Imitating leading financial institutions such as banks is a common trick adopted by cybercriminals to gain access to users’ confidential data. MailGuard intercepted multiple variations of a large-scale phishing email scam purporting to come from National Australia Bank (NAB).
The first variation of the email comes from a large number of compromised accounts and uses the display name “NAB Support”. The message body is formatted and uses the heading “a message from NAB Internet Banking”.
The email then advises the ‘customer’ that their password was entered incorrectly more than 3 times and that the security team had to suspend their accounts and all funds inside. To release the hold on the account, they are advised to either visit one of the bank's branches or follow the activation link provided.
Here is a screenshot of the email:
Unsuspecting recipients who click on the link are led to a NAB phishing page, shown below:
The site appears to be laid out for mobile devices. Once the user logs in with their NAB ID and password, they are asked to enter some additional personal information:
Once they complete this second form, users are redirected to the actual NAB website.
Similar to the first variation of emails, the second variation also comes from a number of compromised accounts. They contain a plain text message body and advise the recipient that they have received an Osko deposit, with the amount shown. For more information about the payment, they are asked to follow the link "View transaction history". These emails use the display name “NAB”. Here is a screenshot of the email:
Unlike the first email body, this email isn’t well-formatted. However, when the user opens the link, they are taken to a convincing copy of the NAB internet banking login page. This page contains high-quality graphical elements to boost the legitimacy of the email scam:
Once the user enters their NAB ID and password here, they are redirected to the actual NAB internet banking login page.
While this email scam incorporates the logo, branding and name of the bank in several places, it raises several red flags that point directly to the email being a scam. For example, the email of the second variation is poorly worded and contains grammatical mistakes such as ‘you have received Osko deposit’.
To reduce the risk of being tricked by one of these scams, you should immediately delete any emails that:
- Appear to be from a well-known organisation, typically a bank or service provider, but are not addressed to you by name and may include poor grammar.
- Ask you to click on a link within the email body in order to access their website – your bank will always ask you to go to their website directly by typing their URL into your web browser address field, as a precautionary security measure.
- Ask you to submit personal information that the sender should already have access to.
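The first two red flags, together with the display names this campaign used, can be expressed as a mail-filter heuristic. This is an added example, not MailGuard's code; the brand-to-domain map (`nab.com.au`), the flag names and both sample messages are assumptions constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumption: brand keyword -> domains that brand really sends from and links to.
BRAND_DOMAINS = {"nab": {"nab.com.au"}}
GENERIC_GREETING = re.compile(
    r"^\s*(dear|hello|hi)\s+(customer|client|user|member)\b", re.I | re.M)
URL_HOST = re.compile(r"https?://([^/\s\"'<>]+)", re.I)

def owned(host: str, domains: set[str]) -> bool:
    """True if host is one of the brand's domains or a subdomain of one."""
    host = host.lower().split(":")[0]
    return any(host == d or host.endswith("." + d) for d in domains)

def red_flags(raw_message: str) -> list[str]:
    """Return which red flags a plain-text RFC 5322 message trips."""
    msg = message_from_string(raw_message)
    display, addr = parseaddr(msg.get("From", ""))
    body = msg.get_payload()
    flags = []
    for brand, domains in BRAND_DOMAINS.items():
        if not re.search(rf"\b{re.escape(brand)}\b", display, re.I):
            continue  # display name does not claim this brand
        if not owned(addr.rpartition("@")[2], domains):
            flags.append("display-name-mismatch")
        if any(not owned(h, domains) for h in URL_HOST.findall(body)):
            flags.append("off-brand-link")
    if GENERIC_GREETING.search(body):
        flags.append("generic-greeting")
    return flags

# Constructed samples (not real messages); .example hosts are placeholders.
PHISH = """\
From: "NAB Support" <j.smith@compromised.example>
Subject: A message from NAB Internet Banking

Dear Customer,
Your password was entered incorrectly more than 3 times.
Activate your account: http://activate.phish.example/login
"""
LEGIT = """\
From: "NAB" <alerts@nab.com.au>
Subject: Your statement is ready

Hi Alex,
Your statement is ready. Type our address into your browser to log in.
"""
```

Because these emails are sent from compromised accounts, the check compares the display name against the address behind it rather than trusting the sending account itself.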
NAB offers a secure online and telephone banking service – if you are concerned about the legitimacy of any online communication you receive, please call them to confirm.
Banks commonly hold a well-established and trusting relationship with customers, so when cybercriminals are looking for good trademarks to use in their email attacks they often brandjack banks.
MailGuard intercepted several other instances of cybercriminals brandjacking well-known banks such as BankWest just last week.