Customers were prompted to enter their personal details, such as passwords and personal identification numbers, which could be used to withdraw cash or transfer funds to other accounts.
The bank, which has 3.5 million online customers, said it had nothing to do with the e-mail or website.
“Barclays is taking the necessary action against the fraudulent websites and closing these down as we become aware of them,” a company spokeswoman said.
“As a precaution, we have decided to protect further our customers' interests by temporarily reducing the daily payment limit to £500.”
Of the 400 users that were sent the spoof e-mails, eight said they had given out their personal details. These accounts have been locked down, and the bank will cover any losses caused by the scam, the spokeswoman said.
The National Hi-Tech Crime Unit, which tackles cybercrime in the UK, has been called in to investigate the Barclays scam, which is the latest in a series of e-mail spoofing attacks.
A number of other high-profile companies have been hit in recent months, including Amazon.com, eBay and Citibank.
Last month, Amazon announced that it had filed 11 lawsuits against online marketers in the US and Canada, alleging they had used the Amazon name when sending e-mail advertisements.
“Spoofing harms brands, aids consumer fraud and provides a conduit for viruses,” said Arabella Hallawell, an analyst at Gartner.
Hallawell said companies with a strong presence or brand, especially in the retail and finance sectors, should evaluate their protection measures, such as encryption for signing e-mails and web pages, which contain personal data.