When bank impersonators go phishing

Australians lost more than $20 million to bank impersonation scams in 2022, according to Scamwatch, run by the Australian Competition and Consumer Commission (ACCC).¹  Last year the watchdog website received 14,603 reports of scammers impersonating bank communications with legitimate-looking text messages and phone calls.

It was part of a bumper year for scammers, with $169 million reported lost in Australia to all text and phone scams, up $59 million from 2021 (a 54% increase), according to the ACCC.²

Scammers use sophisticated social engineering techniques to succeed in stealing hundreds of thousands of dollars from busy workers. They invest a significant amount of time in research and reconnaissance so they can be as convincing as possible– down to making sure they have the right hold music for your bank.

A scammer is likely to know your bank’s procedure, the questions they will ask, and how to sound like your bank. They are good at what they do.

How do bank impersonators do it?

In a bank impersonation scam, you receive a phone call or SMS that appears to be from your bank, often the security team.

Some common scenarios scammers use include:

• you’ve been pre-approved for a loan (that you never applied for)
• your online account has been compromised 
• an irregular payment has been detected.

When you click on the link or call the number, the scammer outlines a situation that requires immediate action – often it’s that your account has been hacked, and you need to shift your money to a ‘safe’ account or PayID the scammer supplies. Or they’ll try to coax access details for your account from you. You’ll be told they’re ‘here to help.’ But they’re not.

Think you’re too smart for a scam? Think again

CommBank has received a number of calls from business customers who have realised they have been scammed too late. Although customers may alert the bank straight away, the money is often already moved into cryptocurrency and beyond recovery. 

For example, a sole trader customer of CommBank received a call from a man with a British accent claiming to be from the security team.

He advised her that a suspicious payment had been made from her account, and that he needed her to help him access her facility so he could help. As she couldn’t log in when she tried, the customer believed the caller. The victim had provided the caller with enough information for him to already reset the password and when she tried to log in, her password no longer worked.

The customer provided the scammer with the answers to her security questions and generated three e-tokens over the course of the call. As the scammer was able to access the CommBiz facility the client lost $700,000 from their business account.

No business is immune to scams and fraud

The average cost per cybercrime report rose to over $39,000 for small business, $88,000 for medium business, and over $62,000 for large business, according to the ACSC.³  The reported losses from phone scams in 2022 totalled $141 million.⁴

Scammers succeed because we lead busy lives, and many of us multi-task throughout the day. And they don’t just target owners – they target employees too. All a scammer needs is for the target’s mind to not be 100% focussed on the present. They don’t want you or your employees to have time to think, which is why phones are the second-most popular (29%) way scammers contact their targets.⁵  A scammer wants their target off-balance. They don’t need them to be high up in the business to use them to steal.

No business is safe from fraud. Any business, regardless of size or industry, can be successfully targeted. Key to thwarting these attempts is noticing if there is an unusual, unexpected sense of urgency, or something else doesn’t feel right. Remember: stop, check, and reject.

You are the first and last line of defence

Businesses should investigate potential vulnerabilities and implement best practice procedures, such as not having just one person responsible for creating and approving a payment. It’s vital that every employee knows to never give out e-tokens, passwords or answers to secret questions. 

Staff need to understand that tokens and e-tokens are as big a safeguard to a business’s finances as passwords or two-factor authentication and should never be given to another person. 

A bank will never ask you for this information. Your bank might ask for identifying information, like your name or date of birth, but they will never ask you what your PIN is, what your token is, or what your passwords are.

Whenever you have any doubt, hang up the phone and contact your bank directly on a number that you know – one that’s in your phone or on Google.

To learn more about how you can protect your business from scams and fraud, visit commbank.com.au/business-security