Research
Industry Comment


Foward Features









  In partnership with:

 

07 October 2005

Gone phishing in Halifax

SA Mathieson

UK bank sends out marketing email which its own staff identify as a fake

One of the UK’s largest consumer banks last month sent a marketing email to customers which showed several signs of being an attempt at ‘phishing’, without informing its security staff.

The email from Halifax Share Dealing Services, part of HBOS plc, invited readers to visit a log-on page from a link in the email’s text, and contained a link to a URL not registered to HBOS. Halifax’s security help page advises customers receiving emails apparently marketing bank services: “DO NOT access any links within the e-mail, disclose your sign-in details or reply to the e-mail.” Ironically, a similar warning appeared at the end of the email.

One customer of the share dealing service, who contacted the bank’s security department after entering her log-on details on the page linked to from the email, was told by staff that it was a fake, leading her to change her password. But when her son – Richard Thrippleton, a doctoral student at Cambridge University’s Computer Laboratory – contacted the internet service provider hosting the suspect URL to report abuse, he found out that the URL and the service are genuine, although provided to Halifax by a third party.

Halifax apologised for the inconvenience involved in providing incorrect information from its call centre. “We have taken measures to ensure staff are fully aware of this service and that this isolated incident remains so,” it said in a statement.

It added that Mr Thrippleton’s mother must have opted in to receive further information about the Halifax share-dealing service, and that the URL used in the email is mentioned on this service’s home page. Also, “this website contains no personal information and simply requests that customers select a password in order to personalise the service they receive by choosing their own share settings,” it said.

Mr Thrippleton said he was pleased that Halifax will brief its telephone security staff, but believes that it would have made more sense to use Halifax’s standard URL in such an email. “Even better would have been for the email to say, go to the site and click on this button”, he said.

The share price service advertised in the email is provided by Skinkers, which provides similar push technology services to clients including the BBC, Financial Times and London Stock Exchange: it is also the owner of the mystery URL. “I think the Halifax will inform people of the service in a slightly different way,” said chief operating officer Rob Noble.

Links

Halifax security help page

The full exchange of emails, on Richard Thripleton’s site.

Copyright SA Mathieson 2005.

Back to news index