Westpac - 'Westpac Bank users warning'
03-May-2004

Summary
Email title: 'Westpac Bank users warning'
Scam target: Westpac customers
Email format: A HTML email
Sender:

Westpac <users-billing5@westpac.com.au>

Sender spoofed? Yes
Scam call to action: "We regret to acknowledge, that some data on users accounts could be lost. The administration kindly asks you to follow the reference given below..."
Scam goal: Getting victim's Westpac website user number and password
Call to action format: URL link
Visible link: https://oIb.westpac.com.au/ib/defauIt.asp
Called link:

http://olb.westpac.com.au%2E%75%73%65%72%...

Link decodes to: http://olb.westpac.com.au.userdll.com:4903/ib/index.htm
Resolved site: http://olb.westpac.com.au.userdll.com:4903/ib/index.htm, and http://www.westpac.com.au/internet/publish.nsf/Content/PBOB+Terms+and+Conditions
 
E-mail

This is another representative of the latest and most dangerous phishing scheme, and it introduces a couple of new tricks. The first is that the visible URL is not only spoofed, but the phishers have rendered some of its letters in a different font, so that a lowercase 'l' can be swapped for a capital 'I' (as in 'oIb' and 'defauIt') without the victim noticing. The same substitution is also meant to get the message past anti-spam filters.

The email itself looks very decent: it is simple and well designed, exactly what you would expect from a financial institution. Its pretext is somewhat dubious, but everything else is convincing; the sender, the logo and the link all look exactly like Westpac's.

 
Web Site

And here is another new trick: even if you check the source code of the HTML message for the real link, you will see a URL that starts with 'olb.westpac.com.au'. The rest of the host name is percent-encoded (the '%2E%75%73%65%72...' sequence), so the address appears to stay within Westpac's domain. This alone is enough to fool most internet users. But even if you decode the rest of the URL (there is a free, web-based decoder at http://www.wight.info/iwindex/hexform.htm), the resulting link still looks pretty plausible: the real domain, userdll.com, is tucked away after the 'olb.westpac.com.au' prefix.
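As an added example that is not part of the original report, here is a small Python checker for the two tricks described above: it percent-decodes the real target to expose the registered domain, the non-standard port and the https/http mismatch, and it flags the capital-I-for-l swap in the displayed link. The full encoded target is a constructed sample reconstructed from the decoded link given in the summary, and the domain heuristic is deliberately simplified (a real tool would use the public-suffix list).

```python
from urllib.parse import unquote, urlsplit

# Constructed sample: the link text shown in the e-mail and the full encoded
# target, rebuilt from the decoded link in the report (which truncates the encoded form).
VISIBLE = "https://oIb.westpac.com.au/ib/defauIt.asp"
HREF = "http://olb.westpac.com.au%2E%75%73%65%72%64%6C%6C%2E%63%6F%6D:4903/ib/index.htm"


def decode_url(raw):
    """Percent-decode until the string stops changing (catches double encoding)."""
    prev = None
    while prev != raw:
        prev, raw = raw, unquote(raw)
    return raw


def registered_domain(host):
    """Last two labels, or last three for second-level suffixes such as com.au.
    Simplified heuristic; a real tool would consult the public-suffix list."""
    labels = host.lower().split(".")
    second_level = len(labels) >= 3 and len(labels[-1]) == 2 and labels[-2] in {
        "com", "net", "org", "gov", "edu"}
    return ".".join(labels[-3:] if second_level else labels[-2:])


def analyse_link(visible, href, expected_domain):
    """Return the reasons a link is suspicious; an empty list means nothing found."""
    findings = []
    decoded = decode_url(href)
    if decoded != href:
        findings.append("percent-encoding hides part of the target: " + decoded)
    target = urlsplit(decoded)
    host = target.hostname or ""
    domain = registered_domain(host)
    if domain != expected_domain:
        findings.append(f"registered domain is {domain}, not {expected_domain}")
    if expected_domain in host and not host.endswith(expected_domain):
        findings.append(f"{expected_domain} is only a prefix of the host {host}")
    if target.port not in (None, 80, 443):
        findings.append(f"non-standard port {target.port}")
    shown = urlsplit(visible)
    if shown.scheme == "https" and target.scheme != "https":
        findings.append("link text promises https but the target uses " + target.scheme)
    # netloc keeps case; a capital I in a displayed host name is the l/I swap
    if "I" in shown.netloc:
        findings.append("capital I used as a look-alike for l in " + shown.netloc)
    return findings


if __name__ == "__main__":
    for reason in analyse_link(VISIBLE, HREF, "westpac.com.au"):
        print("-", reason)
```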

When the victim clicks the link, a pop-up window opens containing an exact replica of the Westpac sign-in page. However, the pop-up displays no URL at all, so the victim has nothing to tell them that this is not the real Westpac sign-in.

At the same time, another site opens. This is the official Westpac "Terms and conditions" page.

Notice that this time the page opens in a normal browser window, not a pop-up. This is done so that you see the genuine URL and page and associate them with the pop-up carrying the fake sign-in. And it works: the victim sees two pages with the same design and no fake URL anywhere. This makes this phish a very, very dangerous one.

The only instant clue that this is phishing is that the link in the message points to a secure site (it starts with 'https'), yet no secure site opens.