If you use email, chances are you are aware on how to spot phishing emails. It turns out that is not enough to be safe from phishing online, with bad actors increasingly getting creative with their techniques to steal sensitive user data. We spotted a very recent Twitter account that got active barely 16 hours prior to the time of this post. It infringes on Natwest bank’s brand and has been tweeting replies to unsuspecting users with links to fake Natwest bank websites. Here is a screenshot of recent most activity from the account.

Fake Customer Support handle

Image 1. Fake Natwest customer supper twitter handle tweeting phishing links

The way this phish works is the scammer replies to a tweet sent from a user to the real customer support handle. In this case, the real handle for Natwest customer support is Natwest_Help. If the user falls for the fake customer support’s tweet as seen above, they will end up entering credentials on the phishing website.

We went further to check the phishing links above and they indeed are fake Natwest webpages with forms for stealing user credentials. The website goes step-by-step asking for user information. On one page it asks for specific characters from password (e.g. 2nd, 3rd and 8th), presumably trying to mimic the real Natwest UI, but then in the next page it asks for full password and pin. The forms in these “verification” pages are quite elaborate asking for information ranging from customer number, password, pin, user address and credit card info.

Fake Customer Support handle

Image 2. Example of one of the “verification” steps

Once a user goes through the process and hits submit, the website sends the user information to the scammers and then redirects the user to https://personal.natwest.com – the legitimate version of Natwest’s online website. The redirection happens through Google’s URL redirection which is another popular technique among scammers to redirect users to bad websites. In this case however, it is merely being used for redirecting users to the bank’s website, so the user doesn’t suspect the malicious activity.

Fake Customer Support handle

Image 3. Redirection to natwest.com through google.ru

Phishing on Twitter looks extremely genuine because the communication is user initiated and the reply looks just like the reply you’d expect from the customer support handle. Therefore, it becomes even more difficult for unsuspecting users to spot fake handles and links.

In this case, we reported the account to Twitter Support but at the time of the post, the handle was still alive. Thankfully, the phish sites (see below) were down.

Quick shoutout to Techhelplistcom for bringing attention to the fake Twitter handle.

Spare a moment and send us a note using Twitter or reply on this post. We’re happy to talk!