New BPAY Scam email - and a good one at that!

Received a very well constructed scam email today, purporting to be from BPAY. If I was a regular BPAY user it might have got me it was so well done. The title of the email is “BPAY Order Confirmation” and it shows as coming from “BPAY Support” with the address showing as order@bpay.com.au. The contents of the email are as follows:

At the top of the email there is a logo saying Bpay View

Your order #is: 00755998
We’ll email you an order confirmation with details and tracking info.

Biller Code: 7624521
Ref:592538659

Here is a blue box containing View BPAY DETAILS - this box is a hyperlink to a https address at commbank.online.

It looks official, the spelling and grammar are good and they’ve kept it short. Also if you are using a webmail like Yahoo, Gmail, etc. they have done it so well it even fools them, as an ad for Bpay will show up at the side of the email page. However when you open up BPAY’s website in another window by manually typing their address (never click on an email link, even if it looks like it’s from someone you trust), if you search for the Biller Code you will find it’s not valid - you’ll get a “No records found” message.

Hope no-one gets caught by this as it’s a damn good one, but remember the golden rule. Don’t click on email links, especially when they are anything to do with financial stuff such as bills, payments, banking, etc. The days of the simple Nigerian Prince who wants you to hold his millions for him until he gets out of the country are over, they are much better at it now :).

17 Likes

Good advice @obbigttam, thanks for spreading the word about this one.

3 Likes

I received this spam a few days ago also. It only took me a second to know it was spam as I don’t buy anything through BPay. It got ‘junk’ and ‘deleted’ very quickly. Thank you for the advice here though. I was waiting for it to come into my Facebook newsfeed by the police but that hasn’t happened yet.

4 Likes

From what I understand, Bpay is a bill payment system and not a goods or services ordering system. Bpay itself won’t be a biller or indicate that goods or services need payment.

This alone should raise eyebrows in relation to its validity. It appears that the scammers don’t understand what Bpay is or hope that the email recipients don’t know.

I suspect the phishing is for Commonwealth Bank login information if the link takes you to a fake login site.

And agree that one should never click on links in any email. It is also worth doing an online search if one is unsure to see if anyone else has reported the potential scam. Even if there are no positive internet searches, one can always contact the business named in the scam email to determine if it is genuine (using contact details from the business website/yellowpages rather than those potentially in the scam email).

It is also worth reporting such scams to Scamwatch and the business in question. Both can publish online confirmation that the emails are scams so others don’t potentially get caught.

6 Likes

Great stuff! Why aren’t warning letters like yours seen everywhere!!! Wherever people can go and buy a computer, smart phone, also newsagents, post offices, supermarkets etc etc.

4 Likes

Just a few thoughts on that. Exactly where would those posts be displayed?

Would that be on their windows, walls, a bulletin board by the toilets, by the till, anywhere they chose? How many read things so posted ever, let alone regularly?

Would it be more hit and miss to rely on manually posted warnings as compared to a single managed source such as scamwatch?

3 Likes

BBG - all valid points. I guess I was thinking more of the older and less sophisticated tech people who are often the ones caught out the most with these scams. Many of these people may have no idea about scam watch and the like.

4 Likes

It appears there have been regular Bpay scams over the years. I could imagine someone who uses email but is oblivious to internet banking and Bpay potentially getting scammed.

I fondly remember the days of community boards where many if not most of us checked for all sorts of local events and information. In the metro areas they reflect a bygone era. Are they still common in the smaller regional centres and bush?

Some of the banks have prominently flagged recent scam emails, but some just have general references and links to scamwatch and staysmartonline.

I could be overly cynical (or realistic) but there have always been and always will be scammers who prey on the elderly and unsophisticated. Prior to the internet they would go door to door and sometimes still do (eg fake tradies offering repairs, once upon a time horrendously overpriced vacuums, fake charity collectors, etc). Some days I wonder whether I will be susceptible to the scams as they evolve in the next 10-20 years as I age. That mirror of life can be unsettling.

1 Like

The other thing to consider is the scam environment changes regularly and information provided in hard form, say when buying a computer, will be out of date soon thereafter. Scammers evolve to try and beat the protections which may exist out there (e.g. reported scams, spam filters etc).

4 Likes

You are correct in your understanding, however that is part of what they are banking on in the scam. With the speed that businesses change and adapt these days, they are hoping that some people who receive this email think “Oh, Bpay have expanded into a payment service for shopping now”, and that they’ll click on the link to see which store the order came from (before thinking “Did I buy anything online recently?”).

With email scams it’s a fairly simple game for those that do them well. Use a bulk mailer to send out 10,000 emails, hope that 2500-3000 of those get past the Spam filter and if even 5% of that 3000 (so 150 emails) are successful they’ve done well for themselves. To send that batch of 10,000 emails it takes them the time to write one and load it into the bulk mail program. Each time after that they want to send another batch of the same it’s as fast as hitting enter.

They also bank on the fact that government anti-scam programs such as “Scamwatch” are pretty much useless at stopping them from making money. First the offending scam email/phone call has to be reported quickly, and then it has to be posted on the site quickly as well. It then relies on each susceptible member of the general public logging onto Scamwatch each day to see what the latest ones to look out for are. All this has to happen before enough people have fallen for the scam and lost enough that the scam hits the evening news - that’s when the general public finds out.

It’s the same thing as product recall notices. They are placed in newspapers 10 or so pages in, and also posted in Supermarkets (most often somewhere near the service desk). I’ve asked people before whether or not they go looking for recall notices every time they walk into a store and am yet to have someone say “Yes, yes I do.” As for the newspaper listing just look at the dying sales of daily papers to tell me how great that works lol. There needs to be a general education campaign that’s on-going to alert the general populace on where to go to find the information about particular things such as scams and recalls, but the campaign ALSO has to include a guide and general hints and tips on how to avoid scams in the first place.

What may seem common sense to those of us that are more computer literate, has no meaning whatsoever for an elderly person/migrant/refugee. In your face scams like door knocks or phone calls are even worse. For a new arrival or elderly person, having someone who appears to have some authority tell them they have to pay X to avoid paying Y or end up in court is an easy win for them in a lot of cases - so many of those scams don’t even get reported.

4 Likes