Mike Anderiesz 

A big catch in the phishing season

The practice of duping consumers into divulging financial information using spoof websites has seen a big increase in the past two months. Mike Anderiesz investigates the latest scams.
Last month marked the start of the coarse phishing season and it shows no sign of ending. The term applies to the practice of duping consumers into disclosing personal financial information online, usually by directing them to fake websites. More than 100m emails have been sent out globally in the past two months, purportedly from the likes of Visa, Halifax, Lloyds/TSB and Citibank. Although a dozen countries were targeted, UK institutions and customers were high on the list, with immediate results.

"For a lot of people, online banking is a new thing," explains Jason Clarke, of the Halifax, which has been hit twice since December. "They're not sophisticated when dealing with IT security the way they are with cash. Banks have invested a lot in the look and feel of their websites and communications - so if it doesn't look right, then it probably isn't."

Indeed, some of the attacks are laughably crude. The Citibank email contained dozens of grammatical errors, and a recent scam impersonating the Bank of England was undone by its authors' failure to realise that the bank has no consumer accounts. Others, however, are more convincing. Last week, the Federal Deposit Insurance Corp (FDIC), which insures US bank accounts, warned Americans of an email citing 9/11 anti-terror legislation as the reason for harvesting account information from an equally convincing spoof website. The site was shut down within days. However, in the words of an FDIC spokesman: "Someone did their homework."

Phishing attacks have been around since the mid-90s and seemed to be getting easier to spot. However, many blame Microsoft for the size and effectiveness of the current wave, thanks to a loophole in Internet Explorer discovered by an 18-year-old graphic designer. Posted on the Bugtraq website on December 9, the hole allows spammers to refine a technique known as "address obfuscation" to create false hyperlinks that are nearly impossible to tell from the real thing.

Obfuscation has been around for some time, and was designed to make email addresses harder for spam-bots to harvest, though camouflaged hyperlinks were still relatively easy to spot. Thanks to the Explorer loophole, anyone knowing the right JavaScript code can make the telltale www.bigname.com%01@2xx.2xx./login.login.htm display as the far more convincing www.bigname.com, while the link still leads to the attacker's server. Microsoft acknowledged the problem quickly but has been silent on when a fix could be expected.
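The trick relies on URL syntax: anything before an "@" in the address is a user name, and the real destination is the host after it. The following checker, an added example rather than anything from the article or the banks, shows what a mail filter or a user-education tool can flag; the sample email body and the address 203.0.113.5 are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, unquote

# Constructed lure email (not a real message); 203.0.113.5 is a documentation-range address.
SAMPLE_EMAIL = """Dear customer, please confirm your details at
http://www.bigname.com%01@203.0.113.5/login/login.htm within 24 hours.
Our genuine site remains at https://www.bigname.com/ as usual."""

URL_RE = re.compile(r"""https?://[^\s<>"']+""")


def analyse_link(url: str) -> dict:
    """Return the host a browser would really contact, plus the reasons a link looks like a decoy."""
    parts = urlsplit(url)
    # rpartition: the last "@" in the authority separates user info from host:port.
    userinfo, _, _ = parts.netloc.rpartition("@")
    real_host = (parts.hostname or "").lower()
    reasons = []
    if userinfo:
        # Everything before "@" is a user name; it is never the destination.
        reasons.append(f"text before '@' ({userinfo!r}) is not the destination host")
        if any(ord(ch) < 0x20 for ch in unquote(userinfo)):
            # A %01-style control byte is what made Explorer truncate the displayed address.
            reasons.append("control character hidden in the user name (display-truncation trick)")
        if "." in userinfo:
            reasons.append("user name is shaped like a domain name (decoy for the reader)")
    if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", real_host):
        reasons.append("destination is a bare IP address rather than the bank's domain")
    return {"url": url, "real_host": real_host, "decoy": userinfo,
            "reasons": reasons, "suspicious": bool(reasons)}


def scan_message(text: str) -> list:
    """Analyse every http(s) link in an email body and return one finding per link."""
    return [analyse_link(u) for u in URL_RE.findall(text)]


if __name__ == "__main__":
    for finding in scan_message(SAMPLE_EMAIL):
        status = "SUSPICIOUS" if finding["suspicious"] else "ok"
        print(f"{status}: {finding['url']} -> really {finding['real_host']}")
        for reason in finding["reasons"]:
            print(f"    - {reason}")
```

The same parsing rule explains the golden rule quoted later in the piece: typing the bank's address yourself sidesteps every trick that depends on what a link appears to say.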

In the meantime, the loophole has been exploited, with estimates that between 5% and 20% of recipients click on the re-engineered links - dwarfing spam's typical success rate of one in a million. The banks, however, backed by the National High Tech Crime Unit (NHTCU), dispute this figure.

"Although the Explorer bug has not helped," said a spokesperson for APacs, "neither is it wholly responsible for the increasing number of scams. The bug has exposed something that had been happening for some time - it has just allowed it to become more sophisticated."

In fairness to Microsoft, recent history suggests that when it comes to security, there is no such thing as a quick fix. Last summer's W32/Blaster bug rode in on the back of a security update to Windows, emphasising that the speed at which patches are hacked, reverse-engineered and then exploited invites new danger every time Microsoft confirms the contents of one. Hardly surprising, then, that it refuses to say whether this problem will be fixed on February 10, when the next Explorer update is due, preferring to attack the forums that publicised it in the first place.

"Microsoft is concerned that these new reports of vulnerabilities in Internet Explorer were not disclosed responsibly, potentially putting computer users at risk," said a spokesman, adding that the fix would only be released "when warranted - that is, as well engineered and thoroughly tested as possible".

Authorities are privately talking of surviving rather than reversing the current trend. UK banks and the NHTCU have closed down around 15 sites since September, but with at least two new ones appearing daily, no one is predicting whether a security patch would make a difference.

One (desirable) side effect might be that Britain's 11m online banking customers finally realise that clicking on unsolicited hyperlinks can be even more dangerous than email attachments.

"Internet banking on its own is very safe and secure, as long as you stick by the golden rules," says Clarke. "Don't divulge passwords or logon IDs to anyone, always communicate with your bank by typing in the normal URL, not clicking on a link, and keep all your essential applications fully patched and up to date."
