Exercise caution if you receive an email claiming to be from the Commonwealth Bank (CommBank). It is part of a phishing scam designed to trick bank customers into giving up their confidential details.
The email incorporates the bank’s logo and branding and uses the display name “CommBank”. MailGuard found that it was actually sent from a compromised email address belonging to a research institute in Sweden.
The body of the email is short and simple, notifying the recipient that some error(s) have been found in their account details. It urges them to confirm that their profile details are unchanged by clicking a link, and warns that “failure to confirm details may lead to access locked out.” (refer to screenshot 1)
Screenshot 1 is a sample of the email MailGuard intercepted. Note the authentic-looking branding in the header. As with many of the more cleverly designed phishing emails MailGuard intercepts, this scam leads victims via a link to a bogus sign-in page. The fake page walks them through several steps before redirecting them to the genuine CommBank website. (refer to screenshot 2)
As screenshot 2 shows, recipients are first prompted to enter their account details, including their client number and password. Once they have done so, they are asked to generate and enter a NetCode, as shown in screenshot 3.
This fails the first time, and the bogus page asks them to enter their NetCode again. After completing this step a second time, the user is redirected to the CommBank website. (refer to screenshot 4)
CommBank is one of Australia’s best known and most trusted brands, which makes it irresistible to phishing scammers. The multi-step nature of the attack makes it all the more convincing to users, who may expect their bank to apply such security measures before letting them log in.
This is another reminder for those who use online banking to pay close attention to the emails they receive from their banks. To best protect yourself, do not click any link contained in an email, especially one that does not address you by name (as in the scam above). Instead, type the bank’s website address into your browser yourself or use the official banking app.
As banks have been a major target for scammers, they have been working hard to distinguish their legitimate correspondence from the ‘fakes’ and to educate their customers on security best practices. This is also why legitimate correspondence from your bank won’t contain links to its website; banks will instead ask you to enter the address into your browser manually. And if you are ever unsure whether it is genuinely your bank trying to reach you, contact them directly to confirm.
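The two red flags the post points to, a “CommBank” display name on mail sent from an unrelated domain and a link in the body that does not lead to the bank, can be turned into a simple inbound-mail check. The following is an added example written for this page, not MailGuard’s code or any tool described in the post. The brand-to-domain allowlist (using commbank.com.au as the assumed legitimate sending domain) and both sample messages are assumptions constructed for the example.

```python
import re
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumed brand-to-domain allowlist. The domain is an assumption standing in
# for the bank's legitimate sending domain; a real deployment would load it
# from policy rather than hard-code it.
BRAND_DOMAINS = {
    "commbank": {"commbank.com.au"},
    "commonwealth bank": {"commbank.com.au"},
}

URL_RE = re.compile(r"""https?://[^\s"'<>]+""", re.IGNORECASE)

# Constructed sample modelled on the email described in the post: the display
# name says CommBank, the sending address does not, and the body carries a link.
PHISH_SAMPLE = b"""From: "CommBank" <admin@research-institute.example>
To: customer@example.com
Subject: Confirm your account details
Content-Type: text/plain; charset="utf-8"

Some error(s) have been found on your account details.
Please confirm your profile: https://secure-verify.example.net/commbank/login
Failure to confirm details may lead to access locked out.
"""

# Constructed sample of what a legitimate notice should look like: matching
# sender domain and no links, as the post says bank correspondence should be.
LEGIT_SAMPLE = b"""From: CommBank <noreply@commbank.com.au>
To: customer@example.com
Subject: Your statement is ready
Content-Type: text/plain; charset="utf-8"

Your statement is available. Please log in via the app or by typing our
address into your browser.
"""


def brand_in_display_name(display_name):
    """Return the brand keyword a display name claims, or None."""
    name = display_name.lower()
    for brand in BRAND_DOMAINS:
        if brand in name:
            return brand
    return None


def host_belongs_to(host, domains):
    """True if host is one of the allowlisted domains or a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)


def analyse_message(raw_bytes):
    """Return the claimed brand and a list of findings for one RFC 5322 message."""
    msg = BytesParser(policy=policy.default).parsebytes(raw_bytes)
    display_name, address = parseaddr(str(msg["From"] or ""))
    findings = []
    brand = brand_in_display_name(display_name)
    if brand is None:
        return {"brand": None, "findings": findings}

    # Check 1: the display name claims a bank, so the sending address should
    # belong to that bank's domain.
    sender_domain = address.rpartition("@")[2]
    if not host_belongs_to(sender_domain, BRAND_DOMAINS[brand]):
        findings.append(
            f"display name '{display_name}' but sender domain '{sender_domain}'"
        )

    # Check 2: any link must point at the bank's own domain. Only the hostname
    # counts; a brand name in the URL path (as in the sample) proves nothing.
    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body is not None else ""
    for url in URL_RE.findall(text):
        host = urlparse(url).hostname or ""
        if not host_belongs_to(host, BRAND_DOMAINS[brand]):
            findings.append(f"link host '{host}' is not a {brand} domain")
    return {"brand": brand, "findings": findings}


if __name__ == "__main__":
    for label, sample in (("phish", PHISH_SAMPLE), ("legit", LEGIT_SAMPLE)):
        result = analyse_message(sample)
        print(label, result["brand"], *result["findings"], sep="\n  ")
```

Run stand-alone, the constructed phishing sample produces two findings (sender domain mismatch and an off-brand link host) while the legitimate sample produces none. The subdomain test in `host_belongs_to` matches `mail.commbank.com.au` but deliberately rejects look-alikes such as `commbank.com.au.example.net`, which is why the comparison is on the registered domain suffix rather than a substring search.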