A simple email phishing attack impersonating big four bank NAB was reportedly sent to thousands of Australians yesterday, notifying them their account was disabled in an attempt to steal users’ banking details.
The subject line contained just the word “Notification”, and the email itself was nothing more than a four-line message telling customers their account had been “disabled”.
The malicious email then directed users to a website with a realistic-looking NAB login screen, inviting users to enter their NAB ID and password. The website included links to register for a NAB account and “forgotten password” prompts to boost the appearance of legitimacy.
The purpose of a phishing scam is to steal an unsuspecting user’s login details or personal data by posing as a legitimate company. Past examples have included emails appearing to be from Australia Post, Amazon, and Twitter.
In response, Fairfax reports NAB had successfully issued a takedown notice for the fake website, with a spokesperson saying “we remind customers, NAB will never ask you to confirm, update or disclose personal or banking information via email or text”.
The bank’s website advises customers to forward any malicious emails to spoof[at]nab.com.au and then delete the email.
Many recent phishing emails have relied on well-crafted and apparently legitimate websites to fool customers, and David Markus, founder of IT services company Combo, told SmartCompany this morning that setting up one of these fake sites is a matter of “a few hours work” for a cyber criminal.
“Once it’s created, a cyber criminal can create multiple copies of multiple different web servers and run the phishing attack over and over again,” he says.
“Phishing attacks have become a numbers game, with hackers looking for the cheapest and most efficient way to get dollars out of our bank accounts, and it’s all about the number of people they catch.
“If they make $100, that’s a good day.”
Markus says the scammers have chosen to pose as a big bank like NAB in the hope of increasing the number of users duped by the attack, since people are more likely to click on something they’re familiar with. However, on the spectrum of cyber attacks, Markus calls this one “relatively unsophisticated”.
“I would say these days it’s a relatively unsophisticated attack, but unfortunately there are enough unsophisticated recipients they’re going to keep catching enough people out to make it worthwhile,” he says.
Markus’ advice is to avoid clicking on any links in emails like these and instead to use traditional channels to check the status of your bank account.
“If someone sends you something that you click on and it wants you to enter your password, don’t,” he says.
“Go via the company’s homepage or however you would usually check your account. Never follow any links in emails that ask for your username or password.”
SmartCompany contacted NAB but was not provided with a statement prior to publication.