There’s a NatWest phish in circulation which tries to scare recipients with warnings of logins from multiple cities which it claims is forbidden.

Anybody spending a lot of time on the road for work or personal reasons could potentially be panicked into clicking the links in this one.

The URL in the mail leads to a 404 error on a website about different types of paint, so it’s likely been reported and / or pulled by the hosts but here’s the text so you can easily spot it the next time it gets rolled out with a fresh URL:

Dear Customer,

During a recent review of your account we found that you are currently logging in from different cities in a suspicious manner that is not compliant with our bank policies.

NatWest customers are not permitted to log in from different places at same time, or using proxies.

For your safety, we have temporarily deactivated your account, to reactive your account please go to our SSL secure link below and update your account credentials.

However, please note that our squad reserves the right to close your account at any time. As such, we encourage you to become familiar with our program policies and monitor your network accordingly.

The email displays the full URL in the text of the legitimate NatWest website, but uses the old trick of making the clickable link take them to a phish hosted on a compromised website.

That’s why it’s always a good idea to hover over any clickable link in an email so you can check the final destination.

You can see a list of NatWest phishes going back to 2011 on this forum, and the most recent entry is actually a version of the above mail sitting in my mailbox.

The destination phish URL is different, but the scam remains the same – and with so many people traveling as part of their job nowadays this could easily snag a few victims.

Christopher Boyd