Someone seems to be rather keen to pose as Santander at the moment. Over the past couple of weeks, my Junk filter has picked up 4 emails – the latest 2 being just a day apart. They’re all coming from the same place too, and have a lot in common. Indeed, the latter 3 emails are practically identical, they mainly just have different links.
They’re all claiming there’s been a security issue with my account, so I need to verify myself. They all have from addresses with the same domain. They all have links constructed in a very similar way, with subtle differences. And the formatting and grammar of the body text isn’t great in parts. So I’ll show you the text of the emails, and then highlight why they’re obviously nonsense. And don’t forget you can check out all of my scam email posts to see other examples I’ve highlighted.
All of the emails appeared to have a genuine Santander email disclaimer at the bottom, which does have genuine links (including their phishing reporting address). However, the scammer has just copied and pasted those from a genuine Santander email. So I haven’t reproduced that part here, as it’s already obvious the emails are fake before you get to it anyway. Links from the emails have also been disabled, but if your browser happens to make them active again, please don’t click on them!
Email 1
From: Santander (kaufman.kayla@uwlax.edu)
To: kaufman.kayla@uwlax.edu
Subject: You have a new secure message waiting
If you cannot see this email, click here
Dear Customer,
At Santander we know protecting your identity is important, that´s why we´re always looking at ways to guard you from identity theft and fraud. We´re also committed to help you use our online service securely.
As part of our ongoing commitment to customer security we are constantly looking for new and improved ways to protect you and your assets. Our Internet banking security notice that your account password is currently locked and you cannot perform any transaction online.
Due to security of your internet banking account we recommend you to reactivate & verify your account details. Please note that if you hold any joint accounts, only your details will be updated.
Please use the REGISTER NOW below to update your account profile from Step 1 to 3.
REGISTER NOW
Regards,
Fraud Prevention Team
The links to click if you cannot see the email or wish to register now both point to:
retail.santander.co.uk.logsuk.ns.ens.btochanneldriver.ssobto.dse.operationname.logon.dse.processor.logon.dse.processor.blueberryrumors.com/santander/
Emails 2, 3 & 4
These are all very similar, though the From address and clickable links are slightly different in each case, and one of the paragraphs in the message changes slightly.
From: Santander (bush.dylan@uwlax.edu / juenger.stephen@uwlax.edu / rush.noah@uwlax.edu)
To: bush.dylan@uwlax.edu / juenger.stephen@uwlax.edu / rush.noah@uwlax.edu
Subject: You have a new secure message waiting
If you are having trouble viewing this message, please click here.
Your security is our priority
Dear Customer:
We recently reviewed your account, and we suspect an unauthorized transaction .
Therefore as a preventive measure we will temporary limit your access to sensitive Santander Online features.
To ensure that your account is not compromised, please log in to your Santander Online and verify your identity to prevent deactivation.
(Email 2) Please use the hyperlink below to login to our secure Santander account Online.
(Emails 3 & 4) Please use the hyperlink below to login to our secure Santander account Online from Step 1 of 3 to verify your accounts.
Verify now »
Thank you for choosing Santander,
Christian Westcough
The Santander Online Banking Help Team.
The links to click on if you have trouble viewing the message or wish to “Verify now” point to these addresses:
- retail.santander.co.uk.logsuk.ns.ens.btochanneldriver.ssobto.dse.operationname.logon.dse.processor.logon.dse.processor.logon.logon.verabaleva.com/santander/
- retail.santander.co.uk.logsuk.ns.ens.btochanneldriver.ssobto.dse.operationname.logon.dse.processor.logon.dse.processor.logon.logon.kintechsynergy.com/retail/
- retail.santander.co.uk.logsuk.ns.ens.btochanneldriver.ssobto.dse.operationname.logon.dse.processor.logon.dse.processor.logon.logon.ligamessirve.com/retail/
Analysis
If the emails had not been caught by my Junk filter, I would have seen the Santander logo and other imagery, which the scammers use to make these emails look more official. And, of course, they’re trying to claim you have a security issue to make you panic and act without thinking. But the signs are all there that they’re nonsense.
From Addresses
Although the name of the sender appears to be Santander, the From address in each case is actually from uwlax.edu – which is the University of Wisconsin-La Crosse, not Santander!
To Addresses
None of the emails are directly addressed to me. As with previous examples I’ve posted, the sender has used their email address as the primary recipient, hiding all the actual recipients in the ‘blind copy’ field. If the email was truly for me, I would be in the To field and nobody else.
Salutation
At the start of each message, I’m addressed as “Dear Customer”. Santander NEVER do this. They always address you by name, and often show you a bit of your postcode as well as additional proof.
Links
The links you’re asked to click on all go to very similar addresses:
- retail.santander.co.uk.logsuk.ns.ens.btochanneldriver.ssobto.dse.operationname.logon.dse.processor.logon.dse.processor.blueberryrumors.com/santander/
- retail.santander.co.uk.logsuk.ns.ens.btochanneldriver.ssobto.dse.operationname.logon.dse.processor.logon.dse.processor.logon.logon.verabaleva.com/santander/
- retail.santander.co.uk.logsuk.ns.ens.btochanneldriver.ssobto.dse.operationname.logon.dse.processor.logon.dse.processor.logon.logon.kintechsynergy.com/retail/
- retail.santander.co.uk.logsuk.ns.ens.btochanneldriver.ssobto.dse.operationname.logon.dse.processor.logon.dse.processor.logon.logon.ligamessirve.com/retail/
They all start off in the same way, appearing to go to retail.santander.co.uk. But, again, notice that the address continues after the “.co.uk” part. There’s no forward slash there, which you would expect at that point. So wherever you’re going is NOT within that domain.
Instead, there’s another dot followed by a load of other stuff, containing the word “logon” quite a lot. And then you get to the true end of the address. Before the first instance of a forward slash, you get one of these, which are clearly nothing to do with the bank:
- blueberryrumors.com
- verabaleva.com
- kintechsynergy.com
- ligamessirve.com
After that you get a forward slash, followed by either “santander” or “retail”. But whatever those pages are, they’re clearly not on the Santander site. So those links are clearly unsafe.
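The From address and link checks described above can be automated. The following is an added example, not part of the original emails or of any Santander tooling: it reads the hostname from right to left to find the domain that was actually registered, and flags a display name that claims the bank while the address sits on another domain. The function names, the short suffix list and the sample header are assumptions made for the illustration.

```python
from email.utils import parseaddr
from urllib.parse import urlsplit

BRAND = "santander"
LEGIT_DOMAIN = "santander.co.uk"  # assumption: the domain the links imitate
# Constructed, minimal list of two-label public suffixes for this demo;
# production code should consult the full Public Suffix List.
TWO_LABEL_SUFFIXES = {"co.uk", "org.uk", "ac.uk", "gov.uk"}

def registrable_domain(host):
    """Return the domain someone actually registered: the rightmost labels."""
    labels = host.lower().rstrip(".").split(".")
    keep = 3 if ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES else 2
    return ".".join(labels[-keep:])

def check_link(url):
    """Return (registrable domain, list of findings) for a link."""
    if "://" not in url:
        url = "http://" + url  # the post shows links without a scheme
    host = (urlsplit(url).hostname or "").lower()
    domain = registrable_domain(host)
    findings = []
    if domain != LEGIT_DOMAIN:
        findings.append("not on " + LEGIT_DOMAIN)
        # Everything left of the registered domain is chosen freely by its owner.
        if BRAND in host[: len(host) - len(domain)]:
            findings.append("brand name appears only in the subdomain labels")
    return domain, findings

def check_from(header):
    """Return (sender domain, True if the name claims the brand but the domain differs)."""
    name, addr = parseaddr(header)
    domain = registrable_domain(addr.rpartition("@")[2])
    return domain, BRAND in name.lower() and domain != LEGIT_DOMAIN

if __name__ == "__main__":
    link = ("retail.santander.co.uk.logsuk.ns.ens.btochanneldriver.ssobto.dse."
            "operationname.logon.dse.processor.logon.dse.processor."
            "blueberryrumors.com/santander/")  # first link quoted in the post
    print(check_link(link))
    print(check_link("https://retail.santander.co.uk/"))  # constructed comparison
    # Constructed header in standard form, using the first email's address.
    print(check_from("Santander <kaufman.kayla@uwlax.edu>"))
```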
Body Text
The body text starts off looking ok, but as usual there are grammatical oddities:
Email 1:
Our Internet banking security notice that your account password is currently locked…
The first part of that sentence makes no sense. It’s as if it’s missing a word between “security” and “notice”, and even then “notice” should probably be “notices”
Due to security of your internet banking account we recommend you to reactivate & verify your account details.
The word “internet” here has a lowercase “i”, inconsistent with the capital “I” in the line above. And phrasing like “we recommend you to reactivate” doesn’t sound quite right.
Please use the REGISTER NOW below to update your account profile from Step 1 to 3.
This is missing a word between “REGISTER NOW” and “below”. And why does “Step” have a capital S?
Emails 2 to 4:
These emails are all very similar. The first 3 anomalies below appear in all of them.
We recently reviewed your account, and we suspect an unauthorized transaction .
There is a space before the full stop. A sloppy mistake to make on the first line.
Therefore as a preventive measure we will temporary limit your access to sensitive Santander Online features.
This whole sentence feels odd. Should it be “preventative”? Certainly it should say “temporarily”. And “sensitive”? Have I upset the feelings of the system’s online “features”?!
To ensure that your account is not compromised, please log in to your Santander Online and verify your identity to prevent deactivation.
Surely it would be my “Santander account” not my “Santander Online”?
This final paragraph changes between the two emails:
Please use the hyperlink below to login to our secure Santander account Online.
Please use the hyperlink below to login to our secure Santander account Online from Step 1 of 3 to verify your accounts.
Ok, so they get the word “account” in here this time – but it’s “our” account, not “your”? And there’s the word “Step” with an initial capital again.
Christian Westcough
The Santander Online Banking Help Team.
After using a generic “Fraud Prevention Team” sign-off on the first email, they’re now trying to make it look a bit official by using a genuine person’s name from the bank. Too little too late though, the emails were clearly fake long before that.
And there you have it, that’s more than proof enough that those emails are dodgy. Remember, stay vigilant and stay safe. 🙂