« Brand Name Survey Scams | Main | The Randomizer Ate My Homework »

June 15, 2005

Here's something in a phishing site that I had not seen before. The institution is a primarily midwest U.S. bank, so the odds of reaching an actual customer of the institution must be pretty low. But that didn't deter the phisher from concocting an elaborate charade at the phishing site, should someone visit there.

In place of the usual login screen or form is an official-looking "new enrollment" page that simply reels off a bunch of legalese. This, the header tells me, is Step 1 of 3. Clicking "Continue" brings me to another, much longer page consisting of a "consumer services agreement." The wording is taken from the real agreement of the institution.

Continuing on, I reach Step 3 of 3: a form requesting my Social Security Number, debit card number, and PIN. AHA!

Not only might the official-looking legal pages make someone believe it's the real thing, but the domain of this scam is very real-looking, containing the name of the institution and the word "online." The real site for the institution has a different domain name.

In fact, this whole scam is so official-looking, I fear that my report to the hosting company won't be taken seriously, and they'll be fooled into thinking it's the real bank's site (notwithstanding the 2004 copyright date on the bogus pages). They closed down the last phishing site I reported yesterday, so here's hoping they're equally responsive today.