A phishing email encouraging NAB users to log in to a fake bank website fooled nearly half its recipients according to a survey by Avast.
Cybersecurity company Avast surveyed 1045 Australian users, asking them to spot the fake bank website, in this case a choice between a fake and the real NAB website. A staggering 46.4% chose the fake. And it is not just NAB: ANZ, Westpac et al. have fake bank website issues.
It is scary how easy it is for cybercriminals to create a seemingly kosher (genuine and legitimate) fake bank website that fools nearly half its users. Then it is so easy to send a socially engineered email to urge unsuspecting bank users to log in and have their banking login and password stolen.
It gets worse: fake bank websites have caused 15.3% to reveal their personal details. Of those:
61.3% had been a victim of email phishing
21.3% had fallen for smishing (SMS phishing)
32.5% had fallen for vishing (phone phishing)
31.3% had clicked through to a phishing website
Michal Salat, Director of Threat Intelligence at Avast, said:
“Phishing continues to be one of the leading attack methods because it allows cybercriminals to target people at scale. They use social engineering – it is easier to trick a person than to hack into a system. In October 2019, we blocked 370,338 phishing attempts targeting 63,577 of our Australian users.”
“Phishing can come in many forms, including over the phone, via messages such as SMS, and even in person. However, the most common form of phishing is online, via phishing links. Phishing links leading to malicious websites come in emails that appear to come from legitimate sources. They can also be attached to messages sent on social networking sites and apps, like Facebook and WhatsApp, and they can even misleadingly appear in search engine results.”
How to avoid phishing
Most AV solutions (including Avast) have good phishing detection capabilities, so install one on any device you read email on.
Never click a link without checking it first. In the case of NAB, look for the root domain name NAB.COM.AU, not an obfuscated host name like NationalAustraliaBank.login.customer…XYZ.ca, where the bank’s name is only a prefix on someone else’s domain, or a Bit.Ly or TinyURL name that completely hides the real URL.
HTTPS sites are no guarantee of security. It is far better to go to the bank’s website directly and log in from there.
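The "look for the root domain" check above can be automated. The following Python script is an added example, not code from the article or from Avast. It extracts the registrable (root) domain of a link and compares it with the bank's real domain, so that a long host name beginning with the bank's name, or a URL shortener that hides the destination, is flagged. The two-label suffix set and the shortener host set are small constructed subsets for illustration; a real tool would use the full Public Suffix List.

```python
"""Check whether a link really points at a bank's registered domain.

Added example (not from the article or Avast). It applies the advice to
look for the root domain (e.g. nab.com.au) instead of trusting the start
of a long host name or a URL shortener.
"""
from urllib.parse import urlsplit

# Constructed subset: two-label public suffixes this example recognises.
# A production tool would load the full Public Suffix List instead.
TWO_LABEL_SUFFIXES = {"com.au", "net.au", "org.au", "co.uk"}

# Constructed subset: shortener hosts whose final destination is hidden.
SHORTENER_HOSTS = {"bit.ly", "tinyurl.com"}


def registrable_domain(host):
    """Return the registrable (root) domain of a host name, e.g.
    'login.nab.com.au' -> 'nab.com.au', 'evil.xyz.ca' -> 'xyz.ca'."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) < 2:
        return host.lower()
    suffix_len = 2 if ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES else 1
    if len(labels) <= suffix_len:
        return ".".join(labels)
    return ".".join(labels[-(suffix_len + 1):])


def check_bank_link(url, expected_domain="nab.com.au"):
    """Return (ok, reason). ok is True only when the link's registrable
    domain equals expected_domain, it is not a shortener, and it uses HTTPS
    (HTTPS alone proves nothing, but a bank login page should never be plain
    HTTP)."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = parts.hostname or ""
    if not host:
        return False, "no host name in link"
    if host in SHORTENER_HOSTS:
        return False, "URL shortener %s hides the real destination" % host
    root = registrable_domain(host)
    if root != expected_domain.lower():
        return False, "registered domain is %s, not %s" % (root, expected_domain)
    if parts.scheme != "https":
        return False, "not HTTPS"
    return True, "link is under %s" % root


if __name__ == "__main__":
    # Constructed sample links for demonstration; none are real phishing URLs.
    for link in [
        "https://www.nab.com.au/personal/login",
        "https://nationalaustraliabank.login.customer.example.ca/",
        "https://nab.com.au.secure-login.example/",
        "https://bit.ly/abc123",
        "http://nab.com.au/",
    ]:
        print(link, "->", check_bank_link(link))
```

The key design point is that the comparison is made on the registrable domain, read from the right-hand end of the host name, never on whether the host name merely starts with or contains the bank's name. That is exactly what the long obfuscated names in the article rely on readers getting wrong.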