back to article If NatWest texts you about online banking fraud, don't click the link

British customers of the NatWest bank should be on their guard against a particularly convincing SMS-based phishing scam, Action Fraud warns. The spoofed texts being sent out by fraudsters “could catch you out if it appears in an existing message thread,” the UK's national fraud & cyber reporting centre advised on Wednesday. …

  1. Colin Miller


    Is he sure it's not a spoofed sender, anda scatter-gunned SMS.

  2. Steve Davies 3 Silver badge

    Spoofing Numbers

    is that the so called 'Microsoft Support Centres' called John use all the time

    so do the PPI Claims scammers




    There seems nothing that Ofcom (them again) will do about it.

    The Telco's (not only BT I might add) won't do anything because theyt get paid (possibly) to let the shitbags get access to the UK PSTN.

    OFCOM are a bunch of toothless numpty's IMHO.

    1. Mark 85 Silver badge

      Re: Spoofing Numbers

      No one in States touches that group either. I keep hoping a drone mission will be ordered. A couple of Hellfires ought to solve the problem quickly. Then again, maybe not.... <sigh>

  3. Tim Warren

    This might be on the rise.

    I've recently received phishing text of similar guise claiming to be PayPal. Correctly addressed me by name in the text too so not just blanket spam but rather a targeted and well executed exercise.

    1. veti Silver badge

      Re: This might be on the rise.

      As more and more people take to shifting their money about online - yes, it's become much more professional these days.

      What grinds my gears is how much harder it's making life, if you really do want to shift your money about online. I tried to move some (of my own) money from Blighty to New Zealand a couple of months ago. It took weeks. It would literally have been quicker to get on a plane, stuff my trousers full of banknotes, and flown back - that's how convenient "internet banking" is now, if you want to do something international.

      All because the banks assume I'm laundering my money, and want proofs of identity that, frankly, are not easy to provide from 11,000 miles away.

      Technology is supposed to make this kind of thing easier. I can tell you first-hand, it's got noticeably harder in the last 10 years.

      1. Ashley_Pomeroy

        Re: This might be on the rise.

        "stuff my trousers full of banknotes" - on the other hand there's less chance of a full body cavity search if you transfer money online.

      2. Coen Dijkgraaf

        Re: This might be on the rise.

        "stuff my trousers full of banknotes, and flown back"

        Make sure you declare if you are carrying more than NZ$10,000 or more in cash, or foreign equivalent, otherwise they will catch you with the money sniffing dogs

  4. Simon Harris

    What's worrying...

    Is that we've managed to create a phone system where messages can be convincingly enough spoofed that one caller ID can appear to come from a different number.

    Is there no way that telephone systems can detect a discrepancy between where a message or call actually comes from and where it says it comes from?

    1. georgied

      Re: What's worrying...

      Number spoofing is illegal in the UK but many of these come in from services outside the UK and there are no checks to validate the source. Although you think they would be able to validate UK numbers.

      RCS may be the way forward and it's slowly replacing SMS in some parts.

    2. RFC822

      Re: What's worrying...

      Not in these VoIP days, when spoofing CLIP is as easy as spoofing a MAC address, IP address or any other such "identifier".

      (Which doesn't stop the legislators from foolishly thinking that you can trivially easily tie an IP address to a human being. Sigh.)

    3. Crazy Operations Guy

      Re: What's worrying...

      Far too trivial to spoof... I've been getting phone calls from impossible numbers recently, such as all 9's, my own phone number, or just '7'. Of course this a drop in bucket compared to the ones I keep getting from malware-riddled phones.

  5. Fred Dibnah

    Every time I contact my bank's call centre about something, they remind me that they don't have my mobile number in their records. Here's why.

    1. Anonymous Coward
      Anonymous Coward

      But they probably do have your POTS number (if you have one - I don't) which is pretty much equal in susceptibility to anyone who tries

    2. Just Enough

      Used to be the same for email

      I managed 12 years internet banking without giving the bank my email address, for exactly the same reasons. It meant constant "reminders" when logging in, but I could then sit back and scoff at all the phishing emails.

      Unfortunately it came to the point where it was literally impossible to do anything without filling in the compulsory email field. I fear my mobile number may be prised out my hands the same way.

  6. Kubla Cant

    OT: NatWest again

    Yesterday I heard a story about NatWest on BBC news.

    It seems that they send out password-reset SMS messages for online banking. But it's perfectly possible to persuade the mobile network to redirect messages to another phone. The BBC reporter did this with a colleague's mobile number, whereupon she was able to log in to the account, change the security credentials, and transfer money to her own account. Apparently it's happened to a number of NatWest customers in real life.

