When bank impersonators go phishing


Are you sure that person contacting you is really from the bank? Scammers have found a lucrative line of phishing in impersonating bank staff and bank communications.

Australians lost more than $20 million to bank impersonation scams in 2022, according to Scamwatch, run by the Australian Competition and Consumer Commission (ACCC). Last year the watchdog website received 14,603 reports of scammers impersonating bank communications with legitimate-looking text messages and phone calls.

It was part of a bumper year for scammers, with $169 million reported lost in Australia to all text and phone scams, up $59 million from 2021 (a 54 per cent increase), according to the ACCC.

Scammers use sophisticated social engineering techniques to succeed in stealing hundreds of thousands of dollars from busy workers. They invest a significant amount of time in research and reconnaissance so they can be as convincing as possible – down to making sure they have the right hold music for your bank.

A scammer is likely to know your bank’s procedure, the questions they will ask, and how to sound like your bank. They are good at what they do.

How do bank impersonators do it?

In a bank impersonation scam, you receive a phone call or SMS that appears to be from your bank, often the security team.

Some common scenarios scammers use include:

  • You’ve been pre-approved for a loan (that you never applied for).
  • Your online account has been compromised. 
  • An irregular payment has been detected.

When you click on the link or call the number, the scammer outlines a situation that requires immediate action – often it’s that your account has been hacked, and you need to shift your money to a ‘safe’ account or PayID the scammer supplies. Or they’ll try to coax access details for your account from you. You’ll be told they’re ‘here to help.’ But they’re not.

Think you’re too smart for a scam? Think again

CommBank has received a number of calls from business customers who realised too late that they had been scammed. Even when customers alert the bank straight away, the money has often already been moved into cryptocurrency and is beyond recovery.

For example, a sole trader customer of CommBank received a call from a man with a British accent claiming to be from the security team.

He advised her that a suspicious payment had been made from her account, and that he needed her help to access her facility so he could fix it. Early in the call the customer had already given the caller enough information for him to reset her password. So when she tried to log in herself, her password no longer worked, and the failed login convinced her the caller was genuine.

The customer then gave the scammer the answers to her security questions and generated three e-tokens over the course of the call. With those, the scammer was able to log in to the CommBiz facility, and the client lost $700,000 from their business account.

No business is immune to scams and fraud

The average cost per cybercrime report rose to over $39,000 for small businesses, $88,000 for medium businesses, and over $62,000 for large businesses, according to the ACSC. The reported losses from phone scams in 2022 totalled $141 million.

Scammers succeed because we lead busy lives and many of us multi-task throughout the day. They don’t just target owners; they target employees too. All a scammer needs is for the target’s mind to be less than fully on the present. They don’t want you or your employees to have time to think, which is why the phone is the second-most popular (29 per cent) way scammers contact their targets. A scammer wants their target off-balance, and the target doesn’t need to be high up in the business to be used to steal.

No business is safe from fraud. Any business, regardless of size or industry, can be successfully targeted. Key to thwarting these attempts is noticing if there is an unusual, unexpected sense of urgency, or if something else doesn’t feel right. Remember: stop, check, and reject.

You are the first and last line of defence

Businesses should investigate potential vulnerabilities and implement best practice procedures, such as never having just one person responsible for both creating and approving a payment. It’s vital that every employee knows to never give out e-tokens, passwords or answers to secret questions.
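The dual-control procedure above is easy to state and easy to skip in a hurry, so it is worth enforcing in the payment system rather than leaving it to habit. The following is an added illustration, not CommBiz code or any bank’s implementation: a small in-memory payment queue in which the person who created a payment is refused when they try to release it, every decision is written to an audit trail, and a constructed scenario replays the $700,000 case with a coerced bookkeeper who cannot move the money alone. The payee name, user names and amounts are made up for the example.

```python
"""Separation-of-duties (maker/checker) enforcement for outgoing payments.

Hypothetical illustration only: not CommBiz or any bank's real workflow.
The rule it enforces is the one in the article: the user who creates a
payment must not be the user who approves it. A scammer who talks one
employee into creating an urgent transfer still needs a second person,
who has had time to think, before any money moves.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List, Optional


class State(Enum):
    PENDING = "pending"
    APPROVED = "approved"
    REJECTED = "rejected"


class DualControlError(Exception):
    """Raised when one person tries to both create and release a payment."""


@dataclass
class Payment:
    payment_id: str
    payee: str
    amount_cents: int
    created_by: str
    state: State = State.PENDING
    approved_by: Optional[str] = None
    audit: List[str] = field(default_factory=list)  # who did what, in order


class PaymentQueue:
    """Hypothetical payment workflow that enforces maker/checker separation."""

    def __init__(self) -> None:
        self._payments: Dict[str, Payment] = {}

    def get(self, payment_id: str) -> Payment:
        return self._payments[payment_id]

    def create(self, payment_id: str, payee: str, amount_cents: int, created_by: str) -> Payment:
        if amount_cents <= 0:
            raise ValueError("amount must be positive")
        if payment_id in self._payments:
            raise ValueError("duplicate payment id")
        payment = Payment(payment_id, payee, amount_cents, created_by)
        payment.audit.append(f"created by {created_by}")
        self._payments[payment_id] = payment
        return payment

    def approve(self, payment_id: str, approver: str) -> Payment:
        payment = self._payments[payment_id]
        if payment.state is not State.PENDING:
            raise DualControlError(f"payment {payment_id} is already {payment.state.value}")
        # The core rule: the approver must be a different person from the creator.
        # The refusal is logged so a pattern of self-approval attempts is visible.
        if approver == payment.created_by:
            payment.audit.append(f"approval by creator {approver} refused")
            raise DualControlError("a payment cannot be approved by the user who created it")
        payment.state = State.APPROVED
        payment.approved_by = approver
        payment.audit.append(f"approved by {approver}")
        return payment

    def reject(self, payment_id: str, rejecter: str, reason: str) -> Payment:
        payment = self._payments[payment_id]
        if payment.state is not State.PENDING:
            raise DualControlError(f"payment {payment_id} is already {payment.state.value}")
        payment.state = State.REJECTED
        payment.audit.append(f"rejected by {rejecter}: {reason}")
        return payment


def walkthrough() -> List[str]:
    """Constructed scenario: a bookkeeper on the phone with a 'security team' caller.

    The caller talks her into creating a $700,000 transfer to a 'safe account'
    and tells her to release it immediately. The queue refuses her own approval;
    the owner, asked to approve, rejects it instead. Returns the audit trail.
    """
    queue = PaymentQueue()
    # Constructed data: payee and amount invented for the example.
    queue.create("PAY-1", "safe-account-123456", 70_000_000, created_by="bookkeeper")
    try:
        queue.approve("PAY-1", approver="bookkeeper")
    except DualControlError:
        pass  # expected: she cannot release her own payment
    queue.reject("PAY-1", rejecter="owner",
                 reason="payee not on the approved list and caller could not be verified")
    return queue.get("PAY-1").audit


if __name__ == "__main__":
    for line in walkthrough():
        print(line)
```

The same check belongs wherever payees are added or limits are raised, and it only works if the two roles are really held by two people: one employee with two logins defeats it completely, which is why the article’s advice is about people and procedure as much as software.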

Staff need to understand that tokens and e-tokens are the second factor in two-factor authentication: they safeguard a business’s finances as much as a password does, and they should never be given to another person, including someone who says they are from the bank.

A bank will never ask you for this information. Your bank might ask for identifying information, like your name or date of birth, but they will never ask you what your PIN is, what your token is, or what your passwords are.

Whenever you have any doubt, hang up the phone and contact your bank directly on a number that you know is genuine, such as the one on the back of your card or on the bank’s official website. Don’t call back a number supplied in the message or by the caller, and be careful with search results, which can include sponsored listings that are not the bank’s.

Things you should know:

This article is intended to provide general information of an educational nature only. It does not have regard to the financial situation or needs of any reader and must not be relied upon as financial product advice. You should consider seeking independent financial advice before making any decision based on this information. The information in this article and any opinions, conclusions or recommendations are reasonably held or made, based on the information available at the time of its publication but no representation or warranty, either expressed or implied, is made or provided as to the accuracy, reliability or completeness of any statement made in this article.

Commonwealth Bank of Australia ABN 48 123 123 124. AFSL 234945.