A phishing email encouraging NAB users to log in to a fake bank website fooled nearly half its recipients according to a survey by Avast.

Cybersecurity company Avast surveyed 1045 Australian users, asking them to spot the fake bank website when shown a fake and a real NAB website side by side. A staggering 46.4% chose the fake. And it is not just NAB – ANZ, Westpac et al. have fake bank website issues.

It is scary how easy it is for cybercriminals to create a seemingly kosher (genuine and legitimate) fake bank website that fools nearly half of the people who see it. It is then just as easy to send a socially engineered email urging unsuspecting bank customers to log in, so that their banking login and password are stolen.

[Image: fake NAB website] Fake or real? The one above is a convincing fake.
[Image: real NAB website] Fake or real? The one above is real.

It gets worse – fake bank websites have caused 15.3% to reveal their personal details. Of those

  • 61.3% had been a victim of email phishing
  • 21.3% had fallen for smishing (SMS phishing)
  • 32.5% had fallen for vishing (phone phishing)
  • 31.3% had clicked through to a phishing website

Michal Salat, Director of Threat Intelligence at Avast said,

“Phishing continues to be one of the leading attack methods because it allows cybercriminals to target people at scale. They use social engineering – it is easier to trick a person than to hack into a system. In October 2019, we blocked 370,338 phishing attempts targeting 63,577 of our Australian users.”

“Phishing can come in many forms, including over the phone, via messages such as SMS, and even in person. However, the most common form of phishing is online, via phishing links. Phishing links leading to malicious websites come in emails that appear to come from legitimate sources. They can also be attached to messages sent on social networking sites and apps, like Facebook and WhatsApp, and they can even misleadingly appear in search engine results.”

How to avoid phishing

  • Most AV solutions (including Avast) have good phishing detection capabilities, so install one on any device you read email on
  • Never click a link without checking it first. In the case of NAB, look for the root domain name NAB.COM.AU – not a lookalike that buries the bank’s name in a long subdomain, such as NationalAustraliaBank.login.customer…XYZ.ca (where the real domain is XYZ.ca), or a Bit.Ly or TinyURL short link that completely hides the real URL
  • HTTPS (the padlock) is no guarantee of legitimacy – it only means the connection is encrypted, and a fake site can have it too. It is far better to type the bank’s address yourself and log in from there.
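The “look for the root domain” tip above, worked through in code as an added example (not from the article or Avast). It assumes a small stand-in list of multi-label suffixes instead of the full Public Suffix List, and the sample links are constructed for illustration.

```python
"""Check whether a link really points at a bank's registered domain."""
from urllib.parse import urlsplit

# Simplified stand-in for the Public Suffix List (assumption: a real
# check would load the full list so every country suffix is covered).
MULTI_LABEL_SUFFIXES = {"com.au", "net.au", "org.au", "co.uk", "co.nz"}

# Well-known URL shorteners hide the destination entirely.
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl"}

# Constructed sample links with the verdict a careful reader should reach.
SAMPLE_LINKS = {
    "https://www.nab.com.au/personal/login": "genuine",
    "https://nationalaustraliabank.login.customer.xyz.ca/": "lookalike",
    "https://nab.com.au@xyz.ca/login": "lookalike",  # bank name as userinfo
    "https://nab.com.au.evil.example/": "lookalike",  # bank name as subdomain
    "https://bit.ly/3abcDEF": "shortener",
}


def registrable_domain(hostname: str) -> str:
    """Return the owner-controlled part of a hostname (eTLD+1).

    'www.nab.com.au' -> 'nab.com.au'; 'a.login.xyz.ca' -> 'xyz.ca'.
    """
    labels = hostname.lower().rstrip(".").split(".")
    keep = 3 if ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES else 2
    return ".".join(labels[-keep:])


def check_bank_link(url: str, bank_domain: str = "nab.com.au") -> str:
    """Classify a link as 'genuine', 'shortener' or 'lookalike'.

    Only the registrable domain counts: the bank's name appearing in a
    subdomain, or before an '@', proves nothing about who owns the site.
    """
    parts = urlsplit(url if "://" in url else "https://" + url)
    host = parts.hostname  # urlsplit drops userinfo ('nab.com.au@') and port
    if not host:
        return "lookalike"
    root = registrable_domain(host)
    if root in SHORTENERS:
        return "shortener"  # destination unknown until the redirect resolves
    return "genuine" if root == bank_domain.lower() else "lookalike"


def classify_all(links=SAMPLE_LINKS) -> dict:
    """Run the check over a batch of links and return url -> verdict."""
    return {url: check_bank_link(url) for url in links}


if __name__ == "__main__":
    for url, verdict in classify_all().items():
        print(f"{verdict:10} {url}")
```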

If you intend to shop online, please read our guide to Staying Safe during cyber sales and our guide to avoiding ID theft.

GadgetGuy presents any news from cybersecurity companies that helps readers stay safe. Fake websites and phishing emails abound – we get dozens a day.