Need to know
- Fraudsters are impersonating banks over SMS and phone calls, creating elaborate scams that are difficult to spot
- Vulnerabilities in SMS and phone networks currently allow the scams to flourish, but experts say a new registry will help close these loopholes
- In the meantime, consumers are urged to watch out for messages and calls from their bank urgently asking them to transfer money
The moment Lauren* heard the voice on the other end of the phone, she knew exactly who it was.
"My heart was racing, I could barely breathe. I just couldn't believe it was him. I was like: 'Oh, my God, he's still doing it. Not only does he have my money, he's trying again'."
It was March 2023 and Lauren had just realised she was speaking to the same man who she says defrauded her of almost $5000 the previous year.
It had been a textbook case of bank impersonation fraud and now the scammer was back for more.
A convincing con
Lauren was wary when the man first called her in December, posing as a member of the fraud team at Bendigo Bank – the parent company of her bank, Up.
"I was definitely a little bit suspicious, but he spent 90 minutes on the phone with me, establishing rapport… it was a very long manipulation," the 38-year-old Victorian recalls.
The man, who spoke with a "sophisticated English accent", told Lauren suspicious transactions on her card – an issue she had resolved with her bank two days previously – were actually part of a wider problem and that all her savings were now at risk.
Lauren says the scammer's ability to dispatch SMS messages that seemed to come from Bendigo Bank convinced her to follow his directions. Source: supplied.
"He seemed to know everything about my account. He knew what the total amount was in my savings," she explains, saying this helped break down her initial scepticism.
But it was the man's ability to send her text messages with authentication codes from a "Bendigo" account that played a major role in convincing her the call was genuine.
"I think the fact it had Bendigo at the top was the main [factor]. And then [it matched] the code he gave… He drew a lot of importance to that. [He said] the bank had spent millions of dollars on being able to send messages like that," she recalls.
Swayed by the text messages and under pressure from the voice on the phone to save her money by sending it to a new account, Lauren transferred just under $5000 out of her account, which was never seen again.
Part of an 'alarming' trend
Bank impersonation scams, where fraudsters hijack the caller and SMS sender IDs of banks, are the latest scam to wreak havoc on a fraud-weary public.
The con usually begins with text messages appearing to come from a victim's bank which, to add extra confusion, often appear in the same thread and underneath legitimate texts from that financial institution.
The text messages are often alerts about suspicious activity in a target's account and are followed by phone calls on numbers impersonating bank fraud lines, demanding victims transfer money to a new account (controlled by the scammer) to save it from the supposed breach.
The method, which the ACCC has described as "alarming", "elaborate" and "hard to detect", takes a heavier financial toll than most scams, often draining people of their life savings.
With losses averaging $22,000 in each instance and ranging as high as $800,000 or more, this type of fraud fleeced Australians of over $20 million in 2022.
That toll came in a year when losses from all types of scams rose 80% to top $3.1 billion and when, according to the ACCC, Australians were on edge and ready to act on alerts over threats to their personal information and assets following the Optus and Medibank data breaches.
This was the case for Lauren, who was inclined to follow the caller's instructions, knowing she was at risk of being hacked following the Medibank saga.
"I had only found out a few weeks before that I was one of the customers whose details were leaked… It was playing into my mindset at the time. I thought: 'Well, someone does have all my data, so I need to follow his advice'."
Bank impersonation scams usually begin with SMS messages appearing to come from your bank, alerting you to supposed suspicious activity in your account.
Scammers aided by poor SMS security
Cyber security experts say scammers are able to execute this form of phishing fraud thanks to vulnerabilities in the networks that so many of us use to communicate.
SMS messaging, for example, has been around for over 30 years, which makes it easy to abuse, says senior lecturer in security Dr Suranga Seneviratne from the University of Sydney's school of computer science.
"One of the reasons why SMS has survived so far is its usability and simplicity… [But] it wasn't designed with security in mind," he explains. "There's no authentication inbuilt, so if I'm sending a message, I can manipulate some of the metadata."
One piece of metadata that can be manipulated is the sender ID – the names or numbers that come up at the top of a message thread – and this can be done when sending application-to-person (A2P) messages.
Unlike messages sent from one phone to another, A2P messages are sent from one computer running a certain portal or piece of software, to a number of phones.
Last June, the Australian Communications and Media Authority (ACMA) handed down new rules which say telcos and other carriage service providers (CSPs) should check that senders of A2P messages have the right to use the sender IDs they're distributing messages under.
However, Dr Mohi Ahmed, senior lecturer in computing and security at Edith Cowan University, is sceptical of whether the numerous services hosting A2P messaging actually verify their users.
"Those messages are sent by software which doesn't require verification of the [sender's] identity," he says.
"Anyone can write a combination of text or numbers in their sender ID and we can't really control it."
In a sign of lagging standards by some CSPs, the ACMA in May issued formal warnings to several for not properly verifying the identities of SMS senders and allowing more than 100,000 messages to be dispatched under sender IDs impersonating road toll and postal companies.
Corrupted thread makes scam more convincing
Once they've sent an SMS under a phoney ID, scammers are then often assisted by the receiving phone's message app, which will usually merge texts coming from the same sender ID.
"It will find all the texts are in the same thread. So it's really hard to differentiate between which one is legitimate and which one is not," Ahmed explains.
The ACCC is warning that this particular ability of fraudsters to slip their messages into legitimate threads is what's catching many off guard.
The Commission has shared the stories of people for whom this feature of SMS technology proved a decisive factor in their being duped by impersonation phishing.
One victim featured in the ACCC's Targeting Scams Report lost over $300,000 after a scam SMS urging them to call a number to discuss a loan appeared under previous legitimate messages from their bank.
Phone call spoofing seals the steal
In their initial overtures to victims via SMS, bank impersonators will often include a phone number, which will connect the target to someone posing as a member of a bank's fraud team.
In other instances, fraudsters will cold call targets and deploy the SMS method to allay any concerns from the victim about the legitimacy of the caller.
In either case, scammers are able to change their caller ID to the phone number of a bank by over-stamping or 'spoofing' their calling line identification (CLI) – something made possible by voice-over-internet protocol (VoIP) software.
This is only illegal if it's being done for unlawful reasons, but the ACMA is increasingly scrutinising the practice, introducing new rules directing telcos to do more checks to make sure they're not carrying calls by users spoofing their caller ID to a number they don't have the right to use.
Computer experts we spoke to say this has been effective in stopping many impersonators, but the stories of those fleeced of their savings indicate that some still get through.
Cheap services provide easy payoff
The experts also say cheap SMS and phone services are combining with a proliferation of leaked numbers being sold for modest prices online, including on the dark web, to make bank impersonation fraud a promising prospect for scammers.
"The cost is quite low for them," says Seneviratne. "Using these platforms, they can reach a large number of subscribers and out of that, if one or two convert, they are probably [already] covering their costs."
With the large market of victims these call and messaging platforms afford, he adds, impersonation scammers usually aren't targeting specific people, but are instead just hoping they'll reach enough customers of the brand they're pretending to represent.
"If you send 100,000 messages, based on the market share there will be at least 20% who are in fact customers of a major bank. Out of that, there will be some customers where the circumstances are right [for them to believe]."
How to spot and avoid impersonation scams
The good news is that there are strategies consumers can deploy to mitigate the risk of falling for phoney texts or calls.
As a starting point, Seneviratne says to be wary of any SMS purporting to be sharing important information.
"Don't trust anything that comes over SMS," he says. "If you want to take some action, verify by different channels."
These could include your bank's smartphone app or website, or a phone call to a customer service representative via a number you've found yourself.
Similar advice is proposed by the ACCC, which warns against clicking on links or phone numbers you receive over SMS that appear to be from your bank.
The consumer watchdog says impersonation texts can sometimes stand out from legitimate messages in a thread due to different wording or phrases. It also says to be alert to the fact that most will be attempting to stir panic.
"It's critical to remember that no matter how legitimate the call or message seems, a bank will never ask you to urgently transfer funds," says a spokesperson.
"Hang up if you receive a call from someone claiming to be from your bank requesting you to transfer money to 'keep it safe', and call your bank back using contact details you have found independently."
What's being done to stop bank impersonation scams
Several major banks have already taken steps to fight back against fraudsters impersonating their brands.
The Commonwealth Bank, for example, has introduced CallerCheck, which allows bank staff who are on the phone with a customer to trigger an alert in the client's smartphone banking app to verify that the call is coming from the lender.
Ahmed says these developments are positive, but argues that they still put the onus on the customer themselves to sort fact from fraud.
"This is an effective process; however, it depends on the users," he says. "The actual solution is an SMS sender registry or caller registry."
Australia set to get an SMS sender ID registry
Luckily, this isn't too far away. In the May Budget, the federal government announced plans to give the ACMA $10.9 million to establish an Australian SMS sender ID registry, after similar systems were set up in the UK and Singapore.
Under one model being considered, the federal government says, organisations sending mass texts to the public will be able to register their sender IDs with the body and telcos will then have access to the list and should block messages coming from sources not associated with that sender ID.
The cyber experts we spoke to say the registry will form a "second layer of defence" against impersonation SMS messages in situations when A2P services don't properly verify the identities of their users.
The ACCC similarly welcomes the scheme as a step forward in the fight against scams, and told us it would like to see Australia's registry implemented in a similar way to Singapore's.
Established in March last year, the Singapore sender ID registry (SSIR) has facilitated a 64% reduction in scam SMS messages.
The SSIR began as a voluntary scheme, but in October 2022, it was announced that brands wishing to send mass texts would have to register. Since January, any SMS coming from an unregistered ID has been accompanied by a "Likely-SCAM" disclaimer.
When we asked the ACMA if it planned to follow Singapore's example, it confirmed it was in close contact with regulators in the island nation, but said it was too early to discuss the details of the registry.
The regulator also emphasised the importance of making any model "fit for purpose in the unique Australian context".
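As an added illustration (not code from CHOICE, the ACMA or Singapore's SSIR), here is a sketch of the screening policy described above: a registry mapping sender IDs to the A2P platforms allowed to use them, blocking of a registered ID sent from an unauthorised source, the Singapore-style "Likely-SCAM" label for an unregistered alphanumeric ID, and ordinary phone-number senders passing through untouched, which is why number-based cons fall outside a registry's reach. The registry format, platform names and sample messages are all constructed assumptions.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed registry: alphanumeric sender ID -> A2P platforms authorised to use it.
# The names are assumptions; the article does not describe the registry's real format.
REGISTRY = {
    "BENDIGO": {"agg-alpha"},
    "AUSPOST": {"agg-beta"},
}

# Alphanumeric sender ID: letters/digits, up to 11 chars, containing at least one letter.
ALNUM_ID = re.compile(r"^(?=.*[A-Za-z])[A-Za-z0-9]{1,11}$")


@dataclass(frozen=True)
class Message:
    sender_id: str   # what the handset shows at the top of the thread
    source: str      # which A2P platform handed the message to the carrier
    body: str


def screen(msg: Message) -> tuple[str, str]:
    """Decide what the carrier does with one message.

    Returns (action, displayed_sender): 'block' for a registered ID used by an
    unauthorised source, 'label' (Likely-SCAM prefix) for an unregistered
    alphanumeric ID, 'deliver' otherwise. Numeric senders are not checked.
    """
    sid = msg.sender_id.strip()
    if not ALNUM_ID.match(sid):
        return "deliver", sid          # plain number: outside the registry's scope
    allowed = REGISTRY.get(sid.upper())
    if allowed is None:
        return "label", f"Likely-SCAM: {sid}"
    if msg.source not in allowed:
        return "block", sid
    return "deliver", sid


def build_threads(msgs: list[Message]) -> dict[str, list[str]]:
    """Mimic a handset merging delivered messages into threads by displayed sender."""
    threads: dict[str, list[str]] = defaultdict(list)
    for m in msgs:
        action, shown = screen(m)
        if action != "block":
            threads[shown].append(m.body)
    return dict(threads)


# Constructed sample traffic: a genuine alert, a spoof of the same ID, a lookalike ID, a number.
SAMPLE = [
    Message("BENDIGO", "agg-alpha", "Card used overseas. Not you? Call the number on your card."),
    Message("BENDIGO", "agg-spoof", "Fraud team: your savings are at risk, call 04xx xxx xxx."),
    Message("BendigoBnk", "agg-spoof", "Your verification code is 482913."),
    Message("+61400000000", "p2p", "Hi mum, new number, text me here."),
]
```

With the spoof blocked and the lookalike labelled, only the genuine alert lands in the "BENDIGO" thread, while the number-only message is delivered exactly as before.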
Registry not a complete solution
CHOICE agrees a registry is a good idea, but warns it won't curb fraud for which an unrecognisable number is key to the scammer's narrative, such as the 'Hi mum' scam.
"An SMS ID registry is an important step in the right direction, but it won't prevent all impersonation scams," says CHOICE senior campaigns and policy adviser Alex Söderlund.
"We've heard from a number of people who've fallen victim to impersonation scams that didn't appear to involve phone number spoofing. And many felt let down by their bank's response after reporting a scam."
Lauren is one of those who feels let down by her bank following her scam experience.
The second call from her scammer came as she was getting fed up with trying to negotiate with the banks involved to try to get her money back.
"I said: 'You owe me $5000, you've already done this to me and your record keeping is shit, because you've already done it.' I just went crazy at him until he hung up."
She welcomes the federal government's promise of an SMS registry as a "great idea", but says she would have also liked to have seen her bank Up do more to alert customers about possible impersonation scams.
"Up Bank never alerted me. Even when I called them back and said he's still doing it, there was no alert next time I went into the app."
Up told CHOICE it was "aware of and working hard to prevent a rising level of scam activity" and that it had distributed "scam education materials" to customers via its app and other channels.
*Not her real name.
Stock images: Getty, unless otherwise stated.