Owen Bowcott 

Who’s logging in to your account?

Crude emails belie complexity of growing scam to plunder online banking.
  
  


As scams go, the email was hardly sophisticated. "Hello dear client Barclays Bank," it warned recipients. "Today our system of safety at night has been cracked!!! It not a joke!!! It is the truth!!! We ask you, in order to prevent problems, to repeat registration of your data. Make it very quickly! Administration Barclays Bank."

But new research reveals the scale of a fraud which has already cost British banks hundreds of thousands of pounds after customers have been fooled by these apparently crude messages into divulging their online banking passwords to organised criminals.

The survey by the email security consultants MessageLabs will make grim reading for the online banking industry, which now boasts 11 million users. The scams, which first hit Britain last August, may range from the inept to the highly complex but they are starting to hurt.

"Phishing scams are pretty sophisticated, it's high level social engineering," said Mark Sunner, chief technical officer at MessageLabs. "They must be working because we are seeing so much of it. All the major banks are saying it's a problem. Initially they were worried about loss of reputation, now it's loss of money."

Rogue programmers

Because the criminals cannot obtain lists of customers, they speculatively target the most popular banks on the assumption their strike rate will be higher. Those who responded and logged on to the address in the Barclays email found a website that looked virtually identical to the bank's site.

Even a glance at the site's web address would have failed to alert users to the fact it was bogus. Rogue programmers in eastern Europe have learnt how to disguise an address by hiding additional letters or characters that would expose its true location. The scam emails often link to websites that differ by only one character from the genuine site.

If a bank customer, as prompted, typed in security codes they would have been exploited swiftly by the gangs, who would log in to the victim's online account and transfer money out.

But that is only the first stage of what has now been uncovered as a far more complex scam than first appreciated.

The problem for the fraudsters is getting the money out of the United Kingdom and back to eastern Europe.

A second level of deception is therefore necessary. Other willing British account holders are being recruited, usually for a 5% cut of the gains, to send the cash abroad via money transfer firms such as Western Union.

The police's national hi-tech crime unit (NHTCU) and the banks' association for payment clearing services (Apacs), which are coordinating the drive against phishing, call these recruits mules. They have been enticed into taking part in the belief that by making their accounts available they are helping out small Russian or east European businesses.

The criminals place adverts on websites and in magazines and newspapers, luring those seeking jobs or business opportunities. Their confidence trick is a variation on the well-documented Nigerian bank scam, though in this case it does pay out some money. One recent advert read: "We are looking for honest and smart people for business offer ... We are engaged in the sales of TVs and accessories."

The work, it added, would involve accepting "internal bank transfers from our clients with the subsequent sending to one of our legal representatives via Western Union Money Transfer or Money Gram". It goes on: "We shall notify in what bank you should open new account for work with us."

Sandra Quinn, of Apacs, said: "If people see adverts for earning money that appear to be too good to be true, then they probably are. What the mules are doing is illegal. The phishing emails seem to come in waves. They come from organised gangs generally based in eastern Europe and Russia. Mainly English-speaking countries have been hit, but there have been similar scams in France and Spain."

"The mules who are passing the money on are involved in money-laundering, though they may not think what they are doing is criminal. Phishing could be around for a long time," said a police spokeswoman.

In one attempt to elicit a sympathetic response, the criminals even pretended to be operating a charity. The British-registered Russian Orphan Opportunity Fund (Roof) has discovered that fraudsters copied its website and set up rival versions overseas on which they placed adverts to recruit mules.

"We have chased them off about five domain sites," said Georgia Williams, the founder of Roof. "But they keep reappearing. They are using our name in order to get people to apply for jobs. They also appear to be encouraging people who sign up to ship stolen electronics items, like TVs and CD players, to Russia. The way they have set up this scam is very clever."

Phishing scams first appeared about three years ago, according to the NHTCU, on the payment system used by the online auctioneers eBay.

They began targeting banks in Australia and South Africa first before hitting Britain last summer. One mass email last December targeted the Bank of England but failed to realise it had no customer accounts.

A spokeswoman for Barclays said the bank had, for a period, limited the amount of money that could be transferred electronically to limit the impact of phishing attacks.

"There's nothing wrong with online bank security," she said. "It has not been compromised. We have warned our customers not to reply to these emails. We are reimbursing our customers. Most of the main financial service providers have been hit."

 
