Businesses warned of a malicious NAB email scam: Expert warns “unsophisticated” attacks can still hit you


A simple email phishing attack impersonating big four bank NAB was reportedly sent to thousands of Australians yesterday, notifying them their account was disabled in an attempt to steal users’ banking details.

Mailguard reports the email was sent around on Thursday afternoon, stemming from a legitimate looking email address,””.

Read more: Businesses lost over $3 million to scams in 2016

The subject line included just the word “Notification” with the email itself being nothing more than a four line message telling customers their account had been “disabled”.

The malicious email then directed users to a website with a realistic-looking NAB login screen, inviting users to enter their NAB ID and password. The website included links to register for a NAB account and “forgotten password” prompts to boost the appearance of legitimacy.

The purpose of a phishing scam is to steal an unsuspecting users’ login details or personal data by posing as a legitimate company. Examples in the past have included emails appearing to be from Australia Post, Amazon, and Twitter.

In response, Fairfax reports NAB had successfully issued a takedown notice for the fake website, with a spokesperson saying “we remind customers, NAB will never ask you to confirm, update or disclose personal or banking information via email or text”.

On the bank’s website, it advises customers to forward any malicious emails to spoof[at] and then delete the email.

Source: Mailguard

Many recent phishing emails have relied on well-crafted and apparently legitimate websites to fool customers, and founder of IT services company Combo David Markus told SmartCompany this morning that setting one of these fake sites up is a matter of “a few hours work” for a cyber criminal.

“Once it’s created, a cyber criminal can create multiple copies of multiple different web servers and run the phishing attack over and over again,” he says.

“Phishing attacks have become a numbers game, with hackers looking for the cheapest and most efficient way to get dollars out of our bank accounts, and it’s all about the number of people they catch.

“If they make $100, that’s a good day.”

Markus says the scammers have chosen to pose as a big bank like NAB in hopes of increasing the number of users duped by the attack, saying people are more likely to click on something they’re familiar with. However, on the spectrum of cyber attacks, Markus call this one “relatively unsophisticated”.

“I would say these days it’s a relatively unsophisticated attack, but unfortunately there are enough unsophisticated recipients they’re going to keep catching enough people out to make it worthwhile,” he says.

Markus’ advice is to avoid clicking on any links in emails like these ones and instead using traditional channels to check the status of your bank account.

“If someone sends you something that you click on and it wants you to enter your password, don’t,” he says.

“Go via the company’s homepage or however you would usually check your account. Never follow any links in emails that ask for your username or password.”

SmartCompany contacted NAB but was not provided with a statement prior to publication.

Never miss a story: sign up to SmartCompany’s free daily newsletter and find our best stories on TwitterFacebookLinkedIn and Instagram.


Notify of
Inline Feedbacks
View all comments
SmartCompany Plus

Sign in

To connect a sign in method the email must match the one on your SmartCompany Plus account.
Or use your email
Forgot your password?

Want some assistance?

Contact us on: or call the hotline: +61 (03) 8623 9900.