Exercise caution if you receive an email supposedly from Commonwealth Bank. MailGuard has detected that a phishing email scam spoofing the bank is infiltrating inboxes.
First detected this morning (AEST), 29th November 2019, the emails use various display names, each containing the word ‘CommBank’. They actually originate from multiple senders belonging to different domains that have been created ad-hoc for this scam. The subjects used by the emails also vary.
The body of the email contains a heading titled ‘Activity Confirmation’. It asks you to verify whether you, ‘or other person you trust’ have used your ‘Debit or ATM Card’. A link is provided for you to verify your ‘transaction details’. The email asks whether ‘the transactions listed’ are clear. If the details are clear, users are instructed to call the bank using several telephone numbers. If they are not, users are told to call a separate set of numbers to ‘block’ the ‘compromised card’.
Here is a screenshot of the email:
Unsuspecting recipients who click on the link to view ‘transaction details’ are each led to a different ‘bit.ly’ short link, which redirects to a page on a domain containing 'commbonk'. This is a phishing page masquerading as the Commonwealth Bank sign-in page.
Here is a screenshot of the phishing page:
Once users have entered their ‘client number’ and ‘password’ to ‘log on’, these are harvested by the cybercriminals behind this phishing scam. The scam terminates by leading users to the legitimate Commonwealth Bank sign-in page, as per the below.
Whilst MailGuard is stopping this email scam from reaching Australian businesses, we encourage all users to be extra vigilant against this kind of email and whatever happens, do not respond to it.
Commonwealth Bank is one of Australia’s best known and most trusted brands, so it is irresistible to phishing scammers as it widens their victim base.
The hallmark of this scam lies in its ability to trick users by, ironically, using a security alert. Verifying irregular transaction activity is a common practice of well-established banks like Commonwealth, and it is this focus on security that the cybercriminals behind this scam leverage. Here are some of the specific techniques they’ve incorporated to trick recipients:
- use of a major brand name to inspire false trust; the usage of the supposed ‘Commonwealth’ display name boosts the email's credibility,
- inclusion of ‘Helplines’ typically expected of a well-established bank, such as bank support numbers for local and overseas locations in the email and support links in the phishing page, and
- false urgency; a subject line such as ‘Action Required’ and a signature supposedly from 'Commonwealth Bank of Australia Fraud Security Support' creates a sense of panic and anxiety.
Despite these techniques to fool users into thinking the email is authentic, eagle-eyed recipients will spot red flags that point to its illegitimacy, with the biggest being the fact that the link doesn't actually point to Commonwealth Bank. Besides this, the email also contains spacing errors and grammatical mistakes like ‘are all transactions listed above clear for you?’.
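As an added illustration of the red flags listed above (this is example code, not part of MailGuard's post or product), the following Python check scans a constructed sample message, modelled on the scam described, for the indicators a mail filter could key on: a brand name in the display name while the sender domain is not the bank's, an ‘Action Required’ subject, a generic greeting instead of the recipient's name, and links that go through a URL shortener or to a domain one letter away from ‘commbank’. The sender and link hosts in the sample are placeholders, and commbank.com.au is assumed here to be the bank's legitimate domain.

```python
import re
from email import policy
from email.parser import Parser
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample, modelled on the email described in the post. The sender
# and link hosts are placeholders, not the scam's real infrastructure.
SAMPLE_EMAIL = """\
From: CommBank Fraud Security Support <alerts@adhoc-sender.example>
To: customer@example.com
Subject: Action Required - Activity Confirmation
Content-Type: text/html

<html><body>
<h2>Activity Confirmation</h2>
<p>Dear Customer, please verify whether you or other person you trust
have used your Debit or ATM Card.</p>
<p><a href="https://bit.ly/placeholder">View transaction details</a></p>
</body></html>
"""

BRAND = "commbank"
BRAND_WORDS = ("commbank", "commonwealth")
BANK_DOMAINS = ("commbank.com.au",)          # assumed allowlist of the bank's real domains
URL_SHORTENERS = ("bit.ly", "tinyurl.com", "t.co")
HREF_RE = re.compile(r'href\s*=\s*["\']?([^"\'\s>]+)', re.I)
GENERIC_GREETING_RE = re.compile(r"\bDear\s+(Customer|Valued Customer|User|Client)\b", re.I)


def in_allowlist(host, allowed=BANK_DOMAINS):
    """True if host is one of the allowed domains or a subdomain of one."""
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in allowed)


def edit_distance(a, b):
    """Plain Levenshtein distance, used to spot one-letter brand lookalikes."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_brand(host):
    """True if a DNS label is within one edit of the brand name but the host is not the bank's."""
    if in_allowlist(host):
        return False
    return any(edit_distance(label, BRAND) <= 1 for label in host.lower().split("."))


def phish_indicators(raw):
    """Return (code, detail) pairs for each red flag found in a raw RFC 822 message."""
    msg = Parser(policy=policy.default).parsestr(raw)
    findings = []

    # Brand word in the display name, but the envelope address is not the bank's domain.
    display, addr = parseaddr(str(msg["From"]))
    sender_domain = addr.rpartition("@")[2]
    if any(w in display.lower() for w in BRAND_WORDS) and not in_allowlist(sender_domain):
        findings.append(("brand_display_name", f"'{display}' sent from {sender_domain}"))

    # Urgency cue in the subject line.
    if "action required" in str(msg["Subject"]).lower():
        findings.append(("urgency_subject", str(msg["Subject"])))

    # Generic salutation rather than the customer's name.
    body = msg.get_content() if not msg.is_multipart() else ""
    greeting = GENERIC_GREETING_RE.search(body)
    if greeting:
        findings.append(("generic_greeting", greeting.group(0)))

    # Every link should point at the bank; shorteners hide the destination,
    # and near-miss spellings of the brand are lookalike domains.
    for url in HREF_RE.findall(body):
        host = urlparse(url).hostname or ""
        if host in URL_SHORTENERS:
            findings.append(("shortened_link", url))
        elif lookalike_brand(host):
            findings.append(("lookalike_domain", host))
        elif not in_allowlist(host):
            findings.append(("offbrand_link", host))
    return findings


if __name__ == "__main__":
    for code, detail in phish_indicators(SAMPLE_EMAIL):
        print(f"{code:20s} {detail}")
```

The lookalike check is deliberately applied to the link host after any shortener has been resolved, so in a real filter the bit.ly destination (the ‘commbonk’ page in this scam) would be fed through `lookalike_brand` once the redirect is followed in a sandbox; the allowlist is consulted first so the bank's own subdomains never trip it.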
This is another reminder for those who use online banking to pay close attention to the emails they receive from their banks. To best protect yourself, it is imperative that you do not click any link contained within an email, especially if it does not address you by name (as in the scam above). It is best practice to type the website URL into your browser or use the official banking app instead.
As banks have been a major target for scammers, they have also been working hard to distinguish their legitimate correspondence from the ‘fakes’ and educating their customers on best security practices. This is also why any legitimate correspondence from your bank won't have links to their website. Banks will instead ask you to manually enter it into your internet browser. Also, if you are ever unsure if it is your bank genuinely trying to reach you, simply contact them directly to confirm.
Commonwealth Bank offers a comprehensive online resource to help identify and report scams purporting to be from them. You can verify the authenticity of any contact you aren’t sure about, or report phishing, by calling 132 221 or emailing them at firstname.lastname@example.org.
Don't get scammed
If your company’s email accounts aren’t protected, emails like the one above are almost certainly being received by your staff. Cybercriminals know people can be tricked; that’s why they send out millions of scam messages and put so much effort into making them look convincing.
People are not machines; we're all capable of making bad judgement calls. Without email filtering protecting your business, it’s just a matter of time before someone in your organisation has a momentary lapse of judgement and clicks on the wrong thing.
It's time to get the protection your business needs.
Speak to the MailGuard team today to learn more about how MailGuard's predictive and advanced email security can help protect your business for a few dollars per staff member per month.
Talk to a solution consultant at MailGuard today about securing your company's network.
Why not stay up-to-date with MailGuard's latest blog posts by subscribing to free weekly updates?