Banking Scams in Australia: CommBank, NAB, Westpac & ANZ
Banks removed 600+ fake websites in 2024. Learn how to protect yourself from banking impersonation scams.
Criminals impersonate Commonwealth Bank, NAB, Westpac, and ANZ through sophisticated SMS, email, and phone call scams. While NAB reported a 65% reduction in losses between 2023 and 2024 through improved security measures, banking scams remain a significant threat. NAB alone identified and assisted with the removal of 600 illegitimate websites impersonating the bank and its products in 2024. This represents just one bank's experience, suggesting thousands of fake banking sites exist across all Australian financial institutions.
A new and particularly alarming threat emerged in 2024: pop-up or "flash" SMS scams targeting Australians.
These messages, legitimately used overseas for emergency warnings, are being hijacked by criminals to impersonate banks. NAB has explicitly warned that it does NOT use pop-up SMS to contact customers. Understanding this and other banking scam tactics is essential because the sophistication of these attacks continues to increase even as banks improve their defences.
Common Banking Scam Types
Pop-Up / Flash SMS Scams (New in 2024)
Pop-up SMS scams, also called "flash" or "class 0 SMS," represent a dangerous new frontier in banking fraud.
These messages appear directly on your phone screen requiring immediate attention, even when your phone is locked. While this technology is legitimately used overseas for emergency warnings like natural disasters or public safety alerts, criminals are exploiting it in Australia to impersonate banks.
How it works: These messages appear to be from your bank, claiming suspicious activity or urgent security issues. The message bypasses your normal SMS inbox and demands immediate action, often including a phone number to call or a link to click. The format creates artificial urgency because the message blocks your screen and feels more official than a regular text.
NAB has explicitly stated it does not use pop-up SMS to contact customers. If you receive a pop-up SMS claiming to be from NAB or any Australian bank, it's a scam. Banks have moved away from unsolicited SMS with links specifically to combat impersonation, and they certainly don't use intrusive pop-up technology that disrupts your phone usage.
Fake Security Alert Messages
Scammers send SMS or emails claiming suspicious activity on your account, asking you to verify transactions or update your security details. These messages include links to fake banking websites designed to steal your login credentials. The fake sites look nearly identical to real banking portals, copying logos, colors, fonts, and layout perfectly. Only close examination of the URL reveals the fraud.
A typical scam message reads:
"CommBank: Suspicious transaction of $1,247 detected. Verify now to prevent account suspension" followed by a link.
The specific dollar amount makes it feel personalised and urgent. The threat of account suspension creates panic. The convenient link seems like the quick way to resolve the problem. Every element is carefully designed to bypass your critical thinking and get you clicking before you question whether the message is legitimate. Real banks send authenticated notifications through their official apps and never include links in unexpected security messages.
Callback Scams
Messages encourage you to call a particular number, claiming there's a problem with your account or suspicious activity that needs verification. When you call, scammers answer and impersonate representatives from Commonwealth Bank, Westpac, NAB, or ANZ. They use social engineering techniques to extract your personal information or passwords, or to convince you to transfer money to "safe" accounts they control.
They might claim your account has been compromised and you need to move money to a secure holding account while they investigate.
This "safe account" belongs to the criminals. The phone number you called might even be spoofed to appear legitimate if you try to verify it later. Real banks never ask you to call a number from an unsolicited message to verify account activity. They want you calling the number on your card, not arbitrary numbers in text messages.
Fake Banking Websites
ASIC reported taking down over 5,000 fake investment websites in 2024, many impersonating bank investment products. Scammers create near-perfect replicas of banking login pages to steal your credentials. The visual design is indistinguishable from legitimate sites. Small URL differences like "commbank-secure.com" instead of "commbank.com.au" or "nab-online.net" instead of "nab.com.au" are the only giveaway.
These fake sites capture your username and password when you try to log in, then often redirect you to the real banking site so you don't immediately realise you've been compromised. By the time you notice unauthorised transactions, criminals have already accessed your account and transferred funds.
Investment Scams Using Bank Names
Commonwealth Bank issued a warning about text messages impersonating CommSec and stockbrokers to offer fake investment opportunities. These scams promise high returns and use the bank's branding to appear legitimate. They might claim to be offering exclusive investment opportunities only available to CommBank customers, or pretend to be from the bank's investment division with urgent opportunities that require immediate action.
The bank's trusted name lends credibility to what would otherwise be obvious fraud. Real banks never send unsolicited investment offers via SMS, and legitimate investment opportunities don't require immediate decisions made through text message links.
How to Spot Banking Scams
Pop-up or flash SMS messages
Pop-up or flash SMS messages claiming to be from banks are automatic scam indicators. Australian banks don't use this technology to contact customers. If a message appears on your screen before you even unlock your phone and claims to be from your bank, it's fraudulent. Delete it immediately without calling any numbers or clicking any links.
Urgent threats
Urgent threats like "Account will be suspended," "Immediate action required," or "Suspicious activity detected" are designed to panic you into acting without thinking. Banks don't threaten account suspension via SMS. If there were genuine suspicious activity, you'd receive authenticated notifications through your banking app and could call the number on your card to verify. The urgency itself reveals the scam.
Links in SMS or email
Links in SMS or email claiming to be from banks should never be clicked. Major banks including NAB have removed links from unexpected customer text messages specifically to combat impersonation scams. If you receive a banking message with a link, that link is fraudulent regardless of how legitimate the message appears. Banks now instruct customers to access their accounts by typing the URL directly into a browser or using the official app.
Requests for passwords or PINs
Requests for passwords or PINs are absolute scam indicators. Banks NEVER ask for your full password, PIN, or card security code. They already have this information. If someone claiming to be from your bank asks for these details via phone, SMS, or email, you're talking to a criminal. Real bank representatives can verify your identity through other means and never need your password or PIN.
Callback requests
Callback requests in messages asking you to call a number to verify account activity are scam tactics. Real banks want you calling the number on the back of your physical card, not numbers provided in unsolicited messages. This is because criminals can control any number they provide in a message, but they can't control the official number printed on your card.
Messages appearing in legitimate threads
Messages appearing in legitimate threads exploit a vulnerability in SMS systems where scammers can spoof sender IDs. Just because a message appears in the same conversation thread as real bank messages doesn't mean it's legitimate. Scammers can make their messages appear to come from the same sender ID your bank uses. Verify any unexpected message by accessing your account through official channels rather than trusting the message thread.
Too-good-to-be-true investment offers
Investment offers claiming guaranteed returns or low-risk high-reward opportunities indicate fraud. Legitimate investments carry risk and legitimate financial advisors explain those risks clearly. If an investment opportunity arrives via SMS claiming to be from your bank and promises guaranteed high returns, it's a scam exploiting the bank's trusted name.
Bank-Specific Protection Measures
NAB has made significant progress in combating impersonation scams:
They reduced impersonation scam losses by 65% between 2023 and 2024, a remarkable achievement that demonstrates effective security measures can make a difference. Bank impersonation scam reports to NAB decreased by 45% in the same period, suggesting criminals are finding NAB customers harder to fool.
The bank worked with telecommunications companies to make it harder for criminals to infiltrate bank phone numbers and SMS threads, addressing the sender ID spoofing problem at a technical level.
NAB no longer uses links in unexpected customer text messages, eliminating the primary attack vector for SMS-based banking scams. This policy means NAB customers can now be certain that any unexpected text with a link claiming to be from NAB is fraudulent. The bank also identified and removed 600 illegitimate websites in 2024, though this represents an ongoing battle as new fake sites appear constantly.
Industry collaboration reached new levels in November 2024
ANZ, Commonwealth Bank, NAB, Suncorp Bank, and Westpac joined BioCatch Trust Australia, the world's first inter-bank, behaviour and device-based fraud and scams intelligence-sharing network. This allows banks to share information about scam tactics, suspicious patterns, and known criminal operations in real-time. Commonwealth Bank also joined the Australian Financial Crimes Exchange (AFCX) anti-scam intelligence loop. This cooperation means scam tactics discovered by one bank can quickly trigger protections across all participating institutions.
How to Protect Yourself
Before clicking any link or calling any number in a banking message, verify it with SafeAus.
Our smart detection identifies bank impersonation scams in under 5ms. Simply paste the suspicious message or URL into SafeAus for instant analysis. This verification takes seconds and could prevent thousands of dollars in losses or the nightmare of recovering from banking fraud.
Use official banking apps
Download your bank's official app from your device's app store and use it exclusively for checking balances, viewing transactions, and managing your account. Real banking apps provide authenticated notifications that can't be spoofed by scammers. If you receive a suspicious message about account activity, open your banking app directly rather than clicking links to verify if there's actually an issue.
Never click links in banking messages
Go directly to your bank's website or app by typing the URL yourself. Type "commbank.com.au" or "nab.com.au" directly into your browser address bar. Bookmark these official URLs so you always have quick access to the legitimate sites. This habit defeats the vast majority of banking phishing attempts.
Call the number on your card
If you receive a suspicious message, call your bank using the number on the back of your card, not the number provided in the message. Real customer service can verify whether they attempted to contact you and can see notes about outbound communications. If the message was a scam, calling the official number confirms that immediately.
Enable multi-factor authentication (MFA)
Even if scammers steal your password through phishing, MFA prevents them from accessing your account. Use authenticator apps rather than SMS-based MFA when possible, as SMS codes can potentially be intercepted through SIM-swapping attacks. Most Australian banks now strongly encourage or require MFA because it dramatically reduces successful fraud even when credentials are compromised.
Never share passwords, PINs, or security codes
Banks will never ask for your full password, PIN, or the three-digit security code on the back of your card. These requests always indicate scams. Real bank representatives can verify your identity and assist you without needing these details. If someone claiming to be from your bank asks for this information, hang up immediately and call the official number to report the scam attempt.
Check URLs carefully
Look for the padlock icon indicating a secure connection and verify the exact domain matches your bank's official site. "commbank.com.au" is legitimate while "commbank-secure.com" or "commbank.net.au" are fake. Scammers use domains that look similar but aren't quite right. These small differences are easy to miss if you're not paying attention, which is why typing the URL yourself is safer than clicking links.
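The exact-domain check described here and under Fake Banking Websites, as an added example (not code from SafeAus or any bank): it classifies a link against the four official domains listed on this page. The function names and verdict labels are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit

# Official domains as listed on this page, mapped to the bank name.
OFFICIAL = {
    "commbank.com.au": "Commonwealth Bank",
    "nab.com.au": "NAB",
    "westpac.com.au": "Westpac",
    "anz.com.au": "ANZ",
}
# Brand token = first label of each official domain ("commbank", "nab", ...).
BRANDS = {domain.split(".")[0]: bank for domain, bank in OFFICIAL.items()}


def split_link(url: str):
    """Return (scheme, hostname) in lowercase; accepts links pasted without a scheme."""
    url = url.strip()
    has_scheme = "://" in url
    # Prefixing "//" makes urlsplit treat the first component as the host.
    parts = urlsplit(url if has_scheme else "//" + url)
    scheme = parts.scheme.lower() if has_scheme else ""
    return scheme, (parts.hostname or "").rstrip(".")


def classify_bank_url(url: str):
    """Return (verdict, bank): 'official', 'not-https', 'lookalike' or 'unrelated'."""
    scheme, host = split_link(url)
    for domain, bank in OFFICIAL.items():
        # Exact match or a true subdomain. A substring or prefix test would
        # wrongly accept hosts that merely contain the official name.
        if host == domain or host.endswith("." + domain):
            if scheme and scheme != "https":
                return ("not-https", bank)
            return ("official", bank)
    # Not an official host: does it borrow a bank's name as a whole token?
    # Whole-token matching avoids flagging unrelated words that contain "nab" or "anz".
    for token in re.split(r"[.-]", host):
        if token in BRANDS:
            return ("lookalike", BRANDS[token])
    return ("unrelated", None)


if __name__ == "__main__":
    # The first four links are the examples quoted on this page; the last is constructed.
    for link in ("https://www.commbank.com.au/", "commbank-secure.com",
                 "nab-online.net", "commbank.net.au",
                 "https://commbank.com.au.example/login"):
        print(f"{link:40} {classify_bank_url(link)}")
```

A padlock only means the connection is encrypted, so the verdict here rests on the hostname match rather than on HTTPS alone.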
Be skeptical of urgency
Banks don't demand immediate action or threaten account closure via SMS. If a message creates artificial urgency claiming you must act within hours to prevent account suspension or stop fraudulent transactions, that urgency itself indicates fraud. Real banking issues can be resolved at your convenience through official channels.
Monitor your accounts regularly
Set up alerts in your banking app for all transactions so you're immediately notified of any activity. Early detection of fraud allows faster response and better chances of recovering funds. Small unauthorised charges often precede larger theft as scammers test whether stolen card details work, so catching these early prevents escalation.
What to Do If You've Been Scammed
If you've clicked a fake banking link, provided information, or transferred money to scammers, immediate action can limit the damage.
Time is absolutely critical in banking fraud cases.
Contact your bank immediately
Call the number on the back of your card. Many banks have fraud teams that can stop transactions, freeze accounts, or reverse transfers if contacted quickly enough. Explain exactly what happened: what information you provided, what links you clicked, what transfers you made. The more detail you provide, the better they can protect your account. Don't worry about embarrassment. Bank fraud teams deal with these situations constantly and are focused on preventing further losses, not judging customers.
Change passwords immediately
Especially if you entered credentials on a fake site. Use a different device if possible in case your original device was infected with malware. Create a strong, unique password that you haven't used anywhere else. If you used the same password on other accounts, change it everywhere as scammers will try stolen credentials across multiple platforms.
Enable multi-factor authentication
If not already active, add this extra security layer to prevent further unauthorised access even if criminals still have your old password. Most banks can help you set this up immediately during your fraud report call.
Monitor your accounts closely
Set up transaction alerts so you're notified immediately of any activity over the next few months. Check your statements daily rather than weekly. Scammers sometimes make small test charges before attempting large theft, and catching these early prevents major losses. Look for any charges you don't recognise, no matter how small.
Report to authorities
File reports with Scamwatch and ReportCyber so authorities can track patterns and potentially shut down fake banking sites. Contact IDCARE at 1800 595 160 for identity theft support if personal information was compromised. They provide free specialist assistance for identity crime victims.
Official Bank Contact Information
Always contact banks through official channels that you find independently, not through numbers or links provided in suspicious messages. When you need to verify a message or report suspicious activity, use these official contact methods.
Commonwealth Bank
commbank.com.au or call 13 2221. This is the official customer service number for general banking inquiries and fraud reports.
NAB
nab.com.au or call 13 22 65. NAB has made significant improvements in fraud prevention and can assist with verifying suspicious messages.
Westpac
westpac.com.au or call 13 20 32 for banking assistance and fraud reporting.
ANZ
anz.com.au or call 13 13 14 for customer service and fraud reporting.
For all banks, the most reliable contact number is the one printed on the back of your physical bank card. Use that number rather than any number provided in suspicious messages, as you know the number printed on your card is genuine.
Stay Vigilant
With 600+ fake banking websites removed in 2024 and new tactics like pop-up SMS scams emerging, banking impersonation remains a significant threat despite progress by financial institutions. While banks have made measurable improvements (NAB's 65% reduction in losses demonstrates effective security measures work), scammers continue to evolve their tactics and exploit new technologies.
The golden rule remains: when in doubt, don't click, verify first. Use SafeAus to check suspicious messages, and always contact your bank using official channels listed on your card or their website.
Those few seconds of verification could prevent months of recovering from banking fraud and the stress of unauthorised account access. Your skepticism is your best protection against increasingly sophisticated impersonation attempts targeting Australian banking customers.