Email purporting to be from Merrill Lynch claims that customers must urgently login to their accounts and provide five personalized security questions.
Subject:Urgently! MERRILL LYNCH BUSINESS CENTER customers pay attention
Merrill Lynch Enhanced Security Authentication
We have enhanced the Merrill Lynch Business Center security access to further safeguard access to your account information. Click on the hyperlink below and follow the prompts to answer and record answers to five personalized security questions. We may, in the future, ask you for answers to these questions when you log into the Business Center to ensure that only you are accessing your account information.
By clicking the link below and/or by using the Merrill Lynch Business Center website (“site”), you: Login by clicking here: [LINK TO BOGUS WEBSITE REMOVED]
I. Represent and warrant that you are authorized to accept the Merrill Lynch Business Center Terms & Conditions and use the site on behalf of yourself and your employer and in doing so you are acting within the scope of your duties and II. Accept the Merrill Lynch Business Center Terms & Conditions on behalf of yourself, agree to be bound by them.
Recently, phishing scammers have again targeted financial institution, Merrill Lynch. An “Urgent” email message claims that Merrill Lynch customers must click a link and “follow the prompts to answer and record answers to five personalized security questions”.
However, the message does not originate from Merrill Lynch. Following the link in the message opens a bogus web page designed to resemble the genuine Merrill Lynch website. Victims who fall for this ruse may be tricked into providing their username and password as well as other private information. This information can then be collected by scammers and used for identity theft and fraud.
In order to make the message appear more legitimate, the scammers have added a seemingly official terms and conditions acceptance clause to the bottom of the email.
Merrill Lynch has published a statement on its website warning customers about such phishing attacks. The statement notes:
Recently some Merrill Lynch clients have reported receiving fraudulent e-mails that appear to be from Merrill Lynch but which have, in fact, been sent by imposters. How can you tell the difference? Fraudulent e-mails typically include website links, and or request you to provide personal information.
Merrill Lynch has not and will not initiate a request for sensitive information via e-mail.
In fact, no legitimate financial entity is likely to request sensitive personal information via an unsolicited email. Be very wary of any requests for personal information that arrive via email and claim to be from a bank or other financial institution. Do not click on any links in such emails or open any attachments they contain. These fraudulent emails and websites may appear virtually identical to genuine company messages and websites.
Last updated: 24th October 2007
First published: 24th October 2007
By Brett M. Christensen