If you’re one of the 15.9 million customers with the Commonwealth Bank, you should be careful of any emails from the bank – even if they look authentic.
A new email scam that parades as the Commonwealth Bank seeks to scrape victims’ card details and hack into their bank account, but it’s extremely hard to spot the signs it’s a scam.
Cyber-security group, MailGuard, issued a warning on the scam this week.
“Exercise caution if you receive an email supposedly from Commonwealth Bank – the bank has been spoofed via a new multi-staged phishing email scam,” MailGuard said.
“The hallmark of this scam lies in not only how well-crafted it is, but how it ironically utilises multiple safety features to steal confidential data of users.”
Targets will receive an email with the display name of ‘Commonwealth Bank of Australia’, but which is actually from a scammer.
The body of the email then tells users that irregular activity has been detected on their account and their account has been restricted, with a link provided to “restore access.”
But, spoiler alert: that link doesn’t restore access to the targets’ supposedly compromised account.
Rather, it directs them to another Commonwealth Bank-branded page requesting users supply their NetBank credentials.
Once targets have done this, they’re directed to another page where they need to “verify their identity” by supplying their card number, expiry date and security code.
If alarm bells haven’t been ringing by this stage, they should definitely be going off at this request.
“To reduce the risk of being tricked by one of these scams, you should immediately delete any emails that ask you to submit personal information that the sender should already have access to,” MailGuard said.
After entering their card details, victims are led to another fake page which asks them to complete two-factor authentication by having a ‘NetCode’ sent to their mobile phone.
Once this is done, they’re sent to an ‘error message’ page, telling the victims that the code has expired.
“The sole purpose of this elaborate phishing scam is to harvest the login credentials of Commonwealth Bank customers so the criminals behind this scam can break into their bank accounts,” MailGuard said.
“It is also interesting to note that the email and the phishing pages ironically use security features such as multi-factor authentication. This is a common trait expected of such a well-established bank.
“All this serves to elicit a more confident response from recipients who think they are, in fact, making their accounts more secure by clicking on the provided link and entering their confidential login details.”
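Two of the tell-tales described above, a bank brand in the display name on a non-bank sender address and a request for card details the bank already holds, can be checked mechanically. The following triage script is an added example, not code from the article or from MailGuard; the legitimate domain list and the two sample messages are assumptions constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumption (not from the article): domains the impersonated bank legitimately sends from.
LEGIT_DOMAINS = {"commbank.com.au"}
BRAND_WORDS = ("commonwealth bank", "commbank", "netbank")
# Requests for data the bank already holds (MailGuard's rule of thumb quoted above).
SENSITIVE_REQUESTS = re.compile(r"card number|expiry date|security code|netbank (client|password)", re.I)


def _host_is_legit(host: str) -> bool:
    return host in LEGIT_DOMAINS or any(host.endswith("." + d) for d in LEGIT_DOMAINS)


def triage(raw_email: str) -> list[str]:
    """Return the phishing indicators found in a raw, single-part text email."""
    msg = message_from_string(raw_email)
    findings = []
    display_name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    # Brand name shown to the recipient, but the real sender is not the bank.
    if any(w in display_name.lower() for w in BRAND_WORDS) and domain not in LEGIT_DOMAINS:
        findings.append(f"display name '{display_name}' but sender domain '{domain}'")
    body = "" if msg.is_multipart() else msg.get_payload()
    # The urgency pretext used in this campaign: restricted account / irregular activity.
    if re.search(r"account (has been )?restricted|irregular activity", body, re.I):
        findings.append("urgency pretext: restricted account / irregular activity")
    # Any "restore access" style link must point at the bank's own domain.
    for url in re.findall(r"https?://[^\s>\"]+", body):
        host = re.sub(r"^https?://", "", url).split("/")[0].lower()
        if not _host_is_legit(host):
            findings.append(f"link to non-bank host '{host}'")
    if SENSITIVE_REQUESTS.search(body):
        findings.append("asks for card or login details the bank already holds")
    return findings


# Constructed sample mimicking the campaign described in the article (sender and link are placeholders).
SAMPLE = """\
From: Commonwealth Bank of Australia <alerts@example-notifications.invalid>
To: customer@example.com
Subject: Irregular activity detected
Content-Type: text/plain

Irregular activity has been detected and your account has been restricted.
Restore access: https://netbank-verify.example.invalid/restore
You will be asked to verify your card number, expiry date and security code.
"""

# Constructed benign message for comparison: bank domain, bank link, no request for secrets.
LEGIT_SAMPLE = """\
From: Commonwealth Bank <noreply@commbank.com.au>
To: customer@example.com
Subject: Your statement is ready
Content-Type: text/plain

Your statement is available at https://www.commbank.com.au/statements after you log in as usual.
"""

if __name__ == "__main__":
    for line in triage(SAMPLE):
        print("INDICATOR:", line)
```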
What do I do if I get this scam email?
If you receive this email, don’t click on any links.
“Your bank will always ask you to go to their website directly by typing their URL into your web browser address field, as a precautionary security measure,” MailGuard said.
Instead, you should just delete this email immediately.