Millions of Westpac online banking customers are being targeted in a phishing scam that aims to steal crucial details, including login and credit card information.
The scammers copied the Westpac logo and other brand assets to create an email whose sender is displayed as “Westpac Online Banking” but which was actually sent from a compromised email address.
“With the holidays in sight, and many Australians relying on their online banking for purchases, paying bills, and checking their bank accounts, scammers have used emotive messaging to trick even the savviest user into thinking this may be a legitimate communication from Westpac,” email security service MailGuard said.
The body of the email tells victims there has been an attempt to sign in to their account from an unrecognised device.
Customers are then asked to complete an account verification in order to restore access to their online banking account.
“Upon closer inspection of the email, although there are no obvious grammatical errors to pick up, aside from the unusual inclusion of ‘Australia First Bank’, the formatting of the email is quite simplistic and not representative of a professional alert that would normally be sent from Westpac,” MailGuard said.
Another warning sign is the fact that the email is addressed generically to “Dear client”, whereas a customer would expect communications from the bank to be personalised.
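The warning signs described above (a spoofed display name on a non-bank sender address, a generic “Dear client” greeting, the odd “Australia First Bank” wording, the unrecognised-device lure and off-brand links) can be checked mechanically. The following is an added example, not code from the article or from MailGuard; the sample message is constructed, and the bank's legitimate domain is an assumption.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse
# Assumption: the bank's genuine sending/link domain (not stated in the article).
BANK_DOMAINS = ("westpac.com.au",)
GENERIC_GREETINGS = ("dear client", "dear customer", "dear user")
ODD_PHRASES = ("australia first bank",)          # wording MailGuard flagged as unusual
LURE_PHRASES = ("unrecognised device", "account verification", "restore access")
URL_RE = re.compile(r"https?://[^\s\"'<>]+")

def is_bank_host(host: str) -> bool:
    host = (host or "").lower()
    return any(host == d or host.endswith("." + d) for d in BANK_DOMAINS)

def plain_text(msg) -> str:
    parts = msg.walk() if msg.is_multipart() else [msg]
    return "".join(p.get_payload(decode=True).decode("utf-8", "replace")
                   for p in parts if p.get_content_type() == "text/plain")

def phishing_indicators(raw_email: str) -> list[str]:
    """Return the names of the indicators present in a raw RFC 5322 message."""
    msg = message_from_string(raw_email)
    display, addr = parseaddr(msg.get("From", ""))
    text = plain_text(msg).lower()
    found = []
    # Display name borrows the bank's brand but the address is on another domain.
    if "westpac" in display.lower() and not is_bank_host(addr.rsplit("@", 1)[-1]):
        found.append("display_name_domain_mismatch")
    if any(g in text for g in GENERIC_GREETINGS):   # "Dear client" instead of a name
        found.append("generic_greeting")
    if any(p in text for p in ODD_PHRASES):
        found.append("odd_brand_phrase")
    if any(p in text for p in LURE_PHRASES):        # unrecognised-device lure
        found.append("lure_phrase")
    # Genuine footer links may point at the bank; flag any link that does not.
    if any(not is_bank_host(urlparse(u).hostname) for u in URL_RE.findall(text)):
        found.append("off_brand_link")
    return found

# Constructed sample modelled on the article's description (addresses are placeholders).
SAMPLE_PHISH = """\
From: "Westpac Online Banking" <alerts@compromised-sender.example.net>
Content-Type: text/plain; charset=utf-8

Dear client,
We noticed a sign-in from an unrecognised device. Complete account verification
to restore access: https://verify.example.invalid/update
Australia First Bank | Help: https://www.westpac.com.au/help
"""
```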
When a user clicks on the red “Update account” button, they are taken to a login page.
Again, the scammers have used the red colouring that Westpac is known for, along with legitimate links at the bottom of the page, to make the page more convincing to victims.
After entering a Customer ID and Password, victims are taken to the next page, which asks them to verify the account by providing their full name, date of birth, postcode and phone number.
Once ‘verified’, customers are taken to an OTP (one-time password) page where they are required to enter a security code that has been sent to them.
The next step in the scam is particularly damaging, as the details it collects can result in severe financial loss once in the hands of cybercriminals, MailGuard warned.
“In order to continue with the false verification process, customers are asked to enter their credit card details, before being asked for OTP verification for a second time,” it said.
The last page thanks the customer and advises them their “account will be confirmed in 48 hours”, accompanied by a strange message about all transactions being refunded to the victim in 48 hours.
“The sole purpose of this elaborate phishing scam is to harvest the login credentials of Westpac customers so the criminals behind the scam can break into their bank accounts, and possibly sell the victims’ information on the dark web,” MailGuard said.
“Therefore, it is crucial that customers remain vigilant. By typing in your customer ID and password, personal ID, and credit card information, you’re handing sensitive account information to cybercriminals.”