Bank Impersonation Scams
Scammers pose as your bank's fraud team by phone or text — often spoofing the bank's real number or landing in the same SMS thread as genuine messages — to 'protect' your money. The goal is your login details, your one-time security codes, or convincing you to move funds to a so-called safe account. These are among the most financially devastating scams reported in Australia.
This guide explains how the scam works, the warning signs to watch for, and what to do if you've been caught out. Got a specific message in front of you? Check it now and get an instant verdict.
How this scam works
It starts with a hook: a text about a suspicious transaction, or a call from the 'fraud team' saying your account is under attack. Because sender IDs and caller numbers can be spoofed, the contact can appear to come from CommBank, NAB, ANZ or Westpac's real number — sometimes inside the same message thread as genuine bank texts. The 'fraud officer' sounds calm and professional, may know basic details about you, and manufactures urgency: your money must be moved right now, or you need to read out the one-time code just sent to your phone 'to verify it's you'. In reality, that code authorises the scammer's own transfer, and the 'safe account' belongs to them. Money moved by real-time transfer is extremely hard to claw back, which is why these scams cause some of the largest individual losses Scamwatch sees.
How to spot it
- Anyone asking for your internet banking password, PIN or a one-time SMS code — no Australian bank ever asks for these, in any situation
- Requests to move money to a 'safe', 'holding' or 'audit' account — banks never do this; your money is already in your account
- Links in texts to log in to your bank — always type the address yourself (e.g. netbank.com.au, nab.com.au) or use the official app
- Pressure not to hang up, not to visit a branch, and not to tell family — isolating you is a core scam tactic
- Instructions to install remote-access software such as AnyDesk or TeamViewer
What to do if you have been targeted
- Hang up, then call your bank on the number from its official website or the back of your card — never a number the caller gave you
- If you shared codes or passwords, tell the bank immediately so it can freeze access and attempt to stop or recall transfers — the first hours matter most
- Change your internet banking password, plus any other account using the same password
- Report it to ReportCyber (cyber.gov.au) and Scamwatch (scamwatch.gov.au)
- If you're unhappy with how your bank handles the loss, you can complain to it formally and then escalate to the Australian Financial Complaints Authority (AFCA)
Where to report it
- Scamwatch — Report the scam to the ACCC's national scam service.
- ReportCyber — Report cybercrime and financial loss to the police.
- ACMA — Report scam texts and spam SMS or calls.
- Forward to 7226 (SPAM) — Forward the scam SMS to short code 7226 so your carrier can block the source.
- IDCARE — Free identity and cyber support if your details were taken.
Related brands targeted by this scam
Scammers often impersonate these names in bank impersonation scams. Here's how to tell a genuine message from a fake:
Check a suspicious message now
Paste the text or email you're unsure about and get an instant scam verdict, free.
Frequently asked questions
The call came from my bank's real phone number. How can it be a scam?
Caller ID can be faked — scammers routinely spoof banks' published numbers, so the number on your screen proves nothing. The reliable test is what's asked of you: a genuine bank will never ask for passwords, one-time codes, or transfers to another account. When in doubt, hang up and dial the bank yourself using the number on the back of your card.
My bank does send fraud alerts. How do I tell a real one from a fake?
Real fraud alerts ask you to confirm or deny a transaction — usually in the bank's app — and never include login links or ask you to reply with codes. A fake alert pushes you to a link or a phone call where someone asks for your credentials. Open your banking app yourself: if there's a genuine issue, it will be visible there.
I read out a one-time code to a caller. What should I do right now?
Call your bank immediately on its official number — that code may have authorised a payment or a device registration on your account. The bank can freeze access and try to stop or recall transfers, and speed makes the difference. Then change your banking password and report the scam to Scamwatch and ReportCyber.
Can I get my money back after a bank impersonation scam?
Sometimes, but it depends heavily on speed and how the money was taken. Banks can attempt to recall transfers, and funds are occasionally frozen at the receiving end if reported within hours. Unauthorised card charges are often recoverable through disputes. Report to your bank the moment you suspect a scam, and if you believe it mishandled your case, escalate to AFCA.
Why did the scammer know my name and details?
Personal details leak through data breaches and are bought and sold by scammers, who use them to sound credible. Knowing your name, address or even part of your account number doesn't make a caller your bank. Judge the request, not the knowledge: a demand for codes, passwords or transfers is always a scam.
Related scam types
Other scams hitting Australians right now — know the warning signs:
This guide is general information, not legal or financial advice — if you've lost money, contact your bank and the reporting channels above straight away.