You’ll need to update your browser so you can continue to log on to your online banking from 28th February. Update now.

Close

Article

Phishing: what we’ve seen in recent months

Phishing: what we’ve seen in recent months

 ‘Brandjacking’ is the term commonly used to describe cyber scams in which criminals fake an email or website that looks like one belonging to a well-known and recognised company.

CBA is constantly monitoring for ‘fake’ or malicious sites which try to trick our customers into giving away their information. In many cases, the branding looks like what you’d expect, the malicious link is hidden and it looks as though it comes from an email similar to what you might anticipate.

The complexity and sophistication of campaigns is evolving, including phishing pages which can be used across multiple devices. This means the campaign can be distributed to a wider audience via emails and SMS, increasing the likelihood of people getting hooked.

At the successful completion of the phish, the most common technique for handling the victim is to redirect them from the phishing site to the legitimate website they thought they were interacting with in order to make them think they have either completed the required task or that it must have been a glitch and they are now logged off in order to avoid raising the alarm.

A recent example we’ve seen is an SMS claiming to observe ‘unusual credit card activity’ and requesting confirmation of personal data alongside the threat of a credit card being blocked. The link provided would then take you to a screen which asked the person to enter their credit card number, expiry date and CVV as well as attempting to get the them to enter their NetBank ID and password before redirecting them to the CommBank website.

The important thing to remember is CommBank will never send messages via email or text that ask you to confirm, update or disclose personal or banking information.  

What to do if you spot a phish?

You can help us stop these scams by sending a sample of any hoax email or SMS you receive to hoax@cba.com.au. If possible, take a screenshot of any hoax SMS and attach it to your email, and send any suspicious emails as an attachment. If you need to use the ‘forward’ feature to report an email, please ensure you refuse any prompts to open attachments or download pictures or files.

Tech brands a target

More broadly, the year to date has seen a number of big tech brands targeted, including Netflix. In April this year the Australian Communications and Media Authority (ACMA) used the Netflix scam to highlight the increasing sophistication of scammers.

The Netflix scam starts with an email, commonly delivered with the subject line ‘Netflix membership on hold’ and tells the recipient that Netflix “failed to validate your payment information”, requesting they undertake a verification process. Upon clicking the link, the target would be taken to a phishing website that looks like the real

Netflix logon and requested to enter their email address, Netflix password and credit card details.

ACMA named the fake site as an example of ‘smart phishing’ – a scam which “dynamically adapts to your online interactions and prompts you for your data in a clever and realistic way.”

“These scams seamlessly replicate the experience of using a company’s legitimate website, whether it is being accessed through a smartphone, tablet or desktop computer,” according to ACMA, which explained how the Netflix scam works:

  1. When you ‘sign in’, the fake website feeds your username and password to the real website and, if the log in details are correct, retrieves your first and last name. If the details are incorrect, you will receive the normal login error message and be prompted to enter your correct details
  2. The next page shows the account verification form where the first and last name fields are pre-populated with data obtained from the real Netflix website
  3. Once you complete the rest of the fields, you are prompted to share your credit card details
  4. At this point the fake site dynamically changes – asking for additional authentication based on the credit card number, for example using ‘Mastercard SecureCode’ or ‘Verified by Visa’ boxes

This report contains general advice for educational purposes only. Please consult your cyber security team and legal counsel for advice specific to your organisation. Opinions expressed by interviewees are their own.