
Scam warning: Santander security email

A convincing fake Santander email has been circulating during the New Year, asking customers to update their online banking security. Here’s what it looks like.

The new year has brought more phishing scams to watch out for, with ever-more convincing designs.

This attempt tells Santander customers to ‘confirm your personal details with us’, threatening that they’ll be locked out of their online banking if they do not follow the instructions.

It claims this is part of an online security update, but giving away your information will potentially give scammers access to your money.

In this case, the fake email looks particularly convincing. It uses high-quality Santander logos, and even includes an advert for a Santander bank account, featuring identical wording to genuine Santander marketing emails.

It’s also almost exactly the same as one we saw back in September, but this time the dates have been updated as the scammers attempt to con people going into 2020.

[Image: the fake Santander scam email]

The link included takes users to a professional-looking website with fake security features that make it look real.

Its subject line reads ‘Action required’ which makes it sound official – it’s designed to rush people into carrying out the instructions before they get a chance to query if the email is genuine.

The inclusion of a random number that looks like it could be a customer or case number also adds to the impression it’s legitimate.

But it’s not perfect – you’ll note the bizarre ‘confirm your online’ wording, complete with the incorrect ‘your’.

We made Santander aware of this fake email, and it said customers should:

⚠ Be extremely wary of links and attachments and never enter your banking details after clicking on a link. An email link may take you to a fake website which imitates Santander.

⚠ Watch out for language such as ‘you must act’.

⚠ Phone the organisation the email or text purports to be from if you’re in any doubt, on its official number, which you can find on its website.
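As an added illustration (not part of the Which? article or of Santander’s guidance), the Python below checks a constructed email against the red flags the article and Santander describe: urgency wording such as ‘Action required’ or ‘you must act’, a link whose domain is not the bank’s own, the misspelling a commenter noticed, and the generic ‘Dear Customer’ greeting that Santander’s own notice (quoted later in the comments) says it never uses. The two sample messages, the sender and link domains (using the reserved .example suffix) and the list of domains treated as legitimate are all assumptions constructed for this example.

```python
"""Phishing red-flag checker: a constructed example, not Which?'s or Santander's code."""
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption for this example: the domains the bank genuinely sends from
# (a commenter on the page lists santander.com and santander.co.uk addresses).
LEGITIMATE_DOMAINS = {"santander.co.uk", "santander.com"}

# Red flags drawn from the article and from Santander's advice quoted in it.
URGENCY_PHRASES = ("action required", "you must act", "locked out", "confirm your")
GENERIC_GREETINGS = ("dear customer", "dear client", "dear user")
KNOWN_MISSPELLINGS = ("untill",)  # spotted in the scam email by a commenter


class _LinkExtractor(HTMLParser):
    """Collect every href target from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.links.append(value)


def registrable_domain(host):
    """Reduce a hostname to its registered domain (crude: handles .co.uk-style suffixes)."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and labels[-1] == "uk" and labels[-2] in ("co", "org", "ac", "gov"):
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def link_domains(html_body):
    """Return the set of registered domains that links in the body point to."""
    parser = _LinkExtractor()
    parser.feed(html_body)
    domains = set()
    for href in parser.links:
        host = urlparse(href).hostname
        if host:
            domains.add(registrable_domain(host))
    return domains


def assess(raw_email):
    """Return a list of human-readable red flags found in one message string."""
    msg = message_from_string(raw_email)
    subject = msg.get("Subject", "").lower()
    _, sender = parseaddr(msg.get("From", ""))
    body = msg.get_payload()
    text = re.sub(r"<[^>]+>", " ", body).lower()  # strip tags for phrase matching
    flags = []

    sender_domain = registrable_domain(sender.split("@")[-1]) if "@" in sender else ""
    if sender_domain not in LEGITIMATE_DOMAINS:
        flags.append(f"sender domain {sender_domain!r} is not a known bank domain")

    for phrase in URGENCY_PHRASES:
        if phrase in subject or phrase in text:
            flags.append(f"urgency wording: {phrase!r}")

    if any(greeting in text for greeting in GENERIC_GREETINGS):
        flags.append("generic greeting (the bank says it addresses every customer by name)")

    for word in KNOWN_MISSPELLINGS:
        if re.search(rf"\b{word}\b", text):
            flags.append(f"misspelling: {word!r}")

    for domain in link_domains(body):
        if domain not in LEGITIMATE_DOMAINS:
            flags.append(f"link leads away from the bank to {domain!r}")

    return flags


# Constructed sample modelled on the scam described in the article.
SCAM_EMAIL = """\
From: Santander <security@santander-online-update.example>
To: customer@example.org
Subject: Action required: confirm your online
Content-Type: text/html

<html><body>
<p>Dear Customer,</p>
<p>As part of our online security update you must act now and confirm your
personal details with us. You will be locked out of online banking untill this
has been done.</p>
<p><a href="http://santander-secure-login.example/update">Confirm your details</a></p>
<p>Ref: 58213790</p>
</body></html>
"""

# Constructed sample in the style of a genuine notification: named greeting, no link.
GENUINE_STYLE_EMAIL = """\
From: Santander <pleasedonotreply@santander.co.uk>
To: customer@example.org
Subject: Your monthly statement is ready
Content-Type: text/html

<html><body>
<p>Dear Mr Example,</p>
<p>Your statement is now available. Log in to Online Banking in the usual way
to view it. We will never ask you for passwords or security details by email.</p>
</body></html>
"""

if __name__ == "__main__":
    for label, sample in (("scam", SCAM_EMAIL), ("genuine-style", GENUINE_STYLE_EMAIL)):
        print(f"{label}: {len(assess(sample))} red flag(s)")
        for flag in assess(sample):
            print("  -", flag)
```

The checks are deliberately simple string and domain comparisons; the point is that each of the article’s warning signs can be turned into a mechanical test, and that a message raising several of them at once deserves the phone call to the bank’s official number rather than a click.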

How to deal with phishing scams

If you’ve received this email, you should ignore it and report it as spam.

But if you’ve received it and have submitted your personal details, call Santander immediately.

Explain what’s happened and that your account security might be at risk. It’ll be able to help and will advise you on what to do next.

We’ve put together a guide that tells you all about these types of scam and how to spot them. You can also find out about what you might be able to do to get your money back if you’ve been targeted by a scam.

Have you or someone you know received this email? Did you think it was from Santander or were you suspicious?

Comments

One way of tackling this sort of scam would be for financial organisations to stop sending emails with links, instead asking customers to log into their account if action is needed. If this was done, then any email with a link could be assumed to be a scam.

Another mistake in the email is “…untill this has been done”

I think it was Derek who mentioned that requests to reset passwords often result in an email with a link, but I’m sure that there are alternatives such as a passcode sent by text.

Kevin says:
8 January 2020

Well, the Santander “Latest fraud updates” has a whole 2 articles, one on fake TV licensing emails, and one congratulating themselves for signing up to a push payment scam code, so I wouldn’t hold your breath waiting for a reply.

The Financial Ombudsman needs to bang some heads together to get the big banks to comply with a common security framework, so customers see some consistency between online bank security and aren’t exposed to the lamentable, ramshackle and dated security practices of some of the banks.

This should start with common 2 factor authentication using our chip and PIN cards and a generic card reader for all banks; I’m pretty sure a single card reader will read all VISA based cards at the very least. The bank could allow the customer to enroll the reader (if necessary) on their systems via a simple challenge/response process.

The problem is they spend too much time working out how to blame their customers for the flawed service they provide, or fleecing them in some other way. If it doesn’t affect the bottom line, they’re not interested.

2 Factor Authentication is already being mandated for all banks to introduce by 31 December this year.

As usual, it is the European Regulators that are tightening up on slack internet security, having already delivered GDPR, so make the best of this farewell gift from the EU.

Claude Juillet says:
10 January 2020

So, how secure is the internet? It has not stopped paper works! It seems it’s a never ending story. 2020 is another year like all the one before & nothing has changed in this world; it will go on & on for ever! We need a miracle from someone or rather somewhere.

Here the scam depends on a link being clicked, so if a bank customer falls for that, good security software might block that link and, if not, the customer may still have time to smell a rat and refuse to complete the online form.

But even the best security software might fail to block the link until after some human intervention, such as the first reports of this scam.

To answer Claude’s question, the internet is not completely secure, but I’m sure that many internet users judge that the benefits of internet use far outweigh any consequential security risks.

Anyone who chooses to shop or bank online is going to expose themselves to some financial risks, so their banks should help them to be as secure as they can.

If you bank with Santander and actually take the trouble to read the information they send you on every email, it says:

“Please do not reply to this email. It has been sent from an email address that does not accept incoming emails. Santander will never ask you to supply personal information such as passwords or other security information via email. As an additional security measure, every customer email will be addressed to you personally.”

Now go back and look at the scam email. It says: “Dear Customer”.

So let’s take a bit of personal responsibility for keeping our money safe, before we start finger pointing.

I’ve gone beyond the basics and can usually spot a scam email straight away, because I always allocate a different email address for every commercial relationship I enter into. Not only does this protect my “real” email address from spam, but if I receive a Santander email that is not addressed to santander@[mydomain].co.uk, it is a fake for sure. An email redirect service like this can be as cheap as £5 per year, so why don’t more people do it?

And if you are using goofymail.com (you know who I mean) or another unpaid email service provider, you really shouldn’t be using online banking at all, at least not without the protection of some independent means of 2-factor authentication.

“Goofy” and other free mail services have been caught out on a number of occasions, sharing email content internally and with a number of third parties. Why would they provide such a service if they weren’t snooping on your correspondence, if only to discover less sensitive information about you? Seems you can’t trust anyone these days when it comes to money – new technology, but same old scams.

Personally, I’m quite content to use gmail and other free email services. And I do also use online banking – but all my online bank accounts do use 2FA. I also reckon my Chromebook is the most secure “device” that I own. I did also have an iPhone for a short while and was content to use an online banking app on it.

Kevin says:
11 January 2020

Unless your email is encrypted in transit, the content is open to anyone who has access to the [possibly several] servers which transfer it en-route. The analogy commonly used is a postcard sent by ‘old’ mail, everyone can read it, from the postbox to the letterbox. As such, email content is not secure, whether it’s free or paid for.

It’s a tricky judgement deciding what is safe to put in an email, since apparently innocuous data can be, and is, aggregated by Google etc. to mine personal information; even simple traffic analysis on senders/recipients can reveal a lot about a person.

The last email I got from Santander is typical of the sloppy attitude of banks to security, since it contains two different domains for them, which undermines the confidence in the security certificate infrastructure we all rely on. They should pick one and stick to it, but their IT is driven by marketing, not security.

phishing@santander.com
pleasedonotreply@santander.co.uk

Some banks have an alphabetti spaghetti of various domains, below is Nationwide’s list of domains they use. These should all be “something@nationwide.co.uk”, but like Boeing, their email security seems to be “designed by clowns who in turn are supervised by monkeys”, (“service-nationwide.co.uk” and “nationwide-service.co.uk” are especially comical examples, along with the ironic “nationwide-email.co.uk” ):
nationwide@service-nationwide.co.uk
nationwide@alerts-nationwide.co.uk
nationwide@nationwide-communications.co.uk
nationwide@nationwide-service.co.uk
nationwide@nationwide-savingswatch.co.uk.
mortgagehub@nationwidemortgages.co.uk
nationwide@nationwide-email.co.uk
service@nationwidehomeinsurance.co.uk

At least these two escaped the attentions of the marketing budget:
noreply@nationwide.co.uk
MortgageUpdates@Nationwide.co.uk

I suppose that it is pointless to underline that email is a text protocol and using HTML is dangerous. Do not use any form of webmail. Do not read email in a browser.

These sort of scams are then easy to spot, and won’t do any harm anyway if you do not permit any html or embedded scripts to operate. If you do read an HTML attachment in a browser, make sure that javascript is disabled for the site unless you have checked its authenticity.

Unfortunately Which? is guilty of this insecure practice as well as most other organizations.

Suggested alternatives to webmail? Outlook, as in the Office suite? Thunderbird?

No unencrypted email is totally secure, as it will normally have to pass through a number of email servers to reach its destination. However … .

The problem with any free email or other Internet service is that there is no legal contract between you and the service provider, irrespective of any “terms and conditions” you might have agreed to when signing up. This is because no money has changed hands (look up “legal consideration”, if you don’t understand the concept).

Because there is no legal contract, there is no remedy for any civil loss or damages, even if you could show that the service provider was negligent in managing your data. This would be extremely difficult to prove, by the way, given the number of hand-offs involved in transmitting an email over the Internet.

But at least you would have some remedy if it could be shown that staff working for your ISP, say, were regularly monitoring and selling off details taken from your emails. Note that whilst this would be a criminal offence regardless of any contract, criminal law and prosecution is not concerned about restoring your personal losses.

If I had to nominate a free web-based and mobile app email service provider, I would look at ProtonMail. They are a Swiss-based organisation, and as far as I can tell are altruistically motivated, but I could be wrong about that. I do use them for some sensitive communications and they seem OK.

ProtonMail is currently the most secure email around.

I’ve been using ProtonMail for a while too, particularly for any messages that I want to be “less insecure” than Gmail.

But I do also use Gmail, when security is not an important concern.

@Ian and @DerekP

Thanks for your endorsements of ProtonMail.

Dylan Morris says:
13 January 2020

I haven’t heard of ProtonMail, but will definitely check it out if you get less spam with it, thanks for the info.
As for your comments about it saying Dear Customer, totally agree that this is always a red flag for me, both on emails and texts. Sometimes I get texts that say I am due a refund or have won something, from companies that would surely know my name, but when it says something generic like that, I’m always wary of a scam.
I wish there was something that could be done to just stop all of this. I do what I can, reporting to relevant companies by forwarding them the emails I’ve received, Action Fraud, any phone calls/texts I get I report and post on https://scam-caller.co.uk/ to warn people about the number, but the authorities don’t seem too bothered about trying to take action.