How to prevent scams

Scams rely on people within a business being tricked into transferring money to accounts they shouldn't. To prevent scams, we encourage the following:

Call first

Before you make a first-time payment for any amount you're not prepared to lose, call the payee using a verified phone number to check it’s really them requesting payment.

Set strong, unique passwords

Ensure all of your accounts, especially email accounts, have strong, unique passwords and are setup with second-factor authentication (e.g. SMS).

Use an approval process

Setup a payments approval process for your business, preferably requiring multiple approvers, with no exceptions.

A culture of questioning

Encourage a culture where staff are comfortable to question a payment instruction even if it’s from a senior executive.

Business email compromise (BEC)

Business email compromise scams target businesses of all sizes. They involve emails from a compromised email address, or emails made to look like they are from someone you know, such as:

  • Your boss
  • Your supplier
  • Your customer
  • Your lawyer

These scams involve emails sent to you or your business with a request to make payment to a new account. This new account may be under the scammer's control, and your money could be lost. If you get an email with a request to pay a new account, or an invoice with different account details to those usually used - pause, review, reflect. Before making a payment, consider calling the sender of the email using a verified phone number.

Business email compromise (BEC)

Business email compromise scams target businesses of all sizes. They involve emails from a compromised email address, or emails made to look like they are from someone you know, such as:

  • Your boss
  • Your supplier
  • Your customer
  • Your lawyer

These scams involve emails sent to you or your business with a request to make payment to a new account. This new account may be under the scammer's control, and your money could be lost. If you get an email with a request to pay a new account, or an invoice with different account details to those usually used - pause, review, reflect. Before making a payment, consider calling the sender of the email using a verified phone number.

Phone impersonation scams

  • What to look for

    In a phone scam, the scammer will call, claiming to be from a well-known organisation, including government organisations, law enforcement, investment companies and law firms, Banks or telecommunication providers.

    When claiming to be calling from CommBank, the scammer will most often claim to be calling from the fraud department to query some attempted payments from your business’ account. The scammer will seek to speak to the person who processes payments.

    The scammer will then try to create a sense of urgency (e.g. claiming an unauthorised transaction), convincing you to disclose your credentials and one-time passcodes (token code or e-tokens) or to give remote access to your computer.

  • How to protect yourself

    • CommBank does not use SMS messaging to verify the legitimacy of a call
    • If you are also a personal CommBank customer and use the CommBank app, always ask the caller to verify themselves using CallerCheck
    • If you doubt the legitimacy of a call, hang up and message us in the CommBank app or call a number listed on commbank.com.au – don’t use a number received in an email or text.
    • CommBank will never ask you to disclose your Login ID, Login Password, or one-time passcodes (e-token or token codes)
    • CommBank will never ask you to give us remote access to your computer or ask you to download software
    • Never share your one-time passcode/e-token code/token codes with anyone, including CommBank

Remote access scams

Remote access scams begin as a phone impersonation scam, then the scammer gains access to your CommBiz Service or NetBank using your own computer, through the use of remote access software.

Learn about remote access scams

Payroll scams

  • What to look for

    One BEC variation that's prevalent is payroll scams. In these kinds of scams, cyber criminals impersonate employees in an attempt to trick staff into redirecting funds to the scammer. Staff working in HR, payroll or finance are most at risk.

    • The emails they receive might look official or even appear to come from a legitimate employee email address. 
    • They might ask for an urgent update of bank account details to a scammer account instead.
    • In other cases, the first email will seem harmless, simply asking what the process for updating payment details is. The idea is to later make contact with a more targeted follow-up.
  • How to protect yourself

    Educating staff on how to spot these fraudulent emails will mean your business isn’t compromised and money isn’t lost. Here’s how to keep your business safe, as recommended by the Australian Cyber Security Centre.

    1. If an email appears suspicious, don’t reply or click on any links. Instead, look up the person’s email address and create a new email to verify the request being made. If your company’s database lists phone numbers, give them a call to quickly check the email’s validity
    2. Always set a strong, unique, two-factor authentication password with your email. If you receive a notification about a bank account update you didn’t authorise, contact payroll immediately
    3. Frequently check your bank accounts for any unusual activity

Check the latest scams, fraud and security alerts

Educate your staff

It’s vital to educate your staff on what common scams look like so they can recognise them, report them and help safeguard your business from potentially costly mistakes.

Abstract image of a hand and technology

How to keep your business secure in the age of remote working

Successfully scaling up your business' remote working capability requires attention to make sure the security of devices, connections, tools and people are up to scratch.

Understanding business email scams

Email scams that target business have evolved and these days often look very similar to legitimate business emails, such as an expected invoice or payment request. That's why it's important to understand how they work.

Report a scam

  • Not sure whether a message is legitimate?

    If you haven't engaged with its contents, such as clicking a link or replying to it, report it to CommBank's 24/7 Cyber Security Centre by forwarding it to hoax@cba.com.au, then delete the message.

     

    If you're worried you've been scammed or noticed a suspicious transaction:

    • For NetBank customers please call us on 13 2221
    • For CommBiz customers please call us on 13 2339

    More steps to protect yourself