I often hear and read people mentioning that phishing emails are getting steadily more credible and it’s true. Criminals are investing more resources in making sure their phishing lures look as graphically and orthographically correct as possible in order to maximise their success rate.
Financial institutions suffer considerable losses year on year to this criminal endeavour and are increasingly deploying technology to help combat this fraud. One technique that is becoming more widespread (at last) is two-factor authentication. Banks provide their customers with hardware or software tokens that generate one-time codes to be used whenever money is being transferred. One of the oldest forms of this is a “code card” or “code sheet”. This kind of technology was in use in some European countries such as France and Germany (for Minitel and BTX banking) even before the Internet and is still in use today.
Allied Irish Bank (AIB) started providing one-time code cards to their customers back in 2005, making them early adopters in English-speaking European terms. So it’s no surprise that phishing mails are also evolving to try to overcome these obstacles.
This afternoon I received an email supposedly from AIB informing me that my code card was about to expire.
This piqued my curiosity so I took a quick look at the attachment, only to be amazed at the bare-faced cheek (as my mum would say) of the phishers. Not only are they asking for my registration code, Personal Access Code and home phone number, but also all 100 of my code card digits!