CYFOR Blog


Sophisticated phishing scam targets Lloyds Bank customers


Cyber attackers have bombarded Lloyds Bank customers with a sophisticated phishing scam

Lloyds Bank customers are being targeted by a sophisticated phishing scam, according to an investigation by the litigation practice Griffin Law. Approximately 100 Lloyds Bank customers have reported receiving fake communications purporting to be from Lloyds, which is one of the largest banks in England and Wales. The attackers sent these malicious communications as SMS messages or emails that use the bank’s official logo and branding and warn recipients that their bank account has been compromised.

The scam email appears legitimate, uses Lloyds branding and carries the subject header:

“Alert: Document Report – We noted about security maintenance.”

The message, which has spelling errors and some Chinese characters, claims that the recipient’s bank account has been compromised, stating:

“Your Account Banking has been disabled, due to recent activities on your account, we placed a temporary suspension until you verify your account.”

Users are then redirected to a fraudulent site called Lloyds[Dot]bank[Dot]unusual-login[Dot]com, which attempts to trick visitors into believing it is legitimate through the use of official branding. The site then requests customers’ log-in details including passwords, account information, security codes and other personal data.

In the SMS version of the scam, people received a text attempting to entice them into visiting the same fraudulent site. It says:

“ALERT FROM LLOYDS: New device attempted to set up a payee to XXX. If this was NOT you, visit: Lloyds[Dot]bank[Dot]unusual-login[Dot]com.”

Lloyds Bank has confirmed the existence of the scam in an official online statement:

“This isn’t a genuine message from us; it’s a scam. If possible, could you please forward this email or text message to us at: emailscams@lloydsbank.co.uk?”

Hackers often imitate the branding of a company to steal confidential data from unsuspecting victims. The scams can be very convincing, making use of official branding, logos, wording, and personalised details to trick an individual into a false sense of security. In most cases, the victim will be directed to a realistic-looking fraudulent website, where they are urged to enter account details, passwords, security codes and PIN numbers.

Sophisticated phishing scams such as this pose a huge risk both to individuals and the companies they work for, especially if hackers gain access to a business bank account. Tackling this problem requires robust policies and procedures, as well as the latest email security systems to identify and block these scams before they reach an inbox.
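The fraudulent host in this campaign carries the brand only in its left-most labels, while the domain actually registered is unusual-login[Dot]com. The following is an added example, not code from CYFOR or Lloyds, of how a mail or SMS filter can flag that pattern; the suffix table and allow-list are assumptions, with lloydsbank.co.uk taken from the bank's reply address quoted above.

```python
import re

# Assumption: tiny stand-in for the Public Suffix List; a real filter loads the full list.
PUBLIC_SUFFIXES = {"co.uk", "com", "uk"}
# Assumption: allow-list holding the only genuine domain the article shows.
LEGIT_DOMAINS = {"lloydsbank.co.uk"}
BRAND_TOKENS = ("lloyds",)

HOST_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.I)

def refang(text):
    """Turn defanged separators such as [Dot] or [.] back into dots."""
    return re.sub(r"\[(?:dot|\.)\]", ".", text, flags=re.I)

def registrable_domain(host):
    """Return the longest matching public suffix plus one label to its left."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[max(i - 1, 0):])
    return ".".join(labels[-2:])  # unknown suffix: fall back to the last two labels

def brand_impersonation(text):
    """List (host, registrable domain) pairs that name the brand but belong elsewhere."""
    findings = []
    for host in HOST_RE.findall(refang(text)):
        host = host.lower()
        reg = registrable_domain(host)
        if reg in LEGIT_DOMAINS:
            continue  # genuinely under the bank's own domain
        if any(tok in host for tok in BRAND_TOKENS):
            findings.append((host, reg))
    return findings

# Message texts as quoted in the article (quotation marks normalised).
SMS = ("ALERT FROM LLOYDS: New device attempted to set up a payee to XXX. "
       "If this was NOT you, visit: Lloyds[Dot]bank[Dot]unusual-login[Dot]com.")
GENUINE = "please forward this email or text message to us at: emailscams@lloydsbank.co.uk"

if __name__ == "__main__":
    print(brand_impersonation(SMS))      # brand appears only as subdomain labels
    print(brand_impersonation(GENUINE))  # empty: host is under the allow-listed domain
```

The comparison is made on the registrable domain rather than on a substring match, so a host that merely begins with the genuine domain name is still reported.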
