Phishing emails: how I nearly got caught out

29 May 2014

A phishing email popped into my inbox this morning. That's hardly a rare occurrence, but what was unusual about this one is that I really wasn't sure, for a moment, if it was malicious or not.

Take a look:

This caught my eye, as I've recently returned from overseas travel, and I did (foolishly) log into my account on hotel Wi-Fi without taking any precautions. What if someone had nabbed my login credentials?

Of course, I would never click a login link embedded in an email, and the odd language raised my suspicions: "customers are not permitted to log in from different places at same time" is a strange thing to say, given it's impossible under the laws of physics. Hovering over the link showed the actual destination was something called "bodegon.mx" -- clearly nothing to do with NatWest.

Pretty straightforward stuff. So why did I even give it a second look? Because Outlook.com told me that the sender was in my "safe list".

It's true, the message had been sent from a sensible-sounding email address, customerservice@natwestsecure.com -- but a hacker could have registered that domain themselves, or spoofed it, and a plausible domain name shouldn't be enough to trick a spam filter. So why did this go to my inbox, rather than being caught up in spam or my junk mail -- which is where most of my bank's real email missives land?

Out of curiosity, I searched for that email address in my Outlook.com account... and it showed up. As it turns out, I'd had a similar message two years ago from the same email domain, and had moved it to my inbox in order to forward it to NatWest's security team, because Outlook.com doesn't let you forward items from your junk mail.

That action added it to my safe list, ensuring I saw it this time. Thanks for that, Microsoft.
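The two checks from this story, written out as an added example that is not part of the original post: look at where each link really goes, and treat a safe-list hit as an address match rather than proof of origin. The brand domain list, the function names and the sample message body are assumptions constructed for illustration; only the sender address and the link host come from the post.

```python
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption: domains the bank really sends from and links to (not stated in the post).
BRAND_DOMAINS = {"natwest.com"}

# Constructed sample: sender address and link host are from the post, the rest is made up.
SAMPLE_FROM = "NatWest <customerservice@natwestsecure.com>"
SAMPLE_HTML = '<p>Please <a href="http://bodegon.mx/">log in</a> to confirm.</p>'

class LinkCollector(HTMLParser):
    """Collect the real href of every <a>, i.e. what hovering would reveal."""
    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        href = dict(attrs).get("href")
        if tag == "a" and href:
            self.hrefs.append(href)

def host_in(host, domains):
    """True if host equals, or is a subdomain of, one of the domains."""
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)

def triage(from_header, html_body, safe_senders):
    """Return warning flags for a message; an empty list means nothing stood out."""
    addr = parseaddr(from_header)[1].lower()
    sender_domain = addr.rpartition("@")[2]
    flags = []
    if addr in safe_senders:
        # A safe list matches the address string only; it says nothing about origin.
        flags.append("safe_listed_sender")
    if not host_in(sender_domain, BRAND_DOMAINS):
        flags.append("sender_domain_not_brand:" + sender_domain)
    collector = LinkCollector()
    collector.feed(html_body)
    for href in collector.hrefs:
        url = urlsplit(href)
        if url.scheme in ("http", "https") and not host_in(url.hostname, BRAND_DOMAINS):
            flags.append("link_offsite:" + str(url.hostname))
    return flags

if __name__ == "__main__":
    print(triage(SAMPLE_FROM, SAMPLE_HTML, {"customerservice@natwestsecure.com"}))
```

The suffix match in `host_in` is what separates `natwestsecure.com` from a genuine subdomain such as `www.natwest.com`; a plain substring test would accept both.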

There is some good news: when I tried experimentally clicking the link, Google Chrome showed a big red warning that I was heading to a dodgy site. I clicked through anyway (front line of tech journalism, right here) and my AVG scanner wouldn't even let the page load.

Points to Chrome and AVG in the battle against phishing, and marks docked from Outlook.com, then. In case anyone's wondering, that recent trip overseas means I haven't any money left in my account to steal anyway.
