Million dollar warning as phishing gets more clever

LONDON - A fake credit card scheme, offering online banking customers the chance to win $100,000 or a Las Vegas holiday, looks set to become the world's first million-dollar phishing fraud, according to internet intelligence specialists Envisional.

The people behind the 'Casino Rewards' scam have been sending a single email that, instead of taking in customers of a single bank, could fool customers of any of 12 major banks.

The email looks as if it has been sent by an online travel website, with photos and write-ups depicting grand Las Vegas hotels.

It offers a $100,000 personal credit card or the chance to win 10 days in a top hotel, plus up to $30,000 spending money. To "enter", recipients must join a new "Casino Rewards" programme, supposedly run by Visa, MasterCard and Amex, and sponsored by 12 large US and international banks, including Citibank and MBNA.

Users are enticed to click on the email and go through to a website offering further information. At this point they are invited to choose their bank from a drop-down list.

Once they select their bank, a fake web page that mimics that bank's log-in page appears and asks the user to enter their username and password. The criminals record these details and use them to empty the victim's account.

David Franklin, general manager at Envisional, said: "Despite all the previous warnings to consumers, a phishing attack on a single bank's customers often leads to losses of up to $100,000. But this attack is unusual, fairly subtle and targeted at 12 banks at once.

"Many more people will be taken in by this two-stage approach, in which the victim is initially reassured by the familiar credit card logos and then goes on to choose for himself from the list of banks.

"With more banks in the frame and more account holders being tricked, we can expect to see many hundreds of victims, mostly in the US, but also among UK and European customers of banks like Capital One, Citibank, MBNA and Wells Fargo. Total losses could easily be over $1 million."

An Envisional spokesman said the scam was not linked to the casino affiliate marketing website .