Minneapolis, Minn. — U.S. Bank officials say the bogus e-mails went out to customers and non-customers alike. The message reminds recipients that their account must always be under their control or that of those they designate. But it says other parties may have access to or control of information in the account. The message says the recipient will have no further access to the account until they click on a link in the e-mail to verify their identity. The link connected to an official-looking website that requested personal information.
Mary Blegen, U.S. Bank's manager of 24-hour banking and U.S. financial sales, says banks would never send an e-mail asking for such information.
"In this one, the first set of data is, 'Please provide us your account number.' 'Gosh, my bank or my Internet provider should know my account number.' So, it's those kinds of things that will tip you off," says Blegen.
U.S. Bank officials say personal bank accounts had not been compromised, nor were U.S. Bank's systems. But it's not clear how many people might have provided personal information as a result of the scam. U.S. Bank says it doesn't disclose such information. Blegen says she doubts many people did divulge personal data.
She says the bank will work with any customers who do give out information to stop accounts, and establish new ones.
Many Internet users are familiar with apparent scam e-mails that raise doubts with their clumsy English. But U.S. Federal Trade Commission attorney Patricia Poss says phishing schemes can be quite deceptive.
"Because the phishing scammers use the logos and the trademark images of companies that people recognize, it's very difficult to see that it's fake. It's a very sophisticated trick, really. So I would say that even the most savvy Internet user can fall for this if they believe it's legitimate," says Poss.
"It's been growing tremendously," says Dan Maier, director of marketing of the Anti-Phishing Working Group. The group was recently formed by a number of banks, Internet service providers and Maier's employer, an Internet security firm called Tumbleweed Communications. The anti-phishing group's website lists more than 20 recent attacks. Many are against banks, but the list includes Internet service provider Earthlink and retailer Amazon.com.
"What we're starting to see is the amateurs are starting to get weeded out a bit, but the professional criminals are starting to take over because what we're seeing is the sophistication level of a lot of the phishing attacks are starting to rise considerably," says Maier.
He says the use of the target company's brand information and images may look authentic, and there may be no suspiciously bad grammar. He says some take advantage of a feature in Microsoft's Internet Explorer that allows them to portray a bogus web address as one that appears to be from the target company. And he says more are using websites based abroad.
"It tends to be pretty easy because of U.S. laws for Citigroup or US Bank to talk to that ISP and get them to shut down that website. It is a much more difficult process to get a website shut down in a country like Korea or Russia," says Maier.
The link in the U.S. Bank e-mail is no longer active.
Maier says one of the anti-phishing group's goals is to research how much damage attacks cause, but he says there is some anecdotal information.
"One ISP I was talking to said that they estimate that on average, people who respond to these attacks and give out personal information, they lost on average about $300 per person. Not quite clear how many people fall for each attack, although we've seen response rates of up to 5 percent per phishing attack," Maier says.
He and others say people who receive such e-mails should not click on the links they provide, but should call the institution the message appears to be from or go to the company's website without using the link provided.