Malware seen today – BT Digital File

A customer asked me about an email they received today, and I wanted to pass on a warning to anyone who receives anything like the following…

Subject: Important – BT Digital File

Dear Customer,

This email contains your BT Digital File. Please scan attached file and reply to this email.

To download your BT Digital File please follow the link below : <LINK REMOVED FOR SAFETY>

If you have any questions or forgotten your password, please visit the “Frequently Asked Questions” at or call the helpdesk on 0870 240 5356* between 8am and midnight.

Thank you for choosing BT Digital Vault.

Kind regards,

BT Digital Vault Team

*Calls charged up to 8 pence per minute on the BT network (minimum fee 5.5p). Mobile and other network costs may vary. See for details.

Please note that this is an automatically generated email for your information only. We are sorry, but we can not respond to a “Reply” to this address.

This electronic message contains information from British Telecommunications plc, which may be privileged or confidential. The information is intended for use only by the individual(s) or entity named above. If you are not the intended recipient, be aware that any disclosure, copying, distribution or use of the contents of this information is strictly prohibited. If you have received this electronic message in error, please delete this email immediately.

Registered office: 81 Newgate Street London EC1A 7AJ Registered in England no: 1800000

The link in this email seems to be variable but will be designed to lull the user into a false sense of security. For example the one in my customer’s email was a school organisation, “”


Other subjects seen while researching this problem are:

  • We have received your secure message (from Santander)
  • Customer Account Correspondence (from Lloyds)
  • (AR01) Annual Return Received

As a general rule, never open attachments on emails that look like they may be generic, even if they are from people you know. Viruses and malware will spread through an infected users address book, making the recipients think that the mail has been sent to them by a trusted source. If in any doubt whether you should open an attachment, ask the sender whether they knowingly sent it. If you don’t know the sender, and the email is unsolicited, don’t open the attachment.

Phishing Virus affecting Tesco Banking website

I was recently called out to a customer who was having trouble logging in to her bank account (credit card) online. She was using Chrome to login to Tesco bank, and the symptoms she described to me immediately made me suspect there was something amiss with her computer.

She would go to the website and put in her username on the first page and click login. This would immediately take her to the “You have logged out” page.

She had contacted Tesco about this and been talked through trying the same thing with Internet Explorer, but with very different results. The amazing thing was that the support advisor made her do things that would compromise her account and then didn’t help her change her security details afterwards.

This is an account of what she saw, and what I subsequently reproduced later.

Screen One – Tesco Bank login screen – As expected


Username was entered into this screen and the Login button was pressed.

Next page – Where things get more suspicious…