Email Spam Alert - Lloyds Bank Phishing Scam

We blocked a huge phishing spam campaign this morning disguised as an urgent email from Lloyds Banking Group / Lloyds Bank PLC. This one is using several techniques employed by spammers to get past many security systems, like huge volumes, real company names, logos and addresses, and constantly changing outbound servers and "click-me" links.

Don't click on the links in these emails. Lloyds Bank has posted a warning that it would never send such an email to its customers and that clicking the links could lead you to give away your username and password.

How Phishing Scams Work

The spammer sends an email that looks like it comes from a bank, credit card company or some other place where people have accounts with access to money or other sensitive information. The message in the email is urgent, trying to get you to click on one of the links in it.

Never click the links in such an email. They take you to a site that's owned or has been hacked by the scammer, with a "login" page where you enter your username and password.

Some of these pages then redirect you to the real site the email appeared to come from, to make the login seem authentic. Regardless, the scammer already has your login credentials and can steal your money or identity.

About this Phishing Spam

This campaign looks fairly authentic and uses tricks that spammers employ to make you think it's real. Here's what one of the emails looks like:

[Image: Phishing Spam Alert - Lloyds Bank - September 2014. Caption: Massive "Lloyds Bank" Phishing Email Spam]

You may see variations, but features that make it seem authentic include:

  • Realistic logo: The logo looks very close to one of those actually used by the company.
  • Third-Party Product Name: This is something we don't see too often. The email implies that the links are protected by a Cloud-based secure mail product. That appears to be an actual product. This is probably done to add authenticity and also give the user a false sense of security that clicking the links is safe.
  • Legitimate Addresses: This is also something we don't always see. At the bottom of the email are real street addresses for Lloyds and others, designed to lend credibility.

This campaign also employs tricks designed to fool antispam systems:

  • Changing IP addresses: This is used in a lot of spam. The sending servers are constantly changing, and are likely zombie machines under the control of a spambot. Almost all antispam programs have an IP blacklist to block these servers. But you don't want to block them after their respective admins disinfect them.
  • Changing "Click-me" links: The hallmark of phishing is a "click-me" link (or "URL") to a site that has a fake and dangerous login page. To make that work, the spammer needs to own the web site or hack into another's, which adds to the time and cost of sending the spam. So URLs often don't change much during a campaign. In this campaign, the links are constantly changing.

It's difficult for individual IT admins who have to do their own tuning or constantly teach their spam filter to keep up with this. We're able to because we update our database every few minutes.

How We Blocked This Spam

Despite the tricks employed in this campaign, our 24/7/365 spam review team caught and blocked it right away, protecting our customers.

Some antispam programs (including SpamStopsHere) block based on IPs and URLs. That's good, but if you stop there, a campaign that constantly changes them will get more messages through.

One of our additional tools is our phrase filtering. Many spam filters block based on individual words (like "Viagra"). It would be tempting to add the word "Lloyds" or the short phrase "Lloyds Bank" to block this campaign. That would probably work, but possibly TOO well, also blocking legitimate messages (known as "false positives") like the warnings that Lloyds might email to its customers during an attack like this.

When we see a campaign like this, we block the unique phrases and variations that we know are only going to appear in the spam. As a result, a lot of the campaign is blocked by our phrase filter initially. But we also add the URLs that appear in it to our database. As the campaign evolves and the URLs start repeating, the URL filter takes over and does most of the work.
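The following is an added example, not SpamStopsHere's code, showing the difference between a single-word rule and phrase rules that feed a URL blocklist. The rules, class name, messages and `.invalid` URLs are all constructed for illustration and are not taken from the real campaign.

```python
import re

# Constructed rules: not taken from the real campaign or any vendor's database.
KEYWORD_RULE = re.compile(r"\blloyds\b", re.I)  # naive single-word rule
PHRASE_RULES = [  # multi-word phrases with tolerated variations
    re.compile(r"your\s+account\s+(?:has\s+been|was)\s+(?:suspended|restricted)", re.I),
    re.compile(r"(?:confirm|verify)\s+your\s+details\s+within\s+\d+\s+hours", re.I),
]
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)


def keyword_filter(body):
    """Block on a single word; also catches legitimate mail naming the bank."""
    return bool(KEYWORD_RULE.search(body))


class CampaignFilter:
    """Phrase filter that feeds a URL blocklist (hypothetical class)."""

    def __init__(self):
        self.bad_urls = set()

    def check(self, body):
        """Return 'url', 'phrase', or None (deliver)."""
        urls = {u.rstrip(".,;)").lower() for u in URL_RE.findall(body)}
        if urls & self.bad_urls:
            return "url"  # a link already seen in blocked spam
        if any(rule.search(body) for rule in PHRASE_RULES):
            self.bad_urls |= urls  # learn the links for later variants
            return "phrase"
        return None


# Constructed sample messages, in arrival order.
MESSAGES = [
    "Lloyds Bank: your account has been suspended. Log in: http://login.example.invalid/secure",
    "Important notice from Lloyds. Read it at http://login.example.invalid/secure today.",
    "Lloyds Bank will never email you asking for your password. Do not click such links.",
    "Your account was restricted. Confirm your details within 24 hours: http://alt.example.invalid/x",
]


def run(messages):
    """Return (keyword verdict, campaign-filter verdict) for each message."""
    f = CampaignFilter()
    return [(keyword_filter(m), f.check(m)) for m in messages]


if __name__ == "__main__":
    for msg, verdict in zip(MESSAGES, run(MESSAGES)):
        print(verdict, "|", msg[:60])
```

The third message is the kind of legitimate warning a bank might send: the single-word rule blocks it, while the phrase and URL filters deliver it. The second message has reworded text but is still caught because its link was learned from the first.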

The bottom line? Without our complex phrase filtering and our professional 24/7/365 threat analysts, a lot of this spam would get through.

For More Info

SpamStopsHere works differently from other anti-spam programs. It blocks 99.5% of spam while delivering over 99.999% of legitimate emails. That means we block fewer than 1 out of 100,000 good emails, which is why businesses and professionals love our service.

Our spam review team, along with our proprietary Spamalyzer 3.0, analyzes and blocks email threats for our customers 24/7/365. That's a claim almost no other antispam provider can make.


This article is for informational purposes. The marks referred to are the property of their respective owners. No endorsement by third parties is implied and none should be inferred.