Phishing Advisory

Please be advised that there are several new phishing schemes that are using the dual authentication signup process to lure banking and credit union customers to bogus phishing websites.

The phishers are scamming their victims by directing them to sign up for their bank or credit union's new dual authentication solution, which is presented as helping to protect their online banking activities from fraud. The phishing scam directs the institution's customers to enter their account number and PIN so that they can register for their new "dual authentication code and phrase." The phishing email tells them that a dual authentication code and phrase is now required to do their online banking, as directed by the FFIEC.

In October 2005, the FFIEC issued guidance requiring banks and credit unions to strengthen how Internet banking users authenticate who they are, to help combat "new or changing risks such as phishing, pharming, malware, and the evolving sophistication of compromise techniques." The guidance requires financial institutions to have this in place by December 31, 2006.

A phisher can simply browse a website, grab screenshots of the customer login page and mount a copy of that page on another server. From there he or she can begin targeting customers by sending them emails that appear to be from a legitimate source, leading the customer to the spoofed login page, where they are tricked into revealing confidential account information. Once the information is entered, the customer is immediately directed back to the legitimate website. Therefore, there is little evidence to alert the customer that they have been phished.

Customers should never access the Legacy Bank website from a link provided in an email, but only by typing in the actual URL. Legacy Bank will NEVER ask for personal banking information via an email, and customers should ignore any emails that are requesting that type of information.