In the previous Thoughtful Phisher blog, we looked at some visual clues that should tip you off that an email from a ‘bank’ is not to be trusted. Just as interesting here, though, is the variety of social engineering gambits used by this wave of phish campaigns. It’s worth taking a closer look at some of the messages just because they include quite a few standard phishing techniques, but some of the others are even more interesting because they’re a little more inventive, and those are the ones I’m focusing on in this article. The actual text of each message is italicized to distinguish it from the comments I’ve added.

What a bargain!

Here is one of the most interesting, in that it moves away from the standard “this is something you must read for your own security” gambit to “here’s your chance to get something for nothing”. Here’s a tip: in these days of economic meltdown, banks aren’t giving too much away. (Heck, they can barely be persuaded to pay you interest on the money you entrust to them…)

NatWest is giving you a chance to shop for free !

[The unnecessary space before the exclamation mark is the scammer’s error, not mine!]

Dear Valued Customer,

NatWest is giving out free shopping vouchers for your favorites stores for Christmas.

This offer is only for NatWest Credit Card Online Services users and it will be valid to use until the 31st of December, 2013

To Qualify for this opportunity, Kindly Click here now.

After validation your voucher will be sent via text message or posted to your Mailbox.

Yours Sincerely,
NatWest Credit Card Services.

You may notice one glaring Americanism in the spelling (which shouldn’t have been a plural either), even though it’s sent to a UK email address. Tsk, tsk: whatever happened to knowing your market?

Apart from that, it's a little short on circumstantial information, maybe. Which stores would that be? Well, I suppose my card provider might know something about my shopping patterns, but not very much. Especially as I live in an area not noted for a multiplicity of chain stores. (And not that I have a NatWest card anyway.) What’s really interesting and fairly novel, though, is that it uses a carrot rather than a stick, a marketing technique rather than a threat. Note, though, that there’s still pressure on you to take action as soon as possible (i.e. before 31st December).

Of course, legitimate marketing is also limited by time or availability: a commercial organization doesn’t want to be giving away items it no longer has a budget for, years after the marketing campaign finished. Ask the British division of Hoover, which lost around £50m when it underestimated the demand for giveaway air tickets. Well, you could have asked if it hadn’t been sold off. Moral: scammers do marketing too. And some of them are better at it than some legit marketers.

Can I have my money back?

Here’s another phish with a ‘something for nothing’ angle: in this instance, you’re supposed to believe that:

  • You are entitled to a refund – well, banks certainly make mistakes
  • Your bank is hurrying to correct its error – not so likely
  • Your bank is so incompetent that it can’t fix the error without your help.

Well, maybe the last point is the most believable: bankers haven’t covered themselves in glory in recent years in almost any respect but the ability to draw huge bonuses.

REFUND SLATED ON YOUR ACCOUNT.

Our record shows that you have a refund slated on your card account due to charges made against your card account by us.

We do apologies for this mistake which was caused by errors from our system. This transaction cannot be completed due to the errors present in your account information.

You are required to click on the LOGON below to fix this problem immediately. Please note, it will take 3 working days to credit your account with the refund.

LOG ON HERE

Thanks
NatWest Card Services

Well, who can resist a refund? Certainly phishers and other scammers are convinced you can’t, because they often use this gambit to get you to click on a malicious link or attachment.

Interestingly, there is no ‘Dear Valued Customer’ (nor any similar generic salutation) here. We’ve been pointing out for a long, long time that this sort of generic (non-personalized) salutation just means that the scammer doesn’t know your name, because he’s mailing the message out en masse to hordes of potential victims. Perhaps scammers have noticed our saying this, and are hoping that having no salutation is less conspicuous than having a generic salutation, and that the recipient will not notice the omission. The moral: the complete absence of a salutation should be considered just as suspicious as a generic salutation. But don’t forget that it’s also possible – though not so common – to derive a name automatically from an email address. Though that name may or may not be convincing. As far as I’m concerned, ‘dear dharley3467’ or ‘dear dharley@myISP.com’ is not a personalized salutation…

Note also that the scammer tells you that it will take three days for the credit to go through. More to the point, it gives him plenty of time to plunder your account. Good to see that phishers still have problems with their English, though, since it’s often an indication that all isn’t right… (Sometimes it just means the office junior can’t spell, though.)

The life of Riley

Here’s another example with a very similar message, but the presentation is much more sophisticated (not to mention looooooonnnnnggggggg...). I have several examples of these that all have more stereotyped subject lines than the previous example: ‘Your MINT Card Important Notification !’, or ‘Fix The Error On Your MINT Card.’ So the subject line is alarming enough to catch your attention, though the content is more reassuring. Is that deliberate, so that relief will incline you to lower your defences? I don’t know, but it could have that effect.

Dear Valued Customer ,

Our record shows that you have a refund slated on your MINT Credit Card account due to charges made against your MINT Credit Card account by us.

We do apologies for this mistake which was caused by errors from our system. This transaction cannot be completed due to the errors present in your account information.

You are required to click on the LOGON below to fix this problem immediately. Please note, it will take 3 working days to credit your account with the refund.

LOG ON HERE

We hope you find our Online Credit Card service easy and convenient to use.

Yours sincerely,

Paul Riley 
Head of Credit Cards

About this email 
This email is confidential and intended for the addressee only. Please delete if that is not you. 

This is a service message designed to keep you informed of important information associated with your account. 

Please do not reply to this email as the address is not monitored. Visit our Support Centre if you have any queries and we'll be happy to help. 

Important Security Information 
To help you identify our email and as an extra security measure the second half of your postcode is shown at the top. If you have not provided us with this information or you have changed address please contact your local branch to update your details. 

MINT will NEVER ask for your full PIN or Password when identifying you on the phone or online, and willNEVER ask for Card Reader codes on the phone or when logging in. 

Fraudsters may claim to be the bank to try and access security information. If you receive a call or email from MINT that you are suspicious about, cease the call immediately, or forward the email tophishing@rbs.co.uk. Visit mint.co.uk/security for more information and advice. 

MINT is a business name of The Royal Bank of Scotland plc registered in Scotland No 90312. Registered Office: 36 St Andrew Square, Edinburgh EH2 2YB.

First of all, the salutation is non-specific. ‘Dear Valued Customer’ doesn’t mean that your custom is valued but not so much that we can be bothered to personalize this letter by including your name. It means we have no idea who you are, but we’re hoping you’re a Mint customer gullible enough to fall for a fake login and give us access to your money, which we certainly do value.

Interestingly, the acres of boilerplate verbiage at the end of the pseudo-letter (which may well be lifted from genuine RBS material – the occasional missing space character suggests a cut and paste from PDF to me, but that’s just a guess) claims that ‘To help you identify our email and as an extra security measure the second half of your postcode is shown at the top.’ Of course, that would have been miraculous, as RBS has no reason to know my address: I’m not one of their customers and the message isn’t from RBS at all, so there is no postcode in the message. Clearly, the scammers don’t expect you to read the small print. But then, nor do many legitimate financial providers, insurance companies, pensions providers…

Once again, they want you to give them three days to plunder your account and move on. The scanned signature is a nice touch (but proves absolutely nothing, of course). Interestingly, all of the scam messages that appear to be signed by an individual rather than by the name of the bank are claimed to be signed by ‘Paul Riley’, who appears to be ‘Head of Credit Card(s)’ for two credit card providers. Well, that’s just greedy. We’ll get back to the versatile Mr Riley shortly.
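As an added illustration (not part of the article), here is a small Python scorer that turns the cues discussed above into checks: the missing or generic salutation, including a name merely derived from the email address; the ‘immediately’ urgency; the bare ‘LOG ON HERE’ call to action; the three-working-day delay; the tell-tale spelling; and the boilerplate promise of a postcode half ‘at the top’ of a message that contains none. The sample message is abridged from the MINT text quoted above; the regexes and cue names are my own assumptions.

```python
"""Heuristic scorer for the social-engineering cues the post walks through.
Added example, not part of the article; rules and regexes are my own assumptions."""
import re

# Sample input: abridged from the MINT 'refund' message quoted in the post.
MINT_MSG = """Dear Valued Customer ,
Our record shows that you have a refund slated on your MINT Credit Card account.
We do apologies for this mistake which was caused by errors from our system.
You are required to click on the LOGON below to fix this problem immediately.
Please note, it will take 3 working days to credit your account with the refund.
LOG ON HERE
Paul Riley
Head of Credit Cards
Important Security Information
To help you identify our email and as an extra security measure the second half
of your postcode is shown at the top.
Registered Office: 36 St Andrew Square, Edinburgh EH2 2YB."""

GENERIC = ("dear valued customer", "dear customer", "dear member", "dear user", "dear sir/madam")
POSTCODE_HALF = re.compile(r"\b\d[A-Z]{2}\b")  # e.g. '2YB' in 'EH2 2YB'

def salutation_kind(msg):
    """'missing', 'generic' or 'named'; the post argues the first two are equally suspicious."""
    m = re.search(r"^\s*dear\s+([^,\n]+)", msg, re.I | re.M)
    if not m:
        return "missing"
    if m.group(0).strip().lower() in GENERIC:
        return "generic"
    name = m.group(1).strip()
    # 'dear dharley3467' / 'dear dharley@myISP.com': a name derived from the address, not a real one
    return "generic" if ("@" in name or re.search(r"\d", name)) else "named"

def cue_scores(msg):
    """Map each cue from the post to True/False for this message."""
    top = "\n".join(msg.splitlines()[:3])  # 'the top' of the message, where a postcode half is promised
    return {
        "impersonal_salutation": salutation_kind(msg) != "named",
        "urgency": bool(re.search(r"\bimmediately\b|\bvalid (?:to use )?until\b", msg, re.I)),
        "bare_call_to_action": bool(re.search(r"\b(click here|log ?on here)\b", msg, re.I)),
        "delay_to_plunder": bool(re.search(r"\b\d+ working days\b", msg, re.I)),
        "language_errors": bool(re.search(r"\bdo apologies\b|\bfavorites stores\b|\s!", msg, re.I)),
        # boilerplate promises a postcode half 'at the top', but nothing like one is there
        "phantom_postcode": "postcode is shown at the top" in msg.lower()
                            and not POSTCODE_HALF.search(top),
    }

def score(msg):
    """Number of cues present; the messages quoted in the post trip most of them."""
    return sum(cue_scores(msg).values())
```

The scorer is deliberately crude: it exists to show that every cue the post describes is mechanically checkable, not to replace a mail filter.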

(As far as I can tell, there is no Paul Riley who holds a genuine role like this in RBS or its associated financial institutions: if there is, I apologise for any confusion, but I’m sure he is not in any way responsible for the very common misuse of his name in this type of phishing scam.)

David Harley CITP FBCS CISSP
ESET Senior Research Fellow