07 October 2005
Gone phishing in Halifax
UK bank sends out marketing email which its own staff identify
as a fake
One of the UK’s largest consumer banks last month sent a
marketing email to customers which showed several signs of being
an attempt at ‘phishing’, without informing its security
The email from Halifax Share Dealing Services, part of HBOS plc,
invited readers to visit a log-on page from a link in the email’s
text, and contained a link to a URL not registered to HBOS. Halifax’s
security help page advises customers receiving emails apparently
marketing bank services: “DO NOT access any links within the
e-mail, disclose your sign-in details or reply to the e-mail.”
Ironically, a similar warning appeared at the end of the email.
One customer of the share dealing service, who contacted the bank’s
security department after entering her log-on details on the page
linked to from the email, was told by staff that it was a fake,
leading her to change her password. But when her son – Richard
Thrippleton, a doctoral student at Cambridge University’s
Computer Laboratory – contacted the internet service provider
hosting the suspect URL to report abuse, he found out that the URL
and the service are genuine, although provided to Halifax by a third
Halifax apologised for the inconvenience involved in providing
incorrect information from its call centre. “We have taken
measures to ensure staff are fully aware of this service and that
this isolated incident remains so,” it said in a statement.
It added that Mr Thrippleton’s mother must have opted in
to receive further information about the Halifax share-dealing service,
and that the URL used in the email is mentioned on this service’s
home page. Also, “this website contains no personal information
and simply requests that customers select a password in order to
personalise the service they receive by choosing their own share
settings,” it said.
Mr Thrippleton said he was pleased that Halifax will brief its
telephone security staff, but believes that it would have made more
sense to use Halifax’s standard URL in such an email. “Even
better would have been for the email to say, go to the site and
click on this button”, he said.
The share price service advertised in the email is provided by
Skinkers, which provides similar push technology services to clients
including the BBC, Financial Times and London Stock Exchange: it
is also the owner of the mystery URL. “I think the Halifax
will inform people of the service in a slightly different way,”
said chief operating officer Rob Noble.
security help page
The full exchange of emails, on Richard Thripleton’s site.
Copyright SA Mathieson 2005.
Back to news index