16 million Australians targeted by fake CBA ‘security alert’

Customers of Australia's biggest bank should be on alert. (Source: Getty, MailGuard)

If you’re with the Commonwealth Bank, you should tread very carefully.

That’s because scammers appear to be targeting customers of Australia’s biggest bank in particular, with warnings of yet another email scam attempting to steal CBA customers’ personal and banking details.

The latest email scam, intercepted by email security software platform MailGuard, claims the recipient’s account has been disabled due to a sign-in attempt from an “unrecognised device in Australia”.

“We require you to complete our account verification to restore access please click the link below [sic],” the email reads.

A button in the email compels the user to click on ‘More details’, with MailGuard warning the bank’s 16 million customers not to fall for the phishing attempt.

“Commonwealth Bank customers must remain vigilant when receiving emails about problems with their account,” MailGuard said in a recent online alert.

Screenshot of fake security alert email spoofing Commonwealth Bank
(Source: MailGuard)

Upon clicking the button, the user is asked to complete an identity verification that the scam claims will “restore access” to the customer’s account.

But the giveaway is that the customer is then directed to a Linktree page with Commonwealth Bank branding that asks the customer to ‘Log on to NetBank’, followed by a request for a client number and password.

Screenshot of fake Commonwealth Bank login page
(Source: MailGuard)

“As you can see, the above screenshot is a replica of the actual Commonwealth Bank online banking page,” MailGuard said.

Additional links added for extra authenticity are designed to fool victims. “Unsuspecting users may easily be tricked into entering their details without a second take.”

If the user keys in their client number and password (which will subsequently be harvested by the scammer), the user is then taken to a page asking for a one-time password sent to the user’s mobile number.

The scam has very convincing-looking webpages that look just like CBA's actual platform – but these are fake and designed to harvest your details. (Source: MailGuard)

Then the victim is asked for their full name, date of birth, zip code, and phone number. This is then followed by a request for their banking card details.

“After the attacker has harvested these credentials, victims are provided with the following OTP verification message, before being redirected to a legitimate CommBank login page,” MailGuard said.

The scam warning is the latest from MailGuard, which last week issued a similar warning about a different scam spoofing the same big bank.

How to keep an eye out for this scam

Scam attempts can be incredibly convincing, but there are usually a few dead giveaways.


In this instance, your first clue should be that you aren’t addressed by name: the email begins very impersonally, with “Dear user”.

There are also grammatical errors, not to mention the suspicious Linktree page.

“MailGuard urges all recipients of this email to delete it immediately without clicking on any links,” the security platform said.

“Providing your personal details can result in your sensitive information being used for criminal activity and can have a severe impact on your financial well-being.”

Furthermore, if you wish to use a particular banking platform, you can always access it through their legitimate website rather than clicking through a link in an email.

What to do if you’ve received this email

Report the email to CBA, the big bank advised.

“Report suspicious emails to then delete them straight after. Do not reply or engage with them.”

Bear in mind that the bank will never ask you for banking information through email or text.

Australians can also report scams to Scamwatch.
