Scam of the Week: Crafty phishing scam targets Santander, HSBC and Royal Bank of Scotland customers

September 12, 2019 9:23 am Geraldine Strawbridge

Fraudsters are using new online security checks to trick banking customers into handing over their financial details and personal data.

Banks, card providers and retailers across the EU are currently in the process of emailing customers asking them to provide up to date contact information, as part of new checks for online card payments known as strong customer authentication (SCA).

Criminals keen to take advantage of this flurry of online activity have been imitating the emails being sent out by banks in the hope of snaring unsuspecting victims.

Consumer group Which? warned that attackers are imitating emails from Santander, HSBC and Royal Bank of Scotland.

The emails state that if the recipient fails to confirm their details then their bank account will be suspended. To update their details, they are encouraged to click on a link included within the email.

If the user clicks on the link, they will be directed to a fake site set up to harvest their banking details. Which? believes we will see more of these scams over the next 18 months during the phased implementation of SCA.

Image: Example of a phishing email (Source: Which?)

What is SCA?

As part of the EU Payments Services Directive (PSD2), additional security measures are being introduced for any online transactions over 30 euros.

Customers will need to provide two of three possible methods to confirm their identity. This could be a one-time passcode, a unique password or biometric data such as a fingerprint, facial recognition or voice recognition.

PSD2 Strong Customer Authentication will come into effect from September 14, 2019. However, the Financial Conduct Authority has delayed enforcement of the new regulation by 18 months, giving businesses more time to comply with the new system.

Unfortunately, this will also give attackers more time to launch their phishing scams in the hope of tricking more victims.

How to spot a phishing email

Despite the increasing sophistication of these emails, there are often lots of subtle signs that can alert you to the presence of a phishing email. 

  • A mismatched URL – To check the validity of a link, hover your mouse over the link without clicking on it. You will then see the full hyperlinked address appear. If the link in the email is different from the address displayed, it could indicate a phishing email.
  • A generic greeting – Phishing emails typically use generic greetings such as ‘Dear valued customer’, ‘Dear Account Holder’, or ‘Dear member’. If you are dealing with a legitimate company that you regularly do business with, they would know your name and use it in all official correspondence.
  • A request for personal information – If you receive an email asking for personal information such as an account number, password, PIN or security questions, there’s a good chance it’s a phishing email and it should be deleted immediately.
  • Poor spelling and grammar – Legitimate companies will tend to have all their official correspondence proofread. If you spot lots of grammatical errors or unusual phrases, it’s unlikely to have come from an official organisation.
  • Threatening or urgent language – A common phishing tactic is to promote a sense of fear or urgency to rush someone into clicking on a link. Be cautious of subject lines that claim your account has had an “unauthorised login attempt” or your “account has been suspended”. If you are unsure if the request is legitimate, contact the company directly via their official website or official telephone number.
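The signs listed above can also be checked mechanically, which is useful for a mail-filter rule or a triage script run over reported emails. The following is an added example, not code from Which? or from MetaCompliance: it parses a raw email with the standard library, pulls every link's visible text and its real `href`, and flags four of the indicators (mismatched URL, generic greeting, request for credentials, urgent language); spelling and grammar are left to a human reader. The two sample emails and all domains (`.invalid` names) are constructed for the example, and the keyword lists are assumptions a practitioner would tune to their own mail.

```python
"""Score a raw email against the phishing indicators listed above (added example)."""
import re
from email import message_from_string
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed keyword lists; tune these for your own environment.
GENERIC_GREETING = re.compile(
    r"\bdear\s+(?:valued\s+customer|account\s+holder|member|customer|user)\b", re.I)
URGENT_LANGUAGE = re.compile(
    r"(?:account\s+(?:has\s+been|will\s+be)\s+suspended|unauthori[sz]ed\s+login\s+attempt"
    r"|within\s+\d+\s+hours|failure\s+to\s+confirm)", re.I)
# A request verb followed (within the same sentence) by a credential noun.
CREDENTIAL_REQUEST = re.compile(
    r"\b(?:confirm|enter|provide|verify|submit|update)\b[^.\n]{0,40}?"
    r"\b(?:password|pin|security\s+questions?|account\s+number|card\s+number)\b", re.I)
DOMAIN_IN_TEXT = re.compile(r"(?:[a-z0-9-]+\.)+[a-z]{2,}", re.I)


class _LinkCollector(HTMLParser):
    """Collect (href, visible anchor text) pairs from an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _bare_host(url_or_domain):
    """Hostname of a URL or bare domain, lower-cased, with a leading 'www.' dropped."""
    target = url_or_domain if "://" in url_or_domain else "http://" + url_or_domain
    host = (urlparse(target).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host


def _bodies(msg):
    """Return (html, plain) text of a parsed message, walking multipart parts."""
    html, plain = "", ""
    for part in msg.walk():
        if part.get_content_type() in ("text/html", "text/plain"):
            payload = part.get_payload(decode=True) or b""
            decoded = payload.decode(part.get_content_charset() or "utf-8", "replace")
            if part.get_content_type() == "text/html":
                html += decoded
            else:
                plain += decoded
    return html, plain


def phishing_indicators(raw_email):
    """Return {'score': n, 'indicators': {...}} for the indicators found in raw_email."""
    msg = message_from_string(raw_email)
    html, plain = _bodies(msg)
    collector = _LinkCollector()
    collector.feed(html)
    # Subject plus tag-stripped body is enough for the keyword checks.
    text = " ".join([msg.get("Subject", ""), re.sub(r"<[^>]+>", " ", html), plain])
    found = {}

    # Mismatched URL: only judged when the visible text itself shows an address.
    mismatched = []
    for href, shown in collector.links:
        m = DOMAIN_IN_TEXT.search(shown)
        if m and _bare_host(href) and _bare_host(m.group(0)) != _bare_host(href):
            mismatched.append((_bare_host(href), _bare_host(m.group(0))))
    if mismatched:
        found["mismatched_url"] = mismatched
    if GENERIC_GREETING.search(text):
        found["generic_greeting"] = GENERIC_GREETING.search(text).group(0)
    if CREDENTIAL_REQUEST.search(text):
        found["credential_request"] = CREDENTIAL_REQUEST.search(text).group(0)
    urgent = sorted({m.group(0).lower() for m in URGENT_LANGUAGE.finditer(text)})
    if urgent:
        found["urgent_language"] = urgent
    return {"score": len(found), "indicators": found}


# Constructed sample messages (not real emails); all domains are reserved .invalid names.
SAMPLE_PHISH = """\
From: "Security Team" <security@example-bank.invalid>
To: customer@example.invalid
Subject: Action required: your account has been suspended
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Dear valued customer,</p>
<p>New security checks require you to confirm your password and PIN.
Failure to confirm within 24 hours will result in your account being suspended.</p>
<p>Update your details here:
<a href="http://login-verify.example-attacker.invalid/update">https://www.example-bank.invalid/secure</a></p>
</body></html>
"""

SAMPLE_BENIGN = """\
From: "Example Bank" <news@example-bank.invalid>
To: alice@example.invalid
Subject: Your September statement is available
Content-Type: text/plain; charset="utf-8"

Dear Alice Smith,

Your statement is ready to view in online banking. Log in as usual from
our website; we never ask for your full password or PIN by email.
"""

if __name__ == "__main__":
    for name, sample in (("phish", SAMPLE_PHISH), ("benign", SAMPLE_BENIGN)):
        print(name, phishing_indicators(sample))
```

The mismatched-URL check deliberately compares only the hostname, after dropping a leading `www.`, because that is the comparison a reader is asked to make when hovering over a link; a link whose visible text is just "Click here" shows no address and is therefore not judged by this rule, which is one reason a non-zero score should trigger a human look rather than an automatic verdict.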

Metaphish provides a robust defence against phishing attacks by training employees how to identify and respond appropriately to these threats. Get in touch for further information on how we can help protect your business.