YouTube fined $170m for covertly tracking kids online
10+ ways to get the most out of Outlook categories
Show all

Commonwealth Bank spoofed in phishing email containing fake ‘security message’


Commonwealth Bank (CommBank) customers – be on the lookout for an email claiming to be from the bank. Cybercriminals has spoofed the bank in a phishing email scam that is currently infiltrating inboxes.

MailGuard intercepted the first of these fraudulent emails on Thursday, 5th of September in the morning (AEST). Sent via a single compromised email address, the email uses a display name of ‘Commonwealth Bank of Australia’. The body of the email is addressed to a ‘Valued Customer’, and informs recipients that they have ‘1 IMPORTANT-security message(s) from NetBank Security team’.

A link is provided to log into NetBank and view the message.

Here is a screenshot of the email:

commonwealth edited


Unsuspecting recipients who click on the link are led to web page that’s nearly identical to the authentic Commonwealth NetBank log in page. This is a phishing page with fake CommBank branding. The user is requested to insert their login credentials that are harvested once they provide information on all required fields. The user is then redirected to the actual Commonwealth web portal.

Here is a screenshot of the page:

commonwealth url


CommBank is one of Australia’s best known and most trusted brands, so it is irresistible to phishing scammers.

Despite the fact that cybercriminals went to great lengths to ensure this phishing page looks legitimate, this scam was not as cleverly designed as some of the ones we see here at MailGuard.

One reason is that the phishing email in itself contains formatting and grammatical errors, such as ‘To read the message Click here to logon to NetBank’. This is an obvious red flag for anyone who is vigilant enough to spot fake email scams.

This is another reminder for those who utilise online banking, to pay close attention to the emails they receive from their banks. To best protect yourself, it is imperative that you do not click any link contained within an email, especially if it does not address you by name (as in the scam above). It is best practice to type the website URL into your browser or use the official banking app in this instance.

As banks have been a major target for scammers, they have also been working hard to distinguish their legitimate correspondence from the ‘fakes’ and educating their customers on best security practices. This is also why any legitimate correspondence from your bank won’t have links to their website. Banks will instead ask you to manually enter it into your internet browser. Also, if you are ever unsure if it is your bank genuinely trying to reach you, simply contact them directly to confirm.

As a precaution, we urge you not to click links within emails that:

  • Are not addressed to you by name.
  • Appear to be from a legitimate company but use poor English or omit personal details that a legitimate sender would include.
  • Are from businesses that you were not expecting to hear from.
  • Take you to a landing page or website that is not the legitimate URL of the company the email is purporting to be sent from. The Commonwealth Bank login page is: https://www.my.commbank.com.au/netbank/Logon/Logon.aspx 

Commonwealth Bank offers a comprehensive online resource to help identify and report scams purporting to be from them. You can verify the authenticity of any contact you aren’t sure about, or report phishing, by calling 132 221 or emailing them at hoax@cba.com.au.