A new wave of phishing emails are impersonating CommSec, attempting to steal customer login credentials through a fake W-8BEN information review notice. The emails claim that the recipient’s W-8BEN information associated with an international account requires a review and updating.
It warns that failure to complete the update may affect the recipient’s ability to continue using certain international account features, with services potentially restricted or placed on hold. The message includes a link labelled “Submit materials”, which directs recipients to a fraudulent CommSec login page.
The email uses the subject line:
Important Notice: W-8BEN Information Review
It purports to come from CommSec using sender names including:
Commsec-Bank
Commsec
Commsec-Message
Commsec-Reply
Commsec-Support
However, the sending domains observed by MailGuard are not legitimate CommSec domains. Examples include:
cn-zh-jjbdianjing(dot)com
ch-home-oubo(dot)com
zh-zone-yuyantv(dot)com
ch-speed-esports(dot)com
cnzh-yuyanlive(dot)com
The campaign also uses unique sending addresses for each message, a tactic commonly used to increase deliverability and make detection more difficult.
Recipients who click the link are taken to a fake CommSec login page. The page asks for a Client ID and password and includes design elements that imitate CommSec’s branding and login experience.
MailGuard observed that after fake credentials were entered, the page took several seconds before returning an error message stating that the Client ID or password was incorrect. This may indicate that the attackers are attempting to use submitted credentials in real time.
This campaign is concerning because it uses a realistic account maintenance theme that may appear familiar to investors and account holders. W-8BEN forms are used by non-US persons to certify foreign status for US tax withholding purposes. Many investment platform customers may recognise the term, which gives the email a degree of credibility.
The email also uses administrative and compliance-related language rather than obvious urgency or exaggerated claims. It refers to tax documentation, account classification, reporting, and withholding treatment, all of which may appear plausible in the context of an international trading or investment account.
That's what makes this type of phishing campaign effective. It does not need to be dramatic. It simply needs to appear routine enough for the recipient to act.
There are several warning signs in this campaign:
Customers should never access financial services accounts through links in unexpected emails. Instead, they should navigate directly to the official website or use the verified mobile application.
Financial services phishing remains a major risk because stolen credentials can provide attackers with access to sensitive personal, financial, and investment information. Once a Client ID and password are compromised, cybercriminals may attempt account takeover, identity theft, additional credential harvesting, or further social engineering.
For businesses, the risks can extend beyond the individual recipient. Compromised credentials can expose email accounts, finance systems, investment platforms, personal records, and broader organisational data.
This campaign is another reminder that modern phishing often relies on trust in familiar brands, ordinary business processes, and legitimate-sounding account notices.
Stay Safe, Know the Signs
MailGuard advises all recipients of these emails to delete them immediately without clicking on any links. Responding or providing personal details can lead to identity theft, data breaches, and financial losses.
Avoid emails that:
Many businesses turn to MailGuard after a near miss or incident. Don't wait until it's too late. Reach out to our team for a confidential discussion by emailing expert@mailguard.com.au or calling 1300 30 44 30.
All that it takes to devastate your business is a cleverly worded email message that can steal sensitive user credentials or disrupt your business operations. If scammers can trick one person in your company into clicking on a malicious link or attachment, they can gain access to your data or inflict damage on your business.
For a few dollars per staff member per month, you can protect your business with MailGuard's specialist AI-powered, zero-day email security. Special Ops for when speed matters! Our real-time zero-day, email threat detection amplifies our client’s intelligence, knowledge, security and defence. Talk to a solution consultant at MailGuard today about securing your company's inboxes.
Stay up-to-date with MailGuard's latest blog posts by subscribing to free updates. Subscribe to weekly updates by clicking on the button below.