21

I have started receiving unexpected emails from Yorkshire Bank.

I have never been a customer. I don't recall applying for any of their products either, although maybe I did many years ago.

The first of the strange emails reads:

> Your partial postcode is 8NX
>
> We've included your postcode at the top so you can be sure this email is from Yorkshire Bank. To see how you can stay safe online, visit the Security Centre
>
> We've sent your Authentication Code Letter
>
> Hi Mr Stewart,
>
> You should have received our letter that contains an authentication code by now.
>
> Once you've got our letter, you can confirm the code by clicking on the button below to get back to your application, and then follow the instructions. This will allow us to progress with your application.

The sender appears to be legitimately email.yorkshirebank.co.uk, but the 8NX is NOT part of my postcode in any way.

There have been 3 following emails, of an advertising nature.

I feel that ignoring would be the wrong thing to do, but I'm not sure what to do.

My main concern is that my identity has been stolen for the purpose of procuring Yorkshire Bank products, such as a loan, which I may be chased for when the identity thief defaults.

Is this likely or even possible?

What other explanation might there be?

Stewart
  • 1
    You have probably been part of a data breach, and someone is trying to open an account pretending to be you using as much real info as possible. I get them all the time since the [Anthem](https://duckduckgo.com/?q=anthem+data+breac) and [Equifax](https://duckduckgo.com/?q=equifax+data+breac) data breaches. I also get Facebook, LinkedIn and other emails asking me to confirm my accounts (I don't participate in the social networking experiments; and I don't have the accounts). –  Apr 27 '19 at 21:15
  • 1
    I recommend you reply to the email (note well: using email only), state that you have probably been part of a data breach, and tell them it is not you and you don't authorize the account. Also add `legal@` and `security@` to the reply (like `legal@ybonline.co.uk` and `security@ybonline.co.uk`). If you ever need to go to court, you will have an email record. `security@` is a standard address and part of the Internet RFCs. –  Apr 27 '19 at 21:18
  • 13
    An obvious alternative explanation may be that someone made a typo when supplying their email address or at some data entry stage. If your email address is something like firstname.lastname@gmail.com then presumably a lot of people with the same last or first name will have similar addresses. – Martin Smith Apr 27 '19 at 21:49
  • 21
    @jww IMHO it's better to contact the bank out of band. That ensures that you're contacting the real bank, and not scammers. If you're tech savvy you may check if the e-mail looks legitimate, e.g. by reading the headers, but this is difficult for most normal users. – vidarlo Apr 28 '19 at 08:25
  • 1
    @vidarlo - In both cases you are avoiding the attacker controlled channel (HTTP/HTTPS) and the possible phishing attempt (attacker controlled website). However, when replying via email you have a record of the transaction. You don't get that over the phone or submitting "web email forms". –  Apr 28 '19 at 21:32
  • 4
    What if it's a phishing attempt, and the phishers reply to the e-mail by asking for more information? My assumption is that we can't reasonably expect end users to discern a phishy mail from a non-phishy, so the recommendation has to be that they do not interact with the mail in any way, but rather contact the sender out of band. This is obviously the case here - the recipient has no clue whether the mail is phishy or not. – vidarlo Apr 29 '19 at 04:51
  • 1
    While the sender email (presumably you meant in the mail header) may have the correct domain, it is the link address behind the button that will give away a phishing attempt. As others have suggested, contact the bank directly. – Mick Apr 29 '19 at 07:55
  • 1
    @vidarlo That's why jww proposes emailing them *directly* (as in, entering the email address yourself). That way you know you're emailing "security@ybonline.co.uk", and not "applications@ybonline.co.uk-scammers.cn" – Doktor J Apr 29 '19 at 13:29
  • 1
    How have you verified that the mail is legitimately from their address? You can put any address you like on the message as not all mail servers respond to SPF, DKIM, & DMARC – James Snell Apr 29 '19 at 21:41
  • 1
    @JamesSnell In Gmail, if you click on "Show original" you can see all the email headers. They consistently seem to be from email.yorkshirebank.co.uk – Stewart Apr 30 '19 at 03:08
  • 1
    `We've included your postcode at the top so you can be sure this email is from Yorkshire Bank` is a blatant lie and even if this is the system they use, they should be ashamed of themselves and you should change banks xD Postal codes are publicly available imo. – Nomad Apr 30 '19 at 12:14
  • 1
    Try to check the URL the button links to without clicking on it. Some mail readers will allow you to do that by hovering on the button. It's difficult for the non-initiated (and even the initiated) to be sure whether it's safe or not, but in many cases it can be quite obvious. – jcaron Apr 30 '19 at 12:39
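
The header and link checks discussed in the comments above, as an added example that is not part of the original thread: it reads the SPF/DKIM/DMARC verdicts from a saved "Show original" message and lists link hosts that fall outside an expected set of domains. The sample message, the server name `mx.example.net` and the allow-list of domains are constructed assumptions.

```python
import email
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample, not the message from the question. mx.example.net is a
# made-up receiving server; the lookalike host is the one imagined in a comment.
RAW = """\
Authentication-Results: mx.example.net;
 spf=pass smtp.mailfrom=email.yorkshirebank.co.uk;
 dkim=pass header.d=email.yorkshirebank.co.uk;
 dmarc=pass header.from=email.yorkshirebank.co.uk
From: Yorkshire Bank <noreply@email.yorkshirebank.co.uk>
Content-Type: text/html; charset="utf-8"

<a href="https://ybonline.co.uk/security">Security Centre</a>
<a href="https://applications.ybonline.co.uk-scammers.cn/confirm">Confirm</a>
"""

class LinkHosts(HTMLParser):
    def __init__(self):
        super().__init__()
        self.hosts = []
    def handle_starttag(self, tag, attrs):
        # Record the hostname behind every <a href>, whatever the button text says.
        href = dict(attrs).get("href")
        if tag == "a" and href:
            self.hosts.append((urlsplit(href).hostname or "").lower())

def host_in(host, domain):
    # Match on a label boundary, so "ybonline.co.uk-scammers.cn" does not pass.
    return host == domain or host.endswith("." + domain)

def review(raw, expected_domains):
    msg = email.message_from_string(raw, policy=policy.default)
    # Only trust the Authentication-Results header added by your own provider.
    auth = dict(re.findall(r"\b(spf|dkim|dmarc)=(\w+)",
                           str(msg.get("Authentication-Results", ""))))
    from_domain = msg["From"].addresses[0].domain.lower()
    body = msg.get_body(preferencelist=("html",))
    links = LinkHosts()
    links.feed(body.get_content() if body else "")
    return {
        "auth": auth,
        "from_expected": any(host_in(from_domain, d) for d in expected_domains),
        "suspicious_links": [h for h in links.hosts
                             if not any(host_in(h, d) for d in expected_domains)],
    }
```

Calling `review(RAW, ("yorkshirebank.co.uk", "ybonline.co.uk"))` on the sample shows a message can pass all three sender checks and still carry a link to an unrelated host.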

7 Answers

82

> I feel that ignoring would be the wrong thing to do, but I'm not sure what to do.

If you feel that ignoring this is wrong, look up the bank's phone number from a reputable source, e.g. yellow pages or the bank's actual website. Call them, and ask. Or submit a contact form on their website, or similar - in short, contact them through a channel not related to the e-mail and ask them to verify the content.

Do not use the links in the e-mail.

If it's identity fraud, they will be very interested to clear it up. If it's phishing, banks tend to like to be made aware of ongoing phishing attempts, so they will not be angry with you for calling.

vidarlo
15

I have a very generic e-mail address on which I receive similar e-mails from a Finnish and a French bank (I am not Finnish nor French and don't have any bank contacts in either country).

However, I have found on Facebook two people with this rather unusual name in Finland and France respectively and both seem to fit the information I can distil from the mails I receive (The Finn has a mortgage plan that is paid off a bit every month, on Facebook he wrote about how he bought a new house at the time. The French lives in a village with less than a hundred inhabitants and has a small shop. I'm pretty sure I found the right people. Facebook is "amazing".).

The conclusion is obvious, the banks have for some reason registered the wrong e-mail address when these persons became customers. I think you have an (almost) namesake in the zip code they include in your message. Simple as that.

d-b
  • 1
    In this case, it sounds like it is still worth the trouble to cleanup the mix-up – Stewart Apr 29 '19 at 06:44
  • 13
    @Stewart you'd be surprised how unproductive that can be. I have at least three other namesakes (one in OH, one in AR/TN or maybe they're two separate people, and one in CA) who have given my gmail address to various businesses. One business did address my complaint, but the others generally ignored me. I eventually got so tired of the OH person's vehicle maintenance appointment reminders (and the dealership's refusal to honor my repeated requests) that I started using the link in the emails to cancel the appointments. After 2-3 canceled appointments, I miraculously stopped getting those emails! – Doktor J Apr 29 '19 at 13:35
  • @DoktorJ Top Tip! – Stewart Apr 29 '19 at 13:41
14

The other answer addresses the rest of your question so I will focus on this part:

> My main concern is that my identity has been stolen for the purpose of procuring Yorkshire Bank products, such as a loan, which I may be chased for when the identity thief defaults.

Any bank in the UK that opens an account with an element of credit (e.g. a loan) will perform a credit search on you. This search (and any subsequent records of payment history) will appear on your credit history with at least one of the three main credit agencies (Equifax, Experian, Callcredit). I would suggest that you apply for a copy of your credit report from each of these, using the statutory procedure which costs £2 each:

https://www.experian.co.uk/consumer/statutory-report.html

https://www.equifax.co.uk/Products/credit/statutory-report.html

https://www.callcreditstatreport.co.uk/

If, after receiving them, you notice any entries relating to Yorkshire Bank then you will know you should be concerned. I would do this in addition to the advice offered in the other answer, to call the bank.

Note that the credit agencies also allow you to view your credit report online. Last time I used those services, two out of three of them were subscription based and much more expensive than the statutory report, albeit easier to use, faster, and both came with a 1 month free trial that you can cancel. You may prefer to use that option as it will normally allow you to view your credit history instantly vs. the statutory reports which can take a couple of weeks to arrive. Just don't forget to cancel the subscription when you no longer need it.

Jon Bentley
  • The two services that I use are free of charge (they monetize in other ways, like selling you credit cards or alerts regarding changes on your file). The first one is called Noddle and the other one is Clearscore. I am not associated with either of them. – oleksii Apr 29 '19 at 16:51
  • @oleksii Noddle used to be owned by Callcredit and is still strongly associated with it (it provides online access to Callcredit's credit reports). It's the one that was free out of the three of them per my answer. I've never used Clearscore but [according to Wikipedia](https://en.wikipedia.org/wiki/ClearScore) it provides access to Equifax. So I would guess that if you use those two, the only one you would need to pay for would be Experian. Note that you *do* need to use all three to get a complete credit report, as different banks report to different [combinations of] agencies. – Jon Bentley Apr 29 '19 at 23:34
3

I'd expect that several million people would have received the same email (with different names, postcode, etc). Some of them are likely to be Yorkshire Bank customers. The scammers only need a few people to click the button to make money. I suggest that they aren't interested in you; the fact that you're suspicious means that you're the wrong person for them.

Several other folks have suggested that you contact the bank directly using verifiable details, which is great advice.

1

You need to tell us if there is any other information in the email identifying you. They have not included your physical address, and indeed the partial postcode is wrong.

It is very likely these are intended for another (genuine) customer and their recorded contact information incorrectly lists your email address.

Unless you own the domain name this can happen by typographical/transposition error or a mis-read or mis-scanned hand written form.

By chance does your email address happen to be based upon your name? It may sound surprising but someone else may have the same or a similar name.

Contact the Bank immediately, and do not share the email. Physically attend if you can.

I have 25 years' experience in Banking IT, and I have seen a lot of mangled addresses, including those entered online with "extra" characters that a human then needs to remove in an attempt to render them unusable for questionable marketing mailouts.

e.g.

somename.deletethisbit@somehost.com
mckenzm
0

As we don't know how your real name and your email address correlate, (and Stewart being not too uncommon a name), it might simply be that someone with the same or similar name as you has opened an account at this bank and mistyped their email address on the sign-up form. As a first step, you could contact the Yorkshire Bank at ybonline.co.uk (they only seem to have a webmail form, no real email address) and ask them to take your email address off the records as you don't have any business with them. If there is an active customer account associated with that email address, they would most likely then contact that customer via a different method (e.g. snail mail) to correct the details.

WooShell
-1

Ignore it

Email is not considered 'lawful delivery' unless you have previously agreed to accept email in lieu of paper mail. Therefore any communication received via email can safely be ignored if you do not do business with the sender.

Spoofing the originating address of an email is trivial, so appearing to originate from the 'correct' address is irrelevant. Spammers do it all the time to elicit just the kind of uncertainty you are expressing.

Do not "confirm the code by clicking on the button below". If there was a confirmation email sent, it is almost certain that it would have contained the link to click to confirm receipt.
Do not confirm receipt by replying in any way, as it will only solidify your email address as one that is reaching a live human. Spammers prefer to hit live email addresses.

If someone was attempting to steal your identity, they most likely would have gotten their own email address correct or their entire plan would appear invalid.

If you are still curious, you should contact the bank directly, at a publicly available number, to express your concern and seek advice.

If you are really curious, you may wish to set up a fresh virtual machine on your system and follow the link from inside the VM. Only then could you be certain what would happen. The reason you would do this is so that any malware you subsequently find yourself infected with would be isolated to the VM, which could be safely deleted once you are finished playing with the suspicious link(s).

MrWonderful
  • 1
    Someone got at least part of OP's personal information correct, and is either spear phishing them or trying to steal their identity. "Ignore it" is terrible advice (especially since OP said they feel ignoring it is wrong). About the only thing you got right is to not click anything in the email. You can improve your answer by saying the exact opposite of the first two words, and following up by how they can check to see whether they're being spear phished or their identity is being stolen. – Ghedipunk Apr 29 '19 at 16:09
  • 1
    And also, creating a VM to poke at links is also something that I wish I could downvote this twice for... as the VM won't keep a spear phisher from verifying that your email address is accurate, and while it _might_ protect against some types of malware that could be delivered through such a link, it's really bad advice to tell anyone to intentionally expose themselves to malware even with a VM. – Ghedipunk Apr 29 '19 at 16:13
  • @Ghedipunk - Those are reasonable points. I agree that not clicking on anything in the email nor replying is the best course of action, and said as much in my answer. However, I find myself morbidly curious about some things and started collecting 'malware' back before Windows was introduced. So I find it helpful to occasionally use a VM to see what system changes are being introduced during 'infection' to be able to mitigate similar attacks in the future. One must, of course, not allow VM -> host network connectivity... – MrWonderful Apr 29 '19 at 17:05
  • @Ghedipunk - Also, unless I missed something, the only PII in the example was the name matched to an email address. This is not uncommonly available to anyone procuring an email list from any semi-reputable vendor. This information can be culled from any number of online requests made any time since the inception of the inter-web(s). – MrWonderful Apr 29 '19 at 17:08
  • If you could be absolutely certain that this is just a generic phishing email, then ignoring it may be fine. However, if the email contains personal information that a spammer couldn't reasonably know, or the email is actually from the bank, then this should not be ignored. It could mean someone is actively attempting to create a bank account in the OP's name, and that is potentially very serious. – user1751825 Oct 07 '20 at 14:45