Banking Trojan and Infostealer Scams via Email
How malware delivered through email attachments and links harvests banking credentials, card details, and session cookies from infected devices.
Last reviewed: 8 June 2026
Banking trojans and infostealers are malicious programs designed specifically to harvest financial credentials, session tokens, and personal data from infected devices. They are most commonly distributed through email — disguised as invoices, delivery notifications, tax documents, or employment applications — and execute silently once a user opens an attachment or follows a download link.
Unlike ransomware, which announces itself immediately, infostealers are designed to be invisible. The victim continues using their device normally while the malware logs every keystroke on banking and shopping sites, captures screenshots at trigger moments, and exfiltrates captured data to remote servers.
How this scam works on email
An email arrives appearing to be from a courier service, a government tax authority, an employer, or a utility company. The attachment is labelled as an invoice, a delivery label, or a tax form. Opening the attachment or enabling macros in a document launches the malware payload. In some campaigns, the email instead contains a link to a compromised website that serves a drive-by download.
Once installed, the trojan waits for the victim to visit targeted banking or retail sites, then overlays a fake login form, logs the real credentials, or intercepts the session cookie after login. Data is exfiltrated over encrypted channels, and financial fraud may occur days or weeks later to avoid immediate detection.
Common red flags
- Email attachment from an unexpected sender asks you to enable macros or editing in a document
- Delivery notification or invoice email from a courier or company you did not recently interact with
- Antivirus software flags an attachment before you open it
- Unknown processes appear in task manager after opening a document
- Banking site prompts for additional personal information it never previously requested
How to protect yourself
- Never enable macros in documents from untrusted or unexpected email sources
- Open documents in a sandboxed viewer before downloading to your primary device
- Keep operating system and browser software patched and updated at all times
- Use up-to-date antivirus and endpoint protection software
- If banking credentials may have been compromised, contact your bank immediately and change passwords from a clean device
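The macro warning above can be checked before a document is ever opened. The following Python is an added example, not code from this page: it parses a raw email with the standard library and flags attachments that are macro-capable by extension or by content. The function names, addresses and sample files are constructed for illustration.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

OLE_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")  # legacy .doc/.xls container
MACRO_EXTS = (".docm", ".xlsm", ".pptm", ".dotm", ".xlam")


def inspect_attachment(name, data):
    """Return the reasons an attachment may carry Office macros."""
    reasons = []
    if name.lower().endswith(MACRO_EXTS):
        reasons.append("macro-enabled Office extension")
    if data.startswith(OLE_MAGIC):
        reasons.append("legacy OLE container, which can hold macros")
    if zipfile.is_zipfile(io.BytesIO(data)):  # OOXML files are ZIP packages
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            if any(n.lower().endswith("vbaproject.bin") for n in zf.namelist()):
                reasons.append("package contains vbaProject.bin (VBA code)")
    return reasons


def triage_email(raw):
    """Map each attachment filename in a raw message to its findings."""
    msg = message_from_bytes(raw, policy=policy.default)
    return {p.get_filename(): inspect_attachment(p.get_filename(), p.get_content())
            for p in msg.iter_attachments()}


def build_sample():
    """Constructed message: a fake 'invoice' with a placeholder VBA part."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("word/vbaProject.bin", b"placeholder bytes, not real VBA")
    msg = EmailMessage()
    msg["From"], msg["To"] = "billing@courier.example", "user@example.org"
    msg["Subject"] = "Your invoice"
    msg.set_content("Please enable editing to view the invoice.")
    for fname, data in (("invoice.docm", buf.getvalue()),
                        ("note.txt", b"Plain delivery note.")):
        msg.add_attachment(data, maintype="application",
                           subtype="octet-stream", filename=fname)
    return msg.as_bytes()


if __name__ == "__main__":
    for fname, findings in triage_email(build_sample()).items():
        print(fname, "->", findings or "no macro indicators")
```

An empty findings list only means no macro container was detected; it does not show that the attachment is safe.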
How to report it
- Report the malicious email to your national cybercrime or CERT authority
- Report to Action Fraud (UK) or IC3 (US) if financial loss occurred
- Forward phishing emails to [email protected] (UK) or [email protected]
Frequently asked questions
How do I know if a banking trojan has infected my device?
Infostealers are designed to be hard to detect. Indicators include unexpected banking activity, antivirus alerts, unknown processes running at startup, or a device running unusually slowly. A full malware scan and, if necessary, a factory reset are the most reliable remedies.