Attention: Royal Bank of Scotland Digital Banking Service User Id: 3687

Google | Please submit your payment information.

Natwest | CUSTOMER SERVICE MESSAGE

Natwest | please confirm your data!

NatWest Bank Personal and Business Urgent E-mail From Billing Department - id: 510

Natwest | Last chance to validate your e-mail address

Adwords | Your AdWords Google Account is stoped.

Adwords | Your Account with Google AdWords

Adwords | Your ads have been suspended.

Natwest | Validate your e-mail address

SOUTH AFRICAN 2010 WORLD CUP LOTTERY AWARD

NatWest Bank security upgrade!

PayPal | Remove limitations

Google | Please Update Your Billing Information.

Online Award Claim!!!!!!!!!!!!!

NatWest | You Have 1 Important Unread Message

Email Ticket No, EP400-369

Spring Work on Computer. Work ID:14B46BN

NatWest | You Have 1 Important Unread Message

YOUR ATM CARD IS READY

Islamic Bank of Britain | Rewards balance currently unavailable.

NatWest | Technical Notice: Recent Change In Your Personal Information

Natwest | Your account access has been temporarily restricted

Alliance and Leicester | Security Notice: Unable to Verify Your Account Dated 21 April 2008

Ebay | You've received a question about eBay item: @NEW designer DKNY latest watch with diamond spring 08@ (110243158561)

Halifax | Message from Halifax Online

Email | GET BACK TO US ASAP.

Halifax PLC | VERY IMPORTANT SECURITY NOTICE

You've received a question about eBay item: BRAND NEW GENUINE APPLE iPod touch 16GB 16 GB WIFI (170227727186)