ALERT: Bank phishing scam in Australia and NZ

Author: Stay Smart Online

The Australian Communications and Media Authority (ACMA) is warning all mobile phone users of a persistent and sophisticated SMS phishing campaign currently underway that is targeting mobile banking customers in both Australia and New Zealand.

The SMS messages are short and to the point, containing URLs that direct the recipient to a fake mobile banking website, which is almost indistinguishable from the real thing.

The sophistication and scope of the campaign are indicated by the extensive use of internet domains that closely resemble the legitimate domains of Australian and New Zealand banks.

Often these domains are active for only a very short time and are then replaced with another ‘plausible’ bank domain. For example, the ACMA has received reports of SMS messages targeting ANZ bank customers as follows:

  • Account notification: hXXp://m.anzmobilebank. com/
  • Account notification: Verify your identity hXXp://m.anzmobilebank. com/
  • Account Notification: hXXp://anz-notification. Com
  • Account Notification: hXXp://mobile-anz. Info
  • Dear ANZ Customer, Notification: hXXp://anz-mobile. Center
  • Internal message received: hXXp:/anzmobilebank. com
  • Notification: hXXp://anz-mobile. Center
  • Verify your identity: hXXp:/anzmobilebank. com

If the URL is followed, the customer is taken to a fake website that presents a series of webpages.

Many Australian and New Zealand banks are being targeted by this constantly evolving campaign. The criminals behind it appear to be continually refining their messages and the associated imitation banking websites to increase their chance of success.
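
For teams that triage reported messages, the lookalike domains described above can be flagged mechanically. The following is an added example, not part of the ACMA or Stay Smart Online advisory: it parses URLs in the defanged form the reports use and flags hosts that carry the brand but fall outside the bank's own domains. The `LEGIT_DOMAINS` allow-list, the `BRAND` token and the function names are assumptions made for the illustration.

```python
import re

# Assumptions (not from the advisory): the bank's real registrable domains
# and the brand token to look for. Adjust both for the brand being protected.
LEGIT_DOMAINS = {"anz.com", "anz.com.au", "anz.co.nz"}
BRAND = "anz"
TWO_LEVEL_SUFFIXES = {"com.au", "co.nz"}

# Accepts plain and defanged URLs in the form the reports use: "hXXp",
# one or two slashes, and a space (plus odd capitalisation) before the TLD.
# In ordinary prose the optional space could join a URL to the next word;
# that errs towards flagging, which is acceptable for triage.
URL_RE = re.compile(r"h(?:tt|xx)ps?:/{1,2}([a-z0-9.-]+)\.\s*([a-z]{2,})\b", re.I)

def registrable(host):
    """Return the registrable domain: last 2 labels, or 3 under com.au / co.nz."""
    labels = host.split(".")
    n = 3 if ".".join(labels[-2:]) in TWO_LEVEL_SUFFIXES else 2
    return ".".join(labels[-n:])

def triage(sms):
    """Return a (host, verdict) pair for every URL found in an SMS body."""
    results = []
    for m in URL_RE.finditer(sms):
        host = f"{m.group(1)}.{m.group(2)}".lower()
        if registrable(host) in LEGIT_DOMAINS:
            verdict = "legitimate"
        # Brand at the start of any dot- or hyphen-separated part of the host.
        elif any(p.startswith(BRAND) for p in re.split(r"[.-]", host)):
            verdict = "lookalike"
        else:
            verdict = "unrelated"
        results.append((host, verdict))
    return results

SAMPLES = [
    # Reported messages quoted in the advisory (still defanged).
    "Account notification: hXXp://m.anzmobilebank. com/",
    "Account Notification: hXXp://mobile-anz. Info",
    "Verify your identity: hXXp:/anzmobilebank. com",
    # Constructed for this example.
    "Your statement is ready: https://www.anz.com.au/",
    "Security check: http://anz.com.au.secure-login.example/",
    "Parcel update: http://franz-couriers.example/track",
]

if __name__ == "__main__":
    for sms in SAMPLES:
        print(triage(sms), "<-", sms)
```

The brand test matches only when the token starts a dot- or hyphen-separated part of the host, so it avoids unrelated names that merely contain the letters but will miss a domain that puts other characters in front of the brand.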

 

Staying safe

To help minimise your chances of being duped by these and other phishing campaigns, ACMA and Stay Smart Online recommend that you:    

  • do not open SMS or emails from unknown or suspicious sources
  • never follow hyperlinks contained in these messages
  • always carefully check the authenticity of a website that requests your user credentials
  • never use the same or similarly constructed login credentials on different online accounts (social media, bank accounts, etc.)
  • where available, use two-factor authentication on your accounts.

The full ACMA blog post is available here.

 

More information

New Zealanders can report phishing to Netsafe via the Online Reporting Button website.

Netsafe have an excellent article on their website including contact email addresses for a number of NZ banks and sites. For more information please see https://www.netsafe.org.nz/how-do-i-report-bank-phishing-emails/ 

The information provided here is of a general nature. Everyone's circumstances are different. If you require specific advice you should contact your local technical support provider.