JPMorgan customers were targeted with a phishing scam earlier this week aimed at obtaining online banking credentials.
Security researchers from the email provider Proofpoint said the "Smash and Grab" phishing campaign tries to lure individuals to click on a malicious link in an email that looks like an authentic message from JPMorgan.
Even if customers do not proceed to sign into their JPMorgan bank account, the fraudsters try to automatically install the Dyre banking Trojan on their computers to steal passwords from other institutions, Proofpoint said.
A few dozen JPMorgan customers contacted the bank on Tuesday to report the suspicious emails, said spokeswoman Trish Wexler. The bank immediately contacted its Internet service providers to stop more emails from being distributed.
"This is a very small incident," Wexler said in a phone interview. "We are not aware of any fraud occurring."
JPMorgan Chase, which is the top U.S. bank with $2.5 trillion in total assets, has more than 50 million customers. The bank believes most of the spam was eliminated by fraud filters.
Proofpoint reported that about 150,000 emails were sent on Tuesday.
This story was first reported by Reuters. Mike Horn, the vice president of threat research at Proofpoint, told Reuters that it is unusual for spammers to infect PCs with malware while trying to make customers access their bank accounts because the scam can be detected more easily.
"Usually when they do credential phishing, that is all they do. In this case, they are throwing in the kitchen sink," Horn told Reuters.