Scam Emails – TSB

Scam emails seem to arrive like buses sometimes, as the saying goes. I don’t get any for a while, and then 3 come along at once. And that happened earlier this month when I received a hat-trick of emails claiming to be from the TSB bank. 2 of them were identical, but one was different. And I’ve not had emails claiming to be from TSB before. But then scammers will try a variety of banks and financial institutions to see who they can catch, so getting scam emails for different banks isn’t surprising.

So it’s time for another instalment in my scam emails series. As usual, this is going to be rather repetitive in the signs to look out for, if you’ve seen the previous posts. But the more I can hammer this stuff home to make people aware, the better, as I do get comments from people who are grateful for the info I’m providing, and people do keep stumbling on the posts from web searches. So let’s get on to it.

Email Addresses

All of these emails had From Addresses ending in students.ecsu.edu, which is apparently the Elizabeth City State University in North Carolina. And that obviously has nothing to do with TSB! This is why it’s always worth checking the From Address, and not just the name that your email program displays. If an email claiming to be from your bank is actually coming from an educational establishment, or anywhere that isn’t the bank’s actual domain for that matter, then you can ignore it without reading any further.

In fact, most of the scam emails I’ve been getting to my blog email address seem to be originating from American educational establishments, or appear to be. I don’t know why. It could be that computers in those places have become part of a botnet (a network of hijacked computers used to send out malicious material, without the users realising it). Though you would hope their IT departments have the tools to detect and stop infections like that. I would certainly hope that no student is stupid enough to deliberately send out spam like this, especially as they’ve managed to get into a university in the first place. Or maybe their email addresses are being spoofed and it’s not coming from there at all.

The To Addresses are also just as informative, because they’re the same as the From Addresses. But that means they’re sending the emails back to themselves, so how are we getting them? Well, as you’ll remember if you’ve seen my previous posts, this means you’re on the BCC (Blind Carbon Copy) list.

Normally, to send a copy of an email to someone, you would put it on the standard CC (Carbon Copy) list. But when you do that, everybody else can see that person’s address and will know that they’ve received it. And let’s face it, a spammer wouldn’t want you to see that they’ve sent the same email out to thousands of other people, as that instantly gives the game away. So they want you to think it’s just for you.

So instead, if you want to keep it quiet from all the other recipients, you use the BCC list instead. Nobody else will know that person has got a copy then. So I must be on the BCC list here, because I can’t see my address. And I have no idea how many other people are on that hidden list. But it doesn’t matter, because a genuine email from a bank would never put your address in that list. The email will be addressed directly to you – i.e. your address will be the To Address.

So without even reading the emails, I know these are rubbish just by checking both of the addresses. The emails are not from the bank’s domains, and are not being sent directly to me. But let’s look at the rest of the contents anyway…

Email 1

From: TSB (jdharrington296@students.ecsu.edu)

To: Recipients (jdharrington296@students.ecsu.edu)

Subject: We’ve disabled access to your TSB Internet Banking

Customer Notice

We are contacting you today as you have not updated any of your personal details for some time as a security measure we have disabled online access to your account.

To ensure your protection, We’ve now disabled access to your TSB Internet Banking.

You now need to re-set your security. You won’t be able to gain access to certain features of online services until you’ve done this.

To restore access please click the link below to validate your information, this process should only take you a few minutes to complete.

Restore Access (link)

Please Note: Failure to restore full access can lead to permanent suspension of access to our online banking service.

Best regards,

TSB Bank

As per usual, there are clear signs from the body text that it’s fake.

Customer Notice

A genuine email would address me by name, not use a generic heading.

We are contacting you today as you have not updated any of your personal details for some time as a security measure we have disabled online access to your account.

This is 2 sentences rolled into one, without a full stop separating them. The second sentence should start “As a security measure…”

To ensure your protection, We’ve now disabled access to your TSB Internet Banking.

The word “We’ve” shouldn’t have a capital, as it’s still part of the same sentence and isn’t the name of anything.

You now need to re-set your security. You won’t be able to gain access to certain features of online services until you’ve done this.

Does re-set need a hyphen? And “certain features of online services” doesn’t quite feel right. Maybe “our online services” would sound better, otherwise it sounds like they’re referring to all online services on the entire internet.

To restore access please click the link below to validate your information, this process should only take you a few minutes to complete.

Again, 2 sentences bunched into one. That comma should really be a full stop.

Restore Access

When you hover over this link, you’ll see it’s actually pointing to:

http:// online.tsb.co.uk.personal.logon.login.jsp.submituseridaccountsummary.registration.onlinepersonalregistration.jsp.hpregnow.albnayat.com/online.tsb.co.uk/

This is sneaky, because they’ve put online.tsb.co.uk at the start and the end, which is their real domain. So if you glance at it quickly, you may assume it’s genuine. However, this link isn’t going there at all, and there are various signs pointing to that.

Firstly, the fact that it’s so long should be a clue for a start. Although it has words like “login”, “logon” and “registration” in it, there’s no need to have an address that long. If you want to login to your account, you would just need to go to the standard online.tsb.co.uk page.

Secondly, the beginning of the link is just http://. Any banking website will use a https:// prefix, because that means it’s a secure connection.

Thirdly, after the 2 slashes in that http prefix, look for the first instance of a slash in the address itself, and see what comes before it. Here we have albnayat.com/online.tsb.co.uk/. Notice that the online.tsb.co.uk part is coming after the first forward slash, not before. This is critical.

This means the link is actually pointing to a page within albnayat.com, created to have the same name as the online TSB site. So albnayat.com is where you’re actually being sent, because that’s the last part before the first forward slash. Any slashes after that don’t matter; it’s always the first one that matters. And albnayat.com clearly has nothing to do with TSB. So whatever you do, don’t click it.

Please Note: Failure to restore full access can lead to permanent suspension of access to our online banking service.

Best regards,

TSB Bank

That last part does make sense, although it’s interesting that they call it an online “service” here and not “services” as before. Little bit inconsistent there. And “Best regards” seems an odd way to finish a very formal and serious email, as if they’re somehow your friend.

So that email’s clearly nonsense. Let’s see if their other email, which I received twice, is any better.

Email 2

From Address (Version 1):  TSB (ksmitchell395@students.ecsu.edu)

From Address (Version 2):  TSB Bank plc (ercooper027@students.ecsu.edu)

To Address: Same as From address, meaning I’m on the blind copy list again.

Subject: We’ve disabled access to your TSB Internet Banking

Dear Customer.

Thank you for banking with TSB Bank .

As part of our ongoing security effort we are carrying out various spot checks on accounts.

Having checked your account we have noticed that there are transfers that have left your account on the 5th Feb.

Please log on to our personal homepage and check your account. If there are any transactions that you do not recognise, please call our contact centre as soon as possible.

To view this transaction and your current balance,please use the secure link below :

https:// online.tsb.co.uk/personal/logon/login.jsp (disguised link – see note below)

If you have any questions related to this message or the funds transfer, please contact the our customer service.

Kind Regards,

Head of Communication.

Regards

Philip Robinson

TSB Bank plc Contact Centre Manager

—————

TRACKING NUMBER: A00001540684-00004644766 *********************

Internet communications are not necessarily secure and may be intercepted or changed after they are sent. cahoot does not accept liability for any such changes.

If you wish to confirm the origin or content of this communication, please contact the sender using an alternative means of communication. This communication does not create or modify any contract.

This email may contain confidential information intended solely for use by the addressee. If you are not the intended recipient of this communication you should destroy it without copying, disclosing or otherwise using its contents.

Please notify the sender immediately of the error.

Copyright 2018 TSB Bank plc.

This is a little bit better, in particular because the link they want you to click is disguised to look like it’s the correct website, and they’ve copied a footer section from what I assume is a genuine TSB Bank email.

But there are still key giveaway signs here that this is a scam.

Dear Customer.

Thank you for banking with TSB Bank .

There are 3 issues here already. Again, it doesn’t address me by name. Secondly, the full stop after “Dear Customer” looks wrong – it should either not be there, or replaced by a comma. And thirdly, there’s a space before the full stop after “TSB Bank .”

https:// online.tsb.co.uk/personal/logon/login.jsp

Now, this is sneaky, because it looks like the actual link. However, if you hover over the link without clicking on it, to reveal where it’s actually going, it’s not that address at all.

Remember, you can make the text displayed for a link say anything you like – “click here”, “register now”, “login”, etc. Any text can be displayed for a link, and that includes a web address if you so wish.

Because that’s what they’ve done here. They’ve used a real TSB address as the text of the link. But hovering over the link shows that it’s actually going to:

http:// online.tsb.co.uk.personal.logon.login.jsp.submituseridaccountsummary.registration.onlinepersonalregistration.jsp.hpregnow.onlineservices.jabuka-zagreb.com/online.tsb.co.uk/

As with the first email above, this again has the text online.tsb.co.uk at the end – but after a forward slash. If you check what’s just before that slash, you can see the real website it’s going to is jabuka-zagreb.com. So they’ve attempted to be clever here, and it could well catch some people out.

So remember – just because you see a web address you can click on that looks correct, it does not mean you can trust it. You should be able to hover over the link to reveal the true address.
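
The two link checks described above (read the host that sits before the first slash, and compare a displayed web address with the link's real target) can be automated. This Python sketch is an added example, not part of the original post; it assumes `tsb.co.uk` is the trusted domain, uses the reserved name `example.net` as a stand-in for the scammers' domains, and runs on constructed sample HTML.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

TRUSTED = "tsb.co.uk"  # assumption: parent domain of online.tsb.co.uk, the real site named in the post

def host_of(url):
    """Host = what sits between '//' and the first '/', minus any user@ or :port."""
    return (urlsplit(url.strip()).hostname or "").lower()

def is_trusted_host(host, trusted=TRUSTED):
    # Match on the END of the host, at a dot boundary; a trusted name at the
    # start (online.tsb.co.uk.something.example.net) proves nothing.
    return host == trusted or host.endswith("." + trusted)

class _Links(HTMLParser):
    """Collect (visible text, href) for every <a> element."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None

def audit_links(html):
    parser = _Links()
    parser.feed(html)
    report = []
    for text, href in parser.links:
        real = host_of(href)
        shown = host_of(text) if "://" in text else ""  # link text that is itself a URL
        report.append({"real_host": real,
                       "trusted": is_trusted_host(real),
                       "https": urlsplit(href).scheme == "https",
                       "text_mismatch": bool(shown) and shown != real})
    return report

# Constructed sample: same shape as the two links in the post, plus one genuine link.
FAKE = "http://online.tsb.co.uk.personal.logon.login.jsp.example.net/online.tsb.co.uk/"
SAMPLE = (f'<a href="{FAKE}">Restore Access</a>'
          f'<a href="{FAKE}">https://online.tsb.co.uk/personal/logon/login.jsp</a>'
          '<a href="https://online.tsb.co.uk/personal/logon/login.jsp">Log in</a>')

if __name__ == "__main__":
    for row in audit_links(SAMPLE):
        print(row)
```
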

If you have any questions related to this message or the funds transfer, please contact the our customer service.

Kind Regards,

Head of Communication.
Regards

Philip Robinson
TSB Bank plc Contact Centre Manager

The end of the main message is a bit of a mess. “contact the our customer service” makes no sense. And you seem to have a double signature. You get “Kind Regards” from the “Head of Communication.” (which doesn’t need a full stop on the end). And then you get “Regards” from “Philip Robinson”, who is the “TSB Bank plc Contact Centre Manager”. This makes it look really odd, because you never get a double signature like that.

After that, there’s a “tracking number” and the standard data protection disclaimer you find at the end of many emails these days. This has simply been copied from a genuine TSB email to make this one look official, hence it’s all written properly. But having a disclaimer at the end doesn’t prove the email is real because, like here, they’re easily copied.

So that disclaimer can be ignored. And besides, by this point we know that the email is rubbish anyway. But if you were really unsure, you could contact TSB with the tracking number to ask them. Or even without a reference like that, you could still contact them to find out if the email is genuine, as they would be able to check that. Just remember to use Google or a link in your bookmarks to go to their website – don’t use a link in the email.

So that’s it. A couple more dodgy emails picked apart quite easily when you know what to look for. The second email is sneakier, but there are some signs that spammers can’t hide very easily, or at all. So if you’re careful and vigilant, you shouldn’t fall prey to these scams.

Author: Glen

Love London, love a laugh, love life. Visually impaired blogger, culture vulture & accessibility advocate, with aniridia & nystagmus, posting about my experiences & adventures.
