Phishers Spoof Bank’s Security Guidance Web Page

Contributor: Sandeep Ingale

When it comes to financial organizations, being informed about best security practices is every customer’s right. Many organizations provide this information on their websites to help their customers learn how to take full advantage of the services available to them while staying secure. Interestingly, these Web pages, meant for the guidance and protection of customers, were mimicked by phishers with the intent of tricking people into handing over personal information.

In March, we discovered a phishing site spoofing a popular credit card services company that asked users for confidential information, allegedly for additional security. It should be kept in mind that a legitimate site will never ask for confidential information for this reason.

The phishing site prompts users through a three-step procedure for activating their card and adding higher security. The first step asks users for personal and card-related information. The personal information includes the users’ name, date of birth, residential address, phone number, and email address. The card information includes name of bank, name on card, card number, expiration date, and card verification code.

Phishers spoof banks 1.png

Figure 1. Users asked for personal and card-related information

The second step asks users for their social security number, 3D password, and ATM pin number.

Phishers spoof banks 2.png

Figure 2. Users asked for social security number, 3D password, and ATM pin

Finally, users are asked to choose an online payment service and then submit their email address and password for the chosen service.

Phishers spoof banks 3.png

Figure 3. Users asked for online payment credentials

After the requested information is entered, the phishing site acknowledges the submitted information and states that the card is ready for safe usage.

Phishers spoof banks 4.png

Figure 4. Acknowledgement of submitted information

If users fall victim to this phishing site, the phishers would have successfully stolen their information which, more than likely, will be used for financial gain.

Users are advised to adhere to the following best practices to avoid phishing attacks:

  • Do not click on suspicious links in email messages
  • Do not provide any personal information when answering an email
  • Do not enter personal information in a pop-up page or screen
  • Ensure the website is encrypted with an SSL certificate by looking for the padlock, “https”, or the green address bar when entering personal or financial information
  • Update your security software frequently (such as Norton Internet Security which protects you from online phishing)