Bank Impersonation Scams in Australia — Why Your Bank Will Never Call Like This
Bank impersonation scams are one of the most financially damaging scam categories targeting Australians. Criminals can make calls appear to come from your bank's official phone number — a technique called caller ID spoofing — and increasingly they possess some genuine information about your account obtained from previous data breaches, making the call seem entirely credible.
How the Scam Works
You receive a call from what appears to be your bank's fraud line. The caller says they have detected unusual activity on your account. They may know your first name, your suburb, or recent transaction details, obtained from breached data circulating on the dark web or from previous scams. They tell you that to secure your account, you need to transfer your funds to a "safe account," or to verify your identity by providing your internet banking password and a one-time code that your bank is about to send you. There is no suspicious activity. There is no safe account. The one-time code they are asking you to read out is the code your actual bank just sent you to authorise a fraudulent transfer they are making in real time — using credentials they have already obtained.
The Real-Time Attack
The most sophisticated version of this scam involves the criminal conducting a live attack at the same time as the phone call. While keeping you on the line, they are logged in to your actual internet banking account and attempting to authorise a transaction. Your bank sends you a one-time code — which the criminal asks you to read out, claiming it is a "security verification." When you read the code, you have just authorised the fraudulent transfer yourself.
Why Caller ID Cannot Be Trusted
Caller ID spoofing is inexpensive and easy for criminals to implement. The number displayed on your phone when receiving a call does not verify the identity of the caller. This means that even if your phone shows your bank's official number, it may not be your bank calling. The fact that a call appears to come from a legitimate number is not, by itself, evidence that it is genuine.
What Your Bank Will Never Do
- Ask you to transfer money to a "safe account" or "holding account"
- Ask you for your full internet banking password or PIN
- Ask you to read out a one-time security code sent to your phone
- Ask you to install software on your device
- Tell you to keep the call or other contact secret from everyone
- Demand you act immediately without time to verify
If you receive a call matching this description, hang up. Call your bank directly using the number on the back of your card or on their official website — not any number provided by the caller. If you have already provided information or transferred funds, call your bank's fraud line immediately — some transactions can be reversed if reported quickly.
What to Do If You Have Already Given Information
If you have provided information to someone claiming to be from your bank — particularly if you read out a one-time code or transferred funds — act within minutes. Call your bank's genuine fraud line using the number on the back of your card or on their official website — not any number from the call. Tell them that you may have provided verification codes or authorised transfers under fraudulent circumstances. Ask them to freeze your account immediately and review recent transactions. Some fraudulent transfers can be recalled if reported fast enough. Also change your internet banking password immediately from a trusted device.
Reporting and Follow-Up
Report the scam to Scamwatch at scamwatch.gov.au — your report helps the ACCC track these operations and may help recover funds in some cases. Your bank has an obligation under the ePayments Code to investigate your complaint, and if they find the correct procedures were not followed on their end, you may be entitled to a refund of fraudulently transferred funds. If you are not satisfied with your bank's response, you can escalate to the Australian Financial Complaints Authority (AFCA) for free, independent dispute resolution. Document everything: save any call records, write down the date, time, what was said, and what information you provided. IntrusionX provides security awareness education on bank impersonation scams for businesses and individuals — contact us to learn more.