Cyber security, scams & fraud

Keep your CommSec account and devices secure.

Protecting you is our priority

CommSec will never ask you to share your CommSec credentials with us. To avoid exposure to scams and fraud, it's important that you never share your CommSec credentials, such as your Client ID or password with anyone including CommSec, third parties, trusted organisations or family and friends. 

Scams & fraud

Scams

Scammers gain your trust in order to steal your money or information.

Discover the latest scams, how to spot them and what to do if you've been scammed.
More about scams

Fraud

Account fraud usually happens when somebody accesses your personal/account information without your knowledge or authority.

Find out how to protect yourself from fraud.
More about fraud

Learn about the latest scams

Facebook/WhatsApp investment scam – December 2025 / January 2026

CommSec has been made aware of a number of investment scams where people are invited to join a Facebook group or WhatsApp chat for the purpose of receiving investment recommendations. This investment scam promotes different scam “strategies” through different WhatsApp groups based on interest and how much money participants are willing to invest.

There are many variations of this type of scam, including being run by someone who falsely claims to work with Tom Piotrowski (note: Tom Piotrowski is no longer associated with CommSec) or claims to be an investment adviser / expert.

Below is one example of an invitation to join a chat / site under the guise of receiving investment ‘tips’ to ‘buy’ a specific stock. This type of scam seeks to artificially inflate the price of a company's shares, allowing the scammers to then sell at a profit, and leaving the scammed investors holding the stock and, inevitably, facing losses.

Typically, once victims share their phone number to join the WhatsApp chat group, the scammers begin to send so-called “stock recommendations” or updates from the “investment expert”. The scammers are currently focused on NASDAQ-listed microcap stocks.

The Scammers may also promote different scam “strategies” based on how much money participants are willing to invest.

If you’ve come across or been invited to any Facebook group, or have provided your phone number to a WhatsApp group, please call us on 13 15 19 and also report the scam to hoax@cba.com.au.

Secure your CommSec account

CommSec has additional security features that provide an extra level of safety to your account. These only take a few minutes to set up on the CommSec website.
  • Verbal phone PIN 
    A 6-16 digit numerical PIN that can be used to identify you when you call us.

  • Security questions & answers
    These questions will be used to identify you if you forget your password, or whenever we need extra verification. 

  • Trading password 
    To add an extra level of security to your account, you can use trading password when placing orders via the CommSec website, CommSec Mobile app or CommSec IRESS. This password is different to your login password. 

  • SMS security 
    SMS-based two-factor authentication (2FA) and SMS one-time passwords (OTP) allow you to verify your identity with a code, sent to you via text message. 

Set up these security features on the CommSec website:

1. Log into CommSec

2. Select Settings

3. Go to Security & Passwords section

4. Select the feature you want to enable


CommSec is not liable for any losses resulting from the scams of third parties that have compromised your CommSec credentials.

Verify your calls with CallerCheck

What is CallerCheck? 

CallerCheck allows you to confirm if a caller claiming to be from CommSec or CommBank is legitimate, by triggering a security message in your CommBank app.  

We also use CallerCheck to make sure we’re speaking with the right person when receiving and making calls, before we share any details about your account. 

It’s our preferred way of identifying you over the phone safely.  

CallerCheck is only available for CommSec customers who are CommBank app users. You'll need to have version 4.37 or newer of the CommBank app installed. This feature is not currently available in the CommSec mobile or CommSec Pocket apps.     

Find out more about CallerCheck.

Remember 3 simple steps:

Stop. Check. Reject

1. Stop

Does a call, email or text seem off? The best thing to do is to stop and take a breath. Real organisations won't put pressure on you to act instantly.

2. Check

Ask someone you trust or contact the organisation the message claims to be from.

3. Reject

If you're unsure, hung up on the caller, delete the email, block the phone number and change your passwords.

Create strong, unique passwords

Your banking, social and email accounts contain important information that make up your digital identity. Here’s how to create strong passwords to help keep your information safe.

