Waterbury-based Webster Bank was forced to spring into action this week to combat an Internet-based scheme to get online banking passwords and Social Security numbers from its customers.

Despite the precautions taken by banks and the attempts to educate customers about fraud, the number of phishing attacks made against financial institutions climbs almost monthly. This week, Waterbury-based Webster Bank was the latest Connecticut institution forced to spring into action to combat an Internet-based scheme to get customers’ online banking passwords and Social Security numbers.

An e-mail that appeared to be from Webster and contained the bank’s logo went out on Sunday. The message indicated that unless the recipient clicked on a link in the e-mail and entered their online banking password or Social Security number, Webster would deactivate their online bill pay accounts.

The link took recipients to a Web site that looked like Webster’s, but had a different address. The e-mail went out to customers and non-customers alike, since phishers typically have no way to tell who banks at what institution. An editor at The Commercial Record, who is not a customer of Webster, was among those who received the e-mail.

“We hope everybody will take it as a fraud,” said Art House, spokesman for Webster.

Webster frequently educates its customers on different types of fraud, from prize checks that circulate and ask the recipient to mail a check to cover fees, to the e-mail scam where a fraudster will claim to be from a foreign country and prey on a person’s honest nature or sense of religious duty to get them to hand over their bank account number.

“It can appeal to anything from a person’s sense of honesty Â… sometimes it’s religion,” House said. “If it sounds too good to be true, it probably is.”

Usually, customers notify a bank of a phishing scam, House said. When the bank was notified on Monday, the process of protecting customers and shutting down the scammers’ Web site began.

After finding out about the potential con, the bank sent notes to all its employees, telling them what happened, so they could educate customers and answer questions. The next step was to capture the Web site. The bank uses a third-party vendor to track it down and shut it off.

“We take this extremely seriously,” House said.

The bank also sent an e-mail marked “alert” to all customers who bank online, telling them of the phishing attempt. In its education, Webster emphasizes that it would never ask for personal information like that via e-mail, and that anyone who receives the e-mail should delete it immediately, without opening it. It was possible that Webster customers who do not bank online also received the phishing e-mail.

‘Back and Forth’

As part of the process in place to react to a phishing attack, Webster also cooperates with any authorities investigating the matter. Phishing can constitute different types of fraud, such as interstate or wire fraud, so agencies like the FBI could get involved.

Despite the precautions and reactions of banks, as phishers get more sophisticated, the process is something like building a higher wall as they build taller ladders, House said.

“It’s an ongoing back and forth,” he said.

At press time, Webster had not heard of any customers taking the bait and giving out their personal information. But of the thousands of people who likely received the phishing e-mail, it only takes a couple of customers to enter their personal information for the scam to be a success.

So the best defense is an educated customer. Because nearly all banks get hit by phishing scams, the true test of preparedness is how savvy the customers are, House said.

Webster is hardly alone in its fight. Bridgeport-based People’s Bank was targeted by a phisher last summer. According to the state Department of Banking, the e-mails targeted People’s clients and indicated that, for security purposes, the profile that the customers were using to access online banking was locked. To unlock their profile, the customers were asked to provide personal information, including ATM or Visa Check Card numbers, PINs and Social Security numbers. The e-mail address and the design and graphics on the Web site seemed genuine, according to the department.

The Department of Banking also has issued warnings and participates in educating bank customers.

There were 7,197 new phishing Web sites reported in December to the Anti-Phishing Working Group, a California-based coalition of companies affected by phishing. That was up from 4,630 in November and 1,707 in December 2004.

“Phishing” attacks are so named because the senders are “fishing” for recipients’ personal information. The substitution of “ph” for “f” is said to be a nod to an early form of hacking known as “phreaking,” according to the Anti-Phishing Working Group.