Banks urged to warn customers about fake e-mails

Banks should be doing more to educate their customers on the dangers of hoax e-mails, according to experts.

At least 200 customers of Westpac Bank in New Zealand were tricked in November into giving up their online banking passwords and, at press time, the bank was expecting more victims of the international e-mail scam to emerge. Many New Zealanders found waiting in their e-mail inboxes a message pretending to be from Westpac, saying the bank wants to check e-mail addresses are valid and asking customers to confirm their address by providing their banking ID and password at the Westpac Web site. The e-mail included a link that appears to point at Westpac’s Web site, but actually directed browsers to a Web site in Russia. The bank posted a note on its banking login page, warning customers about the scam, and was planning to contact online customers directly. The police e-crime unit was investigating.

Over the past few months a raft of spoof e-mails have been circulated to e-mail users purporting to be from Canadian or UK banks. The e-mails provide a fake uniform resource locator (URL). The recipient is advised to click on this link to verify his or her e-mail address, and the site then asks for the user’s customer number, password and memorable data – all the information needed to access that person’s bank account.

In September, customers of BMO and Mouvement des Caisse Desjardins were hit with a variation of the same e-mail scam.

Spokespeople for the two Canadian banks said that hackers sent out mass e-mails hoping to target legitimate bank customers. The e-mails told consumers to click on a URL that would take them to the banks’ Web sites – where they could enter to win US$500. However, those links actually took viewers to a cloned Web site, where they were asked to enter bank account numbers and passwords.

BMO spokesperson Ian Blair and Desjardins spokesperson Andre Chapleau said those e-mails also contained a Trojan horse, which was activated when consumers clicked on the link. It enabled the hackers to take control of users’ computers and steal information.

BMO, which learned of the scam from customers, contacted the Internet service provider hosting the spoof site, which immediately shut it down, Blair said. However, that didn’t deter the hackers. “Shortly after [the spoofed site was shut down], the hackers sent out another e-mail to customers saying the hackers had been caught but in the process their personal information might have been deleted, and asked them to resubmit their information,” he said. Royal Canadian Mounted Police are investigating the hoax, Blair said, noting that BMO quickly changed the passwords and other personal information of the 100 or so customers taken in by the scam. As for the Mouvement des Caisse Desjardins, Chapleau said his organization tracked down an ISP in Pennsylvania and had it close down the other spoofed site. He said the hosting company tracked the cybercriminals to Russia.

According to Pete Simpson, ThreatLab Manager at e-mail filtering specialist Clearswift Ltd., banks simply aren’t doing enough to alert users to the existence of fake e-mails.

“There should be a prominent URL on bank home pages alerting users to the hoax mails and a dedicated helpline where users can go for advice,” he said.

With files from Matthew Cooney, Computerworld New Zealand Online