Is this really my bank? How to tell genuine messages from fakes


It arrives in your inbox looking completely official. Your bank’s logo sits at the top. The colours match exactly. The email address even looks right at a glance. It says there’s been suspicious activity on your account and you need to verify your details right away.

But is it actually from your bank?

This is one of the most common — and most effective — scams targeting Australians right now, particularly people who grew up trusting written correspondence and institutional authority. Understanding how these fakes work, and how to check them in seconds, is one of the most valuable things you can do for your financial security.

What scammers can fake

Let’s be clear about what scammers are able to replicate, because it’s more than most people realise.

They can copy logos, fonts, and colour schemes perfectly. They can register email addresses that look almost identical to real ones — think “noreply@commbank-secure.com” instead of the real Commonwealth Bank domain. They can even spoof sender names so that the “From” field displays “Commonwealth Bank” even though the email is coming from an entirely different address.

On mobile, it gets trickier. Scammers can sometimes inject fake texts into the same conversation thread as real messages from your bank, making them appear completely legitimate. This technique, called SMS spoofing, means the fake message sits right alongside genuine ones from your bank with no visual difference whatsoever.

Knowing that all of these things are possible is the first step. The second step is having a reliable system for checking.

The two checks that work every time

You don’t need technical knowledge to verify whether a message is genuine. You need two simple habits.

Check number one: did you expect this message?

Think carefully. Did you recently make a transaction, change your details, or contact your bank? If a message arrives out of nowhere about activity you weren’t expecting, that’s your first warning sign. Legitimate banks typically only contact you reactively — in response to something you’ve done — or they send messages you’ve opted into, like monthly statements. A bolt-from-the-blue warning about “suspicious activity” you weren’t aware of deserves scepticism.

Check number two: verify the sender independently.

Never click any link or call any number provided in a message you’re unsure about. Instead, contact the organisation directly using details you already know are real — the number on the back of your bank card, the official website address you’ve used before, or the number listed on a recent paper statement.

If the message was genuine, the organisation will confirm it when you call. If it wasn’t, you’ve just protected yourself from a potentially devastating scam.

How to check an email sender properly

On most devices, you can see the actual email address a message came from — not just the display name — by clicking on the sender’s name in your inbox. The real address will appear, and often it looks nothing like the organisation it claims to represent.

A genuine message from your bank will come from a domain that matches their official website. Commonwealth Bank uses commbank.com.au, NAB uses nab.com.au, Westpac uses westpac.com.au, and so on. If the domain looks even slightly different — extra words, hyphens, or a completely different address — the message is fake.
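
The domain check described above, written out as a short Python sketch. This is an added example, not part of the original article: the function names, the sample "From" lines and the `email.commbank.com.au` subdomain are constructed for illustration, and only the three bank domains and the `commbank-secure.com` address come from the text.

```python
from email.utils import parseaddr

# Official domains exactly as listed in the article.
OFFICIAL_DOMAINS = {
    "Commonwealth Bank": "commbank.com.au",
    "NAB": "nab.com.au",
    "Westpac": "westpac.com.au",
}

def sender_domain(from_header):
    """Domain of the real address in a From line; the display name is ignored."""
    _display_name, address = parseaddr(from_header)
    if address.count("@") != 1:
        return ""  # no usable address to judge
    return address.rsplit("@", 1)[1].rstrip(".").lower()

def matches_official(domain, official):
    """True for the official domain or a genuine subdomain of it, nothing else."""
    return domain == official or domain.endswith("." + official)

def check_sender(from_header, claimed_bank):
    """Compare the real sending domain with the domain of the bank being claimed."""
    official = OFFICIAL_DOMAINS[claimed_bank]
    domain = sender_domain(from_header)
    if not domain:
        return "fake: no readable sender address"
    if matches_official(domain, official):
        return "domain matches"
    return f"fake: sent from {domain}, not {official}"

# Constructed sample From lines (only the first address appears in the article).
SAMPLES = [
    '"Commonwealth Bank" <noreply@commbank-secure.com>',          # extra word + hyphen
    'Commonwealth Bank <alerts@commbank.com.au.verify.example>',  # real domain used as a prefix
    '"support@commbank.com.au" <billing@mailer.example>',         # real address in display name only
    'Commonwealth Bank <noreply@email.commbank.com.au>',          # subdomain of the real domain
]

def run_samples():
    return [check_sender(s, "Commonwealth Bank") for s in SAMPLES]

if __name__ == "__main__":
    for sample, verdict in zip(SAMPLES, run_samples()):
        print(f"{verdict:55} {sample}")
```

A matching domain only passes this one check; the two habits above (was the message expected, and confirming through a channel you already trust) still apply.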

What about phone calls?

Scammers also call, claiming to be from your bank’s fraud department. They may already know your name, partial account number, or recent transaction details, which makes them sound convincing.

The rule is the same: hang up and call back on the official number. Your bank’s fraud line is printed on the back of your card. Use that number, not one the caller gives you. A real bank will never object to you hanging up and calling back — only scammers will pressure you to stay on the line.

Red flags in bank messages

Beyond the two main checks, watch for these warning signs in any message claiming to be from a financial institution:

- Urgent language demanding immediate action.
- Requests for your full password, PIN, or card number.
- Links to websites with addresses that don’t match the bank’s real domain.
- Instructions to download an app or piece of software.
- Requests to transfer money to a “safe account” — a tactic that has cost Australians millions.

If you’re ever unsure, do nothing first

The single safest response to any message you’re uncertain about is to do nothing with that message. Don’t click, don’t call the number provided, don’t download anything. Simply contact the organisation yourself through a verified channel.

This approach might occasionally mean a slight delay if the message happened to be genuine. But it will never result in you handing your money or personal details to a criminal.

Genuine organisations understand caution. Scammers count on people not being cautious enough.

For a comprehensive, plain-English guide to spotting fake messages, understanding what scammers can and can’t do, and building simple habits that protect your money and identity, Cyber Safe & Confident covers all of this and more — written specifically for Baby Boomers navigating the digital world.