Here's the email
Received: from ppp-67-119-107-10.dialup.snfc21.pacbell.net (ppp-67-119-107-10.dialup.snfc21.pacbell.net [126.96.36.199])
by ***.***.co.uk (8.11.6/8.11.6) with SMTP id h9Q0DGu13645
for <***@****.co.uk>; Sun, 26 Oct 2003 01:13:20 +0100
Received: from derechoshumanos.com [188.8.131.52] by ppp-67-119-107-10.dialup.snfc21.pacbell.net (Postfix) with ESMTP id 071960C0555A for <***@***.co.uk>; Sun, 26 Oct 2003 12:16:42 +0000
Date: Sun, 26 Oct 2003 12:16:42 +0000
From: Verification <email@example.com>
Subject: Nationwide E-mail Verification: ***@***.co.uk
To: *** <***@***.co.uk>
Reply-To: Verification <firstname.lastname@example.org>
Sender: Verification <email@example.com>
Dear Nationwide Bank Member,
This email was sent by the Nationwide server to verify your e-mail
address. You must complete this process by clicking on the link
below and entering in the small window your Nationwide Customer
Number, Passnumber and Memorable Data.
This is done for your protection --- because some of our
members no longer have access to their email addresses and
we must verify it.
To verify your e-mail address and access your bank account,
click on the link below. If nothing happens when you click on the
link (or if you use AOL), copy and paste the link into
the address bar of your web browser.
Thank you for using Nationwide!
This automatic email sent to: ***@***.co.uk
Do not reply to this email.
(The actual recipient address and other private information has been masked with ***'s)
The key part to look at is the web address you're being invited to click:
Although this looks like you would go to the www.nationwide.co.uk site, in fact you wouldn't.
Website addresses or URLs, for certain legitimate uses, may be constructed like this:
... taking advantage of the fact that the Internet protocol allows for a URL to contain username and password credentials necessary to log in to a target website.
The target website is the string that immediately follows the first occurrence of the @ symbol in the URL.
So - if we take a look at the URL in the email we can see that it breaks down like this:
The 'username' portion is wwww.nationwide.co.uk, the 'password' bit is ac=H02qFTcX3X225ClF4JmK and that actual target site is the webserver at ShOrTwAy.To.
(.To is Tonga, by the way, and the username and password bits can be completely random - they don't have to relate to anything other than an attempt to misdirect you - in this case to make you think you're going to www.nationwide.co.uk when you aren't)
So someone at the ShOrTwAy.To website has set up a form that people who fall for this email scam may fill in with their secret account data - thereby giving the owners of that website direct access to their account, all the time assuming they've only sent their details to the building society itself.
If in doubt, always call the organisation purporting to be the originator of any particular email that requests you enter sensitive information into a website - especially if it's financially-related.
Remember, if you see a URL that is in the form:
Then the actual website you will be sending your browser to is the one *after* the first @ symbol.
We've had reports of these with Nationwide Building Society, Halifax Building Society and CitiBank pseudo-identities - there may be others.
Novacaster Community Admin