Phishers Up Scam Ante With New Tactic
2005-01-08 19:24:00
Phishers are using a money-scamming technique that can fool even the most cautious consumer, a message security firm warned Monday.
Scotts Valley, Calif.-based SurfControl said that its researchers have spotted a tactic that exploits flaws in the Web sites of SunTrust Bank and Citibank Australia. The flaws let the scammers replace legitimate content on those sites with their own bogus material, all without monkeying with the authentic URL of the institutions.
In the past, phishers relied on a host of techniques to disguise the address of their phony Web sites from on-alert users, some of which relied on now-patched vulnerabilities in Microsoft's Internet Explorer browser.
"This is definitely one of the most sophisticated phishing techniques we've ever seen," said Susan Larson, SurfControl's vice president of content, in a statement. "Up until now, an informed computer user stood a chance of being able to identify a suspicious URL. This new technique demonstrates how computer criminals are engaged in a constantly evolving series of increasingly sophisticated efforts to defraud the public."
The phishers take advantage of a bug in the search script used on the two banking sites to run a JavaScript page that displays their own site instead of a real page from Citibank or SunTrust.
The best way for users to protect themselves against phishing attacks, said SurfControl, is to never divulge confidential information in response to an unsolicited e-mail, even if it appears to come from an institution or business the user deals with. Another defensive tactic is to never click on Web site links embedded within unsolicited messages.