The Commonwealth Bank has also had some of its most prominent bankers recreated using deepfake technology in a bid to trick existing and would-be customers into clicking on malicious links.

The new tactics arrive as the big four bank has witnessed a shift away from older methods of targeting victims such as phishing – a method where a hacker tries to trick a person into providing information by posing as a reputable organisation over email or text message – in lieu of newer, more innovative methods.

CBA cyber defence general manager Andrew Pade told The Australian hackers were taking products from its website and using them in targeted advertisements on social media.

“We’re seeing a trend in which traditional phishing attacks are sort of shifting because people are becoming more aware. The more traditional emails or notes about a package coming, people are catching on to that,” he said.

“We’re seeing a move towards embedding malicious content in ads on social media. What’s happening is our customers will see an ad, it’ll look like it’s from us but it’s actually not and it’s got a lure inside.”

Hackers and scammers are also making up products and using deepfake technology to ­create videos of prominent bankers who appear to be promoting those products.

“We also see the growing trend of gen AI (generative artificial intelligence) video, where threat actors are creating fake CBA videos with prominent CBA employees who are known,” Mr Pade said.

“We’re seeing a bit of that as well, like promoting certain technologies or businesses that are not aligned to our organisation.”

Earlier this year a deepfake video circulating on Instagram and Facebook appeared to show CBA chief executive Matt Comyn promoting new investment themes. The bank was particularly concerned about malicious ads on social media as sometimes they were slipping through vetting processes, Mr Pade said. A lot of the bank’s customers and general social media users were also less sceptical of ads on social media platforms.

“People when they’re on these social media platforms, they kind of lower their guard, because they think that the ads have been vetted and trusted by the social media platform,” he said.

The bank was asking that consumers treat all ads on social media the same as they would suspicious looking emails in their inbox, Mr Pade said.

“We hunt for these ads, not only social media but online, and then we take them down by using a process within social media.”

One of the issues with malicious social media ads was that they can take more time to remove, as companies have to go through an official process on platforms such as Instagram and Facebook.

“When you create a website, they’re treated as largely untrusted until they have been online for a period of time and so we’re often able to find them before they’re used by threat actors,” he said.

“Whereas on social media it’s a bit harder because once (ads) go live, they’re live and so we then have to follow the social media process to get them removed.”

Mr Pade spoke at South by Southwest in Sydney on Tuesday, addressing a panel on how CBA was using AI to measure and respond to cyber threats. Today the technology is used to scan over 240 billion online activities for threats, assessing user behaviour including at transactions, login location and history.

More Coverage

How climate activists are tricking older Australians

Joseph Lam

Forget virtual and augmented, diminished reality is far scarier

Joseph Lam

Originally published as Deepfakes, social media scams hit CBA and its bankers