Bank of Queensland customers have been targeted by a clever phishing scam masquerading as a ‘payment alert’ notification delivered to unsuspecting victims by email. This is the second phishing attempt that MailGuard has intercepted involving a financial institution this week, following an email fraud spoofing ANZ.
The email purporting to be from BOQ arrives in the recipient's inbox with the subject ‘Dear BOQ Customer – You have 1 New Payment Waiting’ from a forged email address, customer service(at)boq(dot)com(dot)au.
Here's the email below:
Cybercriminals often use trusted names to prevent victims from checking twice, especially if a customer happens to be waiting for a payment. This creates the perfect scenario for scammers to lure users into providing credentials for use in criminal activity such as fraudulent payments, or simply to capture the credentials to be re-sold on the dark web.
If a recipient clicks on the ‘Log On to View Your Account’ link in the email, they are taken to a phishing page that asks them to enter their online banking credentials.
After these credentials are entered, users are taken to the legitimate BOQ home page.
The techniques used in this BOQ scam, such as copying the branding and colouring of a trusted company and redirecting to the actual homepage, are designed to confuse and mislead recipients into handing their details to criminals. Those details are later used to access bank accounts, steal funds, or execute other fraudulent payments, and the harvested credentials are used in various illegal activities.
BOQ offers their customers the following advice:
“If you receive such an email, do not click any links and do not provide your CAN or password. BOQ will never provide you with a link to log into your Internet Banking. Only access Internet Banking by typing www.boq.com.au into your internet browser.
If in doubt, contact BOQ urgently on 1300 55 72 72 (24 hours a day, 7 days a week).
Find more information here: https://www.boq.com.au/help-and-support/fraud-and-scams/report”
MailGuard urges all recipients of this email to delete it immediately without clicking on any links. Providing your personal details can result in your sensitive information being used for criminal activity and may have a severe negative impact on your financial well-being.
MailGuard urges users not to click links or open attachments within emails that:
- Are not addressed to you by name.
- Appear to be from a legitimate company but use poor English, or omit personal details that a legitimate sender would include.
- Are from businesses that you were not expecting to hear from, and/or
- Take you to a landing page or website that is not the legitimate URL of the company the email is purporting to be sent from.
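One way to automate the last check in the list above, as an added example that is not MailGuard's or BOQ's code: it compares the domain claimed in the From header with the host of every link in the HTML body. The sample message is constructed, and the sender local part and the link host are placeholders.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlsplit

# Constructed sample: local part and link host are placeholders, since the
# page does not publish the real phishing URL.
SAMPLE_EML = """\
From: BOQ <payments@boq.com.au>
Subject: Dear BOQ Customer - You have 1 New Payment Waiting
Content-Type: text/html; charset="utf-8"

<html><body>
<a href="http://logon.phish-placeholder.example/ib">Log On to View Your Account</a>
<a href="https://www.boq.com.au/help-and-support">Help</a>
</body></html>
"""

HREF_RE = re.compile(r'href\s*=\s*["\']([^"\']+)["\']', re.IGNORECASE)


def host_in_domain(host, domain):
    """True if host is the domain itself or a subdomain of it."""
    host, domain = host.lower().rstrip("."), domain.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)


def off_domain_links(raw_message):
    """Return (sender_domain, links whose host is outside the sender's domain)."""
    msg = message_from_string(raw_message)
    _, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rpartition("@")[2].lower()
    suspicious = []
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue
        payload = part.get_payload(decode=True)
        html = payload.decode(part.get_content_charset() or "utf-8", "replace")
        for url in HREF_RE.findall(html):
            host = urlsplit(url).hostname or ""
            if host and not host_in_domain(host, sender_domain):
                suspicious.append(url)
    return sender_domain, suspicious


if __name__ == "__main__":
    domain, links = off_domain_links(SAMPLE_EML)
    for link in links:
        print(f"sender claims {domain}, but link goes to {link}")
```

Legitimate senders sometimes link through third-party hosts, so a hit is a reason to review the message rather than proof of fraud.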
One email is all that it takes
All that it takes to devastate your business is a cleverly worded email message that can steal sensitive user credentials or disrupt your business operations. If scammers can trick one person in your company into clicking on a malicious link or attachment, they can gain access to your data or inflict damage on your business.
For a few dollars per staff member per month, you can protect your business with MailGuard's predictive and advanced email security. Talk to a solution consultant at MailGuard today about securing your company's network.