Commonwealth Bank spoofed in phishing email containing fake ‘security message’

by chebbi abir

Commonwealth Bank (CommBank) customers – be on the lookout for an email claiming to be from the bank. Cybercriminals have spoofed the bank in a phishing email scam that is currently infiltrating inboxes.

MailGuard intercepted the first of these fraudulent emails on the morning of Thursday 5 September (AEST). The emails were sent from a single compromised email address but carry the display name ‘Commonwealth Bank of Australia’, so a recipient who looks only at the sender name, and not at the underlying address, sees the bank’s name. The body of the email is addressed to a ‘Valued Customer’ and informs recipients that they have ‘1 IMPORTANT-security message(s) from NetBank Security team’.

A link is provided to log into NetBank and view the message.

Here is a screenshot of the email:

[Screenshot: the phishing email]


Unsuspecting recipients who click on the link are led to a web page that is nearly identical to the authentic Commonwealth NetBank login page. This is a phishing page with fake CommBank branding. It asks the user to enter their NetBank login credentials; once every required field has been filled in, the credentials are harvested and the user is redirected to the genuine Commonwealth Bank web portal, so the redirect helps mask the theft.

Here is a screenshot of the page:

[Screenshot: the phishing login page]

CommBank is one of Australia’s best known and most trusted brands, so it is irresistible to phishing scammers.

Although the cybercriminals went to some lengths to make the phishing page look legitimate, this scam was not as cleverly designed as some of the ones we see here at MailGuard.

One reason is that the phishing email itself contains formatting and grammatical errors, such as ‘To read the message Click here to logon to NetBank’. This is an obvious red flag for anyone vigilant enough to spot fake emails.

This is another reminder for those who use online banking to pay close attention to the emails they receive from their banks. To best protect yourself, do not click any link contained within an email, especially if it does not address you by name (as in the scam above). Best practice is to type the bank’s website address into your browser yourself, or to use the official banking app.

As banks have been a major target for scammers, they have also been working hard to distinguish their legitimate correspondence from the ‘fakes’ and to educate their customers on good security practices. This is also why legitimate correspondence from your bank should not ask you to log in via a link; banks will instead ask you to enter the address into your browser manually. If you are ever unsure whether it is genuinely your bank trying to reach you, contact the bank directly to confirm.

As a precaution, we urge you not to click links within emails that:

  • Are not addressed to you by name.
  • Appear to be from a legitimate company but use poor English or omit personal details that a legitimate sender would include.
  • Are from businesses that you were not expecting to hear from.
  • Take you to a landing page or website that is not the legitimate URL of the company the email is purporting to be sent from. The Commonwealth Bank login page is:
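The checklist above can be applied mechanically to an incoming message. The Python script below is an added example for this page, not MailGuard’s or Commonwealth Bank’s own code: it parses a raw email, compares the sender’s display name against the sender’s actual domain, looks for a generic salutation, and checks whether every link in the HTML body points at the brand’s own domain or a subdomain of it. The two messages in the block are constructed for the example (the first is modelled on the email described in this article); the trusted-domain list, the compromised sender address and the phishing host are all assumptions, and the trusted list in particular must be confirmed against the bank’s own published addresses before use.

```python
"""Heuristic red-flag checker for bank-themed phishing emails.

Added example for this page; not MailGuard's or Commonwealth Bank's code.
The sample messages below are constructed for the example, and the trusted
domain list is an assumption to confirm against the bank's own site.
"""
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed legitimate domain(s) for the impersonated brand (verify before use).
TRUSTED_DOMAINS = {"commbank.com.au"}
# Words in a display name that claim the brand.
BRAND_WORDS = {"commonwealth", "commbank", "netbank"}
# Salutations that show the sender does not know the customer's name.
GENERIC_SALUTATIONS = ("valued customer", "dear customer", "dear user")


class LinkExtractor(HTMLParser):
    """Collect (href, anchor text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def domain_is_trusted(domain, trusted=TRUSTED_DOMAINS):
    """True only if `domain` is a trusted domain or a subdomain of one.

    A suffix match with a leading dot rejects look-alikes such as
    commbank.com.au.evil.test, which merely start with the real name.
    """
    domain = domain.lower().rstrip(".")
    return any(domain == d or domain.endswith("." + d) for d in trusted)


def url_is_trusted(url, trusted=TRUSTED_DOMAINS):
    """Judge a link by its parsed host, never by text that appears in it."""
    return domain_is_trusted(urlparse(url).hostname or "", trusted)


def check_message(raw, trusted=TRUSTED_DOMAINS):
    """Return the list of red flags found in a raw RFC 5322 message."""
    msg = message_from_string(raw)
    flags = []

    # 1. Display name claims the brand but the address is from elsewhere.
    name, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rpartition("@")[2]
    if any(w in name.lower() for w in BRAND_WORDS) and not domain_is_trusted(sender_domain, trusted):
        flags.append(f"display name {name!r} but sender domain {sender_domain!r}")

    # 2. Generic salutation instead of the customer's name.
    body = ""
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            body = part.get_payload(decode=True).decode(part.get_content_charset() or "utf-8")
            break
    text = re.sub(r"<[^>]+>", " ", body).lower()
    for salutation in GENERIC_SALUTATIONS:
        if salutation in text:
            flags.append(f"generic salutation {salutation!r}")
            break

    # 3. Any link whose host is not the brand's own domain.
    extractor = LinkExtractor()
    extractor.feed(body)
    for href, anchor in extractor.links:
        if not url_is_trusted(href, trusted):
            flags.append(f"link to untrusted host {href!r} (anchor text {anchor!r})")
    return flags


# Constructed message modelled on the email described above (addresses and host are invented).
SAMPLE_PHISH = """\
From: Commonwealth Bank of Australia <accounts@compromised-example.test>
To: victim@example.org
Subject: 1 IMPORTANT-security message(s) from NetBank Security team
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Dear Valued Customer,</p>
<p>You have 1 IMPORTANT-security message(s) from NetBank Security team.</p>
<p>To read the message <a href="http://netbank-secure-logon.example.test/logon">Click here to logon to NetBank</a></p>
</body></html>
"""

# Constructed message with none of the indicators: named recipient, no links.
SAMPLE_LEGIT = """\
From: Commonwealth Bank <noreply@commbank.com.au>
To: jane@example.org
Subject: Your statement is ready
Content-Type: text/html; charset="utf-8"

<html><body><p>Dear Jane Smith,</p>
<p>Your statement is available in NetBank. Type the address into your browser or use the app.</p>
</body></html>
"""

if __name__ == "__main__":
    for label, raw in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        print(label, check_message(raw) or "no red flags")
```

The host check deliberately ignores anything but the parsed hostname, so `http://commbank.com.au@evil.test/` (the real name in the user-info part) and `http://commbank.com.au.evil.test/` (the real name as a prefix) are both rejected. The checker is a filter aid, not a verdict: a message that passes all three checks can still be malicious, and the advice in the article to type the address yourself still applies.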

Commonwealth Bank offers a comprehensive online resource to help identify and report scams purporting to be from them. You can verify the authenticity of any contact you aren’t sure about, or report phishing, by calling 132 221 or emailing them at

Don’t get scammed

If your company’s email accounts aren’t protected, emails like the one above are almost certainly being received by your staff. Cybercriminals know people can be tricked; that’s why they send out millions of scam messages and put so much effort into making them look convincing.

People are not machines; we’re all capable of making bad judgement calls. Without email filtering protecting your business, it’s just a matter of time before someone in your organisation has a momentary lapse of judgement and clicks on the wrong thing.


To read the original article:

