Fake NAB E-mails

Imitating leading financial institutions such as banks to gain access to users’ confidential data isn’t exactly a new trick adopted by cybercriminals, but it is still one to be wary of. MailGuard intercepted one such phishing email scam purporting to come from National Australia Bank (NAB).

Using a display name of ‘Nab DEFENCE’, the emails actually come from one of several malicious senders. They inform recipients about a recent funds transfer that is suspected to not have been initiated by the recipient. To cancel the transaction, the email directs recipients to click on a link.

Here is a screenshot of the email:

[Screenshot: NAB phishing run]

Recipients who click on the link are led to a fake NAB website, designed to trick users into entering in their bank login details.

This message contains several typical elements of a phishing email:

  • use of a major brand name to inspire false trust: the ‘from’ field shows ‘Nab’ as the sender;
  • false urgency: telling the recipient that a suspicious transfer has been made in their name creates a sense of anxiety;
  • a startling subject line: ‘CRITICAL: Transfer Dispute’ urges the recipient to take immediate notice and action.

The elements above are meant to convince the phishing victim they are taking appropriate action by clicking on the links.

Although it claims to be a bank notification, this is not an exceptionally well-made phishing email; it displays several errors in the text formatting and sentence construction. Grammatical errors, such as ‘If you don’t have initiated this transfer’, should be a big red flag alerting recipients to the inauthenticity of the email.
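The indicators listed above (a bank's name in the display name, an urgent subject line, a link whose destination is not where it claims to lead) are exactly the kind a mail filter can check mechanically before a recipient ever sees the message. The triage script below is an added example, not MailGuard's code; it assumes nab.com.au is the bank's legitimate sending domain and uses constructed placeholder domains for the malicious sender and landing page.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumed: brands to watch and the domains each legitimately sends from
BRAND_DOMAINS = {"nab": {"nab.com.au"}}
URGENCY_WORDS = ("CRITICAL", "URGENT", "IMMEDIATELY", "SUSPENDED")
# Simple anchor matcher: good enough for triage, not a full HTML parser
ANCHOR_RE = re.compile(r'<a\s[^>]*href="([^"]*)"[^>]*>(.*?)</a>', re.I | re.S)

def on_brand_domain(host, legit_domains):
    """True when host is one of the brand's domains or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in legit_domains)

def triage(raw_email):
    """Return human-readable phishing indicators found in one raw RFC 5322 message."""
    msg = message_from_string(raw_email)
    name, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rpartition("@")[2].lower()
    findings = []
    for brand, legit in BRAND_DOMAINS.items():
        # Brand in the display name while the real address is not the brand's domain
        if brand in name.lower() and not on_brand_domain(sender_domain, legit):
            findings.append(f"display name '{name}' but sender domain is '{sender_domain}'")
    subject = msg.get("Subject", "")
    if any(word in subject.upper() for word in URGENCY_WORDS):
        findings.append(f"urgency cue in subject: '{subject}'")
    body = msg.get_payload(decode=True).decode(msg.get_content_charset() or "utf-8", "replace")
    for href, text in ANCHOR_RE.findall(body):
        host = (urlparse(href).hostname or "").lower()
        text = re.sub(r"<[^>]+>", "", text).strip()  # strip nested tags from anchor text
        for brand, legit in BRAND_DOMAINS.items():
            # Link text or URL mentions the brand, but the destination host is not the brand's
            if brand in (text + href).lower() and not on_brand_domain(host, legit):
                findings.append(f"link text '{text}' actually points to host '{host}'")
    return findings

# Constructed sample modelled on the page's description; domains are placeholders
SAMPLE = """\
From: Nab DEFENCE <alerts@mail-example.net>
Subject: CRITICAL: Transfer Dispute
Content-Type: text/html; charset=utf-8

<p>If you don't have initiated this transfer, cancel it now:</p>
<a href="http://nab-secure.example.net/login">https://www.nab.com.au/cancel</a>
"""

if __name__ == "__main__":
    print("\n".join(triage(SAMPLE)))
```

Running it against the constructed sample reports all three indicators; a message from the bank's own domain with a neutral subject and no disguised links produces none.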

This phishing campaign is very similar to other recent online banking scams, which have also targeted customers of Westpac bank and ANZ. With more customers now managing their finances online, cybercriminals are employing a wide range of techniques to trick users into surrendering their account details and funds.

What is “phishing”?

Phishing is the practice of tricking email recipients into revealing personal information that criminals can exploit for gain. 

Phishing emails go to a wide group of random people; it’s like a fisherman casting a wide net to see what he can catch. The attackers know that not everyone will respond, but they know that if they send enough emails out somebody will probably take the bait.

A phishing attack message will typically include a link that sends the unwary victim to a fake login website. Once there, the user is asked to enter a username and password, which the phishing page captures automatically.

Scammers use phishing pages to collect login credentials for email accounts, bank accounts, and a wide range of other online services.