Most people are careful about e-mails requesting a large amount of personal data. People are less guarded when requests originate from a genuine bank Web site. Man-in-the-browser malware waits for the PC user to login to an employee VPN site or online banking site and then injects an HTML page that asks for additional credential information for "security reasons." Once the fraudsters have this information, they're free to impersonate the victim.