Over 70,000 callback scam emails impersonating Australia's big four banks were detected in July 2025. Learn how to protect yourself from this sophisticated campaign targeting businesses.
Massive Banking Scam Campaign Uncovered in Australia
A large-scale scam campaign has emerged across Australia, with more than 70,000 fraudulent emails sent during July 2025 alone. The messages impersonate Australia's big four banks and specifically target organisations in the insurance, legal, and education sectors. Email security vendor Mimecast identified the trend, and its analysts warn that the 70,000 figure covers only the emails its systems detected; many more may have reached inboxes unnoticed. The campaign remains active and continues to evolve.
According to Garrett O'Hara, senior director of solutions engineering at Mimecast, the campaign is a particularly dangerous evolution in cybercrime tactics. The scammers combine two psychological levers: the trust Australians place in their banking institutions, and the urgency created by a fake transaction alert. Together these make the scam effective even against cautious recipients.
Evolution of Callback Scam Tactics
Callback scam campaigns have traditionally posed as well-known payment services such as PayPal. The latest intelligence shows a shift towards impersonating banks, using increasingly realistic transaction notifications. A callback scam is built around a phone number rather than a link or attachment: the email itself carries nothing malicious for URL or attachment filters to catch, and the fraud happens on the phone, where the "bank" talks the victim into handing over credentials or moving money. The professional appearance of these emails makes them hard to tell apart from genuine bank communications.
O'Hara emphasises that the threat continues to grow and will likely target an even larger number of Australians in the coming months. This makes widespread awareness about this specific scam absolutely critical for protecting individuals and organisations from financial loss and data breaches.
Identifying the Scam: Red Flags to Watch For
The fraudulent emails use subject lines designed to create urgency and alarm. Examples observed in the campaign include "Alert Completed Details Enclosed", "Financial Summary Sent Recently", "Invoice Completed Recently", and "Your Recent Payment: Summary Notification". These are crafted to prompt immediate action from recipients who fear an unauthorised transaction on their account.
The scammers rotate through a range of phone numbers to appear legitimate, including "03 8256 7521", "02 5621 1059", and "1800 458 259". The numbers look plausible at a glance, particularly the toll-free one, but none belongs to a genuine banking institution. Recipients who call risk giving up sensitive financial or personal details to criminals. Because the numbers change from wave to wave, a block-list of known numbers is useful as an indicator but is not a durable control on its own; the callback request itself is the more reliable signal.
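The indicators above (the reported subject lines and callback numbers) can be turned into a simple inbound-mail triage check, which also applies the verification rule discussed later on this page: any email that urges the reader to phone a number that is not on the organisation's own verified list gets flagged for review. The following is an added example written for this page, not Mimecast's detection logic; the sample emails and the "verified" number 1300 000 000 are constructed for the demo.

```python
"""Triage check for bank-impersonation callback-scam emails.

Added example for this article, not vendor code. The indicator lists
contain only the subject lines and numbers the article reports; sample
emails and the verified number are constructed for the demo.
"""
import re
from dataclasses import dataclass, field
from typing import Optional

# Subject-line phrases reported in the July 2025 campaign (lower-cased).
SCAM_SUBJECTS = (
    "alert completed details enclosed",
    "financial summary sent recently",
    "invoice completed recently",
    "your recent payment: summary notification",
)

# Callback numbers reported in the campaign, normalised to digits only.
SCAM_NUMBERS = frozenset({"0382567521", "0256211059", "1800458259"})

# Rough match for an Australian phone number written with spaces/dashes/brackets.
CANDIDATE_RE = re.compile(r"\+?\d[\d\s()\-]{8,15}\d")
CALLBACK_RE = re.compile(r"\b(?:call|phone|ring)\b", re.I)
URGENT_RE = re.compile(r"\b(?:immediately|urgent(?:ly)?|now|today|within \d+ hours?)\b", re.I)


def normalise_au(number: str) -> Optional[str]:
    """Reduce an AU number to 10 digits (0X XXXX XXXX or 1800/1300 XXX XXX)."""
    digits = re.sub(r"\D", "", number)
    if digits.startswith("61") and len(digits) == 11:  # +61 international form
        digits = "0" + digits[2:]
    if len(digits) == 10 and digits[0] in "01":
        return digits
    return None


@dataclass
class Verdict:
    score: int = 0
    reasons: list = field(default_factory=list)

    @property
    def label(self) -> str:
        return "quarantine" if self.score >= 3 else "review" if self.score else "allow"


def triage(subject: str, body: str, verified_numbers: frozenset = frozenset()) -> Verdict:
    """Score one email. verified_numbers is the organisation's own allow-list
    of bank contact numbers looked up from statements or official sites."""
    v = Verdict()
    if any(s in subject.lower() for s in SCAM_SUBJECTS):
        v.score += 2
        v.reasons.append(f"known campaign subject line: {subject!r}")

    found = {n for n in (normalise_au(m.group()) for m in CANDIDATE_RE.finditer(body)) if n}
    for n in sorted(found & SCAM_NUMBERS):
        v.score += 3
        v.reasons.append(f"known campaign callback number: {n}")

    # The core rule: an email asking you to phone a number you have not
    # independently verified is suspicious, and more so if it is urgent.
    unverified = found - SCAM_NUMBERS - verified_numbers
    if unverified and CALLBACK_RE.search(body):
        v.score += 1
        v.reasons.append(f"callback requested to unverified number(s): {sorted(unverified)}")
        if URGENT_RE.search(body):
            v.score += 1
            v.reasons.append("urgency language around the callback request")
    return v


# Constructed sample emails (not real messages). 1300 000 000 is a placeholder
# standing in for a number the organisation has verified itself.
VERIFIED = frozenset({"1300000000"})
SAMPLES = [
    ("Alert Completed Details Enclosed",
     "A transfer of $4,850.00 to a new payee was completed on your account. "
     "If you did not authorise this payment, call 1800 458 259 immediately to stop it."),
    ("Your monthly statement is available",
     "Your statement is ready to view in the app. For help call 1300 000 000."),
    ("Action required on your account",
     "A suspicious transaction was detected. Please call +61 2 9999 0000 within 24 hours to confirm."),
]


def run_samples() -> list:
    return [triage(s, b, VERIFIED) for s, b in SAMPLES]


if __name__ == "__main__":
    for (subject, _), v in zip(SAMPLES, run_samples()):
        print(f"{v.label:10} score={v.score} {subject!r}")
        for r in v.reasons:
            print("   -", r)
```

The scoring is deliberately conservative: a known subject line alone only earns "review", a known callback number is enough to quarantine, and a new number with urgent callback wording is surfaced to a human rather than blocked, since that is exactly the shape a legitimate fraud-team email could also take.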
How Legitimate Banks Actually Communicate
The key point every Australian should understand is that a legitimate bank will not email you demanding an urgent callback. Genuine financial institutions have established customer-contact protocols that prioritise verification over urgency. An email that claims to be from your bank and asks you to phone a number in the message straight away is an extremely strong indicator of fraud.
Authentic bank communications give you ways to verify them independently. Banks encourage customers to contact them using the contact details printed on a bank statement or card, or published on the official website, rather than any number or link contained in the email itself.
Protecting Your Organisation from Banking Scams
For organisations, the scale of this campaign shows that Australian businesses are now prime targets. O'Hara recommends a strict verification process under which staff independently confirm any banking communication through official bank channels. In practice that means employees never dial a number taken from the email; they look up the bank's contact details from a trusted source such as a statement, the back of a card, or the bank's official website, and ideally from an internal list the finance or security team maintains.
Businesses that invest in proactive staff training and a clear verification process will be far better placed to avoid these scams. Security awareness training should include concrete, current examples, including this bank-impersonation campaign, so that employees can recognise and report suspicious messages before any damage is done.
Steps to Take If You Receive a Suspicious Email
If you receive an email that claims to be from your bank and raises any suspicion, do not click any link or call any phone number in the message. Contact your bank directly using the number on your bank card or an official statement. Report the email to your bank's fraud department and to Scamwatch, the Australian Competition and Consumer Commission's scam reporting service. In a workplace, forward it to your security team first so they can keep the message and its headers for analysis; only then delete it, so you cannot interact with it by accident later.
Additionally, organisations should have clear protocols in place for reporting suspected phishing attempts. This ensures that IT security teams can quickly assess threats, warn other employees, and implement additional protective measures if necessary. A culture of security awareness, where employees feel comfortable reporting suspicious communications without fear of criticism, is essential for maintaining robust cybersecurity defences.