MailGuard 13 August 2025 11:10:07 AEST 7 MIN READ

CommSec “Final Notice” phishing email harvests trading logins

A fresh phishing campaign impersonating CommSec is urging recipients to “Complete Your Tax Information” to avoid account limitations. The lure is neat, on-brand and designed to rush investors into entering their Client ID and password on a counterfeit site.

MailGuard’s AI-powered filters are blocking this campaign at scale, and we’re publishing key indicators and screenshots below so you can brief staff and customers quickly.

What the scam looks like

Key indicators from the samples we have seen:

  • Subject line (example): Final Notice: Complete Your Tax Information
  • Display name: `Commsec` (note the casing)
  • CTA in the email: Complete Now → opens a fake login page

The email carries the “Final Notice” message and a blue ‘Complete Now’ button. Clicking it opens a phishing site styled as the standard CommSec sign-in page.

[Screenshot: Commsec - 0825 - email]

On first load the fake login page, carrying CommSec branding, requests the victim’s Client ID and Password.

[Screenshot: Commsec - 0825 - Login]

After the credentials are submitted, a processing screen shows a spinner. Our analyst was unable to progress past this step, which suggests a credential-harvesting front end that either blocks non-targeted traffic or varies the flow by IP address or device.

[Screenshot: Commsec - 0825 - Processing]

Why it works


  • Urgency + consequence: “Final notice” and potential account limitations pressure quick action.
  • Brand familiarity: Clean templates imitate CommSec’s layout and footer.
  • Minimal friction: Only a single link leads to a login page, no obviously malicious attachments.
  • Infrastructure churn: The operation rotates a large set of sender domains to evade simple blocklists.

Sender pattern observed

Attackers pair a generic “address section” (the local-part), for example `support@`, `security@`, `billing@`, `onlinebank@`, `noreply@` or `helpdesk@`, with dozens of randomised, mostly six-letter .com domains.

Examples of 'from' addresses:

`onlinebank@uifgih.com`, `support@wvjskt.com`, `finance@xgswul.com`, `notification@uifgih.com`, `onlinebank@irxisp.com`, `reset@klgzpe.com`, `update@xyjmrk.com`, `security@xgswul.com`, `service@xgswul.com`, `it-support@xgswul.com`, `billing@uifgih.com`

Known 'sending' domains (sample of 49):

`rwftqk.com, juffuh.com, xyjmrk.com, irxisp.com, xgswul.com, wvjskt.com, tbujpg.com, odszni.com, wwjjxt.com, rtassy.com, jchpyl.com, orihww.com, mdpxvf.com, lssesg.com, qqnrzl.com, ytruog.com, tiqdnz.com, rdezzw.com, xxfbco.com, tawsog.com, jowqib.com, klgzpe.com, aygjpw.com, rrapfa.com, mxhrhf.com, tvpnuq.com, uyihnq.com, taeuri.com, ytzppb.com, sxpwrb.com, locpez.com, ysyjls.com, aaebhf.com, uzdrog.com, vfalzc.com, qsrdn.com, lqdsxw.com, nijqdk.com, ieiwsa.com, edwulc.com, wdtvmb.com, sxnjtw.com, cxdlvj.com, sxhxjr.com, vcxthg.com, pqlwfc.com, uifgih.com, odsrez.com, mmduuz.com`

What to watch for

  • Misspelt display names (e.g., Commsec vs CommSec).
  • Messages that reference tax information or temporary limitations.
  • Links that open a non-CommSec domain (e.g., lookalikes or hyphenated domains).
  • Requests for Client ID and password outside the known official app or bookmarked URL.

Risk to organisations and investors

Credential theft enables account takeover, trading manipulation and privacy breaches. Follow-on fraud is a further risk, because reused passwords often unlock email and banking services as well. Because the message carries few obvious red flags (clean HTML, familiar branding, a single link and no attachment), it can slip past legacy controls and user intuition.

MailGuard’s proprietary AI/ML threat engine correlates behavioural signals (credential-capture flows, brand-mimic structure, sender anomalies) and infrastructure fingerprints (domain age/entropy patterns, rotation clusters) to block first-encounter phishing, before users see it. Once blocked, our network suppresses variants that recycle templates across the domain set above.

Immediate actions for security teams

Brief users:

  • Refunds, tax updates and account limitations are high-risk lures.
  • Navigate directly to services via bookmarks, not email links.

Harden controls:

  • Alert on newly registered or high-entropy domains in email links.
  • Add warning banners for external senders using finance-related keywords.
  • Prefer FIDO/WebAuthn or app-based MFA for brokerage logins; monitor impossible travel and session reuse.
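As an added example (written for this article, not MailGuard’s engine or CommSec’s code), the following Python triage helpers apply the sender pattern described above and the link check from the hardening list: a sender is blocked when its domain is one of the 49 published indicators and queued for review when a generic local-part sits on a random-looking domain; a link is flagged when its registrable domain is not on an allow list. Shannon entropy over a five- or six-letter label does not separate these domains from real ones (every all-distinct six-letter label scores the maximum of log2 6 ≈ 2.58, and `commsec` itself scores about 2.24), so the “random-looking” test uses letter-run structure instead. `ALLOWED_LINK_DOMAINS`, the naive `registrable_domain` rule and the sample messages are assumptions constructed for the example.

```python
"""Triage helpers for the CommSec lure described in this article.

Added example, not MailGuard's or CommSec's code. KNOWN_SENDER_DOMAINS and
GENERIC_LOCAL_PARTS are copied from the sender-pattern section above;
ALLOWED_LINK_DOMAINS, registrable_domain() and the sample messages are
assumptions constructed for illustration.
"""
import re
from urllib.parse import urlparse

# Sender domains published above (sample of 49).
KNOWN_SENDER_DOMAINS = frozenset("""
rwftqk.com juffuh.com xyjmrk.com irxisp.com xgswul.com wvjskt.com tbujpg.com
odszni.com wwjjxt.com rtassy.com jchpyl.com orihww.com mdpxvf.com lssesg.com
qqnrzl.com ytruog.com tiqdnz.com rdezzw.com xxfbco.com tawsog.com jowqib.com
klgzpe.com aygjpw.com rrapfa.com mxhrhf.com tvpnuq.com uyihnq.com taeuri.com
ytzppb.com sxpwrb.com locpez.com ysyjls.com aaebhf.com uzdrog.com vfalzc.com
qsrdn.com lqdsxw.com nijqdk.com ieiwsa.com edwulc.com wdtvmb.com sxnjtw.com
cxdlvj.com sxhxjr.com vcxthg.com pqlwfc.com uifgih.com odsrez.com mmduuz.com
""".split())

# Generic "address section" local-parts seen in the campaign.
GENERIC_LOCAL_PARTS = frozenset({
    "support", "security", "billing", "onlinebank", "noreply", "helpdesk",
    "finance", "notification", "reset", "update", "service", "it-support",
})

# Assumption: where a genuine CommSec/CBA link should land. Maintain this from
# the provider's own published domains, not from this example.
ALLOWED_LINK_DOMAINS = frozenset({"commsec.com.au", "commbank.com.au"})

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)
VOWELS = set("aeiou")

# Constructed sample body: one legitimate-looking link, one off-brand link.
SAMPLE_BODY = (
    "Final Notice: Complete Your Tax Information\n"
    "Complete Now: http://commsec-verify.example.com/complete\n"
    "Help: https://secure-login.commsec.com.au/help\n"
)


def registrable_domain(host):
    """Collapse a hostname to its registrable domain.

    Naive rule (assumption): last two labels, or last three for ccTLD
    second-level forms such as com.au. Use the public suffix list in
    production."""
    labels = host.lower().rstrip(".").split(".")
    if (len(labels) >= 3 and len(labels[-1]) == 2
            and labels[-2] in {"com", "net", "org", "gov", "edu", "co"}):
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def looks_random(label):
    """Weak heuristic for machine-generated labels such as 'rwftqk'.

    Flags 5-6 letter labels that have no vowels, or contain a run of three
    or more consonants or three or more vowels. It catches 41 of the 49
    domains above but also ordinary words such as 'chrome', so treat it as
    a review signal, never as grounds to block on its own."""
    if not (5 <= len(label) <= 6 and label.isalpha()):
        return False
    if not any(c in VOWELS for c in label):
        return True
    return bool(re.search(r"[aeiou]{3,}|[^aeiou]{3,}", label))


def triage_sender(addr):
    """Return (verdict, reason) for a header From address."""
    local, _, domain = addr.lower().rpartition("@")
    domain = registrable_domain(domain)
    if domain in KNOWN_SENDER_DOMAINS:
        return "block", f"sender domain {domain} is a published indicator"
    if local in GENERIC_LOCAL_PARTS and looks_random(domain.split(".")[0]):
        return "review", f"generic local-part {local!r} on random-looking {domain}"
    return "allow", "no sender indicator matched"


def suspicious_links(body):
    """Return registrable domains of links that are not on the allow list."""
    hits = set()
    for url in URL_RE.findall(body):
        host = urlparse(url).hostname
        if host and registrable_domain(host) not in ALLOWED_LINK_DOMAINS:
            hits.add(registrable_domain(host))
    return sorted(hits)


if __name__ == "__main__":
    for sender in ("onlinebank@uifgih.com", "support@zzqqxx.com",
                   "noreply@commsec.com.au"):
        print(sender, "->", triage_sender(sender))
    print("off-brand link domains:", suspicious_links(SAMPLE_BODY))
```

Wire `triage_sender` to the header `From` address and `suspicious_links` to the rendered body; the published domain set should be refreshed as MailGuard or CommSec publish further indicators, and a “review” verdict belongs in an analyst queue rather than an automatic block.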

If credentials were entered:

  • Reset passwords, terminate active sessions, rotate MFA secrets.
  • Review trade history and funding movements; engage the provider’s fraud team immediately.
  • Report the incident to CommSec, to the ACSC and to your internal security function.

CommSec urges: if you receive a suspicious email, phone call or SMS from someone claiming to be from CommSec or the Commonwealth Bank, do not disclose your account details. Contact CommSec on 13 15 19 or CBA customer service on 13 22 21.

Stay Safe, Know the Signs

MailGuard advises all recipients of these emails to delete them immediately without clicking on any links. Responding or providing personal details can lead to identity theft, data breaches, and financial losses.

Avoid emails that:

  • Aren’t addressed to you personally.
  • Are unexpected and urge immediate action.
  • Contain poor grammar or miss crucial identifying details.
  • Direct you to a suspicious URL that isn’t associated with the genuine company.

Many businesses turn to MailGuard after a near miss or incident. Don't wait until it's too late. Reach out to our team for a confidential discussion by emailing expert@mailguard.com.au or calling 1300 30 44 30.

One Email Is All That It Takes

All that it takes to devastate your business is a cleverly worded email message that can steal sensitive user credentials or disrupt your business operations. If scammers can trick one person in your company into clicking on a malicious link or attachment, they can gain access to your data or inflict damage on your business.

For a few dollars per staff member per month, you can protect your business with MailGuard's specialist 'zero zero-day' email security. Special Ops for when speed matters! Our real-time 'zero zero-day' email threat detection amplifies our clients’ intelligence, knowledge, security and defence. Talk to a solution consultant at MailGuard today about securing your company's inboxes.
