It’s not unusual for banks to send emails which are confusingly similar to phishing, but this recent one I received from Virgin Money is exceptionally bad. It tells customers that the bank (Northern Rock) is changing domain names from their usual one (northernrock.co.uk) to virginmoney.com and customers should use their usual security credentials to log into the new domain name. Mail clients will often be helpful and change the virginmoney.com into a link.
This message is exactly what phishers would like customers to fall for. While this email was legitimate (albeit very unwise), a criminal could follow up with an email saying that savings customers should access their account at virginsavings.net (which is currently available for registration). Virgin Money have trained their customers to accept such emails as legitimate, which is a very dangerous lesson to teach.
It would have been safer not to do the rebranding, but if that’s considered essential for commercial reasons, then customers should have been told to continue accessing the site at their usual domain name, and then been redirected (via HTTPS) to the new site. It would mean keeping hold of the Northern Rock domain names for the foreseeable future, but that is almost certainly what Virgin Money are planning anyway.
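One way to check that a migration behaves as recommended above, added here as an example and not code from the original post: it audits a recorded redirect chain, requiring that it starts at the usual domain, stays on HTTPS and on the two expected hosts, and ends at the new site. The hostnames are those mentioned on this page; the `/login` path, the `redirect.example.net` host, the sample chains and the function name are constructed for illustration.

```python
from urllib.parse import urljoin, urlsplit

REDIRECT_CODES = {301, 302, 303, 307, 308}

def check_migration_redirect(hops, legacy_host, new_host):
    """hops: ordered list of (url, status, location_or_None), recorded by a
    client that does not follow redirects itself. Returns a list of problems;
    an empty list means the chain is acceptable."""
    if not hops:
        return ["no responses recorded"]
    problems = []
    allowed = {legacy_host, new_host}
    if urlsplit(hops[0][0]).hostname != legacy_host:
        problems.append("chain does not start at the legacy domain")
    for i, (url, status, location) in enumerate(hops):
        parts = urlsplit(url)
        if parts.scheme != "https":
            problems.append(f"hop {i}: {url} is not HTTPS")
        if parts.hostname not in allowed:
            problems.append(f"hop {i}: unexpected host {parts.hostname}")
        if i == len(hops) - 1:
            if status != 200:
                problems.append(f"final response status is {status}, not 200")
            elif parts.hostname != new_host:
                problems.append("chain does not end at the new domain")
        elif status not in REDIRECT_CODES or not location:
            problems.append(f"hop {i}: status {status} is not a redirect")
        elif urljoin(url, location) != hops[i + 1][0]:
            # Location may be relative, so resolve it against the request URL.
            problems.append(f"hop {i}: Location does not match next request")
    return problems

# Constructed sample chains (not captured traffic).
LEGACY, NEW = "online.northernrock.co.uk", "online.virginmoney.com"
GOOD = [
    (f"https://{LEGACY}/login", 301, f"https://{NEW}/login"),
    (f"https://{NEW}/login", 200, None),
]
DOWNGRADE = [  # passes through plain HTTP before returning to HTTPS
    (f"https://{LEGACY}/login", 302, f"http://{NEW}/login"),
    (f"http://{NEW}/login", 301, f"https://{NEW}/login"),
    (f"https://{NEW}/login", 200, None),
]
THIRD_PARTY = [  # bounces through a host that is neither bank domain
    (f"https://{LEGACY}/login", 302, "https://redirect.example.net/r?to=vm"),
    ("https://redirect.example.net/r?to=vm", 302, f"https://{NEW}/login"),
    (f"https://{NEW}/login", 200, None),
]
```
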
I have a Virgin Money savings account but I don’t seem to have had that email (yet?). They are, in fact, redirecting https requests from online.northernrock.co.uk to online.virginmoney.com as you recommend. Which makes it all the more bizarre that they feel the need to send this email.