Bank impersonation scams: spotting fake fraud-team calls
"This is the Commonwealth Bank fraud team. We've detected a suspicious transaction on your account. Please confirm a few details so we can stop it." It's the most lucrative scam template in Australia: pretend to be the bank, manufacture an urgent fraud alert, and walk the victim through "verification" steps that hand the scammer everything they need to drain the account. Here's exactly how it works and what real banks will and won't do.
How a bank impersonation call goes
- Spoofed caller ID. Your phone shows a real number for CBA, Westpac, ANZ, NAB, Bendigo, ING, Macquarie, etc. The scammer uses overseas VoIP to set the displayed number to anything they want. See our guide on caller ID spoofing for the technical details.
- The hook. "We've detected a transaction on your card from [implausibly far place: Romania, Vietnam, the US] for [oddly specific amount: $843.27]. Did you make this purchase?"
- The reassurance. "No worries, we can stop it. To verify your identity, can I confirm a few details?"
- The harvest. Card number, expiry, CVV, online banking username, the SMS code that just landed (which is actually authorising the scammer's transfer), or your one-time code from the bank's authenticator app.
- The "safe account" pivot. A more advanced version: "We're going to move your funds to a secure holding account while we investigate. Please transfer everything to this account number." The "holding account" is the scammer's mule account.
- The cover. "Do not log into your banking for the next 24 hours while we investigate. If anyone calls you about this, including someone claiming to be from us, hang up." This buys the scammer time before you check your account and notice the missing money.
What real Australian banks will never do
- Ask for your full PIN, password, or authenticator code. They never need these. A genuine fraud team can already see everything they need on your account.
- Read out an SMS code and ask you to confirm it. The SMS code authorises a transaction, so reading it back is the scam.
- Ask you to "transfer your money to a safe account". No bank in Australia operates this way. If your account is genuinely compromised, the bank locks it down at their end; you don't move funds anywhere.
- Threaten you with arrest, account closure within an hour, or legal action if you don't stay on the line.
- Ask you to install remote-access software (AnyDesk, TeamViewer, UltraViewer, Quick Assist) to "diagnose" anything.
- Demand you keep the call confidential and not discuss it with anyone, including other staff at the bank.
What real banks actually do
- If a transaction looks suspicious, most banks first send an in-app push notification or SMS asking you to confirm. You respond Y/N. That's it.
- If they do call, they reference details only the bank knows (the last few digits of your card, the merchant name, the transaction amount), but they don't ask you to confirm details they should already have.
- They invite you to call them back through the number on the back of your card or through the in-app "contact us" function. Genuine fraud teams welcome this; it confirms it's actually them.
- They never ask for your password, PIN, or any one-time code, full stop. This is now an industry standard published on every major Australian bank's website.
How to verify a suspicious bank call in 60 seconds
- Hang up. Don't argue, don't explain, don't try to extract information from them; just end the call.
- Wait at least one minute before redialling. Sophisticated scams hold the line open even after you "hang up" on a landline, so when you "call your bank" you're actually still connected to the scammer. Waiting one minute, and ideally using a different phone (your mobile if the call came in on the landline, or vice versa), defeats this.
- Call the number on the back of your card. Not the number that called you. Not a number from a Google search. The number physically printed on your card.
- Tell the bank's real fraud team what happened. They'll check whether there's a real flag on your account (almost always, there isn't), and they'll log the scam call.
What protections do you have?
Australian banks have, until recently, been inconsistent about reimbursing victims of "authorised push payment" scams (where the customer technically initiated the transfer themselves, even if under deception). The Scams Prevention Framework, coming into force progressively from 2025 onwards, introduces clearer obligations on banks, telcos and digital platforms to detect, disrupt and respond to scams, including reimbursement obligations when the institution failed in its duty.
Practical implications for you:
- Banks now have stronger obligations to delay or block transfers to known scam accounts.
- If your bank failed to act on a flagged account that received your funds, you have a clearer path to reimbursement.
- The Australian Financial Complaints Authority (AFCA) handles disputes and is free for consumers.
That said, prevention is still vastly better than the reimbursement process. Hang up.
If you've already given them information
- Call your bank's after-hours fraud line right now using the number on the back of your card. Most banks can freeze a card or block an attempted transfer in under two minutes if you reach them quickly.
- Change every password the scammer might have collected, especially online banking, email, and any account that uses the same password.
- Report to ReportCyber and Scamwatch.
- Contact IDCARE on 1800 595 160 for identity-protection support.
- Look up the scammer's number on Phony and report it so the next person sees the warning before they pick up.
Bank impersonation is sophisticated; sometimes the script is so polished that it takes a sceptic five minutes to spot it. The defence is blanket: any caller asking for codes, passwords, or transfers to "safe" accounts is the scam, no matter how convincing they sound. Your real bank will not be offended when you hang up and call them back.