Lloyds TSB Attacked by Phishing Scam
Look what landed in my inbox this morning:
We’ve all heard of the online banking fraud that goes on, but I hadn’t seen such a blatant example still live on the web until today. As part of the Rising Tide server switch, I’ve had to temporarily alias a couple of mailing list subscribe / unsubscribe address to my own email account, and I got a spam email to one of them this morning. To me it was immediately apparent that it was a fake, but it’s easy to see how a large number of non-technical internet users are drawn in by these extremely realistic looking scams.
Check out these screen shots:
The real Lloyds TSB online banking site.
The fraudulent site.
My first reaction was to check out the domain name the fraudsters were using — lloydstsb-bank.biz — turns out it’s registered through the New Orleans Leftover Data Center, a rather dubious company who I’ve come across before - they bought up theyellowhouse.info, the domain name for a site about eco-housing one of my colleagues made (now located at www.theyellowhouse.org.uk) when he accidently missed a renewal payment. Even though the site was part of a non-profit doing some really great work, they refused to even consider selling it back.
They didn’t answer their phone, so I emailed them to tell them they really should pull that domain name off the web, and I then called Lloyds TSB online… turns out they already knew about the fraud, and are trying to get it shut down, but at the time of writing this the fake site is still live. I won’t link to it though, that would be stupid.
I doubt Lloyds will make public how many accounts are compromised, but I know there will be some. It is sad the lengths some people will go to driven by greed. (Put it this way, I doubt the perpetrators were planning to donate the money to OCAP.)
Update: It gets better. I had a look in more detail at the site, and - can you believe it? - they’re pulling all the images and the css straight off the real Lloyds TSB site! Not only are the scammers trying to rip off customer details, but Lloyds TSB are paying for most of the bandwidth! Incredible. I called them up again to let them know that they could simply and easily make the fraudulent site look, well… not so much like Lloyds TSB online anymore. By simply changing the names of the images they use on the real site, and maybe replacing the old image with a different image of the same name that would then be served as part of the fake site… “This site is a fake - don’t enter any of your online banking information” ought to do it. Or even more simple - just swap out the css file and replace it with:
body { display: none; }
Personally I’d probably go for a more creative edit 
Of course their tech department closed at 5pm UK time and the poor people on the Internet Banking helpdesk don’t have access to do that kind of thing. I’ll check the fake site again tomorrow morning - hopefully it will look a little different!
October 3rd, 2005 at 18:17
i opened my online banking this morning and to my horror found that somebody had accessed my lloydstsb current and savings account and emptied them both. i have never replied to any lloyds emails fake or otherwise but still this has happened to me. i contacted lloyds who are dealing with the issue but will not start until i have a crime reference number from the police . i go to the police they CANT issue crime reference number until they now where the crime was committed!!!!! its great to be british haha. give me five minutes with whoever did this and ill make sure he never uses a keyboard again.
October 3rd, 2005 at 19:00
Ouch, that’s brutal. Even if you never went to a fake site or replied to a phishing email, it’s possible you have caught a virus, trojan or worm that was monitoring your keyboard activity for things like banking passwords and sending them to who knows where. I would make sure you have up to date anti-virus and anti-malware software running, scan your whole computer, and don’t use online banking until then.
The incredible thing with that scam back in February (which is long since shut down, although I don’t doubt there have been many many others since) was that they were hotlinking the images and CSS straight from the real LloydsTSB website… I tried to explain this to LloydsTSB fraud people but they didn’t have the technical knowledge or authorisation to take the (very simple) steps to render the fraudulent site immediately useless. It would have taken me a few minutes, been much quicker than waiting to get the site disconnected by the hosting ISP, and might have saved some people the horrible experience you’ve gone through of having your accounts emptied.
May 25th, 2007 at 06:38
They say there’s no fool like an old fool.
Yes! I fell for the supposed Lloyds TSB Security Email asking me for details to upgrade my online security. And yes they emptied both my own account and our joint account:£5,100
TSB have replaced the money back into our accounts, but we are left wondering what steps to take to avoid it happening again.
I update my Norton A.V.(corporate edition) on a weekly basis, my windows firewall is set to automatic updates, and I also update my Spybot-Search and Destroy.
I was hoping for some advice from TSB regarding cancelling my accounts and opening new ones, changing online passwords, changing credit and debit cards etc. etc. but with the exception of not being able to use my credit card, it seems to be carry on as normal.
It is the not knowing just how much information these fraudsters now have that is causing us to worry.
Patrick. (aged 72)
June 16th, 2007 at 16:40
That’s brutal Patrick… I’m glad Lloyds TSB returned all your money. Unfortunately anti-virus software doesn’t really help with phishing scams like this. The new version of the Firefox web browser (a good alternative to Microsoft Internet Explorer that I recommend to people) has a built in fake site warning for sites that have been reported, so you could give that a try - although having been caught out once, I doubt you would be a second time.
October 25th, 2007 at 02:26
We can’t seem to access the real lloyds website at all from our home computer at all after getting several fake (Phising emails) that we didn’t click on but we can open the site from other locations in Beijing. No idea if our money has been taken or not as I don’t want to use my passwords on an internet cafe website. Any ideas on how to check if there is something installed on the home computers that is doing this. I have run all of the norton anti virus scanning and the microsoft anti virus and spyboot. Still no luck. Any ideas would be helpful. Thanks
Paul
December 10th, 2007 at 23:55
I got an e-mail from [email removed], Using Lloyd bank, That I had won a lottery, and asking for my name, and other personal information, I e-mailed them back telling them that if this was a scam and this was an ID theft, it wouldn’t do them any good, my credit is ruined.