All the usual 'this is a scam' signs: odd 'from' address, the HTML bit of the email is a single .gif, called aunt.gif! The non-HTML is 'get me through the spam filters' gibberish: "Animated Graphics Firestone Tires I'd like to see you in 1868". The language used is not that of a native English speaker:
Dear client of the Halifax Internet banking,
[..] We earnestly ask you to visit the following link and to confirm your bank data: [..] This instruction has been sent to all bank customers and is obligatory to follow
Please do not answer to this email [..]
Ok, let's see what the purported link of https://www.halifax-online.co.uk/ etc actually is.
Gosh, it really is https://www.halifax-online.co.uk/ etc, none of this 'genuine-looking-address@dodgy-one' or 'IP-address/genuine-looking-rest' stuff.
OK, let's do a whois.
Domain Name: halifax-online.co.uk
Registrant: Halifax plc
Yeah, yeah, that's what they all say.
Administrative Contact's Address: Inca Research Inc, Victoria Chambers, Fir Vale Road, Bournemouth, BH1 2JN.
Ha! Well, there are some companies that let their suppliers manage their domains, but an Inc (rather than Ltd or plc) in the UK?
Relevant Dates: Registered on: 26-Apr-1999
But gosh. If this were a 'let's register a plausible sounding domain name and see who bites' scam, you'd have expected Halifax to have stomped on them years ago.
A check of Nominet's dispute registration scheme does show that Inca are real but have have been naughty in the past.
OK, let's be brave and look at halifax-online.co.uk – hmm, the certificate is valid, the site looks genuine. The IP address is 212.140.245.11 vs 212.140.245.97 for halifax.co.uk, too.
Gosh. Have I been spammed by a dodgy email that actually points to a genuine site?