Security Breach at US Banks Offers Opportunity for Phishers

Subject: Urgent Security Information.
Subject: Account Incident.
Subject: Your Account Has Been Compromised.

Is it real, or is it a phishing scam? This week's headlines give unintended credibility to one of the phisher's most effective social engineering tactics - the urgent warning that a customer's account has been compromised. The phishers' fiction has become a grim reality for hundreds of thousands of customers of America's biggest banks, which are now notifying customers that their information may be at risk. But the banks aren't specifying how they are notifying customers - a critical detail for anxious account holders, who may be ripe to succumb to bogus email "security alerts" from phishing fraudsters.

New Jersey authorities say a bank fraud scam compromised the accounts of at least 676,000 customers of Bank of America, Wachovia Bank, PNC Bank and Commerce Bancorp. Police in Hackensack, N.J. say the customer records were stolen by bank employees and sold to Orazio Lembo, who paid $10 per account for the records and then sold them to law firms and collection agencies. Nine people have been arrested, and the investigation continues. At least 60,000 Bank of America and 48,000 Wachovia customers in seven states have already been notified that their accounts might be at risk, the banks said.

Even as details of the fraud were emerging this weekend, phishing emails warning Bank of America customers of a security breach were inundating inboxes. "We have reasons to believe that your account was hijacked by a third party without your authorization," the email reads, directing the reader to click a link that mimics "onlineid.bankofamerica.com" but instead sends victims to a spoofed page at a server in Korea.

Notifications of compromised accounts are generally delivered via postal mail, as in the recent Lexis-Nexis security breach that exposed 310,000 customers to potential identity theft. A review of dozens of news stories about the New Jersey breach all mentioned customer notifications, but didn't stipulate the method of contact. Most banks have ceased sending important customer information via email due to the huge rise of phishing scams.

Most, but not all. The Internet Storm Center this week relayed an incident in which a reader received an unsolicited but legitimate e-mail from PayPal directing him to reset his password. After confirming the request by phone, the user returned to his computer to find an almost identical phishing email in his Inbox.

Bank of America carries a prominent warning about phishing emails on its account login page. "Never disclose ANY personally identifying information if requested via an unsolicited email or phone call," the bank warned, specifically naming a list of details that should never be shared (including your mother's maiden name, a common data point for security checks).

Not so at Wachovia, whose home page includes no reference to phishing emails, instead offering general cautions to "guard yourself against fraud and identity theft. Wachovia provides the highest levels of protection and stands ready to assist you should you become a victim."

Officials say there is no sign that any breached data has been used in identity theft incidents, but police are still analyzing data found on a computer seized from Lambo.