A new scam targeting Commonwealth Bank customers asks users to confirm credit card ‘activity’, but actually steals victims’ personal details.
Security software group MailGuard sounded the alarm on Friday, calling on Australians to “exercise caution” if they receive the fake email.
The Commonwealth Bank of Australia has around 15.9 million customers, and the scam is easy to fall for because it closely mimics genuine Commonwealth Bank security practices.
Victims receive an email asking them to confirm recent account activity and to verify whether they or an ‘other person you trust’ may have used their ‘Debit or ATM card’.
The email then provides a link to ‘verify’ the ‘transaction details’.
Unsuspecting victims who click on the ‘transaction details’ link are taken to a page on the lookalike domain ‘commbonk’, a phishing page imitating the Commonwealth Bank sign-in page.
Victims then enter their client number and password to log on and are redirected to the legitimate Commonwealth Bank sign-in page, but by that stage the scammers have already harvested the client number and password.
“Commonwealth Bank is one of Australia’s best known and most trusted brands, so it is irresistible to phishing scammers as it widens their victim base,” MailGuard said.
“The hallmark of this scam lies in its ability to trick users by ironically using a security alert. Verifying irregular transaction activity is a common trait of well-established banks like Commonwealth and it’s this focus on security that cybercriminals behind this scam leverage on.”
However, there are several clear indicators that this email is a scam.
These include poor grammar, such as ‘are all transactions listed above clear for you?’, and the ‘commbonk’ domain name.
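The indicators above (a lookalike domain, a link in the email at all, and a generic greeting instead of the customer's name) can be checked mechanically. The following Python example is added here and is not part of the article or of MailGuard's tooling; the allowlist of genuine bank domains, the edit-distance threshold, and both sample emails are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlparse

# Assumption: allowlist of the bank's genuine web domains, maintained by the defender.
LEGIT_DOMAINS = {"commbank.com.au"}

# Public suffixes under which the registrable name is three labels long (example set).
MULTI_PART_SUFFIXES = {"com.au", "net.au", "org.au", "co.uk", "co.nz"}

URL_RE = re.compile(r"https?://[^\s<>\"']+")
GENERIC_GREETINGS = ("dear customer", "dear user", "dear client", "valued customer")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: single-character edits needed to turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_domain(host: str) -> str:
    """Strip subdomains: www.commbonk.com.au -> commbonk.com.au."""
    labels = host.lower().rstrip(".").split(".")
    suffix_len = 2 if ".".join(labels[-2:]) in MULTI_PART_SUFFIXES else 1
    return ".".join(labels[-(suffix_len + 1):])


def classify_link(url: str):
    """Return (verdict, domain) for one URL.

    'legitimate' if the registrable domain is allowlisted, 'lookalike' if its
    name part is within two edits of an allowlisted name (commbonk vs commbank),
    otherwise 'unrelated'. The threshold of 2 is an assumption for this example.
    """
    host = urlparse(url).hostname or ""
    domain = registrable_domain(host)
    if domain in LEGIT_DOMAINS:
        return "legitimate", domain
    for legit in LEGIT_DOMAINS:
        # Compare only the name label so the shared suffix does not mask the swap.
        if edit_distance(domain.split(".")[0], legit.split(".")[0]) <= 2:
            return "lookalike", domain
    return "unrelated", domain


def analyse_email(body: str) -> dict:
    """Apply the article's indicators to an email body and return the findings."""
    lower = body.lower()
    generic = any(g in lower for g in GENERIC_GREETINGS)
    links = [classify_link(u) for u in URL_RE.findall(body)]
    lookalikes = [d for v, d in links if v == "lookalike"]
    if lookalikes:
        verdict = "phishing"          # lookalike domain is the strongest signal
    elif links or generic:
        verdict = "suspicious"        # the bank says genuine mail carries no links
    else:
        verdict = "clean"
    return {"generic_greeting": generic, "links": links,
            "lookalike_domains": lookalikes, "verdict": verdict}


# Constructed sample modelled on the email the article describes (not the real message).
SAMPLE_SCAM = """Dear Customer,

Are all transactions listed above clear for you? If not, please verify the
transaction details here: http://www.commbonk.com.au/netbank/verify
"""

# Constructed sample of a message that follows the advice in the article.
SAMPLE_OK = """Hi Jane,

Your statement is ready. Log in through the CommBank app or by typing
commbank.com.au into your browser. No links are included in this message.
"""

if __name__ == "__main__":
    for name, body in (("scam", SAMPLE_SCAM), ("ok", SAMPLE_OK)):
        print(name, analyse_email(body))
```

Running the script prints a "phishing" verdict for the constructed scam sample (generic greeting plus the ‘commbonk’ lookalike) and "clean" for the second sample, which names the recipient and carries no link.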
“This is another reminder for those who utilise online banking to pay close attention to the emails they receive from their banks. To best protect yourself, it is imperative that you do not click any link contained within an email, especially if it does not address you by name (as in the scam above).”
Instead, navigate to the official website by typing the official URL into your browser, using the official banking app, or calling the number on the back of your debit card.
“As banks have been a major target for scammers, they have also been working hard to distinguish their legitimate correspondence from the ‘fakes’ and educating their customers on best security practices,” MailGuard said.
“This is also why any legitimate correspondence from your bank won't have links to their website.”
If you’ve received this email, you can report the scam by calling 132 221 or emailing them at firstname.lastname@example.org.