On 28 January 2010 account holders in a number of European emissions trading registries and elsewhere received fake email requesting them to enter account information on a website. Users of Germany’s Emissions Trading Registry which is operated by the German Emissions Trading Authority (DEHSt) at the Federal Environment Agency in Berlin also received phishing email, which seeks to extract user names and passwords from users.
According to latest reports, seven of nearly 2,000 users of the German Emissions Trading Registry revealed their access data and thus enabled scammers to access their accounts. As a result, there were some 250,000 unauthorised emissions certificate (each worth about 12 euros) transfers. The affected operators and the Federal Environment Agency (UBA) have filed charges. As a protective measure against more scamming, there was a freeze on transactions issuing from the German Emissions Trading Registry on 29 January 2010. Regular activity is scheduled to resume on Thursday, 4 February 2010.
The DEHSt at UBA advised users of Germany’s Emissions Trading Registry immediately about the phishing scam on 28 January 2010 whilst warning against revealing any account data and providing hints on how to protect accounts in the event they had already been compromised. Furthermore, UBA also pointed out the additional security features on the German Emissions Trading Registry site, such as the four-eye principle when making transactions, and the automatic message sent upon logging in to the registry. Obviously, technical measures cannot guarantee absolute protection against fraud if account access data is disclosed voluntarily by the user himself.