If you’re one of the Commonwealth Bank’s 15.9 million customers, be careful with any email that appears to come from the bank, even if it looks authentic.
A new email scam impersonating the Commonwealth Bank seeks to harvest victims’ NetBank login credentials, card details and one-time codes in order to take over their accounts, and the signs that it is a scam are hard to spot.
- Related story: Aussies warned of very realistic Telstra scam
- Related story: Major bank app glitch left customers making multiple payments
- Related story: SCAM: CommBank customers targeted by $500 cardless cash hoax
Email security firm MailGuard issued a warning about the scam this week.
“Exercise caution if you receive an email supposedly from Commonwealth Bank – the bank has been spoofed via a new multi-staged phishing email scam,” MailGuard said.
“The hallmark of this scam lies in not only how well-crafted it is, but how it ironically utilises multiple safety features to steal confidential data of users.”
Targets receive an email whose display name reads ‘Commonwealth Bank of Australia’, but which is actually sent from an address the scammer controls; the display name is chosen by the sender and proves nothing about who sent the message.
The body of the email then tells users that irregular activity has been detected on their account and their account has been restricted, with a link provided to “restore access.”
But, spoiler alert: that link doesn’t restore access to the targets’ supposedly compromised account.
Rather, it directs them to another Commonwealth Bank-branded page requesting users supply their NetBank credentials.
Once targets have done this, they’re directed to another page where they need to “verify their identity” by supplying their card number, expiry date and security code.
If alarm bells haven’t been ringing by this stage, they should definitely be going off at this request.
“To reduce the risk of being tricked by one of these scams, you should immediately delete any emails that ask you to submit personal information that the sender should already have access to,” MailGuard said.
After entering their card details, victims are led to another fake page that mimics two-factor authentication, asking them to enter the ‘NetCode’ sent to their mobile phone.
Once this is done, they’re sent to an ‘error message’ page, telling the victims that the code has expired.
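Two of the tells in the flow described above can be checked mechanically: the display name claims to be the bank while the address behind it belongs to a different domain, and the “restore access” link points somewhere other than the bank’s own domain. The Python script below is an added example, not code from the original article or from MailGuard; it runs both checks over two constructed messages, one shaped like the scam described and one legitimate. The list of legitimate sender domains and the sample addresses and hostnames are assumptions for illustration only.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumed set of domains the bank really sends from (illustrative only;
# confirm the real sender domains before relying on this in production).
LEGIT_DOMAINS = {"commbank.com.au"}
# Words in a display name that amount to a claim of being the bank.
BRAND_WORDS = ("commonwealth bank", "commbank", "netbank")
HREF_RE = re.compile(r'href=["\']([^"\']+)["\']', re.IGNORECASE)

# Constructed sample messages (not real emails from the campaign).
SCAM_EMAIL = """\
From: "Commonwealth Bank of Australia" <alerts@cba-secure-notice.example>
To: customer@example.com
Subject: Irregular activity detected - account restricted
Content-Type: text/html; charset=utf-8

<html><body>
<p>We have detected irregular activity on your account and restricted it.</p>
<p><a href="https://www.commbank.com.au.netbank-verify.example/restore">Restore access</a></p>
</body></html>
"""

LEGIT_EMAIL = """\
From: "Commonwealth Bank" <noreply@commbank.com.au>
To: customer@example.com
Subject: Your monthly statement is ready
Content-Type: text/html; charset=utf-8

<html><body>
<p>Log in to NetBank to view your statement.</p>
<p><a href="https://www.commbank.com.au/netbank">Open NetBank</a></p>
</body></html>
"""


def is_legit_host(host):
    """True if host is one of LEGIT_DOMAINS or a subdomain of one.

    The suffix check is anchored on a leading dot, so a lookalike such as
    'commbank.com.au.evil.example' does not pass.
    """
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in LEGIT_DOMAINS)


def sender_domain(from_header):
    """Split a From: header into (display name, domain of the real address)."""
    name, addr = parseaddr(from_header)
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    return name, domain


def extract_links(msg):
    """Return every href found in the HTML (or plain) body of the message."""
    body = msg.get_body(preferencelist=("html", "plain"))
    if body is None:
        return []
    return HREF_RE.findall(body.get_content())


def analyse(raw_message):
    """Return a list of findings; an empty list means neither check fired."""
    msg = message_from_string(raw_message, policy=policy.default)
    findings = []

    # Check 1: brand in display name, but the address is on another domain.
    name, domain = sender_domain(str(msg.get("From", "")))
    claims_brand = any(w in name.lower() for w in BRAND_WORDS)
    if claims_brand and not is_legit_host(domain):
        findings.append(f"display-name spoof: '{name}' sent from {domain}")

    # Check 2: any link whose hostname is outside the bank's domains.
    for link in extract_links(msg):
        host = urlparse(link).hostname or ""
        if not is_legit_host(host):
            findings.append(f"off-domain link: {host}")

    return findings


if __name__ == "__main__":
    for label, raw in (("scam", SCAM_EMAIL), ("legit", LEGIT_EMAIL)):
        print(label, analyse(raw) or "no findings")
```

The second check deliberately resolves the full hostname rather than looking for the bank’s name anywhere in the URL: the constructed scam link starts with `www.commbank.com.au` but is actually a subdomain of an unrelated registrable domain, which is exactly the kind of lookalike a casual glance misses.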