    When they devised the password-reset scheme, didn't anyone think to ask whether sending to a mobile phone really guarantees the identity of the recipient? Let's hope NatWest don't start running piss-ups in breweries/

    1. just another employee

      Re: OT: NatWest again

      Get your facts right.

      The BBC report DOES NOT say money was paid away - only that someone accessed an account of a colleague.

      Paying away means setting up new payee - which requires a Chip'n'Pin verification phase.

      So - if I have access to your mobile phone and can convince someone at the bank to change the log-on credentials.....I have access to the same information as if I intercepted your printed statements.

      Please - there is a weak spot in ID reset procedure, but nothing here indicates a flaw in paying away. Unless you have additional information ?


      1. Anonymous Coward
        Anonymous Coward

        Re: OT: NatWest again

        And that the frist payment to a new payee can't be done from their mobile App.

        Better than at least one other UK Bank that I have an account with.

        Anon because, just in case.

      2. John McCallum

        Re: OT: NatWest again

        I suggest that you listen to the Programme You and Yours on the Radio Four web site to here it all.

        1. Anonymous Coward
          Anonymous Coward

          Re: OT: NatWest again

          Here's the link, the banks have rapidly changed their procedures so clearly there was a risk:

      3. Random Handle

        Re: OT: NatWest again

        >Get your facts right.

        >The BBC report DOES NOT say money was paid away - only that someone accessed an account of a colleague.

        Your facts are wrong I heard this go out - she added new payee and made a payment to her account (she just needed to click 'I've lost my card reader' and the new payee process was reset by SMS). The other journo checked her account and the payment was received a few seconds later.

        Natwest have made changes in response but there have already been several other cases with much larger sums being lost - the piece was a response to this as Natwest had told other victims that they were at fault since the system was secure.

  7. Thomas Martin

    They are hitting Yahoo mail in the US as well.

    1. 080

      What, both of them?

  8. Yet Another Anonymous coward Silver badge

    Easy to spot a fake message from the bank

    Unless they charged you 20quid for the text message - it isn't really from the bank

  9. Camilla Smythe

    Action Fraud... Shite.

    That is all.

  10. VinceH

    "NatWest’s own advice"

    I regularly have to log-in to NatWest Bankline.

    On logging out, there is currently a warning about 'vishing' - to see which, you need to have Flash installed.

    I commented about it on Twitter, asking if NatWest were trying to be ironic.

  11. Anonymous Coward
    Anonymous Coward

    Seriously? Using SMS for banking purposes?

    1. This post has been deleted by its author

  12. Cynic_999

    Quite a few VOIP providers allow you to specify whatever caller ID you want, including invalid numbers. Having a different caller ID to the number you are calling from has legitimate uses, the most common being the display of your company switchboard number in place of the number of the line you are actually calling from.

  13. Anonymous Coward
    Anonymous Coward

    Need online-banking controls! But how, using online-banking??? (now that branches are closing)

    Look at the JPMorgan hacks, deep system intrusion is coming to a bank near you soon! So, I'd like a means to place limits on external transfers, and cap payouts (even to utilities). But if this can only be done using online banking itself and / or 2FA, or spoofable telephone banking, then we're screwed! In bank haste to close branches they didn't restrict online-banking features, only support. WTF???

  14. Really Anonymous Coward

    They've not spoofed a number, just using the caller ID string "NatWest" which is the same as the bank uses for official texts, and means the message comes up in existing threads on most phones.

    The message is

    "We have identified some unusual activity on your Online Banking. Log In via the secure link to avoid account suspension."

    Of course anyone with sense then logs in using the normal website not a non-secure link.

    Page looks like a reasonable copy of the normal login page, asks for the normal subset of password/number. On entering a customer number of 11111111, then comes the switch - to avoid suspension please enter all your bank account numbers to unlock access.

    So all in all it's quite sophisticated.

  15. Anonymous Coward
    Anonymous Coward

    Sender names

    A text message sender name can be set to anything, it's a trivial thing to do, particularly fun is to set the sender name as someone's legitimate number. Other countries have more stringent rules on this, the UK not so much.

  16. Anonymous Coward
    Anonymous Coward

    Spoofed Email

    Maybe I'm missing something, but how does a spoofed message lead to a phone handset being cloned and then dropped off the telco network - this was what happened to the guy who initially reported the NatWest Banking App vulnerability in the You and Yours piece.

    Isn't this advice just smoke and mirrors to mask the more fundamental issue - ie that customer phone numbers were being used as trusted digital signatures.

  17. F0rdPrefect

    Click a link in a text?

    Surely a text message is just that.


    Don't think I've ever seen a link in a text.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like