Bank-impersonation scams are now better than the real bank's emails. Here is the difference, every time.
If you've banked online in the last year, you've received a fake message from your bank. It looked perfect — same logo, same colours, same tone. The reason fake bank messages work is that real bank messages also feel a bit alarmist ("unusual activity detected", "verify your account"). Here's how to tell them apart, every time.
A real client story. A whedo.it client received an SMS in 2024 from what looked like NAB: "Suspicious login from Brisbane device. Tap here to lock your account: nab-au.com/secure". They tapped, entered their login, and the criminal moved $14,000 to a mule account within four minutes. The lesson: the bank doesn't text you links. Ever. If they need to contact you about something urgent, they call from a number they've published on their website, or they leave a message in the secure inbox inside the banking app itself.
Not one Australian bank sends links in SMS for login or account verification. Ever. Their fraud teams won't allow it because they know the message can't be distinguished from a phishing one. Any text claiming to be from your bank that contains a link is fake.
Email is read on phones, often in a rush. Banks use their app's secure inbox or their voice line for anything that requires you to do something. If an email asks you to click and confirm, log in, or update details, it's not from the bank.
Real bank emails come from a clear @[bankname].com.au address. Fake ones come from things like nab-au-services.com, commsec.alerts.com, or some random Gmail. Tap the sender name on a phone to expand the full address — if it isn't the bank's own domain, it's not the bank.
Every bank phishing message is urgent: "locked in 60 minutes", "unauthorised transfer", "verify now". Real banks default to slow and procedural; they let you call them at your convenience. Urgency is a manipulation tactic — pressure to bypass verification. If you feel rushed, that's the warning sign.
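The checks described above (no links in bank SMS, the sender's domain must be the bank's own, requests to act, urgency) written as a small triage script a helpdesk could run over reported messages. This is an added example, not whedo.it's code; the allowlist, the flag names and every sample message except the SMS quoted in the client story are assumptions.

```python
import re
from email.utils import parseaddr

# Assumed allowlist for illustration: fill it from the domains each bank publishes.
BANK_DOMAINS = {"nab.com.au", "commsec.com.au"}
URGENCY = re.compile(r"locked in \d+ minutes|unauthori[sz]ed transfer|verify now", re.I)
ACTION = re.compile(r"\b(click|confirm|log ?in|update (your )?details)\b", re.I)
# http(s) URLs plus bare "domain.tld/path" links as used in the SMS quoted above.
LINK = re.compile(r"https?://\S+|\b[a-z0-9-]+(?:\.[a-z0-9-]+)+/\S*", re.I)

def sender_domain(from_header):
    """Domain of the actual address; the display name is ignored."""
    return parseaddr(from_header)[1].rpartition("@")[2].lower().rstrip(".")

def is_bank_domain(domain):
    """Exact match or true subdomain only, so lookalike domains fail."""
    return any(domain == d or domain.endswith("." + d) for d in BANK_DOMAINS)

def triage(channel, sender, body):
    """Return the article's red flags that a reported message trips."""
    flags = []
    if channel == "sms" and LINK.search(body):
        flags.append("sms-contains-link")
    if channel == "email":
        if not is_bank_domain(sender_domain(sender)):
            flags.append("sender-not-bank-domain")
        if ACTION.search(body):
            flags.append("email-asks-for-action")
    if URGENCY.search(body):
        flags.append("urgency")
    return flags

# Constructed sample reports (channel, sender, body); only the SMS text is from the article.
SAMPLES = [
    ("sms", "NAB", "Suspicious login from Brisbane device. "
                   "Tap here to lock your account: nab-au.com/secure"),
    ("email", '"NAB Security" <alerts@nab-au-services.com>',
     "Your account will be locked in 60 minutes. Click to verify now."),
    ("email", "Alerts <no-reply@commsec.alerts.com>", "Unauthorised transfer detected."),
    ("email", "NAB <noreply@nab.com.au>", "Your statement is ready in the secure inbox."),
]

if __name__ == "__main__":
    for channel, sender, body in SAMPLES:
        print(channel, triage(channel, sender, body))
```

A message that trips no flag is not proven genuine, because the From address can be forged; the call-back check described next still applies.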
Find the bank's phone number on the back of your card or via Google (not from the message). Call them and ask "did you just text/email me?" — they'll tell you yes or no within 10 seconds. No bank fraud team is annoyed by these calls; they get hundreds a day.
If you entered your login on a fake bank page, call the bank's fraud line immediately. Most banks can roll back unauthorised transfers within 24 hours if reported quickly. The earlier you call, the higher the chance of recovery.
Bank scams use the same playbook as phishing — once you recognise the pattern, you spot all of them.
whedo.it runs short bank-scam awareness sessions for client teams — current Australian scam patterns, real screenshots, a quick simulation. Pays for itself the first time someone almost falls for one.
I built this business because I wanted to do managed services properly — for a small number of clients, at a senior level, with the same person on the end of the phone every time. The work is too important and the stakes are too high for anything less.
Behind the formal qualifications: a Cyber Security degree from the University of the Sunshine Coast, currently working on my Master’s, plus a continuous stack of Microsoft, Acronis and Nerdio certifications — the ones that have to be renewed because the threats don’t stay still.
Behind the certifications: thirty years of doing the work. I cut my teeth in consulting, then went to Cisco on the team building the original iPhone — Cisco’s VoIP handset, the trademark Apple later acquired in the 2007 settlement. At TPG in 1999 I sold frame-relay networks when frame-relay was the cutting edge of business connectivity. I built and sold a Sydney-based MSP called Online IT before relocating to Perth.
Three decades of watching what’s actually changed and what hasn’t. The technology has changed almost beyond recognition. The principles haven’t. Identity first. Backup that has actually been tested. A senior practitioner who knows your environment. Calm in an incident. Honest answers when the answer is “no.”
That’s whedo.it. That’s the brief. That’s why long-tenure clients don’t leave.
— Warren Ephron, Director