MailGuard 16 December 2021 15:32:53 AEDT 8 MIN READ

Westpac Customers Targeted in Online Banking Phishing Scam

Millions of Westpac online banking customers are being targeted in a phishing scam that aims to steal crucial details, including login and credit card information. With the holidays in sight, and many Australians relying on online banking for purchases, paying bills and checking their accounts, scammers have used emotive messaging to trick even the savviest user into thinking this may be a legitimate communication from Westpac.

Scammers have copied the Westpac logo and other brand assets in creating the email, which has been sent as ‘Westpac Online Banking’ from a compromised email address. The body of the email advises the client that there has been an attempt to sign in to their account from an unrecognised device. Customers are then asked to complete an account verification in order to restore access to their online banking account.

Here’s what the email looks like:  

[Screenshot: the phishing email, ‘Your Westpac online banking is temporarily locked’]

Upon closer inspection of the email, there are no obvious grammatical errors to pick up, aside from the unusual inclusion of ‘Australia First Bank’. However, the formatting of the email is quite simplistic and not representative of a professional alert that would normally be sent by Westpac. The email is also addressed generically to ‘Dear client’, whereas a customer would reasonably expect communications from the bank to be personalised.

When a user clicks on the red ‘Update account’ button, they are taken to the login page shown below. Again, the distinctive red colouring that Westpac is known for is used to feign authenticity, and legitimate Westpac links are provided at the bottom of the page to further confuse victims.

[Screenshot: fake ‘Sign in to Westpac Online Bank’ login page]

After entering a Customer ID and Password, victims are taken to the next page, which requests verification of the account by providing their Full Name, Date of Birth, Zip Code and Phone Number. This is sensitive information that scammers can put to wide criminal use, such as identity theft.

[Screenshot: fake account verification page requesting personal details]

Once ‘verified’, customers are taken to a one-time password (OTP) page where they are required to enter a security code that has been sent to them.

[Screenshot: fake OTP verification page]

The next step in the scam is particularly damaging, as the data collected can result in severe financial loss once it is in the hands of cybercriminals. In order to continue with the false verification process, customers are asked to enter their credit card details, before being asked for OTP verification a second time.

[Screenshot: fake credit card details page]

[Screenshot: second fake OTP verification page]

The last page, depicted below, thanks the customer and advises them that their ‘account will be confirmed in 48 hours’, accompanied by a puzzling message about all transactions being refunded to the victim within 48 hours.

[Screenshot: final ‘thank you’ page of the phishing site]

The sole purpose of this elaborate phishing scam is to harvest the login credentials of Westpac customers so the criminals behind the scam can break into their bank accounts, and possibly sell the victims’ information on the dark web. Therefore, it is crucial that customers remain vigilant. By typing in your customer ID and password, personal details and credit card information, you are handing sensitive account information to cybercriminals.

Furthermore, the cybercriminals behind this scam have incorporated several techniques within the email itself to boost its credibility. These include:

  • Westpac’s support links and helpline in the footer of the phishing pages – a common feature expected of a well-established bank like Westpac, and
  • An alarming subject line, informing recipients that ‘Your Westpac Online Banking Account is Temporarily Locked’, creating a sense of urgency and anxiety. This motivates users to act immediately without checking the authenticity of the email.

Combined, these techniques can easily motivate time-poor and trusting users to proceed to verify their account.  

As a precaution, we urge you not to click links within emails that: 

  • Are not addressed to you by name.
  • Appear to be from a legitimate company but use poor English or omit personal details that a legitimate sender would include.
  • Are from businesses that you were not expecting to hear from.
  • Take you to a landing page or website that is not the legitimate URL of the company the email purports to be sent from. The URL for Westpac’s internet banking login page is: https://online.westpac.com.au
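The checks listed above can be applied mechanically by a mail filter. The following is an added example written for this post, not MailGuard's or Westpac's own code: it flags the indicators described here (a ‘Westpac’ display name on a non-Westpac sender domain, urgency wording in the subject, a generic ‘Dear client’ greeting, and links whose real host is not under westpac.com.au). The sample email, its sender domain and the lookalike link hosts are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Westpac's real domain; the legitimate login page is https://online.westpac.com.au
LEGIT_DOMAIN = "westpac.com.au"


def host_is_legit(url: str) -> bool:
    """True only if the link's actual host is westpac.com.au or a subdomain of it.
    urlparse().hostname drops userinfo, so 'https://online.westpac.com.au@evil.example/'
    resolves to evil.example, and 'online.westpac.com.au.verify-login.example'
    fails the suffix test because it ends in '.example'."""
    host = (urlparse(url).hostname or "").lower()
    return host == LEGIT_DOMAIN or host.endswith("." + LEGIT_DOMAIN)


def phish_indicators(raw_email: str) -> list[str]:
    """Return a list of the indicators from the post that are present in a plain-text email."""
    msg = message_from_string(raw_email)
    hits = []
    display_name, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rsplit("@", 1)[-1].lower()
    if "westpac" in display_name.lower() and not (
        sender_domain == LEGIT_DOMAIN or sender_domain.endswith("." + LEGIT_DOMAIN)
    ):
        hits.append(f"display name claims Westpac but sender domain is {sender_domain}")
    if re.search(r"\b(locked|suspended|verify|unrecognised)\b", msg.get("Subject", ""), re.I):
        hits.append("urgency wording in subject")
    body = msg.get_payload()  # single-part text/plain assumed for this example
    if re.search(r"^\s*dear (client|customer|user)\b", body, re.I | re.M):
        hits.append("generic greeting instead of the customer's name")
    for url in re.findall(r"https?://[^\s\"'<>]+", body):
        if not host_is_legit(url):
            hits.append(f"link to non-Westpac host: {urlparse(url).hostname}")
    return hits


# Constructed sample modelled on the email described in the post (not the real message).
SAMPLE_EMAIL = """\
From: Westpac Online Banking <alerts@compromised-sender.example>
Subject: Your Westpac Online Banking Account is Temporarily Locked

Dear client,

We detected a sign-in attempt from an unrecognised device.
Update account: https://online.westpac.com.au.verify-login.example/update
Help: https://www.westpac.com.au/help
"""
```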

Westpac offers a comprehensive online resource to help identify and report scams purporting to be from them. You can verify the authenticity of any contact you aren’t sure about, or report a scam, by calling 132 032 or emailing them at hoax@westpac.com.au. 

One email is all that it takes     

All that it takes to devastate your business is a cleverly worded email message that can steal sensitive user credentials or disrupt your business operations. If scammers can trick one person in your company into clicking on a malicious link or attachment, they can gain access to your data or inflict damage on your business.     

For a few dollars per staff member per month, you can protect your business with MailGuard's predictive and advanced email security. Talk to a solution consultant at MailGuard today about securing your company's inboxes.  
