Customers trying to claim deposits from a collapsed Icelandic bank could be at a higher risk over the next few weeks of falling victim to phishing scams, according to security analysts.
Icesave, the British branch of Landsbanki of Reykjavik, Iceland, was declared in default on Oct. 8, leaving more than 200,000 customers without access to upwards of £3 billion (US$4.8 billion) in deposits. The U.K. government has said it will refund consumer and retail customers.
The U.K.’s Financial Services Compensation Scheme (FSCS), which is coordinating the refunds, said Tuesday it would send two e-mails to Icesave customers. The first gives information on how people can claim their money. It does not ask for account details or personal information.
The second, due to go out in three to four weeks, will indicate how customers can complete a “short online process to be paid compensation.” Icesave said that involves an electronic transfer through the Bacs online payment processing systems, which is used by most U.K. banks and building societies.
While e-mail communication from banks to customers in the U.K. is legal, the level of detail on how the claims process works could also alert fraudsters to a prime phishing opportunity, said David Holman, director of First Cyber Security, a vendor that focuses on anti-phishing technology.
“I think my biggest concern is the fact they’ve told the market exactly how they’re going to do it,” Holman said. “I just think it’s a bit crazy to give a description.”
It’s trivial to create a fake Icesave Web site, Holman said. Then, a scammer could send spam with a link to that fake site. Once on the bogus site, the user could be duped into divulging their account details.
The fake Web site could then display an error message telling the person to login later. By that time, the scammer would have the account details and could try to move money to a Swiss bank account, for example, Holman said.
So far, Holman said his company has not yet seen a phishing site spoofing Icesave.
Icesave customers may also be somewhat more vulnerable to scams due to their anxiety over what could happen to their savings, said Graham Cluley, senior technology consultant for security vendor Sophos.
“People will have a real urge to move their money and secure their cash,” Cluley said.
Cluley said people should avoid clicking on any links in suspicious-looking e-mail. Further, customers should type the correct domain name for Icesave into their browser’s address bar, he said.
The FSCS is also letting Icesave clients use a paper form to apply for a claim and receive the money by check. The paper process takes up to six weeks rather than the five days for an electronic transfer but could be a safer option.
A FSCS customer service advisor said Wednesday Icesave customers should be cautious of how they handle their financial details.