Trouble in Europe – SEPA-Phishing-Alert

PhishingSecurity Research & Analysis

European internet mailboxes are being flooded by fake emails. The reason is a change in the European money transfer system. National bank transaction rules will soon be replaced by unified rules for all European citizens. The new system is called SEPA – Single Euro Payments Area. In the future it will be more difficult to see who is transferring money to your bank account and vice versa, who received money from you because the details of the person or bank that did the transfer will be converted to a number. Implementing the new system has been delayed many times and will affect a large number of account owners. All in all, it is a pretty big mess and an ideal situation for phishing attacks.

CYREN’s GlobalView™ Security Lab (GSL) has discovered several emails sent in the name of different European bank institutes asking for personal and secure data like TAN number. The spammers copy parts of the bank’s original HTML page and add a form for the phished data

  Fake website with an original part a phishing form

 Fake website with an original part a phishing form

 

CYREN found samples from the Austrian Alpe Adria bank, the German Sparkasse and Netherlands ING Bank. In many cases the recipient is asked to check the IBAN number (International Bank Account Number) and give some other private details, like his phone number. An employee of the bank will call back and finish the change. A big national German newspaper published a story of a 63 year old business man who gave his credentials to the fraudsters and lost 25,000 Euros.

 

Munich based business man lost 25.000 Euros in SEPA phishing

 Munich based business man lost 25.000 Euros in SEPA phishing

 

After some investigation CYREN has confirmed that a lot of the fraud websites are already offline. The fake websites are easy to recognize. In the address bar you will see a domain name different from the bank name (see picture one, top left). Furthermore we have the usual suspect signs like no personal address in the email and wrong encoding in the text so it lacks special characters.

And as a last advice: Nobody (including bank employees) should ask for your private credentials like PIN or TAN numbers or, in the case of credit cards, for your secure code.

Go back