A recent report from The Sydney Morning Herald shows that bank impersonation scams are on the rise in Australia. In the first nine months of 2024, almost 3,000 customers from one bank alone reported these scams. This data comes from the Australian Competition and Consumer Commission’s (ACCC) Scamwatch, which tracks public reports.
Scamwatch also warns that many scams go unreported, so the true number of victims may be much higher. While some banks have stopped losses, many are still at risk due to weak safeguards.
Last year, Proofpoint research revealed a concerning gap in email security across Australia’s financial institutions. 78% of Australian-owned banks and foreign subsidiaries lagged in essential cybersecurity measures. While this year’s figures have improved, 52% of Australian financial institutions still do not proactively block email fraud. Spoofed emails serve as a primary entry point for these scams. It’s urgent that banks strengthen their email defences, especially as bad actors increasingly use AI to create ever-more convincing messages.
This is not just happening in Australia. Financial institutions across the Asia-Pacific (APAC) region are being impacted.
- In Singapore, impersonation scams surged at government agencies and banks in September 2024. Over 100 cases were reported that month alone, accounting for S$6.7 million in losses. One major Singapore bank reported at least 14 cases within 18 days, with around $29,000 lost.
- Last year in Japan, institutions reported over 5,500 online banking fraud cases with damages surpassing 8.7 billion yen. That’s the highest amount on record.
These troubling figures highlight the urgent need for stronger fraud prevention and protections against scams. In this blog post, we discuss how you can keep your institution safe.
What is a bank impersonation scam?
Bank impersonation scams come in many forms. Some involve bad actors posing as trusted bank employees. In others, messages look like they’re being sent from bank application systems to trick recipients into handing over their login credentials or other personal data.
Typically, these scams start with a phishing email, SMS or phone call that looks like it’s from the victim’s trusted bank. They appear urgent, warning the victim of suspicious activity or demanding that they take immediate action to verify information. Once the victim engages, they are directed to a fake website that’s designed to look just like the bank’s official site.
Here are some common tactics that scammers use:
- Display name spoofing. Scammers manipulate the display name in an email’s From field to look like they’re coming from a trusted bank. This misleads users who take the message at face value.
- Domain spoofing. Scammers imitate the legitimate sending server or domain to deceive recipients into believing that an email is genuine.
- Lookalike domains. Scammers create domains that closely resemble trusted sources. These lookalike domains exploit minor variations in domain names, which users can easily overlook.
- Compromised supplier accounts. Cybercriminals can compromise the email account of a supplier that regularly interacts with a targeted business. By hijacking the communication between the target and its supplier, threat actors position themselves to solicit fraudulent payments or request sensitive information.
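As an added example (not code from the original post or from Proofpoint), the following Python check applies the first three tactics above to incoming From headers: it flags a display name that claims the bank while the address lives elsewhere, and domains that are one or two characters or a homoglyph away from the real one. The examplebank domains, brand keywords and sample headers are all constructed for the illustration.

```python
from email.utils import parseaddr
# Constructed data: a hypothetical bank's domains and brand names (not a real bank).
PROTECTED_DOMAINS = {"examplebank.com.au", "examplebank.com"}
BRAND_KEYWORDS = ("example bank", "examplebank")

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; catches domains one or two characters off the real one."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def normalise(domain: str) -> str:
    """Fold common homoglyph tricks (rn->m, 1->l, 0->o, ...) before comparing domains."""
    d = domain.lower()
    for src, dst in (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")):
        d = d.replace(src, dst)
    return d

def classify_from_header(from_header: str) -> str:
    """Label a From header: legitimate, lookalike_domain, display_name_spoof or unknown."""
    display, addr = parseaddr(from_header)
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    if domain in PROTECTED_DOMAINS:
        return "legitimate"
    norm = normalise(domain)
    for protected in PROTECTED_DOMAINS:
        if norm == normalise(protected) or edit_distance(domain, protected) <= 2:
            return "lookalike_domain"
    # Brand name embedded in an unrelated domain, e.g. examplebank-secure.com
    if any(k.replace(" ", "") in norm for k in BRAND_KEYWORDS):
        return "lookalike_domain"
    # Display name claims the brand, but the address is somewhere else entirely
    if any(k in display.lower() for k in BRAND_KEYWORDS):
        return "display_name_spoof"
    return "unknown"

# Constructed sample headers, as a mail filter or SOC triage script would see them.
SAMPLE_HEADERS = [
    "Example Bank <alerts@examplebank.com.au>",
    "Example Bank Security <alerts@gmail.com>",
    "Example Bank <noreply@exarnplebank.com.au>",
    "Secure Login <login@examplebank-secure.com>",
    "Retail Newsletter <news@retailer.com>",
]
def scan(headers=SAMPLE_HEADERS) -> dict:
    return {h: classify_from_header(h) for h in headers}
```

Anything labelled lookalike_domain or display_name_spoof is worth holding for review; a production filter would add DMARC results and a registrable-domain lookup rather than string heuristics alone.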
7 Tips for combating bank impersonation scams
Here are some tips for choosing the right solution to mitigate bank impersonation risks.
1: Harness advanced technology
Organisations should invest in modern email security tools that use advanced technologies like artificial intelligence (AI), machine learning (ML), behavioural analysis, threat intelligence and large language models (LLMs). This ensures robust protection against threats in real time.
2: Enable adaptive controls
Adaptive controls, like automatic isolation of URLs from high-risk suppliers, help minimize your exposure to compromised accounts while ensuring business continuity. Look for a tool that analyses emails, URLs and attachments. Features like URL defence—which rewrites suspicious links in emails to prevent users from visiting malicious sites—add a proactive layer.
3: Authenticate all emails
Strong email authentication is vital to prevent domain spoofing and brand abuse. Protocols like DMARC can help. Choose a DMARC tool that provides complete visibility into email authentication across all communications, including third parties, users and applications. You should also be able to separate user email from transactional emails from applications and SaaS partners. Experienced consultants play a key role in streamlining DMARC deployment. This helps to ensure that legitimate emails don’t get blocked.
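An added example (not from the original post or from Proofpoint's tooling): a small Python check that parses a DMARC TXT record and reports whether the published policy actually stops spoofed mail, shown with a monitor-only record beside an enforcing one for the hypothetical examplebank.com.au domain. The records and report addresses are constructed.

```python
# Constructed DMARC records for a hypothetical bank domain (not a real bank's records).
MONITOR_ONLY = "v=DMARC1; p=none; rua=mailto:dmarc@examplebank.com.au"
ENFORCING = ("v=DMARC1; p=reject; sp=reject; pct=100; adkim=s; aspf=s; "
             "rua=mailto:dmarc@examplebank.com.au; ruf=mailto:dmarc-forensic@examplebank.com.au")

def parse_dmarc(record: str) -> dict:
    """Split a DMARC TXT record into its tag=value pairs (tag names are case-insensitive)."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def assess_dmarc(record: str) -> dict:
    """Decide whether the record actually blocks spoofed mail and list what to fix."""
    t = parse_dmarc(record)
    if t.get("v", "").upper() != "DMARC1":
        return {"enforcing": False, "findings": ["not a DMARC record: missing v=DMARC1"]}
    policy = t.get("p", "none").lower()
    sub_policy = t.get("sp", policy).lower()   # sp falls back to p when absent
    try:
        pct = int(t.get("pct", "100"))
    except ValueError:
        pct = 0
    findings = []
    if policy == "none":
        findings.append("p=none only reports; spoofed mail is still delivered")
    elif policy == "quarantine":
        findings.append("p=quarantine sends spoofs to junk; p=reject refuses them outright")
    if pct < 100:
        findings.append(f"pct={pct}: policy applies to only {pct}% of failing messages")
    if sub_policy == "none" and policy != "none":
        findings.append("sp=none leaves subdomains open to spoofing")
    if "rua" not in t:
        findings.append("no rua address: no aggregate reports on who sends as your domain")
    enforcing = policy in ("quarantine", "reject") and pct == 100
    return {"policy": policy, "sub_policy": sub_policy, "pct": pct,
            "enforcing": enforcing, "findings": findings}
```

Moving from the first record to the second is the step the 52% figure above refers to; the rua reports collected under p=none are what tell you which legitimate senders still need SPF or DKIM alignment before you switch to p=reject.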
4: Use dynamic lookalike domain protection
Protect your brand by actively monitoring and removing malicious lookalike domains. Advanced detection technologies use high-quality intelligence to continuously analyse millions of domains so that deceptive sites can be swiftly identified and taken down before they damage your brand. Also, they keep track of similar threats that might be targeting your suppliers.
5: Get cloud security
When cybercriminals compromise cloud account credentials, they can impersonate legitimate users and cause havoc. That’s why it's crucial to deploy a solution that can detect account takeover (ATO) attacks. Look for comprehensive visibility into both pre- and post-compromise activities. It should also provide inline access controls, data loss prevention (DLP) and advanced threat protection to secure cloud apps like Microsoft 365 and Google Workspace. You also want automated remediation to minimize dwell time and mitigate damage.
6: Secure your digital communications
Fraudsters exploit various communication channels like email, SMS, WhatsApp, MS Teams and social media to deceive people. To combat these threats, look for a tool that expands protection beyond email to cover multiple channels.
7: Empower your employees
No single technology or solution can eliminate all threats. So, it’s crucial to complement your threat detection solution with a comprehensive security awareness program. This helps users to identify and report potential scams efficiently. And it helps your organisation build a critical line of defence.
How to stay vigilant against impersonation scams
While banks are responsible for reinforcing defences, individuals must also adopt vigilant behaviours to reduce the risk of impersonation scams. Here are a few practical tips for safeguarding personal information:
- Verify the source. Directly contact your bank if you receive any suspicious messages. Avoid using phone numbers or links provided in the message itself.
- Be wary of urgent requests. Scammers often use panic-inducing language to push recipients to act without caution.
- Inspect URLs carefully. Before clicking, always verify the link destination. Scammers often disguise fraudulent URLs to look like legitimate websites.
- Report suspicious activity. Report scams to organisations like Scamwatch in Australia. This can help with identifying and stopping larger scam trends.
Combating bank impersonation scams together
Bank impersonation scams are rapidly increasing across APAC. Advanced technologies—like AI, ML and deepfakes—have empowered bad actors to convincingly impersonate individuals and institutions. This makes them more effective.
In response, many countries are putting new protections in place:
- The Singapore Monetary Authority has introduced strict regulations for digital payment services as well as new consumer protections.
- The Hong Kong Monetary Authority has provided banks with guidelines to enhance their cybersecurity frameworks.
- The Reserve Bank of New Zealand is pursuing regulatory reforms to address fraud risks.
- The Central Bank of Malaysia is driving improvements in real-time fraud detection through initiatives like the National Scam Response Centre.
To combat the rising threat of impersonation scams, banks need robust security tools. They also need to empower their employees and customers to identify scams. By working together, organisations and individuals throughout APAC can enhance their defences and decrease the number of these scams.
Learn more
Proofpoint helps you maintain trust between your organisation and your customers, suppliers and business partners. We understand that people are the most targeted link in the attack chain, which is why we focus on protecting them. We provide comprehensive protection against impersonation threats with a range of advanced cybersecurity solutions including:
With a human-centric approach to security, we deliver multilayered protection to keep your trusted business communications safe. Proofpoint has successfully stopped different types of impersonation attacks, ranging from brand impersonation to executive spoofing and supplier fraud.
To learn more, check out Proofpoint Impersonation Protection.