Chinese Fingered in Japan's Bank Portal Phishing Scams
By wchung | 04 May, 2025

Japanese police have traced money stolen through a fake bank portal phishing scam to three accounts held under Chinese names.

Two million yen stolen from the account of a customer of Sumitomo Mitsui Bank was eventually transferred to three different accounts held under what appear to be Chinese names, said the National Police Agency (NPA).

The digital theft was accomplished using a classic fake banking portal phishing scam that has been spreading recently in Japan.

On Monday the victim was induced — possibly through an email made to look like it had originated from Sumitomo — to open a web page masquerading as the Sumitomo portal. The unsuspecting victim entered a username and password. Later the same day, that login information was used by the phisher to access the victim’s account. Two million yen was transferred from there to another account under a Japanese name. From there the money was again transferred to three other accounts under what appeared to be Chinese names, according to NPA.

The three receiving accounts have been frozen.

The incident is among a number of “phishing” scams that have emerged recently, said NPA.

Phishing is the term used to describe scams in which victims are tricked into surrendering login data and other personal information online. That information is then used to steal funds from the victim’s bank accounts, stock trading accounts or credit card accounts.

Phony online banking portals have been uncovered masquerading as three financial institutions: Japan Post Bank Co., Sumitomo Mitsui Banking Co. and The Bank of Tokyo-Mitsubishi UFJ. The number of victims who have reported providing login information to these fake portals has risen to 156. On Oct. 29 a Mizuho Bank customer suffered the loss of several hundred thousand yen after being tricked into logging into a fake portal.

Earlier police in Tokyo and four prefectures have arrested 14 Chinese nationals on suspicion of using online scams to steal from bank accounts. They are working to bust the Chinese organized crime ring suspected of operating the scams.

Typically phishing victims are sent emails designed to look like those from well-known banks, credit card companies, internal revenue service, ecommerce sites or other businesses with which they may have transacted online business. The message of the email induce them to click links to web pages masquerading as belonging to those businesses but which, in fact, are operated by the scammers.

To foil to such phishing scams, most banks now display pre-agreed confidential visual and word keys on their login pages to assure customers that they are in fact about to log into legitimate pages.