Telstra bill? Bin it. Australian inboxes targeted by sophisticated phishing scam

A new phishing scam posing as Telstra is targeting Australian inboxes and all recipients are urged to delete the email immediately.

First noticed on Monday by online security firm MailGuard, the scam is especially sophisticated thanks to the consistently convincing visuals and branding across the email and linked website. It also features authentic markers such as a ‘Live Help’ button.

“A key feature is the inclusion of the sentence ‘If you have any questions or concerns about this email you can get in touch with us at telstra.com/contact’,” MailGuard’s statement reads.

The well-formatted email will look familiar to existing Telstra customers and asks users to click through to an attached bill. Although there are no attachments, a link is provided.

The link redirects through Tumblr to a fake Telstra login page.

Once logged in, recipients are directed through to a payment page.

The cyber criminals can then view and save user and payment credentials for further illegal activity.

All fake bills reported have shown the same account number.

Phishing scams masquerading as large corporations are commonplace, with NAB and Amex targeted last year, and the government’s AusTender website impersonated in January.

The Australian Competition and Consumer Commission (ACCC) earlier this year warned businesses, in particular, to be on alert after its Targeting scams report revealed a total loss of over $7.2 million last year.

Protect yourself and your business

Writing for SmartCompany, Cynch Security co-founder Susie Jones describes cyber security as “a long game”, urging users to build resilience to cyber attacks through “incremental steps” similar to a physical fitness regimen.

Simple steps such as avoiding duplicate passwords, then graduating onto more advanced steps such as investing in a password manager, creates habits that will better protect your organisation in the long run, she writes.

“The most important thing when it comes to building cyber fitness and improving your resilience to threats is to start doing something, anything, to improve.”

For phishing scams like this, MailGuard recommends recipients delete the email immediately from their inbox without opening attachments or clicking on links.

The ACCC has also set up Scamwatch, a site where community members can report scams. However, it does warn users it cannot help in the recovery of lost funds.

NOW READ: Bit by bit, day by day: How to play the long game with cyber security

NOW READ: ‘Don’t trust email’: Half-a-billion lost to scams in 2018, ACCC says