Akankasha Dewan 08 October 2019 16:27:39 AEDT 4 MIN READ

Phishing email spoofing Commonwealth Bank uses multi-factor authentication to trick users

Exercise caution if you receive an email supposedly from Commonwealth Bank: the bank is being spoofed in a new multi-stage phishing email scam. What sets this scam apart is not only how well crafted it is, but how it imitates the bank's own security features, including a simulated two-factor authentication step, to steal users' confidential data.

MailGuard first detected this scam earlier this morning (AEST), 8th October 2019. The email uses the display name ‘Commonwealth Bank of Australia’, but it actually originates from a large number of email addresses that all belong to the same compromised domain. Notably, the local part of the sender address (the portion before the ‘@’) is partially randomly generated, so each message is sent from a different address. A filter that blocks individual sender addresses will therefore not keep up; the stable indicators are the compromised sending domain and the mismatch between the bank's display name and that domain.

The body of the email informs recipients that irregular activity has been detected and that their account has been restricted. A link is provided for the user to restore access.

Here is a screenshot of the email:

[Screenshot: the phishing email]

Unsuspecting recipients who click on the link are taken to a fake, Commonwealth Bank branded phishing page that asks for their NetBank credentials, as shown below:

[Screenshot: fake NetBank logon page]

After submitting their credentials and ‘logging on’, users are taken to a second page titled ‘Verify Your Identity’, which asks for their credit card and banking details:

[Screenshot: fake ‘Verify Your Identity’ page]

After entering those details, users are taken to a third fake page, again carrying the bank's logo and branding. To add credibility, the scammers simulate a two-factor authentication step here and ask the user to enter the NetCode sent to their mobile phone. A one-time code such as a NetCode is only useful to an attacker before it expires, so a kit built this way typically depends on the stolen credentials and code being used against the real site while the victim is still on the page; an SMS code on its own does not protect an account against a phishing page that simply asks for it.

Here’s a screenshot of the page:

[Screenshot: fake NetCode page]

Once users have submitted their NetCode, they reach the last page of the scam. It displays an ‘error message’ at the top informing them that their NetCode ‘has expired’, a plausible end state that gives the victim no obvious reason to contact the bank:

[Screenshot: fake ‘NetCode has expired’ page]

The sole purpose of this elaborate scam is to harvest the login credentials, card details and NetCodes of Commonwealth Bank customers so that the criminals behind it can break into their bank accounts.

As the screenshots above show, the cybercriminals have replicated Commonwealth Bank's official landing pages, including the bank's branding and logo, to convince users that the pages are legitimate.

It is also worth noting that the email and the phishing pages imitate security features, such as multi-factor authentication, that customers expect of a well-established bank. This makes recipients more confident, because they believe they are making their account more secure by clicking the link and entering their confidential login details.

On top of this, the message contains several typical elements of a phishing email:

  • use of a major brand name to inspire false trust; the ‘Commonwealth Bank of Australia’ display name boosts the credibility of the email,
  • repeated use of ‘safety features’ typically expected of a well-established bank, such as links for avoiding hoaxes and bank support numbers,
  • false urgency; a subject line such as ‘Our Security team has restricted your account’ creates a sense of panic and anxiety.

To reduce the risk of being tricked by one of these scams, you should immediately delete any email that:

  • Appears to be from a well-known organisation, typically a bank or service provider, is not addressed to you by name, and may contain poor grammar.
  • Asks you to click a link in the email body to reach the organisation's website. As a precaution, go to your bank's website directly by typing its address into your browser's address bar rather than following a link in an email.
  • Asks you to submit personal information that the sender should already have.
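As an added example, not MailGuard's code and not part of the original post, the following Python script applies the sender check from the paragraph on the randomised sender addresses and the content checks from the two lists above to a constructed message shaped like this scam. The brand-to-domain mapping, the urgency and greeting phrase lists, and both sample messages are assumptions made for the example; the sender and link domains are reserved example names, not the real ones.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Brand keyword (matched against the From: display name) -> domains that send for
# it legitimately. ASSUMPTION for this example; confirm against the bank's guidance.
BRAND_DOMAINS = {"commonwealth bank": {"cba.com.au", "commbank.com.au"}}

# Assumed phrase lists for the false-urgency and generic-greeting checks.
URGENCY_PHRASES = ("restricted your account", "account has been restricted",
                   "irregular activity", "verify your identity")
GENERIC_GREETINGS = ("dear customer", "dear user", "dear valued", "dear client")


def host_in_domains(host, domains):
    """Host equals one of the domains or is a subdomain of it (label-anchored)."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)


def claimed_brand(display_name):
    """Return the brand keyword the display name invokes, if any."""
    name = display_name.lower()
    return next((b for b in BRAND_DOMAINS if b in name), None)


def message_text(msg):
    """Concatenate the decoded text/* parts of a parsed message."""
    chunks = []
    for part in (msg.walk() if msg.is_multipart() else [msg]):
        payload = part.get_payload(decode=True) if part.get_content_maintype() == "text" else None
        if payload:
            chunks.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def triage(raw_message):
    """Return (indicator, detail) pairs found in a raw RFC 5322 message."""
    msg = message_from_string(raw_message)
    findings = []
    display_name, address = parseaddr(msg.get("From", ""))
    sender_domain = address.rsplit("@", 1)[-1] if "@" in address else ""
    brand = claimed_brand(display_name)
    # 1. Display name invokes a brand but the address domain is not the brand's.
    #    Comparing the domain rather than the full address survives a randomised local part.
    if brand and not host_in_domains(sender_domain, BRAND_DOMAINS[brand]):
        findings.append(("display_name_spoof", f"'{display_name}' sent from {sender_domain}"))
    body = message_text(msg)
    # 2. Links that lead anywhere other than the claimed brand's own domains.
    if brand:
        for url in re.findall(r"https?://[^\s\"'<>]+", body):
            if not host_in_domains(urlparse(url).hostname or "", BRAND_DOMAINS[brand]):
                findings.append(("offbrand_link", url))
    # 3. Urgency language in the subject or body.
    text = (msg.get("Subject", "") + "\n" + body).lower()
    findings.extend(("urgency", p) for p in URGENCY_PHRASES if p in text)
    # 4. A generic salutation instead of the customer's name.
    greeting = next((g for g in GENERIC_GREETINGS if g in body.lower()), None)
    if greeting:
        findings.append(("generic_greeting", greeting))
    return findings


def verdict(findings):
    """Quarantine on either strong indicator; the rest only raise suspicion."""
    kinds = {kind for kind, _ in findings}
    return "quarantine" if kinds & {"display_name_spoof", "offbrand_link"} else "deliver"


# Constructed sample in the shape of the scam described in the post; the sender
# and link domains are reserved example names, not the real ones.
SCAM_SAMPLE = """\
From: "Commonwealth Bank of Australia" <alerts-7f3a9c@mail.compromised.example>
Subject: Our Security team has restricted your account
Content-Type: text/html; charset="utf-8"

<html><body><p>Dear Customer,</p>
<p>Irregular activity was detected and your NetBank access has been restricted.</p>
<p><a href="https://netbank-restore.example.org/logon">Restore access</a></p>
<p>To avoid hoaxes, contact us on 132 221 or at hoax@cba.com.au.</p>
</body></html>
"""

# Constructed benign message from the brand's own domain, for contrast.
LEGIT_SAMPLE = """\
From: "Commonwealth Bank" <noreply@cba.com.au>
Subject: Your monthly statement is ready
Content-Type: text/plain; charset="utf-8"

Hi Jane,
Your statement is available when you log on at https://www.commbank.com.au/ directly.
"""

if __name__ == "__main__":
    for raw in (SCAM_SAMPLE, LEGIT_SAMPLE):
        print(verdict(triage(raw)), triage(raw))
```

The first check compares only the domain of the address against the brand's domains, which is why a randomised local part does not help the scammer. The second flags any link that leaves the brand's domains, the mechanical form of the advice to type the bank's address rather than follow a link; the support number and hoax-reporting address quoted in the body do nothing to change the verdict. The domain comparison is anchored on a label boundary so that a host such as cba.com.au.evil.example is not accepted as the bank's.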

Banks have a well-established, trusted relationship with their customers, so when cybercriminals look for trademarks to abuse in their email attacks they often brandjack banks.

Commonwealth Bank offers a comprehensive online resource to help identify and report scams purporting to be from them. You can verify the authenticity of any contact you aren’t sure about, or report phishing, by calling 132 221 or emailing them at hoax@cba.com.au.

Don't get scammed

If your company’s email accounts aren’t protected, emails like the one above are almost certainly being received by your staff. Cybercriminals know people can be tricked; that’s why they send out millions of scam messages and put so much effort into making them look convincing.

People are not machines; we're all capable of making bad judgement calls. Without email filtering protecting your business, it’s just a matter of time before someone in your organisation has a momentary lapse of judgement and clicks on the wrong thing.

One email

Cybercriminals use email scams to infiltrate organisations with malware and attack them from the inside. All criminals need to break into your business is a cleverly-worded message. If they can trick one person in your company into clicking on a malicious link they can gain access to your data.

For a few dollars per staff member per month, you can protect your business with MailGuard's predictive and advanced email security.

Talk to a solution consultant at MailGuard today about securing your company's network. 
