The scam begins with users being sent an email inviting them to join the scheme, but clicking on the link takes them to a fake site (see screenshot below).
Andrew Brandt, a malware researcher at Webroot, explained in a blog post that the site then requests "all the information you gave the card-issuing bank at the time you first signed up for the credit card".
"That's Red Flag number one, but it's worth repeating. In a real sign-up form for Verified by Visa, you won't be asked to provide your mother's maiden name, social security number, birth date, or any other sensitive details that you wouldn't otherwise enter into a web-based order form while shopping online," he said.
"The page created by the phishing gang responsible for this scam is clearly more professional, slick and clean than most phishing pages. The form's businesslike appearance serves to reassure the victim that the page really belongs to Visa."
Nigel Hawthorn, European vice president of marketing at network security vendor Blue Coat Systems, added that users need URL filtering technologies as standard, because regular anti-virus tools will not protect against visiting phishing sites such as this.
![]()
"The initial lure is sent out by email but the real threat is via the web, so you need to make sure you have web defences and not just email and spam defences," he said.
Hawthorn added that Verified by Visa has been held up as such a "paragon of virtue" in protecting users against online threats that it is a natural place for the criminals to strike.