I just got this message by e-mail:
Dear valued NatWest customer,
We want to inform you that our bank is trying to apply new antifraud system with updating
security standards. We perfect confidence that the new updated technologies will insure
the safety of your transactions through NatWest bank. NatWest bank will modernize both
software and hardware.
We were unable to process your recent transactions on your account.
To ensure that your account is not suspended, please update your information.
If you recently updated your information, please disregard this message as we are
processing the changes you have made. Follow this link to update your details and to
prevent illegal using of your account. http://natwest-onlinebank.com/
When you've finished, always 'log off' from Internet banking and if you're in a public
place - please close your browser.
We highly appreciate you understanding and assistance,
NatWest Credit/Debit Cards Service Dept.
Its "From" address was "[email protected]".
I could tell immediately that it was a phishing scam, not a legitimate bank message... for one thing, I don't even have an account with NatWest.
However, they seem to be more clever than most phishers; they didn't do most of the blatantly obvious stuff that usually indicates a scam, like have hyperlinks that show one URL in the visible text but actually link somewhere else entirely, like a raw IP address or a subdomain with a country code in Eastern Europe or Asia. In fact, the message was in plain text form, and the web addresses given were free of tricky stuff like username syntax obscuring where they went. They in fact wanted you to go to the site at natwest-onlinebank.com. If you actually check the WHOIS on it, you'll find that it was registered yesterday and doesn't belong to NatWest bank; however, the site at that address is a decent imitation of a real bank site (I haven't actually been to the real NatWest site, but I presume they ripped off the code from it, including a menu system that doesn't work properly in my Mozilla browser.) It has a form that asks for info like your account number, PIN, and web site password. (I filled in stuff that had no resemblance to any of my account numbers, PINs, or passwords to check that the form worked; it does.) An alert user might notice that it's all at an "http" address instead of a secure "https" one, but otherwise it's pretty realistic.
The "natwest-banking.com" domain is also recently-registered and doesn't seem to belong to the bank either; there seem to be mail headers showing that the message actually did originate on a server at that address, though such things can be faked; if the phisher owns the domain, though, the headers might be real and could prevent the message from getting filtered as fake.
What makes such scams more likely to succeed, of course, is the fact that banks really do use a bewildering assortment of Stupid Unnecessary Domain Names [tm] instead of logical subdomains of their main domain; Citibank, for instance, uses citibank.com, citi.com, citicards.com, and many others. Thus, one might easily believe that a message like this containing two different variations of "natwest-something.com" might actually be legitimate, since it's little different from the sorts of domain use banks really engage in.
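The indicators discussed above can be run as checks over a plain-text message body. The sketch below is an added example, not part of the original post; the function names, the brand token list and the allowlist of official domains (assumed here to be just natwest.com) are illustrative assumptions. It shows that the link in this message passes the classic checks (no userinfo trick, no raw IP) and is caught only by the missing TLS and by the brand name appearing in a domain that is not on the allowlist.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Assumption: the domains the brand really uses, maintained by the defender.
OFFICIAL_DOMAINS = {"natwest.com"}
BRAND_TOKENS = {"natwest"}
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def registrable(host):
    """Naive last-two-labels domain; a real tool should use the Public Suffix List."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def check_url(url):
    """Return the names of the indicators that fire for one URL."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    flags = []
    if parts.username is not None:
        flags.append("userinfo-in-url")  # text before '@' hides the real host
    if is_ip(host):
        flags.append("raw-ip-host")
    if parts.scheme.lower() != "https":
        flags.append("no-tls")
    if registrable(host) not in OFFICIAL_DOMAINS and any(t in host for t in BRAND_TOKENS):
        flags.append("brand-in-unofficial-domain")  # e.g. natwest-something.com
    return flags


def check_message(text):
    """Map every URL found in a plain-text body to its indicators."""
    urls = [u.rstrip(".,)") for u in URL_RE.findall(text)]
    return {u: check_url(u) for u in urls}


# Constructed sample: the link line from the message quoted in this post.
SAMPLE = "Follow this link to update your details. http://natwest-onlinebank.com/"

if __name__ == "__main__":
    for url, flags in check_message(SAMPLE).items():
        print(url, flags)
```

The allowlist is the weak point the last paragraph describes: a bank that spreads its services over many unrelated domains makes that list long and hard to keep current, for filters and for customers alike.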