A new phishing scam posing as a Telstra bill is targeting Australian inboxes, and all Telstra customers are urged to delete the email immediately.
It was first spotted by the security company MailGuard on Monday, which said the scam is especially sophisticated thanks to the consistently convincing visuals and branding across both the email and the linked website. It also features authentic-looking markers such as a ‘Live Help’ button.
“A key feature is the inclusion of the sentence ‘If you have any questions or concerns about this email you can get in touch with us at telstra.com/contact’,” MailGuard’s statement reads.
It has been well designed to look familiar to existing Telstra customers and asks users to click through to the bill via a link; the email itself carries no attachment.
Here is an example of the fake Telstra bill:
When you click on the link, it redirects you to Tumblr, where a fake Telstra login page like the one below is hosted:
Then, once signed in, it redirects to a payment page that looks like this:
The cybercriminals can then use the user's details and payment credentials for further illegal activity.
All fake bills reported have shown the same account number.
Cybercriminals behind this scam use several elements within the email body to convince you that it is a legitimate notification from Telstra. These include high-quality graphical elements such as Telstra’s branding.
This disclaimer-style sentence, along with the included link to the telecommunication company’s online assistance contact page, boosts the credibility of the email, as it is a common feature that recipients are used to seeing in legitimate notifications from Telstra.
With its large customer base and established brand credibility, Telstra is an ideal company for cybercriminals to spoof, as it widens their victim pool.
Telstra’s website offers this advice to their customers on how to recognise and avoid email scams:
- Never trust emails that ask for personal details
- Think twice before giving personal details online – instead, contact the sender using their publicly available contact details
- Visit trusted websites via their URL, rather than clicking a link in the email
- Only provide financial details on secure websites
- Use a spam filter to help block unsolicited and hoax emails
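The lure described above relies on Telstra branding while its "view bill" link actually lands on a Tumblr-hosted page. The following added example (not from the article, MailGuard or Telstra) shows the kind of check a mail filter or a cautious reader's script can apply: extract every link from an HTML email body and flag any whose host is not a Telstra domain, or whose visible text names telstra.com while the href points elsewhere. The trusted-domain set and the sample email are assumptions constructed for this example.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Domains a genuine Telstra bill notification links to (assumption for this example).
TRUSTED_DOMAINS = {"telstra.com", "telstra.com.au"}


class LinkExtractor(HTMLParser):
    # Collects (href, visible text) pairs for every <a> in an HTML email body.
    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_is_trusted(host):
    # Exact match or a subdomain of a trusted domain; "telstra.com.evil.example" does not pass.
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)


def suspicious_links(html_body):
    # Returns (href, visible text, reason) for each link that should raise a flag.
    parser = LinkExtractor()
    parser.feed(html_body)
    findings = []
    for href, text in parser.links:
        parsed = urlparse(href)
        if parsed.scheme not in ("http", "https"):
            continue  # mailto:, tel: and similar are out of scope here
        if not host_is_trusted(parsed.hostname or ""):
            reason = "off-brand host"
            if "telstra" in text.lower():
                reason = "display text names Telstra but href points elsewhere"
            findings.append((href, text, reason))
    return findings


# Constructed sample modelled on the lure in the article; not the real email.
SAMPLE_EMAIL = """<p>Your Telstra bill is ready.</p>
<a href="https://fake-telstra-bill.tumblr.com/login">View your bill</a>
<a href="https://www.telstra.com/contact">telstra.com/contact</a>
<a href="https://not-telstra.example/pay">telstra.com/pay</a>"""
```

Running `suspicious_links(SAMPLE_EMAIL)` flags the Tumblr-hosted login link and the mismatched "telstra.com/pay" link, while the genuine contact link passes.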