Executives at Waterbury-based Webster Bank met last week to discuss the bank’s response plan if it is victimized by a so-called phishing scam, in which fraudsters send out seemingly legitimate e-mails to customers of financial institutions or Internet companies asking for account information.

Despite all the vaults, alarms, firewalls and other security measures that banks have put in place over the years, scofflaws continue to find ways of getting other people’s money. And those measures can’t do a thing to stop the latest gimmick fraudsters are using to steal personal information like account numbers and, ultimately, money.

Phishing scams, in which fraudsters send out seemingly legitimate e-mails to customers of financial institutions or Internet companies asking for account information, reached an all-time high in April. Some Connecticut customers of companies like eBay have fallen victim to the scam and the state’s bigger banks are preparing themselves for attacks against their customers.

So-called phishers typically target customers of large institutions. Citibank customers were the most targeted in April, according to the Anti-Phishing Working Group, a California-based coalition of companies affected by phishing. Phishers send out large numbers of e-mails to random people and hope to hit customers of the target company. The e-mails usually look official and include the company’s logo. They ask the customer to either fill in a form included in the e-mail or to go to a different Web site to fill out a form asking for information like account numbers and Social Security numbers.

“By hijacking the trusted brands of well-known banks, online retailers and credit card companies, phishers are able to convince up to 5 percent of recipients to respond to them,” according to the APWG. The group also has noted that “phishing” attacks are so named because the senders are “fishing” for recipients’ personal information; the substitution of “ph” for “f” is said to be a nod to an early form of hacking known as “phreaking.”

There were 1,125 reported phishing attacks in April, according to the group, up from about 425 in March.

Detective Bill Warner of the Middletown Police has worked on several cases where Internet con artists have succeeded in obtaining people’s credit card numbers. In one case, a Middletown woman got an e-mail purporting to be from eBay and asking her to resubmit her account information, Warner said.

“It looked totally legitimate; it appeared to be their logo,” he said.

The woman responded and within a few days noticed almost $2,000 in charges on her credit card, Warner said. She contacted eBay, which responded with a letter saying it was a spoof e-mail and that the company would never request account information in an e-mail. The con artist hasn’t been caught and Warner isn’t sure the person ever will be.

“They’re nearly impossible to track down,” he said.

Phishers normally use a variety of servers to make it difficult, or even impossible, to trace their whereabouts, Warner said. Usually, the victim is compensated by his or her credit card company or bank.

“In a lot of cases, the credit card companies will credit the account,” Warner said. “In a lot of cases, the bank ends up taking a loss.”

Taking It Seriously

Banks in Connecticut, however, don’t want to deal with such losses and have been preparing for any phishing scams that could come their way. Although phishing scams primarily have hit big, national banks – Citibank was the most frequently targeted, according to the APWG, and Fleet Bank also saw some attacks in April – Waterbury-based Webster Bank, Middletown-based Liberty Bank and Bridgeport-based People’s Bank all have created programs to educate their customers about phishing. The three banks haven’t been the victims of phishing scams, but are preparing for the possibility.

“We are aware of the problem,” said Megan Thompson, spokeswoman for Webster. “We’re taking the problem seriously.”

Webster executives met last week to discuss the bank’s response plan if it is attacked. The bank has a group of experts working on solutions and there has been a lot of internal communication about phishing, Thompson said. The bank plans to use e-mails and fliers in bank statements to alert and educate customers about phishing and how to avoid falling victim to a con, Thompson said. Webster already has used those media to alert customers to past potential frauds, but has decided to update customers on the new dangers on the Web.

Bank executives have been working toward solutions for phishing for the past couple of months and continue to work on them, Thompson said.

“It’s going to be a huge focus for the next few months,” she said.

People’s also will let its customers know about phishing scams, said spokesman Brent DiGiorgio, and has information about phishing on its Web site.

One of the biggest hurdles to stamping out phishing scams is that the responsibility falls not on the bank, but on the customer.

“There will always be someone out there who will fall for it,” said Ron Catrone, chief information officer at Liberty Bank. “It’s difficult to prevent.”

Liberty also has been concentrating on educating its customers about phishing scams, Catrone said. The bank’s Web site has information on how to avoid the scams. The site warns Liberty’s customers to be suspicious of e-mails with “urgent requests for personal financial information … Phishers often use upsetting or exciting [but false] statements in their e-mails to get people to react immediately.”

Additionally, the site cautions that phishers usually ask for passwords, usernames, credit card and Social Security numbers.

Liberty also plans to put out a statement stuffer later this year that will tell customers how to avoid being phished, Catrone said, and the bank already has provided its staff with the necessary education.

“We do have a response plan,” Catrone said. “Obviously our staff is alert.”

Liberty has public relations personnel in place to deal with any customers who might be hit. The bank also has circulated, as an example, a fraudulent e-mail that one of its employees received, Catrone said.

But even as banks and bank customers become more educated, phishers find new ways to scam them. One tool they began using in March is the fake browser bar, according to the APWG. As customers begin to be more wary of e-mails asking for personal information, they have been taking more notice of the Web sites to which such e-mails link. Phishers, as a result, came up with a way to use JavaScript to place a fake browser bar over the browser’s real bar, according to the APWG. The fake bar shows a legitimate-looking URL in a functioning window.

“This is one of the most sophisticated phishing attacks that we have yet detected, and has serious security implications for consumers,” according to the group’s Web site. “Because the fake address bar remains installed even after you leave the phisher’s site, there is a possibility that a phisher could use this technique to secretly track every Web site that you visit. Or even worse, a phisher could potentially employ a ‘man-in-the-middle’ attack to see everything that you send or receive through your Web browser until you close it.”

To avoid that, the group recommends that consumers not click on links within e-mails that are potentially from phishers.

It’s hard to say how big an effect phishing could have on the banking industry, Catrone said.

“Because of the ease with which it’s done, it can spread very easily,” he said.