Remote access scams explained
A remote access scam is when a cyber criminal convinces you to download an app or software which allows them to access your device remotely. Remote access scams pose a serious threat to businesses. In 2022 there was an 843% increase in reported remote access scams from the previous year. According to the Australian Competition and Consumer Commission (ACCC), the median reported loss for a business as a result of these scams in 2022 was $25,000.
Cyber criminals can gain access to your devices in a range of ways, including:
- the cyber criminals may call you impersonating known businesses, telecommunication providers or government agencies and request access to your device to remove a “virus” or “fix an issue”
- cyber criminals can also create realistic-looking websites impersonating known businesses. They use these to encourage you to download software by clicking on the website or a link. They can then start a “live chat” to assist you - however doing so can allow them remote access to your device
- in attempts to gain remote access, cyber criminals may convince you to contact them by displaying a pop-up warning on your device alerting you that the device has been compromised. The pop-up will urge you to contact the team immediately using the number stated, and the operator will ask you to download software in order to “fix the issue”.
How cyber criminals can use your information
Your device is a key to access all stored information about yourself and your business. This may include your online banking passwords, credit card details, personal and work connections, your business data and other confidential information. Getting access to this information is a lucrative business for cyber criminals. If they can find a weak spot, they may attempt to use it for further malicious activities such as:
- stealing your identity
- stealing your money
- using your credit card
- stealing your business data
- holding your business data ransom
- infecting your device with malware.
You should not action any request for remote access made by a caller even if they claim to be from your bank or computer service provider.
Case study: customer scam
Bernie*, a NAB customer, received a call from someone claiming to represent a well-known technology company.
“The caller told me that there was a virus on my device, and they needed access to my device to prevent any data loss. The caller sent me a link to download an application and only needed me to approve access in order for them to remove the virus. The caller did not ask for any personal or banking information and the call ended shortly after.”
Bernie called NAB after logging in to their account and noticing there were two transactions, totalling $132,000, that they didn’t make. Bernie mentioned the issue with their device and the call from the well-known technology company. It was discovered that providing access to the device had allowed the caller to make the transfers.
Regrettably the money could not be recovered, and Bernie was out of pocket for the full amount.
How did the scam unfold?
Bernie was unsure how the caller gained access to internet banking since Bernie had not provided any personal or banking information on the call. Unknown to Bernie, the caller had used remote access control of the device to find the internet banking login credentials. This allowed the cyber criminal to log in to Bernie’s internet banking and make two transfers over a 24-hour period.
*Name and some details have been changed for privacy reasons.
Remote access scams targeting NAB Connect users
Cyber criminals may target NAB Connect users by impersonating NAB and requesting login credentials, passwords and security tokens to “help secure their account or money” and may even claim they are working to prevent fraudulent activity.
You should not provide your NAB Connect password or digitally generated one time code to anyone calling, even if they claim to be from NAB.
The only time you should provide your digitally generated one time code is when you call us to reset your security token.
How you can help protect your business
- Treat any unsolicited phone calls with caution and do not provide remote access to your computer or online bank account to anyone calling you.
- When in doubt you should contact the organisation using a trusted channel (publicly listed number, online chat, in person) to confirm the legitimacy of the request.
- Never provide your personal or banking information during an unsolicited call.
- Do not download any applications or software from a link, or at the request of an unsolicited caller. Some apps and software may allow remote access to your devices without further actions.
- Only download apps or software from official stores such as the Apple App Store or Google Play Store, and not by clicking on links through websites or email.
- Keep your SMS security codes and security tokens safe. Do not share these codes with anyone calling you - not even NAB. These codes provide an extra layer of security for your accounts, so it’s important to keep them and your phone safe.
- Ensure you carefully read any SMS security codes you receive. If the message says, “don’t share this code with anyone, including NAB, your security code is XXXXXX for increasing your transfer limit”, then don’t share this code with anyone.
Important: While we do everything we can to recover money transferred as part of a scam, this is not guaranteed.
How we can help
If you’re a NAB customer and you believe your business or personal accounts have been impacted by fraud or a scam, we’re here to help. Explore the immediate steps you can take to protect yourself and discover when you should get in touch with us to make a report.
IDCARE is Australia and New Zealand's not-for-profit counselling and support service set up to assist Australians impacted by identity theft and cyber-related crimes.
IDCARE can assist NAB customers to navigate through the process when identity details or credentials have been compromised through fraud or scams. IDCARE is a free service for all Australians.
Australian Government | Australian Cyber Security Centre (ACSC)
The Australian Cyber Security Centre (ACSC) brings cyber security capabilities from across the Australian Government together in a single location. It’s the hub for private and public sector collaboration and information sharing to combat cyber security threats. ACSC provides topical, relevant and timely information on how home internet users and small businesses can protect themselves from, and reduce the risk of, cyber security threats such as software vulnerabilities, online scams, malicious activities and risky online behaviours.
Australian Government | ReportCyber
ReportCyber is a secure reporting and referral service for cybercrime and online incidents which may be in breach of Australian law. The ReportCyber website provides a cybercrime reporting mechanism as well as helpful information about cybercrime.
Australian Competition and Consumer Commission | Scamwatch
Scamwatch provides information to consumers and small businesses about how to recognise, avoid and report scams using publications, videos and other online resources.
Australian Government | Office of the eSafety Commissioner
The Office of the eSafety Commissioner provides online safety education for Australian children and young people, a complaints service for young Australians who experience serious cyberbullying, and addresses illegal online content.
Australian Government | Attorney-General’s Department
The Attorney-General’s Department website provides helpful information and resources about your rights and protections with regard to identity security, freedom of information and cyber security. The Department has developed a range of resources to assist people to protect their identity and recover from the effects of identity crime.