The use of a survey and a $75 reward is a new twist on Australian bank scams; in this instance the phishing email impersonates NAB in order to steal customers’ credit card credentials.
Here is a sample of the email:
The email purports to be from the National Australia Bank and is not addressed personally to the recipient, one of the first signs that an email may not be legitimate. The emails appear to originate from third-party Amazon (AWS) web servers, which is most likely done to hide the sender's IP reputation: mail sent directly from known malicious IP addresses would otherwise be automatically blocked by antivirus (AV) security scanners. Also, because the scam is sent from AWS, the emails pass SPF (Sender Policy Framework) checks, another criterion used by AV vendors, and are therefore less likely to be flagged as malicious.
The email itself is very basic: the FROM header appears to be from NAB, and the body contains a single link. The email and landing page also contain several grammatical errors, which are early warning signs that the survey is actually a scam.
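An SPF pass only says that the sending server was allowed to send for the envelope (Return-Path) domain; it says nothing about whether that domain matches the bank shown in the FROM header. The check below, an added example that is not MailGuard's code or part of the original post, parses a constructed message modelled on the campaign described above and reports when SPF passes but the Return-Path domain is not aligned with the From domain. The sample headers, addresses and the organisational-domain heuristic are all assumptions made for the example.

```python
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr

# Constructed sample modelled on the scam: the From header shows the bank's
# domain, while the envelope sender (Return-Path) is an unrelated third-party
# host, and SPF passes for that unrelated host. All values are made up.
SAMPLE_MESSAGE = b"""Return-Path: <bounce@mailer.example-hosting.net>
Received-SPF: pass (domain of bounce@mailer.example-hosting.net designates 203.0.113.10 as permitted sender)
From: "National Australia Bank" <rewards@nab.com.au>
To: customer@example.com
Subject: Claim Your $75 Rewards
Content-Type: text/plain; charset="utf-8"

Click here to claim Your Rewards
"""

# Same constructed message, but with an envelope sender under the bank's domain.
ALIGNED_MESSAGE = SAMPLE_MESSAGE.replace(
    b"bounce@mailer.example-hosting.net", b"bounce@mail.nab.com.au"
)


def _domain(header_value: str) -> str:
    """Lower-cased domain part of an address header value ('' if none)."""
    _, addr = parseaddr(header_value)
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _org_domain(host: str) -> str:
    """Simplified organisational-domain heuristic (assumption, not a public
    suffix list): keep the last two labels, or three when the second-level
    label is a common registry label, so mail.nab.com.au -> nab.com.au."""
    labels = host.split(".")
    if len(labels) >= 3 and labels[-2] in {"com", "co", "net", "org", "gov", "edu"}:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def check_sender_alignment(raw: bytes) -> dict:
    """Report whether an SPF pass actually covers the domain shown to the user."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    from_domain = _domain(msg.get("From", ""))
    return_path_domain = _domain(msg.get("Return-Path", ""))
    spf_pass = str(msg.get("Received-SPF", "")).strip().lower().startswith("pass")
    aligned = bool(from_domain) and _org_domain(from_domain) == _org_domain(return_path_domain)
    if spf_pass and aligned:
        verdict = "spf pass, aligned with From domain"
    elif spf_pass:
        verdict = "spf pass for an unrelated domain: treat as unverified sender"
    else:
        verdict = "spf did not pass"
    return {
        "from_domain": from_domain,
        "return_path_domain": return_path_domain,
        "spf_pass": spf_pass,
        "aligned": aligned,
        "verdict": verdict,
    }


if __name__ == "__main__":
    for label, raw in (("scam sample", SAMPLE_MESSAGE), ("aligned sample", ALIGNED_MESSAGE)):
        print(label, check_sender_alignment(raw))
```

This is the alignment test that DMARC performs on SPF results; a mail filter that stops at "spf=pass" will accept the scam sample, whereas the aligned sample is the only one where the pass actually vouches for the bank's domain.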
The email asks the recipient to participate in the survey by clicking the link ‘Click here to claim Your Rewards’.
Clicking the link directs the recipient to the following landing page:
The landing page URL is not the legitimate NAB URL; however, the scammers have included ‘nab.com.au’ within the URL to make it look more familiar to their targets. The survey questions appear to be legitimate survey questions, in an attempt to make the email recipient feel more at ease before continuing to the next landing page.
Clicking ‘Start’ takes the user to the next landing page, where account information is required, supposedly to ‘Credit the account’.
All the information in the form is captured by the cybercriminals and used to access the user’s funds.
A vigilant recipient should understand the importance of hovering over links prior to clicking them to identify any discrepancies in the destination URL. In this instance, the URL of the landing page is not that of the legitimate bank www.nab.com.au.
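The hover check above can be automated: what matters is the real host the browser will connect to, not whether the bank's name appears somewhere in the link. The code below is an added example, not MailGuard's tooling or anything from the original post. It extracts the links from a constructed HTML email body, resolves each link's true host, and flags the bank's domain when it appears as a decoy in the subdomain, the userinfo part, the path or the query string rather than as the actual host. The sample body and URLs are assumptions constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# The bank's real domain, as quoted in the post. Everything else is constructed.
LEGITIMATE_HOST = "nab.com.au"

SAMPLE_BODY = """
<p>Dear Customer,</p>
<p><a href="http://nab.com.au.rewards-survey.example/start">Click here to claim Your Rewards</a></p>
"""


def classify_link(url: str, legitimate_host: str = LEGITIMATE_HOST) -> dict:
    """Return the host a link really points at and where, if anywhere, the
    bank's domain is being used as a decoy outside that host."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = (parts.hostname or "").lower()
    legitimate = host == legitimate_host or host.endswith("." + legitimate_host)
    decoys = []
    if not legitimate:
        # e.g. nab.com.au.rewards-survey.example: the brand is a subdomain label
        if legitimate_host in host:
            decoys.append("host")
        # e.g. http://nab.com.au@203.0.113.5/: the brand sits before the '@'
        if parts.username and legitimate_host in parts.username.lower():
            decoys.append("userinfo")
        if legitimate_host in parts.path.lower():
            decoys.append("path")
        if legitimate_host in parts.query.lower():
            decoys.append("query")
    verdict = "ok" if legitimate else ("lookalike" if decoys else "unrelated")
    return {"host": host, "legitimate": legitimate, "decoy_locations": decoys, "verdict": verdict}


class _LinkExtractor(HTMLParser):
    """Collect (visible text, href) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def audit_email_links(html: str, legitimate_host: str = LEGITIMATE_HOST) -> list:
    """Classify every link in an HTML email body."""
    extractor = _LinkExtractor()
    extractor.feed(html)
    return [dict(text=text, href=href, **classify_link(href, legitimate_host))
            for text, href in extractor.links]


if __name__ == "__main__":
    for finding in audit_email_links(SAMPLE_BODY):
        print(finding)
```

The host comparison uses an exact match or a dotted suffix, so `www.nab.com.au` is accepted while `nab.com.au.rewards-survey.example` is not; a substring match on the whole URL, which is what the eye does when it spots the familiar name, would accept both.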
To reduce the risk of being tricked by one of these scams, you should immediately delete any emails that:
- Appear to be from a well-known organisation, typically a bank or service provider, are not addressed to you by name, and may include poor grammar.
- Ask you to click on a link within the email body in order to access their website – your bank will always ask you to go to their website directly by typing their URL into your web browser address field, as a precautionary security measure.
- Ask you to submit personal information that the sender should already have access to.
NAB offers a secure online and telephone banking service – if you are concerned about the legitimacy of any online communication you receive, please call them to confirm.
We recommend that you share these tips with your staff to make them aware of these campaigns. By employing a cloud-based email and web filtering solution, like MailGuard, you’ll also reduce the risk of these new variants of phishing from entering your network in the first place.
Keep up to date on the latest email scams by subscribing to MailGuard’s weekly update or follow us on social media.