ABC News

Scammers can disguise their number so it looks like your bank is calling — here are red flags to watch for

An edited recording of a scam attempt shows how convincing criminals can be.

Your phone starts ringing. 

On the screen, the number for your bank appears, so you pick up. 

The person on the end of the line tells you they're from your bank's fraud team and they've been alerted to an unexpected transaction overseas.

You can't put your finger on it, but something about the call seems suss.

But the way they're talking sounds like someone from your bank and they even know your address and details about your credit card. 

Surely it couldn't be a scammer, could it?

Scammers can impersonate numbers 

Unfortunately, the caller ID that comes up on your phone isn't always correct.

The ACCC's Scamwatch is warning people that scammers are using technology to trick victims by:

  • making the call appear to come from the bank's legitimate phone number
  • sending a text that appears in the same conversation thread as genuine bank messages.

It's called "spoofing" and it's a technique used in bank impersonation scams.

That's when victims are tricked into thinking they're dealing with someone from their bank, when they're really dealing with a criminal. 

And scammers can use what's called "alpha tags" to make messages appear in a thread of legitimate messages from your bank. 

The video above is an example of one such call to a Westpac customer last year, but these scammers could claim to be from any bank — big or small.

Last year, Scamwatch had 14,603 reports about bank impersonation scams, totalling more than $20 million in losses. 

Scammers can also trick people with their dodgy ads for banks online.

When people type their bank's name into a search engine, they may click on the first link that comes up — and scammers can take advantage of that.

They might set up what looks like a legitimate website for the bank, but it actually takes people to the scammers' dodgy impostor site instead.

One call cost $500,000

ACCC deputy chair Catriona Lowe says bank impersonation scams are a big problem.

People who report to Scamwatch do so under the condition of anonymity so we can't identify these victims, but we can tell you their stories.  

"We know of a man who lost over $500,000 after receiving a call from someone claiming to be from a major bank's security department, wanting to know if a payment had been authorised," Ms Lowe says. 

"In another case, a man lost $38,000 after receiving a scam text message about a suspicious transaction.

"The scam text appeared in the same conversation thread as legitimate messages from his bank.

"He called the number in the text and was put through to a member of the bank's fraud team.

"Unfortunately, it was an elaborate scam and he lost everything."

Just because a person sounds like they're calling you from your bank, doesn't mean they're legitimate.  (ABC News)

And it's not just spoofing. 

A News Breakfast viewer emailed the ABC about their sister falling victim to scammers via online banking. 

ABC presenter Madeleine Morris summed up what happened:

"She Googled the name of her bank to do online banking and clicked on the top search return, which was actually a fraudster.

"It looked exactly like the link to her bank.

"She clicked on it and went and gave all her online banking passwords.

"They attempted to withdraw $10,000."

How does this happen?

Spoofing is done by something the Australian Communications and Media Authority (ACMA) labels as calling line identification (CLI) overstamping. 

Here's how the ACMA website explains it:

"CLI overstamping allows the person calling you to display a different number from the number they are calling from.

"For example, an Australian company which operates an overseas call centre may overstamp their calls (which originate from overseas) with an Australian number so that you recognise this number and return a call."

There are a few practical uses for this.

Companies might use this to stop angry callers from harassing a specific employee on their direct line or, if the person misses the call, they are directed back through the company's main caller menu.

Is this legal?

Yes, CLI overstamping is legal, but only when used for legitimate reasons.

Here's what the ACMA says on that front:

"This is legal in Australia, unless it is being done for unlawful or malicious purposes, most commonly to carry out scams."

What are the red flags to watch out for?

Let's go back to that example from Westpac.

It was published back in September when the bank announced plans to try to crack down on spoofing. 

Pointing to the fact that they're calling you from an 'official' number to prove legitimacy:

A would-be scammer tries to legitimise himself by telling the victim he's calling from the bank's number when he's not.

Building a sense of fear and urgency:

A would-be scammer creates a sense of fear and urgency through the threat of a fraudulent transaction.

Using information collected elsewhere to prove their legitimacy: 

A would-be scammer states a victim's address in a bid to convince her the call is legitimate.

Asking the victim to repeat a code they claim was sent from their bank:

A would-be scammer asks a victim to read out a 'cancellation code' while posing as a bank.

Another big red flag is a bank asking you to transfer money to "keep it safe".

No bank will ask you to do this, so do not transfer money. 

And, when it comes to texts that supposedly came from your bank, make sure to scrutinise them carefully. 

"There might be subtle differences in the message," Ms Lowe says. 

"It might look different, use different phraseology ... 

"We do want consumers to be very wary and to never click on a link.

"Your legitimate bank will never send you a message with a link to click."

What should I do if I think I'm being spoofed?

Hang up and call the bank back on its official, publicly-listed number. 

Dial that number yourself rather than just clicking a link you've searched for online or tapping a link from a message claiming to be from your bank.

Can I prevent spoofing calls?

There's nothing you can do to prevent scammers from using spoofed numbers to call you, according to ID Care, a national not-for-profit organisation that helps people who have fallen victim to identity theft.

"Being on the Do Not Call Register will not assist, as this is a service used by legitimate companies and not scammers to determine who does not wish to be contacted," ID Care says.

However, that doesn't mean you have to answer those calls.

The Communications Alliance recommends allowing unknown calls to go to voicemail.

If they leave a message, you can listen to it to see if it's a genuine call.

And some phones allow you to send unknown numbers straight to voicemail.

What are the banks doing about spoofing?

We looked at the four big banks in the Australian market: ANZ, Commonwealth, NAB and Westpac. 

Commonwealth Bank, for example, launched a feature that allows customers to verify callers claiming to be from the bank by triggering security messages in their banking app. It also has a feature to review the bank details entered for first-time payments.

Last month, NAB introduced a spoofing-specific protection measure that it says has already "significantly reduced" the scams targeting customers. 

"We'll also shortly be adding more proactive prompts to help customers identify potential scams when making a payment and to check that a payment is going to the intended recipient," says Chris Sheehan, who is NAB's executive for group investigations. 

In September, Westpac partnered with Optus to become the first private Australian business to block calls from scammers impersonating the bank, adding more than 94,000 Westpac phone numbers to a "Do Not Originate" list.

"ANZ has a range of processes and systems in place to protect our customers against fraud and scams," an ANZ spokesperson says. 

Scammers are impersonating banks in a bid to trick victims out of money.  (ABC News: Dannielle Maguire)

Can't banks just … get the money back?

It's not that simple.

Because once money has been transferred out of your account, there's no magical "undo" button. 

Mr Sheehan — a former fraud detective with the Australian Federal Police — says the criminals act very quickly once they've got your money. 

"We will always make every attempt to prevent these scams and recover funds where possible," he says. 

"When a scam is reported to us, one of the immediate steps we take is to contact and report the fraud to the receiving bank as soon as possible to try to secure the money before it's moved.

"However, once the funds have left a victim's account, it can often be difficult to recover them, due to the sophistication of these criminals and the speed with which they move stolen funds."

An ANZ spokesperson mirrors that. 

"We always attempt to recover funds customers have lost to scams or fraud," they said. 

"Whether funds can be recovered depends on a number of factors, including whether they are transferred to another financial institution, how quickly scammers subsequently on-transfer the funds and whether the funds are used to purchase cryptocurrency."

"Once we have been made aware of a scam or fraud on an account, we work closely with other banks to take action and we do our best to recover any funds," a Commonwealth Bank spokesperson said. 
