Case Studies


Explore how PORGiESOFT’s intelligence and technology uncover emerging fraud threats and empower organisations to stay ahead of them — from global financial institutions tracked in our Fraud Risk Intelligence Portfolio (FRIP) to enterprise customers transforming their fraud defences with our solutions.



Real-World Insights. Real-World Impact.

Case Study: Intelligence - Smishing Surge: Inside the AUD 30 Million Banking SMS-driven Fraud Targeting Australia


INDUSTRY: Financial Services | SECTOR: Banking | COUNTRY: Australia

BANKS:

  • ANZ (Australia and New Zealand Banking Group) - www.anz.com.au
  • Commonwealth Bank (CommBank) - www.commbank.com.au
  • Westpac - www.westpac.com.au
  • National Australia Bank (NAB) - www.nab.com.au
  • Bank of Queensland (BOQ) - www.boq.com.au
  • Bendigo Bank - www.bendigobank.com.au
  • Macquarie Bank - www.macquarie.com.au


Smishing Down Under — How Australian Banks Were Targeted in Global Fraud Campaigns


SUMMARY


PORGiESOFT Security’s Fraud Risk Intelligence Portfolio (FRIP) from 2020-2025 has tracked a significant rise in smishing campaigns targeting Australian financial institutions, including ANZ, Commonwealth Bank (CommBank), and Westpac. These campaigns mirrored similar ones in the UK, US and Canada, sharing domains, language templates, and infrastructure patterns — a sign of cross-regional threat actor coordination.


Fraudsters exploited cost-of-living pressures and digital banking convenience to drive social-engineering success rates, using SMS lures that directed users to cloned login portals designed to harvest credentials and authorise fraudulent transfers.


1. Background


Australia is a high-income, digitally connected nation of about 26.9 million people. Internet use is near-universal, and over 93% of adults access online services daily. Its economy is highly cashless, with around 98% of consumer transactions occurring electronically through major banks such as Commonwealth Bank, Westpac, ANZ, and NAB.


Cybercrime has become a major concern. Regional reports estimate Australians lost more than AUD 2.5 billion to scams in 2023, with fraud and identity theft rising sharply. The government’s Cyber Security Strategy 2023–2030 promotes world-class threat sharing and closer collaboration between banks, telecoms, and law enforcement to counter phishing, smishing, and other digital-fraud threats.


Australia’s banking sector is one of the most stable and technologically advanced in the world. It is dominated by the “Big Four” institutions — Commonwealth Bank of Australia (CBA), Westpac Banking Corporation, Australia and New Zealand Banking Group (ANZ), and National Australia Bank (NAB) — which collectively hold the majority of retail deposits and lending.


2. Key Findings


  1. Volume: Australian banking brands represented nearly 9% of all global smishing incidents analysed, ranking among the top four most impersonated financial sectors globally
  2. Thematic patterns: “Services have been suspended”, “To avoid service restrictions”, “Your account has been locked”, “Follow the link to”, “To avoid service restrictions, please visit” — creating a problem-and-solution narrative to pique the interest of bank customers
  3. Non-Traditional Methods: Around 30% of the attacks analysed used non-traditional top-level domains such as .reviews and .info — providing a cheaper delivery infrastructure for fraudsters
  4. Shared Infrastructure: Broader threat actor tactics were very similar to those in UK campaigns. Multiple campaigns contained similar fraud forensic linguistic markers and attack classes
  5. Language evolution: Early messages used generic English; later variants adopted Australian spelling, services and product names (“authorised”, “netbank” and .au domains) — evidence of localisation by threat actors
  6. Banks Impersonated: ANZ (Australia and New Zealand Banking Group), Commonwealth Bank (CommBank/CBA), Westpac, National Australia Bank (NAB), Bank of Queensland (BOQ), Bendigo Bank, Macquarie Bank


Using verified FRIP data and average loss ratios from regional intelligence, PORGiESOFT Security estimates total financial exposure at AUD 30–32 million, including direct and potential losses. This represents approximately 1–2% of the nation’s annual reported scam losses.


3. Intelligence Implications


  • I1. Standardised Message Templates: The recurrence of identical wording — particularly “locked,” “suspended,” and “confirm details” — across Australian, UK, and Canadian entries suggests that smishing operators reuse shared text libraries or prebuilt phishing kits
  • I2. Localisation, Not Originality: References to NetBank (CommBank) and other local banking terminology demonstrate that threat actors apply light linguistic localisation for credibility. The underlying structure, grammar, and emotional triggers remain globally consistent
  • I3. Human-Centric Exploitation: The dataset shows an emphasis on user-triggered account recovery rather than malware payloads — underscoring that SMS remains a social-engineering vector focused on manipulating trust rather than exploiting technical vulnerabilities
  • I4. Operational Significance: Because text patterns are globally repeated, linguistic indicators can serve as early-warning intelligence across markets. Integrating these phrase-level signatures into detection systems (e.g., PORGiESOFT’s SenseText™) allows proactive filtering and inter-bank alerting, even before domain data is available
  • I5. Infrastructure Fingerprinting: Investigating shared infrastructure, timing, or phishing-kit reuse would aid intelligence investigations, but requires WHOIS, passive DNS, or HTML fingerprinting enrichment. Establishing infrastructure linkages and temporal correlations would strengthen data analysis


4. Attack Analysis


Textual analysis shows that Australian smishing messages overwhelmingly follow a credential-harvest pattern built around urgency and service interruption:


  • Emotional Triggers: “Unable”, “Avoid”, “Suspended”, and “Locked” are key urgency cues — core to social engineering
  • Transactional Anchors: “Payment”, “Order”, and “Bill” show blending of banking and delivery scam language, a known hybridisation trend
  • Call-to-Action Dominance: “Visit”, “Follow”, “Update” are linguistic flags for link-based smishing (Class A)


Common Themes:

  • Access Interruption: “Your account has been locked”
  • Verification Prompt: “Confirm your details to continue”
  • Transaction: “New payee has been added”


Other Tactics:

  • Sender ID Spoofing: Fake sender IDs appearing as “CommBank” or “ANZ”
  • Non-Traditional Top-Level Domains (TLDs): Use of obfuscated TLDs (e.g. .reviews, .info and .services) with low registration costs
  • Localisation: Use of Australian spelling
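
The cue categories listed above can be combined into a simple phrase-level triage check. The following is an added example, not part of the original case study and not PORGiESOFT's SenseText™ logic; the weights, threshold, function name and sample messages (including the domain) are constructed assumptions.

```python
import re

# Cue lists taken from the "Attack Analysis" section of this page.
EMOTIONAL = {"unable", "avoid", "suspended", "locked"}
TRANSACTIONAL = {"payment", "order", "bill"}
CALL_TO_ACTION = {"visit", "follow", "update"}
NON_TRADITIONAL_TLDS = {"reviews", "info", "services"}

# Assumed weights and threshold, chosen for illustration only.
WEIGHTS = {"emotional": 2, "transactional": 1, "call_to_action": 1,
           "link": 1, "non_traditional_tld": 2}
THRESHOLD = 4

# Matches a hostname with an optional scheme and path.
URL_RE = re.compile(r"(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})(?:/\S*)?", re.I)

def analyse_sms(text):
    """Score one SMS body by cue category; each category counts once."""
    hosts = [m.group(1).lower() for m in URL_RE.finditer(text)]
    # Strip links first so words inside a URL are not counted as text cues.
    words = set(re.findall(r"[a-z]+", URL_RE.sub(" ", text).lower()))
    hits = {
        "emotional": sorted(words & EMOTIONAL),
        "transactional": sorted(words & TRANSACTIONAL),
        "call_to_action": sorted(words & CALL_TO_ACTION),
        "link": hosts,
        "non_traditional_tld": [h for h in hosts
                                if h.rsplit(".", 1)[-1] in NON_TRADITIONAL_TLDS],
    }
    score = sum(WEIGHTS[name] for name, found in hits.items() if found)
    return {"score": score, "flagged": score >= THRESHOLD, "hits": hits}

# Constructed sample messages (not taken from FRIP data).
SAMPLES = [
    "CommBank: Your account has been locked. To avoid service restrictions, "
    "please visit https://constructed-sample-0001.reviews/netbank",
    "Your ANZ statement is ready. Log in through the ANZ app to view it.",
    "Your order has shipped. Payment received, thank you.",
]

if __name__ == "__main__":
    for sms in SAMPLES:
        result = analyse_sms(sms)
        print(result["score"], result["flagged"], result["hits"])
```

Transactional wording alone stays below the threshold here, which keeps ordinary delivery or payment notices from being flagged without an urgency cue or a suspicious link.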


PORGiESOFT Security’s Fraud Risk Intelligence Portfolio (FRIP) uses a structured taxonomy to classify each smishing message by attack vector, method and delivery mechanism. The framework, first introduced in our Smishing Threat Intelligence Report 2022, helps separate URL-driven phishing attempts from hybrid or phone-based lures and other complex tactics.



























5. How PORGiESOFT Security's Anti-Fraud Solutions Could Have Helped


In the face of sophisticated Australian banking smishing campaigns, PORGiESOFT Security’s suite of anti-fraud solutions offers multi-layered defence to analyse, monitor and aggregate fraud and scam trends before they spread.


1. SenseText™ Portal & API risk scoring

For bank customers, fraud analysts, telecom security leads and customer protection teams combating smishing and message-based scams, SenseText™ would have provided an AI-driven layer of protection, scanning and explaining the risk level of each SMS before action is taken. Banks could have achieved:


  • 80% reduction in customer exposure to SMS fraud using AI-powered risk scoring and message analysis - a second opinion
  • 25% reduction in SMS fraud losses
  • Increase in consumer trust and safety through real-time detection and explanation of fraud cues (“why” it’s fraudulent)
  • Seamless integration via API with bank and telecom systems and customer journey


2. Fraud OS — Cyber Fraud Fusion

Australian banks often worked in silos — fraud, security, cyber, customer, risk and compliance teams investigating separately. Fraud OS would have connected these units through a single platform, aligning strategy, data, and investigation workflows. With Fraud OS, Australian financial institutions could have achieved:


  • 45% reduction in incident response time through centralised case management and shared fraud dashboards
  • 60% increase in cross-team visibility by linking fraud data, alerts, and threat intel feeds
  • End-to-end workflow automation reducing manual reporting for CISOs and fraud leads



3. Fraud Intelligence — News Monitoring

For threat intelligence analysts, fraud teams, risk officers, and compliance leaders monitoring emerging fraud threats, smishing and phishing campaigns evolved faster than traditional awareness cycles. Fraud Intelligence would have tracked and analysed new fraud narratives, scam wording, and domain trends across regions, delivering:


  • 50% reduction in detection lag with automated monitoring of news and open-source threat data
  • Increase in predictive visibility via weekly or monthly curated fraud briefings
  • Cross-region correlation with FRIP data linking global threat patterns and tactics


4. Fraud Awareness — AI Avatars

Bank Security Awareness, HR learning, and Customer Education teams focus on improving fraud literacy but have consistently discovered that written training is often ignored. PORGiESOFT Security’s AI Avatars deliver video-based, scenario-driven anti-fraud education using real smishing examples, improving engagement and long-term retention, which could achieve:


  • 70% employee, supplier and customer engagement with hyper-realistic AI video explainers
  • A reduction in smishing and fraud susceptibility by 65% using real FRIP attack examples
  • Monthly AI Avatar updates providing ongoing fraud awareness content



6. Conclusion


The fraud threat landscape will continue to evolve locally and globally. Australia’s smishing surge shows how fast cyber-enabled fraud evolves when language, technology, and trust intersect. Most attacks were URL-based, but the rise of hybrid and callback variants marks a shift toward coordinated, multi-channel fraud — exploiting human, institutional and system vulnerabilities.


Across the attacks analysed, PORGiESOFT Security estimates links to over AUD 30M in confirmed and potential fraud losses, affecting thousands of victims across banking ecosystems. This scale underscores that fraud has become a national resilience issue that demands joined-up responses between banks, tech companies, telecoms, government and regulators.


The findings confirm that language is the new infrastructure of fraud. Attackers reuse tone, urgency, and phrasing faster than they can deploy new domains — turning communication itself into the weapon. Defence now depends on connected systems that merge detection, intelligence, and education. PORGiESOFT Security's anti-fraud solutions deliver this layered defence. Together, these solutions can cut fraud exposure by over 35%, reduce customer fraud losses and accelerate incident response, building human resilience at scale.


The lesson from Australia’s case is clear — fraud resilience depends not only on stronger technology, but on smarter, connected fraud intelligence systems and human readiness.







