Clients receive what may look like a genuine email from the financial institution, claiming that Kessler Federal had been the target of a fraud attempt and that, therefore, everyone should check their details by calling a certain phone number.

As expected, the number is fake. At first, callers are greeted with an automated voice which assures them that they will not be asked for any personal information, which might be enough to calm suspicious minds. Right after, however, callers are asked for their bank card number and PIN, enough information to enable a fraudster to walk away with a significant sum from the victim's account.

What makes this campaign really dangerous is the way the email message has been crafted. The scammers use a very similar version of the text used on Kessler Federal's website and made sure they included legitimate URLs to official advice pages.

"By using genuine links in the email, the cybercriminals are making it very hard for recipients to realise this is a phish. What’s more, most computer users are now wary of clicking on links and entering their details, so asking customers to call to verify their information further enhances the legitimacy of the email," said Graham Cluley, senior technology consultant at Sophos.

While institutions do much less than needed to warn customers or prevent such attempts, users are advised to use a phone number they know is legitimate (usually found on the back of their card) or simply take the time to go directly to the bank and sort things out.