Phishers twisted a long-standing scam tactic into their newest technique to trick consumers out of their bank account information -- and the money in those accounts -- a security firm said Friday.
The new scheme starts with an e-mail from a phony bank, claiming that a large amount of money has been placed into a new account opened in the recipient's name. A link to the bogus bank is included, along with an account number and a PIN.
The message goes on to say that the recipient can transfer the money by logging into this account -- which shows a large balance -- and then by providing information about a real bank account to finalize the transfer.
"In some ways, this is similar to the Nigerian 419 scam," said Dan Hubbard, the senior director of security at San Diego-based Websense. "It has some similar characteristics."
In the long-running Nigerian scam, also called "advance-fee fraud," vast sums are promised in return for either up-front good-faith cash or access to the victim's bank account to make the fund transfer.
"We've seen phishers use fake banks before," said Hubbard, "but this is the first time we've seen a scam that says money is waiting to be picked up."
In the example e-mail that Websense captured, the text begins, "We have been directed by the Mega Magic Foundation of France to notify you that the sum of One Million Euros has been deposited in our bank, DBS Bank, in your name, awaiting immediate transfer to your personal bank account."
The message concludes with the kicker: "Once logged in to your account, you can transfer via wire directly to your personal bank account by clicking on the 'click here to transfer' link."
The logo displayed in the message is fake, said Hubbard, but there is a holding company that goes by the name of DBS Bank. However, he didn't know whether the name used by the scam was simply a coincidence or planned. He suspected the former.
"More and more fraudulent-based sites are appearing that don't target a specific brand," said Hubbard in explaining why this tactic doesn't use a real-world institution, as do many other phishing attacks. "Since the bank is probably fake, the phishers don't have to worry about any countermeasures. Who would someone report this to? There's no brand directly affected."
Most phishing attacks aim at a specific bank, such as Citibank or Washington Mutual, and are first discovered when customers report the scam to their bank.
"This is another example of the continued creativity of these people," said Hubbard.