Another real bank site which confuses people: nwolb.com
posted by John Roberts on November 30th, 2006 in PhishTank, Voting, Verifying phishes, Banks
Four weeks ago, I shared the interesting case of 53.com, a real bank website whose numerical domain name confuses some members of the PhishTank community (not easy… discerning bunch!). The submission cited in that post remains undecided, although it’s (correctly) leaning toward “NOT a phish.”
I want to call attention to another example today.
The submission is 36895. There are nearly 250 votes on this submission, with a slight majority correctly recognizing that this is NOT a phish.
Why the confusion? The website is branded as NatWest, a major bank in the United Kingdom, but the domain name is nwolb.com (go to the submission to see the entire URL submitted).
The registrant for nwolb.com is:
The Royal Bank of Scotland Group plc
Waterhouse Square
138-142 Holborn
London EC1N 2TH
UK
NatWest was purchased by Royal Bank of Scotland Group in 2000, so this is legit.
You can also simply start at NatWest.com. Click the button at the top right titled “Log in.” The link redirects to…you guessed it…https://www.nwolb.com/ (with lots of other session/security stuff on the end of the URL).
I’m sure there are technical reasons, or historical business reasons, why the online bank lives on a different URL than the corporate website, but it’s certainly led to some confusion among an ever-more cautious online crowd.
If you have not yet voted on 36895, please vote “NOT a phish.”
Related note
In the comments about 53.com, some asked why we (the PhishTank administrators) don’t go ahead and decide this submission once and for all. My answer remains the same: as long as this is undecided, we will not step in. PhishTank administrators will step in to overrule false positives, if necessary. It rarely has been: maybe three times in nearly 25,000 submissions as I write this post.
The moderators are instrumental in flagging confusing submissions and drawing attention to possible problems, though they don’t overrule the community.
Leave a response below, or send a trackback from your own site.
funchords
Once in a while, I punch the wrong button and mark something incorrectly. Someday, I hope we get a feature that will allow us to change our incorrect vote.
— posted by funchords on December 1st, 2006 at 2:19 am
Alan
I echo that sentiment — even when saying to myself, this is not a phish, I hit the Phish button out of habit…
— posted by Alan on December 1st, 2006 at 6:13 pm
astrogeek
I’ve wanted to edit my answers by accident as well, but I’ve also found that if people are allowed to edit a poll (and that’s really what this is) after they’ve seen what everyone else does there’s ‘pressure’ to reconsider. First impressions are usually better, IMHO, for aggregate endeavors like this.
If we’re making feature requests I’d really like to have the ‘problems with this submission’ pop-up window become a simple drop-down list on the submission page. It hasn’t made sense to me why it’s a separate window I’ve got to wait on to open (and I do that a lot because I really depend on those screenshots - which are often missing - so I wind up flagging submissions at lot).
— posted by astrogeek on December 1st, 2006 at 6:39 pm
DougieLawson
I’ve hit the wrong button on a few websites. With this one I had a tactical advantage with #36895 - I used to work in NatWest’s IT Dept.
There needs to be an option to change my vote - make it painful, with three confirmation screens (are you sure?, are you really sure? your gun, your bullet, your foot).
If I have semi-consciously hit the wrong button, then I’ll choose the report a problem and flag it as a false positive - so the moderators can work on it.
— posted by DougieLawson on December 2nd, 2006 at 2:24 am
DougieLawson
Can we also change the user interface for the phish tank to highlight any __HTTPS__ url with RED text? That _will_ reduce the number of false positives.
— posted by DougieLawson on December 2nd, 2006 at 8:20 am
phishthis
I happen to agree with funchords as I’ve been guilty of the same a few times, and may I suggest an additional selection that allows the community to note when a site cannot be fetched by them, IOW - is apparently offline.
Secondly, from time to time, a phishing site will override the frame window and this forces me to log back in and time it correctly to place a vote. Any discussion or suggestions?
Thanks,
phishthis
President, Founder, and primary Bottle Warsher of the
London Antiphishing Society, near Arkansas Nuclear One
— posted by phishthis on December 2nd, 2006 at 10:02 am
milky
just misclicked too - it was obviously a phishing site so hopefully it doesn’t hold the verification up much :/
— posted by milky on December 3rd, 2006 at 12:49 am
John Roberts
Reading all the comments, I assure you.
We remain unlikely to offer the ability to change a vote, even with the three-step process suggested by DougieLawson. The bias factor is too strong.
As I’ve said before, one bad vote isn’t enough to (a) end up mis-classifying a submission or (b) ruining your reputation on the site. I’ve done it myself, and I had the same reaction (oh, why can’t I change that?), but I refrained.
The idea to highlight HTTPS URLs is a good one, and simple (we all love simple).
astrogeek, the point of a separate window was to allow comments. Some people take advantage of that, some do not. I’ll discuss your point with others.
phishthis, and others: the ONLINE/Offline challenge remains a difficult one. These sites go up and down, and different people get a different response, as does our software. We’re considering making voting more easily available for those sites still being checked — it’s available now, but they don’t show up in “Next Unverified Phish.”
On a larger point — we will continue to open up PhishTank further over time. It’s been a great two months, and we look forward to continuing to support the growth and action of the community.
Sometime this coming week, I’ll give more of a roadmap about where we hope PhishTank goes. Note: it goes nowhere unless the community remains involved, so all of us will be paying attention to the feedback there.
— posted by John Roberts on December 3rd, 2006 at 10:41 pm
Bota
I’m surprised how good registration data is. I would have thought that phishers would register their fake domains using the real name and address of their targets. What I do look at, though, is the “date of first registration”, figuring that if this is a year old or more, then I can rely on it being legitimate.
— posted by Bota on December 8th, 2006 at 3:04 pm
Dan
[quote]We’re considering making voting more easily available for those sites still being checked — it’s available now, but they don’t show up in “Next Unverified Phish.”[/quote]
What exactly does “Submission […] is being checked (online or offline)” mean ?
— posted by Dan on December 14th, 2006 at 7:13 pm
bestiality
Good info!
Thank.
— posted by bestiality on December 19th, 2006 at 6:52 pm
Gaz
nwolb.com stands for Natwest Online Banking. Natwest (National Westminster) is a subsidiary group of the Royal Bank of Scotland. Hope that clears up something
— posted by Gaz on January 12th, 2007 at 1:17 pm