The cybercriminals responsible for the recent spate of phishing scams pretending to be from Australian banks are back again, with another email purporting to be from the Commonwealth Bank.
This email has the subject heading ‘New statement and important message’ and as you can see in the screenshot below, it informs the recipient that they have a new bank statement to review.
When the recipient clicks either the 'View statement now' or 'now available' links, they are then taken to a fake ‘NetBank’ login page. As you can see, the email recipient is asked to enter their internet banking credentials.
If the email recipient enters their login details, they are furthermore redirected to a page asking for their credit card details. This is a standard phishing email with no payload attached. This page is designed to collect credit card information, and it should be noted that as your bank already has your credit card details, they would never ask you to enter them in online.
By filling in the details and clicking 'View statement now', the recipient will then be taken to an error page stating "You have already read this statement," and finally redirected back to the real Commonwealth Bank website.
As you will also note circled in blue, both website URLs are incorrect and not the same as the legitimate Commonwealth bank website and Netbank login page which is https://www.my.commbank.com.au/netbank/Logon/Logon.aspx
This is another reminder for those who utilise online banking, to pay close attention to the emails they receive from their banks. To best protect yourself, it is imperative that you do not click any link contained within an email, especially if you are not sure of its authenticity. It is best practice to type the website URL into your browser or use the official banking app in this instance.
As banks have been a major target for scammers, they have also been working hard to distinguish their legitimate correspondence from the ‘fakes’ and educating their customers on best security practices. This is also why any legitimate correspondence from your bank won't have links to their website. Banks will instead ask you to manually enter it into your internet browser. Also, if you are ever unsure if it is your bank genuinely trying to reach you, simply contact them directly to confirm.
Phishing scams usually only affect the email recipient as they ask for personal banking information only. Businesses are affected when these phishing scams trick users into downloading executable files which may lock, encrypt or steal business data. You can also protect your business from such email scams by ensuring you backup your data each day, educating your staff on being scam-wise, and utilising multilayered defences such as desktop anti-virus and cloud-based email and web filtering services.