Customers of Lloyds Banking Group should steer clear of the following phishing email, which plays on the “We noticed you’re logged in from different locations, and now you have to do something about it” trick to entice potential victims into logging in on a site they should avoid.

Phishing mail

The email reads as follows:

You Have One New Message

Your account has been accessed in multiple locations
Click below to update your Lloyds Bank account
Sign In

Clicking the link takes the recipient to

mok-tr(dot)com/why/new/index(dot)html

phishing page

Despite showing a copy of a Lloyds login page and displaying numerous clickable links, none of them work save for the part asking for credentials – what you’re looking at is essentially one large .png file with a login box jammed in the middle. The page asks for User ID, Password and Memorable Word before redirecting the victim to the real Lloyds website.

Interestingly, they don’t go down the route of so many other similar phishes and ask for bank details or other personal information. Perhaps the people behind this one think it might be a little too much and give the game away, and are instead going down the “faintly discreet” route.

One other potentially related thing to note: a common piece of advice to ensure you’re on the correct banking website is to look for the green padlock, which will let you know if the connection to the site is encrypted (and often give additional information about site ownership).

In this case, the Lloyds Banking Group website – lloydsbankinggroup(dot)com – has no HTTPS, because there’s nowhere on the site where you’d need to do any logging in / sending of personal information. It’s pretty much there to give general information about the financial services group, their brands and other relevant information.

Not encrypted

However, the Lloyds Bank website (where you’d actually log in and do bank-related activities) located at lloydsbank(dot)com does:

Encrypted

Given that the phishing mail specifically mentions “Lloyds Banking Group” instead of simply “Lloyds Bank”, perhaps they’re thinking someone aware of the “Look for the padlock” security tip might visit the Lloyds Banking Group page, see that there’s no padlock and think its absence on the phish page is something normal as a result.

Having your bank details phished at this time of year would be quite the hammer blow, so please ensure that you navigate to your banking portal of choice directly and always treat a supposed bank login page missing an HTTPS padlock with suspicion – it’s fairly common for organisations to have non-HTTPS pages where no personal data is being submitted, but an unsecured login page to enter your banking credentials is unheard of.

One hopes…
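The warning signs described in this post (a credential form with no HTTPS, served from a host that is not the bank's login domain, on a page that is one image with no working links) can be turned into a small triage check for mail filtering or abuse-desk review. This is an added example, not part of the original article; the `http://` scheme on the phishing URL, the allowlist and the sample HTML are constructed assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption: the only domain where a Lloyds Bank login form is expected.
EXPECTED_LOGIN_HOSTS = {"lloydsbank.com"}

def refang(url):
    """Turn defanged notation such as (dot) back into a parseable URL."""
    return url.replace("(dot)", ".").replace("[.]", ".")

class FormScan(HTMLParser):
    """Counts password inputs, images and links that actually go somewhere."""
    def __init__(self):
        super().__init__()
        self.password_inputs = self.images = self.live_links = 0

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "input" and (a.get("type") or "").lower() == "password":
            self.password_inputs += 1
        elif tag == "img":
            self.images += 1
        elif tag == "a" and (a.get("href") or "").strip() not in ("", "#"):
            self.live_links += 1

def host_allowed(host):
    # Exact match or true subdomain only, so lloydsbank.com.example.test fails.
    host = (host or "").lower().rstrip(".")
    return any(host == h or host.endswith("." + h) for h in EXPECTED_LOGIN_HOSTS)

def assess_login_page(url, html):
    """Return the reasons a page should not be trusted with bank credentials."""
    parts = urlsplit(refang(url))
    scan = FormScan()
    scan.feed(html)
    if scan.password_inputs == 0:
        return []  # no credentials requested, nothing to assess
    findings = []
    if parts.scheme != "https":
        findings.append("credentials requested over a non-HTTPS connection")
    if not host_allowed(parts.hostname):
        findings.append(f"login form served from unexpected host {parts.hostname}")
    if scan.images and scan.live_links == 0:
        findings.append("page is image-only with no working links")
    return findings

# Constructed sample resembling the page described above (field names invented).
SAMPLE_HTML = """<html><body><img src="bg.png"><form method="post">
<input type="text" name="userid"><input type="password" name="password">
<input type="password" name="memorable"></form></body></html>"""
```

Passing HTTPS and host checks does not make a page legitimate; the check only flags pages that fail the minimum bar the article describes.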

Christopher Boyd