NAB and Amex banking customers targeted in slew of “well-designed” phishing scams

phishing scam

Aussie customers of banking and finance institutions American Express and NAB have been targeted in a slew of “well-designed” malicious phishing email attacks.

These attacks were picked up by local cybersecurity firm Mailguard, and targeted everyday customers of the two banks in an attempt to harvest their online banking login credentials and drain their funds.

The biggest of the two cyber attack attempts were targeted at NAB banking customers, with recipients receiving an email that their banking card was “locked”, and invited the user to follow a link to verify their account details and unlock their card.

While numerous errors are evident in the email, such as shoddy formatting and incorrect grammar, the email uses sentences such as “protection from fraud” to try and lull viewers into a false sense of security.

On clicking the link, recipients are taken to a fake NAB online banking login page, which — unlike the email — Mailguard says is “well-designed”, and could easily trick an unsuspecting SME owner.


The fake NAB webpage. Source: Mailguard.

The fake login page then asks users for their identity credentials and banking details, which would easily allow them to steal funds or impersonate users.

The NAB scam was detected just yesterday, however, a similar scam targeted at Amex customers was sent out by cybercriminals towards the end of last week. This email is better designed than the NAB scam and looks like a genuine Amex statement notification.

The email invites users to view their online statement by clicking on a link, which takes recipients to a similar phishing page with a similar goal of harvesting credentials.

The Amex email. Source: Mailguard.

In the case of both phishing scams, both can easily be spotted as fakes by the emails they were sent from. The NAB email was sent from, and the Amex one from, neither of which are official NAB or Amex email addresses.

Both NAB and Amex are the subject of numerous phishing scams per month, with the former company issuing five notifications about scam emails on their website in August alone.

Both companies advise their users to be wary of phishing scams and to never release sensitive details to an unknown person or organisation. If customers believe they have received a phishing scam email, they can forward it to either or

Phishing emails costing businesses millions

Phishing emails have long been a blight on businesses big and small, and in recent years numerous examples have popped up of businesses who have inadvertently lost thousands thanks to accidentally handing over financial account access to hackers.

In May, the ACCC reported that over $4.7 million was stolen from Australian businesses in 2017 by hackers, up 23% from the previous year. Businesses with fewer than 20 employees were most likely to be targeted, the ACCC found.

“Scammers don’t discriminate and businesses have what scammers want: money. They’ll use a variety of cons to swindle busy workers and it can be very devastating to a business’s bottom line,” ACCC deputy chair Michael Schaper said at the time.

According to the Scamwatch Twitter account, over $56,000 was reported to be lost to phishing scams in the week from July 30 to August 5 alone.

From time to time, the malicious payloads located in emails can be even worse, turning out to be malware that locks down your system or ransomware that forces you to cough up for your data.

Cybersecurity experts have often told SmartCompany readers to be careful when it comes to unknown emails in your inbox, with founder of IT services firm Combo David Markus warning businesses to never click, ever.

“If someone sends you something that you click on and it wants you to enter your password, don’t,” he said at the time.

“Go via the company’s homepage or however you would usually check your account. Never follow any links in emails that ask for your username or password.”

NOW READ: Federal court targeted in cyber attacks: Five tips to protect your business

Passionate about the state of Australian small business? Join the Smarts Collective and be a part of the conversation.


Notify of
1 Comment
Newest Most Voted
Inline Feedbacks
View all comments
3 years ago

Reporting these types of scams to government departments including ACORN and the police is a total waste of time. They do absolutely nothing and appear to be totally disinterested. It’s as if reporting the matter will be ‘the fix’.
If the Government was really concerned about these types of attack, it would actually do something about them by having one entity being able to block the websites they use and taking down the phone numbers contained in emails.

SmartCompany Plus

Sign in

To connect a sign in method the email must match the one on your SmartCompany Plus account.
Or use your email
Forgot your password?

Want some assistance?

Contact us on: or call the hotline: +61 (03) 8623 9900.