A common phishing scam that targets user account credentials tricks users into giving up their login and password details by luring them into implementing a new "security feature." The scam uses a major bank brand or merchant name. It is effective because, out of the millions of spam messages sent out, a small percentage of recipients will be fooled into thinking they're implementing a new security feature.
Security firm Sophos detected this kind of scam targeting the customers of an Italian prepaid debit card service. Recipients tricked into opening an HTML attachment were prompted for their password. The password was then saved and a phishing web page was opened. The presence of the password prompt may actually strengthen the social engineering of the phish, Sophos said.