At least 200 people in New Zealand were tricked yesterday into giving up their online banking passwords.
The e-mail pretended to be from Westpac Bank, saying the bank wanted to check that e-mail addresses were valid and asked customers to confirm their address by providing their banking ID and password at the Westpac website.
The e-mail included a link that appeared to point at Westpac's website, but actually directed browsers to a website in Russia.
Westpac spokesman Paul Gregory said so far the bank has not yet found any suspicious transactions leading on from the e-mails, but will have a better idea when the transactions summary is available.
"Obviously we'll be taking a pretty close look at their accounts over the next few days," he said.
Gregory urged Westpac customers who provided their login details to the bogus website to change their passwords as soon as possible, contact the bank, and keep a close eye on their online accounts.
"All we can do is let people know it's around. We would never, ever send out an e-mail of that sort."
Many recipients of the e-mail are not Westpac customers. The hoaxers apparently used one of the lists of e-mail addresses available for purchase on the internet, and sent the messages indiscriminately to New Zealand e-mail users.
The bank has posted a note on its banking login page, warning customers about the scam and will contact online customers directly.
Matthew Cooney writes for Computerworld