Phishing mail asks for TAN list photo
A new phishing email circulating in Germany is asking customers of the country's largest banking establishment, Deutsche Bank, to upload photographs or scans of their bank-issued TAN (Transaction Authentication Number) list to a maliciously fabricated web site. TANs are used by many banks in Germany to authenticate transactions during online banking sessions. The customer receives a printed list of TANs, essentially one-time passwords, via mail and has to use a randomly selected number from the list each time they want to send money or approve other transactions. The phishing email directs users to a deceptive web page where the scammers claim that the TAN list must be uploaded because Deutsche Bank is supposedly replacing its iTAN technology with a mobile TAN (mTAN) system on 1 January 2013.
The short time frame is apparently designed to increase the pressure on the victims of the phishing emails. The H's associates at heise online received copies of similar emails that were apparently asking for the information to be uploaded by the next day or the customer's account would be disabled, incurring administrative charges. The text in the emails and on the faked web site claims customers have to upload a photo or scan of their TAN list so that it can be reviewed by employees of the bank to switch the account to the new mTAN system. The scammers also ask for the login details for the account and the user's mobile phone number.
The web sites are a professional reproduction of Deutsche Bank's actual online banking interface and, like the phishing mails themselves, include relatively few spelling mistakes and grammatical errors. Add to this the fact that customers in Germany are now well used to having banks switch from iTAN to mTAN systems, and the phishing emails are fairly convincing. Banking customers are reminded to always contact their bank if they receive emails such as these. However, customers should never contact their bank through phone numbers or email addresses listed in phishing emails as those numbers and addresses could also lead to fake bank employees.