Today a colleague gleefully forwarded me a Westpac phishing scam received via email, advising them that their bank account had been compromised. Funny though, this person has never banked with Westpac. This was a blatant, though nearly convincing, Westpac phishing scam.
Phishing is an attempt by an attacker to get you to divulge sensitive information such as usernames and passwords. The attacker makes contact through email, SMS, phone call or any other form of communication. Attempts range from unsophisticated random mail-outs to far more dangerous targeted campaigns.
Unsophisticated phishing attempts know nothing about you at all (not even whether you bank with Westpac) and use a "shotgun" approach to finding victims: they send thousands or even millions of messages in the hope that a handful will successfully scam someone. These attempts are generally poorly put together and often contain glaringly obvious spelling and grammatical errors.
Sophisticated attacks (spear phishing) are targeted and usually contain a few accurate facts about you. For starters, the attacker knows you are a Westpac customer rather than guessing. An email warning you of an account breach may include your name, your user ID or account number, your address, or even something personal like your mother's maiden name, details typically harvested from earlier data breaches or public sources. By including this information, the attacker is trying to build your trust so that you'll click their link.
What does the attacker want? Usually your username and password for an online service, whether that is your online banking or your email account. Once they have these, they hijack the account and use it for their own nefarious activities. If it's a bank or PayPal account, they'll attempt to bleed it dry. They may also use your hijacked account to scam others, making you out to be the bad guy (e.g. PayPal scams). Lastly, they may simply want you to click a link so they can infect your device with a virus, worm or trojan to steal more information, or to recruit your device into their botnet (a discussion for another day).
How Do You Identify a Westpac Phishing Scam?
For starters, a reputable bank will NEVER email, SMS or call you asking for your password, PIN or full login details, and will never send you a link to "verify" them. Some other things to look out for include:
- You have never had business dealings with the service the attacker claims to be from.
- Obvious spelling and grammatical errors in the communication.
- Similar, but not quite right, URLs (web addresses), e.g. http://westpacsecurity.com/ instead of the usual https://westpac.com.au. Read the address from the right: the part just before the first single slash is the site you are actually talking to, so a brand name appearing earlier in the hostname (as a subdomain) or in the path means nothing.
- The page loads over plain "http://" instead of encrypted "https://" (TLS, still commonly called SSL). Browsers show a padlock icon for an encrypted connection. The caveat: the padlock only means your connection to the address shown is encrypted; it says nothing about who owns that address, and phishing sites routinely obtain valid certificates. A missing padlock on a bank login page is a red flag, but a present one is not a green light.
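As an added example (this is not code from the original post), here is a small Python scanner that pulls every link out of a message and applies the two address checks above: whether the part of the hostname that someone actually owns is the bank's genuine domain, and whether the link is plain http. The genuine-domain list, the tiny public-suffix table, the hypothetical look-alike hostnames and the sample message are all assumptions constructed for the example; a real tool would use the Public Suffix List instead of the hard-coded table.

```python
"""Spot look-alike links in a suspicious message (added example, not from the original post)."""
import re
from urllib.parse import urlsplit

# Assumption: the bank's one genuine registrable domain.
GENUINE_DOMAINS = {"westpac.com.au"}

# Two-label public suffixes this example knows about. A production tool
# should use the Public Suffix List (e.g. the `tldextract` package); this
# hard-coded set is an assumption that keeps the example offline.
TWO_LABEL_SUFFIXES = {"com.au", "net.au", "org.au", "co.uk", "co.nz"}

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)
ANCHOR_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.IGNORECASE | re.DOTALL)


def registrable_domain(host: str) -> str:
    """Return the part of a hostname that its owner actually registered.

    Read from the right: 'online.westpac.com.au' -> 'westpac.com.au', but
    'westpac.com.au.example.net' -> 'example.net' (the brand name is only a
    subdomain of a domain somebody else controls).
    """
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def check_url(url: str) -> list[str]:
    """Return the reasons one URL looks like a phishing link (empty list = no flags)."""
    reasons = []
    parts = urlsplit(url)
    host = parts.hostname or ""
    # Plain http is a red flag, but https alone proves nothing: phishing
    # sites get valid certificates too, so the ownership check below is
    # the one that matters.
    if parts.scheme.lower() != "https":
        reasons.append("not https")
    if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
        reasons.append("raw IP address instead of a hostname")
    if "@" in parts.netloc:
        reasons.append("'@' in the address hides the real host")
    owner = registrable_domain(host)
    if owner not in GENUINE_DOMAINS:
        reasons.append(f"owned by {owner!r}, not the genuine domain")
        brand = next(iter(GENUINE_DOMAINS)).split(".")[0]  # 'westpac'
        if brand in host:
            reasons.append("brand name used inside a domain the brand does not own")
    return reasons


def scan_message(body: str) -> dict[str, list[str]]:
    """Map every link in the message body to its list of warnings."""
    findings = {}
    # HTML anchors first: the visible text can show the real bank while the
    # href points somewhere else entirely.
    for href, text in ANCHOR_RE.findall(body):
        reasons = check_url(href)
        shown = URL_RE.search(text)
        if shown:
            shown_owner = registrable_domain(urlsplit(shown.group(0)).hostname or "")
            if shown_owner != registrable_domain(urlsplit(href).hostname or ""):
                reasons.append("link text shows a different site than the href")
        findings[href] = reasons
    # Then bare URLs in the remaining plain text.
    for url in URL_RE.findall(ANCHOR_RE.sub(" ", body)):
        url = url.rstrip(".,;:)")
        findings.setdefault(url, check_url(url))
    return findings


# Constructed sample message, modelled on the kind of email described above.
SAMPLE_MESSAGE = """\
Dear Valued Customer,
We have detected unusual activity on your account. Please verify your details
at http://westpacsecurity.com/verify within 24 hours or it will be suspended.
<a href="http://westpac.com.au.account-check.net/login">https://westpac.com.au</a>
Alternatively use https://online.westpac.com.au/ to log in.
"""

if __name__ == "__main__":
    for link, reasons in scan_message(SAMPLE_MESSAGE).items():
        print(link, "->", reasons or "no flags")
```

Run against the sample, the two booby-trapped links are flagged (wrong owner, brand name in someone else's domain, plain http, and a link whose visible text disagrees with its href) while the genuine online.westpac.com.au link comes back clean. The ownership check is deliberately independent of the http/https check, because a padlock on westpacsecurity.com would pass the second test and still be a scam.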
Have you been paying attention? If so, you should be able to easily tell the genuine Westpac website from the Westpac phishing scam website shown below.
Have you come across any Phishing scams in the wild? Get in touch and let us know.