Tax Residency Email Scam Targets CMC Markets Clients

With more than 1,000,000+ clients globally, CMC Markets is one of Australia's leading share investing and CFD trading platforms. The company's success makes it a prime target for cybercriminals seeking to trade on it's good name, targeting it's high net worth customer base that are being blocked by MailGuard. The campaign is designed to steal user credentials by impersonating CMC Markets and TD Direct Investing with legitimate-looking tax and account migration emails to lure recipients into clicking a link that leads to a fake login page.

What to watch for

The phishing email arrives with the subject line:
“Federal Tax Residency Verification Notice — Required Renewal of W-8BEN Certification”.

It uses branding consistent with CMC Invest, references real financial concepts such as U.S. IRS Form W-8BEN compliance, and includes a detailed legal disclaimer to enhance credibility.

📌 Screenshot of phishing email:

The email includes a link titled “Complete Your W-8BEN Renewal” which redirects recipients to a phishing site, not hosted on cmcmarkets.com.au, but on a lookalike domain such as mqdywctq.com/login.

The spoofed website asks for login credentials, including usernames and passwords. 

📌 Screenshot of phishing login page:

The phishing site mimics the actual CMC Invest interface, complete with ANZ Share Investing transition messaging and a polished layout that could easily deceive unsuspecting users.

Technical profile of the attack

This phishing campaign appears to leverage a mass template injection tactic. The attacker has:

• Cloned legitimate mailouts from previous customer communications
• Replaced key call-to-action elements with malicious links, and
• Left original legal footers, support contacts, and branding intact to bypass suspicion

The scam is not limited to a single sender or domain. It uses rotating combinations of:

• Display names like TD Direct Investing or CMC Markets Invest
• Mailboxes such as login(at)vgejgg.com, auth(at)pfsoah.com, service(at)mokews.com, and
• Suspicious or recently registered domains like hqnyjs.com, xwydsac.com, zjtltj.com

Why it’s dangerous

This is a classic example of trust-based social engineering. The attackers:

• Use familiar financial terms like IRS compliance and W-8BEN forms
• Introduce urgency through tax penalties or account migration deadlines
• Pair it with brand impersonation, using logos, disclaimers, and footers to disarm users

If credentials are entered, attackers can:

• Take over brokerage or financial accounts
• Conduct unauthorised trades or withdrawals
• Harvest user data for resale or future identity fraud

Stay Safe, Know the Signs

MailGuard advises all recipients of these emails to delete them immediately without clicking on any links. Responding or providing personal details can lead to identity theft, data breaches, and financial losses.

Avoid emails that:

• Aren’t addressed to you personally.
• Are unexpected and urge immediate action.
• Contain poor grammar or miss crucial identifying details.
• Direct you to a suspicious URL that isn’t associated with the genuine company.

Many businesses turn to MailGuard after a near miss or incident. Don't wait until it's too late. Reach out to our team for a confidential discussion by emailing expert@mailguard.com.au or calling 1300 30 44 30.

One Email Is All That It Takes   

All that it takes to devastate your business is a cleverly worded email message that can steal sensitive user credentials or disrupt your business operations. If scammers can trick one person in your company into clicking on a malicious link or attachment, they can gain access to your data or inflict damage on your business.     

For a few dollars per staff member per month, you can protect your business with MailGuard's specialist AI-powered, zero-day email security. Special Ops for when speed matters!  Our real-time zero-day, email threat detection amplifies our client’s intelligence, knowledge, security and defence. Talk to a solution consultant at MailGuard today about securing your company's inboxes.  

Stay up-to-date with MailGuard's latest blog posts by subscribing to free updates. Subscribe to weekly updates by clicking on the button below.