According to Scotts Valley, Calif., content security vendor SurfControl, the new technique may increase its success rate because victims are used to seeing malicious URLs in Chase phishing attacks, not a number to call.
When victims dial the phone number, they are welcomed with a recorded message asking them for their account number, its expiration date and the last four digits of their Social Security number.
At the end, the message says, "Thank you. Your account has been verified."
The threat originated in Australia, SurfControl said in statement.
Chase said on its website that it normally sends emails to publicize a new banking feature, not to request personal information.
"Looks can be deceiving," the bank said. "As criminals make more credible forgeries of legitimate email and websites, you can no longer rely on seeing familiar graphics like the Chase logo."
"The key to determining the authenticity of email lies in the tone of the message and in the nature of the solicitation," added the bank statement. "Criminals want you to give them information, and they're not very subtle about it. Our goal in marketing via email is to inform you about a product or service we think you might be interested in."