Online Banking and Phishing Scams
Posted by Ken Tumin
This AP article reports on a private investigation into the workings of an internet thief who used phishing techniques to hijack online bank accounts and to steal credit card numbers.
In one example of this cybercriminal's work, official-looking emails were routed through a computer in Macedonia. The fake emails instructed users to visit a web page to confirm details about their bank accounts. The web page, which looked like the bank's official page, was hosted on a Kenyon College computer that had been broken into. Once users submitted their information, the page emailed it to the thief.
In the sidebar of the article, several tips are provided for avoiding these kinds of scams. I've mentioned several of these in this previous post.
What Happens If They Get You?
Many banks with online banking will not hold you liable if you're a victim of online bank fraud, provided you exercise due diligence. For example, here's Bank of America's Online Banking Guarantee. It guarantees $0 liability for any unauthorized activity. However, it lists several customer responsibilities, including reporting unauthorized transactions to the bank within 60 days.
Bank of America is also developing a method called SiteKey to reduce the risk of phishing scams. It uses a secret picture or question, known as a SiteKey, that only the bank and the user know. The SiteKey is shown to the user after he enters his ID but before he enters his password. If the user doesn't see his SiteKey after entering his ID, he knows not to give his password.
ING Direct uses a much simpler version of this idea: a user-specific question is asked alongside the account number and password. The question varies from ZIP code to part of the user's Social Security number to date of birth. The problem is that a thief may already have all of this information; birthdays and ZIP codes in particular are easy to find.
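The two-step login described above, as an added Python simulation that is not part of the original post or of any bank's software: the client sends only its ID first, refuses to send a password unless the SiteKey it was enrolled with comes back, and so never hands a password to a fake page that does not know the picture. The user name, picture name and password are constructed sample data. The example also goes one step beyond the post: the relay site shows that a phisher who forwards the ID to the real bank in real time can fetch the correct SiteKey, so the picture alone does not stop a live man-in-the-middle; it only defeats a static copied page like the one in the article.

```python
"""Simulation of a SiteKey-style two-step login and two kinds of phishing page.

Added example; the names, pictures and passwords below are constructed sample
data, not real bank data or real bank code.
"""
from typing import List, Optional, Tuple

# Hypothetical enrolment record: user ID -> (SiteKey picture, password).
BANK_ACCOUNTS = {
    "alice": {"sitekey": "red_barn.jpg", "password": "correct horse battery"},
}


class Bank:
    """The real bank: knows each user's SiteKey and password."""

    def __init__(self, accounts: dict) -> None:
        self._accounts = accounts

    def step1_sitekey(self, user_id: str) -> Optional[str]:
        # Step 1: the user sends only the ID; the bank answers with the picture.
        acct = self._accounts.get(user_id)
        return acct["sitekey"] if acct else None

    def step2_login(self, user_id: str, password: str) -> bool:
        # Step 2: password is checked only after the SiteKey was shown.
        acct = self._accounts.get(user_id)
        return bool(acct and acct["password"] == password)


class StaticPhishingSite:
    """A copied login page like the one in the article: it records whatever is
    typed, but it has no idea which picture belongs to which user."""

    def __init__(self) -> None:
        self.stolen: List[Tuple[str, str]] = []

    def step1_sitekey(self, user_id: str) -> Optional[str]:
        return "stock_photo.jpg"  # a guess; the attacker never enrolled the user

    def step2_login(self, user_id: str, password: str) -> bool:
        self.stolen.append((user_id, password))
        return True  # pretend the login worked so the victim suspects nothing


class RelayPhishingSite:
    """Beyond the post: a live man-in-the-middle that forwards the ID to the
    real bank, shows the genuine SiteKey, then captures the password."""

    def __init__(self, bank: Bank) -> None:
        self._bank = bank
        self.stolen: List[Tuple[str, str]] = []

    def step1_sitekey(self, user_id: str) -> Optional[str]:
        return self._bank.step1_sitekey(user_id)  # relayed, so it matches

    def step2_login(self, user_id: str, password: str) -> bool:
        self.stolen.append((user_id, password))
        return self._bank.step2_login(user_id, password)


def careful_login(site, user_id: str, password: str, expected_sitekey: str) -> Tuple[bool, bool]:
    """The behaviour the post recommends: enter the ID, compare the picture
    that comes back with the one you enrolled, and send the password only on
    a match. Returns (password_was_sent, login_succeeded)."""
    shown = site.step1_sitekey(user_id)
    if shown != expected_sitekey:
        return (False, False)  # wrong or missing picture: stop here
    return (True, site.step2_login(user_id, password))


if __name__ == "__main__":
    bank = Bank(BANK_ACCOUNTS)
    static = StaticPhishingSite()
    relay = RelayPhishingSite(bank)
    creds = ("alice", "correct horse battery", "red_barn.jpg")
    print("real bank:     ", careful_login(bank, *creds))
    print("static phisher:", careful_login(static, *creds), static.stolen)
    print("relay phisher: ", careful_login(relay, *creds), relay.stolen)
```

The static page is stopped because it cannot produce the enrolled picture, which is exactly the protection the post describes; the relay page shows the remaining gap, since anything the bank will tell a site that presents only the ID, a relaying phisher can show the victim too. The same reasoning applies to a challenge question whose answer is public, such as a ZIP code or birthday.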