The Australian Communications and Media Authority (ACMA) is warning all mobile phone users of a persistent and sophisticated SMS phishing campaign currently underway that is targeting mobile banking customers in both Australia and New Zealand.
The SMS messages are short and to the point, containing URLs that direct the recipient to a fake mobile banking website, which is almost indistinguishable from the real thing.
The sophistication and scope of the campaign are indicated by the extensive use of internet domains that closely resemble the legitimate domains of Australian and New Zealand banks.
Often these domains will be active for only a very short time, replaced shortly thereafter with another ‘plausible’ bank domain. For example, the ACMA has received reports of SMS targeting ANZ bank customers as follows:
- Account notification: hXXp://m.anzmobilebank. com/
- Account notification: Verify your identity hXXp://m.anzmobilebank. com/
- Account Notification: hXXp://anz-notification. Com
- Account Notification: hXXp://mobile-anz. Info
- Dear ANZ Customer, Notification: hXXp://anz-mobile. Center
- Internal message received: hXXp:/anzmobilebank. com
- Notification: hXXp://anz-mobile. Center
- Verify your identity: hXXp:/anzmobilebank. com
If the URL is followed, the customer is taken to a fake website that displays a series of webpages.
Many Australian and New Zealand banks are being targeted by this constantly evolving campaign. It appears that the criminals behind this campaign are continually refining their messages and the associated imitation banking websites to increase their chance of success.
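The following is an added example, not part of the ACMA alert: a triage check that extracts the hostname from an SMS body (including the defanged forms shown above) and flags hosts that contain a bank's brand name but are not one of its real domains. The allowlist in `LEGIT_DOMAINS`, the `BRAND_TOKENS` value and the function names are assumptions for illustration; use the domain list your bank publishes.

```python
import re

# Assumption: the bank's real registrable domains (replace with its published list).
LEGIT_DOMAINS = {"anz.com", "anz.com.au", "anz.co.nz"}
# Assumption: brand string to look for, taken from the reported samples.
BRAND_TOKENS = ("anz",)

# Accepts live or defanged schemes (http/hXXp), one or two slashes, and a
# space after a dot (". com"), as in the reported messages. The space
# tolerance can over-capture after a sentence-ending dot, which errs
# toward flagging rather than missing a host.
URL_RE = re.compile(r"h(?:xx|tt)ps?:/{1,2}((?:[a-z0-9-]+\.\s?)+[a-z]{2,})", re.I)

def extract_hosts(sms):
    """Return lower-cased hostnames found in an SMS body."""
    return [re.sub(r"\s+", "", m.group(1)).lower() for m in URL_RE.finditer(sms)]

def is_legit(host):
    """True only for an allowlisted domain or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in LEGIT_DOMAINS)

def classify(sms):
    """Return (host, verdict) pairs for every URL in the message."""
    results = []
    for host in extract_hosts(sms):
        if is_legit(host):
            verdict = "legitimate"
        elif any(tok in host for tok in BRAND_TOKENS):
            verdict = "lookalike"  # brand name on a domain the bank does not own
        else:
            verdict = "unknown"
        results.append((host, verdict))
    return results

if __name__ == "__main__":
    samples = [
        "Account notification: hXXp://m.anzmobilebank. com/",      # from the alert
        "Verify your identity: hXXp:/anzmobilebank. com",          # from the alert
        "Notification: hXXp://anz-mobile. Center",                 # from the alert
        "Statement ready at https://www.anz.com.au/security",      # constructed
        "Notification: hXXp://anz.com.login.example/",             # constructed
    ]
    for sms in samples:
        print(classify(sms), "<-", sms)
```

A substring match on the brand name is a triage signal, not a verdict: it will also flag unrelated hosts that happen to contain the same letters, so flagged messages still need review.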
To help minimise your chances of being duped by these and other phishing campaigns, ACMA and Stay Smart Online recommend that you:
- do not open SMS or emails from unknown or suspicious sources
- never follow hyperlinks contained in these messages
- always carefully check the authenticity of a website that requests your user credentials
- never use the same or similarly constructed login credentials on different online accounts (social media, bank accounts etc)
- where available, use two-factor authentication on your accounts.
The full ACMA blog post is available here.
New Zealanders can report phishing to Netsafe via the Online Reporting Button website.
Netsafe have an excellent article on their website including contact email addresses for a number of NZ banks and sites. For more information please see https://www.netsafe.org.nz/how-do-i-report-bank-phishing-emails/
The information provided here is of a general nature. Everyone's circumstances are different. If you require specific advice you should contact your local technical support provider.