Create a free account, or log in

Four major Australian banks targeted in tax time scam attempt: How to protect yourself

Email scams impersonating some of Australia’s biggest banks have been hitting inboxes over the past two weeks ahead of tax time.
Dominic Powell
Dominic Powell
software saas

Email scams impersonating some of Australia’s biggest banks have been hitting inboxes over the past two weeks, with fraudsters attempting to take advantage of time-poor Australians ahead of tax time.

Since May 24, just less than two weeks ago, email security software company Mailguard has detected four separate phishing email attempts, each impersonating a major financial services provider.

ANZ, BankWest, NAB and Westpac customers were all targeted in the scams, each one following a similar format.

Customers receive an email with a message purporting to be from one of these banks, usually alerting them to some “unusual activity” on their account, or telling them their account details need updating.

In the case of the ANZ email, users received a fake alert of a BPAY credit of more than $2,000, with a link prompting them to see more details about the transaction.

Screenshot from 2019-05-28 08-58-54
An example of a scam email. Source: Mailguard.

Often prompted by a sense of urgency or curiosity, recipients click the links in the emails and are led to what appears to be a login page for the respective bank, which are usually very well-made copies of the bank’s actual login page.

Users are prompted to enter their login credentials, before being asked to enter additional details such as their date of birth, drivers licence number, verbal passwords and security question answers.

After entering their credentials, users are often notified their login was unsuccessful, and are redirected to the real login page for the bank.

These email scams are intended to harvest the credentials of banking customers, and also provide cyber criminals with enough additional details to access their accounts via additional authorisation methods, or to perform identity theft.

Email scams targeting bank customers are nothing new, however, with end of financial year fast approaching, scammers are upping the ante, with the above four scams being sent out within a two-week period.

westpac 2
A well-crafted fake login page for Westpac. Source: Mailguard.

In the May-June period last year, ScamWatch received 4,335 reports about phishing scams, up from 3,517 in the March-April period. The amount lost to those scams last year was nearly $120,000.

The prevailing advice from experts when it comes to these impersonation scams is to never click the link. Business owners who receive a suspicious looking email such as the one above should check with their bank independently, by either calling them or logging in to your banking service through your phone app or a trusted link in your web browser.

Another giveaway is the email recipient and email content. Scam emails are usually plaintext without any graphics or company logos, and will contain nothing but a text and a link. That text is often also riddled with spelling and grammar mistakes.

SME cyber security awareness expert Mike Ouwerkerk told SmartCompany the scams were standard brandjacking, issued by scammers with the intent of scaring recipients into taking action without thinking.

“If it’s a scare tactic or a free lunch, that’s how you know it’s dodgy. These banks don’t work in that way. Legitimate companies don’t try and scare you,” he says.

“These scams can be pretty easy to handle if you know the rules, but the problem is a lot of people still don’t know the rules, and they see this stuff and make a quick decision.”

Ouwerkerk advises business owners to check and double check the hyperlinks and URLs the emails are directing you to, making sure to identify when the link is not a trusted or regular link for a banking website.

Nicholas Haritos, cyber security expert at Cybersecurity Essentials echoes this advice, and told SmartCompany in 2017 the URL of a web page is a giveaway for malicious activity.

“Always be on the lookout for dummy URLs, it’s one of the key ways of determining fake websites. If it doesn’t match to the original vendor’s website then something’s dodgy,” he said.

If you do come across a scam attempt, each bank often has hotlines to report them, which can be found through Google or through the bank’s official websites.

NOW READ: The tax time scams targeting your business and how to avoid them

NOW READ: Fake Australia Post email puts thousands of inboxes at risk of malware