The latest in phishing

I have a credit card with a limit of just $500 for internet purchases and other risky transactions from the CBA.  It is often in arrears and I don’t bother paying it because I’d rather pay the usurious interest rate when the amount outstanding is $100 or whatever.  So they sometimes send me rude letters. And they’ve threatened to cancel the card before.  And yesterday I was sent an email worrying about a ‘suspicious payment’ from Westpac – to which I replied – see below the fold. 

So I nearly fell for this:

Dear Commonwealth Bank customer,

Your card has been suspended.

To activate your card again, please call to the following number: (61) 280144856

 

NOTE: Do not click any link in the e-mails pretending to be from Commonwealth Bank of Australia.

© Copyright. All rights reserved. Commonwealth Bank of Australia.

 

Seemed slightly odd that they’d communicate with me in this way, but it wasn’t phishing was it? After all, there’s no link. So I rang the number and a robot asked for my credit card number. I hung up, more pissed off with the non-humanity of it all, and I couldn’t be bothered putting all the information in.  Perhaps something else was bothering me.  Anyway, the moment I got off the phone I realised that it was almost certainly phishing and that the robot would have asked, not just for my credit card number but also for my expiry date and perhaps the confirmation code.  Nasty business. 

My reply to Westpac:

Hi Natasha,

The great monster that is Westpac is (again) doing its best to make my life a misery. I made a payment to a friend of around $1,050. This didn't seem particularly suspicious to me, but it earned me an e-mail from Westpac's fraud detection unit. My understanding was that my communications with the bank would come through you – that’s what they always tell me – not the fraud unit, but no matter.

They instructed me to call 132032 immediately. I did not want to do this, because (you may even have had this experience before yourself) when you ring a 13 number it is often the case that a large business tells you how much they value your call for a long, long time before you get to talk to anyone. I am perhaps unusual, but I do try to spend my time on other things, and as a result I e-mailed a response to the person who had sent me the e-mail. (This seemed safe in these days of phishing, though I am surprised that, given the amount of phishing going on, Westpac would communicate with me via e-mail. I guess it saved them time and I expect this is the main thing (for them anyway).)

I copied this to someone who showed every sign of being a real person, Mark Dickson, who is also copied into this e-mail.

But alas, responding to my e-mail was not something that anyone at Westpac was prepared to do.

Anyway, I just tried to make another payment but have been told that I do not have access for security reasons.

I would be grateful if you could attend to this problem.

I would even be grateful for an acknowledgement of this e-mail.

Regards,

Nicholas Gruen

Who knows, perhaps the CBA email wasn’t phishing at all.  I’ll see next time I want to use my CBA card.

9 Comments
Guido
12 years ago

It’s phishing alright. I have been getting 10 of those a day and I am not a Commonwealth Bank customer. Now I am getting the same from the St.George bank, which I am not a customer of either. Always worth ringing your bank first.

Joshua Gans(@joshua-gans)
12 years ago

I’ve been getting half a dozen of these every day for the last month, and I don’t bank with them at all. You’re lucky if you’re not receiving more. The most recent:

Dear NetBank Customer:

Congratulations! Your Cashback Bonus in amount of $500,00 is ready to be redeemed!. Simply login to NetBank, 24/7 to redeem.

Please disregard this e-mail if you’ve already redeem your cashback bonus since the date this e-mail was sent.

We appreciate your prompt attention to this matter.

Thank you
Commonwealth Bank of Australia

SJ
12 years ago

I’ve been getting emails purporting to be from Westpac and NAB as well. The domain names of the embedded links are .za (South Africa) and .kr (Kenya). Could be anybody.

SJ
12 years ago

South Korea, not Kenya. Doh.

Patrick(@patrick)
12 years ago

I’ve never had one, I wondered what that warning at the netbank login was! I use gmail for my banking, maybe that is why?

Down and Out of Saigon
12 years ago

Thanks for the heads-up, Nicholas. I never thought anyone would be silly enough to use an Australian land-line to do phishing. One tip-off to the bank and the cops would be at the door. But now I know.

Was that the real number in the post? I tried it out. Unsurprisingly, it’s been disconnected.

JM
12 years ago

Well the CBA are doing something that doesn’t involve email but is definitely phishing.

You get a call from someone who claims to be from the CBA (note, they call you)

They then say “I just have to ask you some identification questions” and proceed to ask your full name, dob and card number.

But you have no way of knowing if they are legitimate.

Ever since I twigged to this I’ve told them what I think of this practice and said that I’d ring them back via the 13 number so I could be reasonably assured it was the bank I was actually talking to.

Not once has the person on the line acknowledged or I suspect even understood what I was objecting to, even when I say “if I answered an email asking questions like this, what would you think of me?”

I keep complaining in the hope that one day my comment will get escalated and the stupidity of this practice will dawn on one of the CBA’s security mavens.

Patrick(@patrick)
12 years ago

“and said that I’d ring them back via the 13 number so I could be reasonably assured it was the bank I was actually talking to.”

I’ve done this a couple of times, I don’t think with CBA though, I have asked for a number to call back on and googled it first – I just freaked out when one such caller started asking for I think it was a card number, I just couldn’t overcome a feeling of distrust – it felt so wrong to be asked for this information by someone who had called me.

I forget who it was that time but they were quite understanding.