Don't fall for it! The shocking truth about SMS links and how to stay safe.
- Replies 3
You probably already know this – we here at SDC have countless articles explaining why you shouldn’t trust links sent through SMS, even if they appear to be from your bank – but another reminder wouldn’t hurt especially when scams spike around the holiday period.
Generally scams are relatively easy to spot with a few telltale signs, but we can’t always expect people to be on guard. When in doubt, it helps to call the purported business directly (via a verified number), ask a friend, or consult an online community you trust.
On Reddit, one user sought the opinion of fellow Aussies after receiving a text message, supposedly from ANZ.
A text pretending to be from ANZ included a link that is supposedly for reporting unauthorised activity. Credit: Reddit
The text was written to appear as if it was sent in response to the Reddit user doing something that needed a PIN – many banks use a one-time password (OTP) sent through SMS before a transaction will go through. It then asked the receiver to click on a link immediately if they did not request a code.
Many Redditors responded to say that it was indeed suspicious. A top comment said: ‘It’s a common scam, sent to thousands of people, knowing that some will be ANZ customers and will worry, clicking on the link. The domain is dodgy to begin with (you would expect ANZ to use anz.com.au or similar).’
The poster did a bit of online sleuthing and found some useful information: ‘The domain was registered by ‘Internet Domain Service BS Corp’ which has a non-functioning registrar URL, and ANZ's real domain is registered via instra.com. I accessed the link via sandbox. It is designed to appear to be an ANZ page using their logos and asks for login credentials. None of the links work.’
They then encouraged the author to report it to ANZ who could then work to have it taken down.
The message had signs that it was a scam, which would probably be obvious to readers by now. Besides an unknown number, banks don’t typically add links for users to click to block transactions or use website URLs separate to their main site.
A Redditor said: ‘I don't bank with ANZ, but do with some other banks that send these types of 2FA (two factor authentication) messages. I checked a couple of them, and they say ‘Contact us immediately on <number> if you did not initiate this payment.’ The fact that they've sent you a clickable link instead screams scam.’
Another shared their experience with a compromised account: ‘When my account was exposed, along with others, my bank texted me to say ‘please contact or call into any branch of the bank as we need to discuss your account urgently’. They never gave any codes, asked for passwords etc. Just contact your bank ASAP.’
Spoofing URLs is also easy, so it doesn’t hurt to apply a general rule of never clicking links sent through SMS. Misleading links are more obvious to spot when using a desktop computer or a laptop – you can usually hover over hyperlinked texts to see where they will redirect – but not on mobile phones. (Don’t worry, all links on this article are safe to click.)
Phone numbers are also easy to fake. Messages that appear to be from ANZ instead of an unknown number aren’t automatically safe and are suspicious if they include links.
If you suspect unauthorised transactions made on your account, it’s still best to call the bank or type the link directly into your browser. As one user put it: ‘Remember folks, there's nothing wrong with doing the navigation and address typing yourself instead of trusting a link, especially regarding finance!’
On its website, ANZ tells its customers that it will never:
One user shared: ‘The more sophisticated attacks might attempt to push malware onto your device from the website itself. It depends on what's on the site, if there are web apps, or it might try to download something or ask for permissions in some way.’
If you are concerned about your account’s security, it’s best to change your passwords (make sure to do this on the official website or mobile app) and contact the bank directly. ANZ encourages its customers to close their browsers, clear their browsing history, and run a scan of their devices using up-to-date antivirus software.
You can also screenshot suspicious text messages and send them to ANZ through [email protected] for investigation.
If you receive a message claiming to be ANZ or any other Australian business or government agency and doubt its authenticity, delete the text, do not reply to the message, and report it immediately if you clicked on anything. Remember, time is of the essence, especially when you are a scam victim.
Be safe out there, folks!
Generally scams are relatively easy to spot with a few telltale signs, but we can’t always expect people to be on guard. When in doubt, it helps to call the purported business directly (via a verified number), ask a friend, or consult an online community you trust.
On Reddit, one user sought the opinion of fellow Aussies after receiving a text message, supposedly from ANZ.
A text pretending to be from ANZ included a link that is supposedly for reporting unauthorised activity. Credit: Reddit
The text was written to appear as if it was sent in response to the Reddit user doing something that needed a PIN – many banks use a one-time password (OTP) sent through SMS before a transaction will go through. It then asked the receiver to click on a link immediately if they did not request a code.
Many Redditors responded to say that it was indeed suspicious. A top comment said: ‘It’s a common scam, sent to thousands of people, knowing that some will be ANZ customers and will worry, clicking on the link. The domain is dodgy to begin with (you would expect ANZ to use anz.com.au or similar).’
The poster did a bit of online sleuthing and found some useful information: ‘The domain was registered by ‘Internet Domain Service BS Corp’ which has a non-functioning registrar URL, and ANZ's real domain is registered via instra.com. I accessed the link via sandbox. It is designed to appear to be an ANZ page using their logos and asks for login credentials. None of the links work.’
They then encouraged the author to report it to ANZ who could then work to have it taken down.
The message had signs that it was a scam, which would probably be obvious to readers by now. Besides an unknown number, banks don’t typically add links for users to click to block transactions or use website URLs separate to their main site.
A Redditor said: ‘I don't bank with ANZ, but do with some other banks that send these types of 2FA (two factor authentication) messages. I checked a couple of them, and they say ‘Contact us immediately on <number> if you did not initiate this payment.’ The fact that they've sent you a clickable link instead screams scam.’
Another shared their experience with a compromised account: ‘When my account was exposed, along with others, my bank texted me to say ‘please contact or call into any branch of the bank as we need to discuss your account urgently’. They never gave any codes, asked for passwords etc. Just contact your bank ASAP.’
Spoofing URLs is also easy, so it doesn’t hurt to apply a general rule of never clicking links sent through SMS. Misleading links are more obvious to spot when using a desktop computer or a laptop – you can usually hover over hyperlinked texts to see where they will redirect – but not on mobile phones. (Don’t worry, all links on this article are safe to click.)
Phone numbers are also easy to fake. Messages that appear to be from ANZ instead of an unknown number aren’t automatically safe and are suspicious if they include links.
If you suspect unauthorised transactions made on your account, it’s still best to call the bank or type the link directly into your browser. As one user put it: ‘Remember folks, there's nothing wrong with doing the navigation and address typing yourself instead of trusting a link, especially regarding finance!’
On its website, ANZ tells its customers that it will never:
- Ask you for your banking PINs, passwords or security codes
- Send you a link to log on to ANZ Internet Banking - always type the URL (anz.co.nz) into your browser
- Ask you to download any software onto your devices
- Ask you to give us remote access to your devices.
One user shared: ‘The more sophisticated attacks might attempt to push malware onto your device from the website itself. It depends on what's on the site, if there are web apps, or it might try to download something or ask for permissions in some way.’
If you are concerned about your account’s security, it’s best to change your passwords (make sure to do this on the official website or mobile app) and contact the bank directly. ANZ encourages its customers to close their browsers, clear their browsing history, and run a scan of their devices using up-to-date antivirus software.
You can also screenshot suspicious text messages and send them to ANZ through [email protected] for investigation.
If you receive a message claiming to be ANZ or any other Australian business or government agency and doubt its authenticity, delete the text, do not reply to the message, and report it immediately if you clicked on anything. Remember, time is of the essence, especially when you are a scam victim.
Be safe out there, folks!
.png){kind=icon}
