This tweet caught my attention and I decided to look into it a bit deeper.
Wake up to find that Barclays Bank Plc (.org) will be paying me £1m after winning Coca-Cola’s annual email draw!
Anybody reading this would immediately think, "it cannot be real, it must be a scam". Yes, of course it is. But look a little closer at the scam, which only works if you reply to the email address listed. What normally happens with this sort of scam is one of two things:
- You reply and the scammer asks for an advance fee of somewhere between £50 and £200 (or the equivalent in US dollars or euros) to expedite and deal with all the paperwork.
- The scammer asks for your bank, credit card or PayPal login details, including all account numbers and passwords, so that they can "transfer the winnings directly to your account". They then empty your accounts and/or take them over and use them as mule accounts in a money laundering network, where you are the one held responsible and can end up both bankrupt and charged with money laundering offences, or even with the drug dealing or terrorism the funds were tied to.
What can fool or persuade an unwary or inexperienced user into replying to the email is the domain itself. If you type barclaysbankplc.org into your browser, you are sent to the genuine, legitimate, "safe" Barclays bank site via an immediate HTTP 302 redirect. But the redirect lands on a plain HTTP page, not an HTTPS one. (Barclays really should redirect all HTTP connections to HTTPS, not just the login pages, but that discussion is for another time.)
barclaysbankplc.org was registered by an anonymous person using a privacy service, on Google Domains, on 2015-11-26 (about 9 months ago), so it has potentially been live and scamming victims since then. The domain is also hosted by Google, which is allowing the scammer to use Google mail services and hosting to perform this scam.
The domain registration system is broken worldwide, and there needs to be an immediate and drastic rethink of instant registrations and the use of privacy services. All registrars should perform some degree of checking before issuing a domain, rather than allowing scammers to run riot.
When you try to register a new domain, the registrar's backend does a quick lookup to make sure that name is not already taken. Some registrars also flag certain names and variants of well-known domains as "premium domains" and charge a lot more for them.
All registrars should hold a list of every bank, email provider, major tech company, browser vendor and other commonly phished entity (income tax offices, government departments and so on). When the name of a listed entity is detected inside a requested domain, the request should automatically go into a holding area for manual inspection and approval.
That would stop a domain like barclaysbankplc.org being registered and used for phishing, scamming or other malicious purposes, while still allowing somebody to register a domain like ihatebarclaysbank.org (after a reviewer has looked at it) and use it to complain about poor service.
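To make the proposal concrete, here is an added example of what such a registrar-side screening step could look like. This is my own illustration, not code from any registrar or from Google Domains, and the protected-entity list, the two-label public suffixes and the "hold"/"allow" decisions are assumptions made for the example. It normalises the requested name (lowercase, public suffix removed, hyphens collapsed so that "pay-pal" still matches "paypal") and diverts anything containing a listed entity to the manual-review hold queue; both barclaysbankplc.org and ihatebarclaysbank.org land there, and it is the human reviewer who then rejects the first and approves the second.

```python
"""Registrar-side screening of new domain requests against a protected-name list.

Added example only: a hypothetical implementation of the check proposed above,
not the code of any real registrar.
"""
from dataclasses import dataclass, field

# Assumed, deliberately short protected list; a real registrar would maintain a
# far longer one covering banks, mail providers, tech companies, tax offices etc.
PROTECTED_ENTITIES = {
    "barclays": "Barclays Bank",
    "hsbc": "HSBC",
    "paypal": "PayPal",
    "gmail": "Google Mail",
    "hmrc": "HM Revenue & Customs",
}

# Assumed two-label public suffixes for the example; a production system would
# use the full Public Suffix List instead of this hand-picked set.
TWO_LABEL_SUFFIXES = {("co", "uk"), ("org", "uk"), ("com", "au")}


@dataclass
class ScreeningResult:
    domain: str
    decision: str                 # "allow" (register immediately) or "hold" (manual review)
    matches: list[str] = field(default_factory=list)


def registrable_label(domain: str) -> str:
    """Return the registrant-chosen part of the name, normalised for matching.

    Lowercases, strips a trailing dot, drops the public suffix and removes
    hyphens so that 'pay-pal-secure.co.uk' is compared as 'paypalsecure'.
    """
    labels = domain.strip().lower().rstrip(".").split(".")
    if len(labels) >= 3 and tuple(labels[-2:]) in TWO_LABEL_SUFFIXES:
        labels = labels[:-2]
    elif len(labels) >= 2:
        labels = labels[:-1]
    return "".join(labels).replace("-", "")


def screen_request(domain: str) -> ScreeningResult:
    """Decide whether a registration request can proceed or must be held."""
    name = registrable_label(domain)
    matches = sorted(entity for key, entity in PROTECTED_ENTITIES.items() if key in name)
    return ScreeningResult(domain, "hold" if matches else "allow", matches)


def triage(requests: list[str]) -> dict[str, list[ScreeningResult]]:
    """Split a batch of requests into the two queues a registrar would work from."""
    queues: dict[str, list[ScreeningResult]] = {"allow": [], "hold": []}
    for domain in requests:
        result = screen_request(domain)
        queues[result.decision].append(result)
    return queues


if __name__ == "__main__":
    # Constructed sample batch: the domain from the post, the complaint site the
    # post says should still be possible, a benign name and a hyphenated lookalike.
    sample_requests = [
        "barclaysbankplc.org",
        "ihatebarclaysbank.org",
        "example.org",
        "Pay-Pal-Secure.co.uk",
    ]
    for decision, results in triage(sample_requests).items():
        for r in results:
            print(f"{decision:5s}  {r.domain:28s}  {', '.join(r.matches) or '-'}")
```

The hold queue is a review step, not a block: the reviewer sees the matched entity next to the requested name and can approve a legitimate criticism site while refusing an impersonation. Keyword matching of this kind will not catch look-alike spellings or homoglyph names on its own; those need additional checks that the post does not go into.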