Creating a secure password

  • Use a mix of letters, numbers and symbols 
  • Use as many characters as you can – a longer password is harder to decipher 
  • Avoid anything that can be easily guessed such as your address or birthday, or common quotes and phrases 
  • Consider a passphrase: Similar to a password but instead of creating a string of letters, numbers and symbols, use words that tell a story. For example: MyPetGo@tHa$@PhD. It tells a silly story that’s easy to remember, while increasing the unpredictability of your password and making it difficult to guess 

 

Password security

  • Don't share your passwords with anyone  
  • Don’t write your passwords down anywhere 
  • Make them unique: reusing a password multiple times makes it less secure – it only requires one breach to compromise all the accounts with the same password 
  • If you have many accounts, setting alphanumeric passwords for each can be difficult to remember. In this instance, you may want to consider using passphrases instead 
  • When available, enable multi-factor authentication. This adds an additional check to prove your identity. An example might be a code you must enter which is accessed via an authenticator app on your mobile device 

Protect yourself from SMS and email scams

We will never send you an email or SMS asking for banking information like your CommSec Client ID, password, or NetCode; or include a link to login directly from the email or SMS.

Always type commsec.com.au into a browser or use the CommSec app to securely access your investing.

How to check if a message is legitimate:

  • When contacted by an unsolicited third party, it's better to be over-cautious. Contact the organisation directly using a phone number from their website (not the email or message) before you reply.
  • Hover your mouse over a link to see the destination URL (web address), before clicking it. On a smartphone you can press and hold a link to inspect it. Carefully read these URLs, as they’re often created to look similar to legitimate addresses.

Reduce your risk of being scammed by paying close attention to messages or emails that:

  • Aren't quite right – scammers may use similar email addresses (e.g. @combank.com or @Comsec.com) and copy the look and feel of official messages to trick you into thinking a message is legitimate
  • Have spelling mistakes and incorrect grammar
  • Include an urgent call to action, such as asking you to unlock or verify an account, or log on and pay a traffic infringement notice. They might also contain malicious software (also known as malware) designed to infect your machine and steal data over time

Read all SMS security code messages carefully. Only enter a security code if you'd like to authorise the activity. Never share your security code with anyone, including CommBank & CommSec.

Secure your computer & mobile phone

Your phone and computer carry a lot of your personal information, so we want to help you protect them against malware, fraud and scams.

Protect your computer by:

  • Enabling automatic updates to ensure you always have the latest operating systems and software
  • Never downloading remote access software at the request of a third party
  • Always downloading software from a reputable source
  • Ensuring you have the right level of protection for your laptop and computers. Anti-virus software protects against viruses, spyware, malware, phishing attacks, spam attacks and other online cyber threats 
  • Keeping your anti-virus software up to date and check regularly that it still meets your needs

Protect your device by:

  • Using a PIN, password or biometrics
  • Keeping your operating system up to date
  • Using the latest version of the CommSec app
  • Disabling apps from any untrusted sources
  • Keeping hardware restrictions on your phone. Do not jailbreak (Apple) or root (Android) in order to install unapproved third party apps or features
  • Not downloading remote access software at the request of a third party
  • Contacting us if your mobile service is suddenly disconnected or you’re notified of a change of provider without your permission

We're here to help

Have questions about account security or think you've been scammed? Call us immediately.

In Australia: 13 15 19
From overseas:  +61 2 8397 1206
8am-6pm Sydney time, Monday to Friday

Received a suspicious message but haven't clicked on it yet? Report it to hoax@cba.com.au

Follow us on:

Download the CommSec App

 

© Commonwealth Securities Limited ABN 60 067 254 399 AFSL 238814 (CommSec) is a wholly owned but non-guaranteed subsidiary of the Commonwealth Bank of Australia ABN 48 123 123 124 AFSL 234945. CommSec is a Market Participant of ASX Limited and Cboe Australia Pty Limited, a Clearing Participant of ASX Clear Pty Limited and a Settlement Participant of ASX Settlement Pty Limited.

The information on this page has been prepared without taking into account your objectives, financial situation or needs. For this reason, any individual should, before acting on this information, consider the appropriateness of the information, having regards to their objectives, financial situation or needs, and, if necessary, seek appropriate professional advice.

CommSec does not give any representation or warranty as to the accuracy, reliability or completeness of any content on this page, including any third party sourced data, nor does it accept liability for any errors or omissions.

Top