Consumer | Cyber Security |

How to stay safe shopping online this festive season

By Jen Stockwell December 17, 2020

This year, we’ve been stuck inside – and on our phones and computers – more than ever. More than a million Aussie households shopped online between March and September this year for the first time ever. If that’s you, we have some advice to help keep you safe.

Australia Post predicts this trend is here to stay too, and it’s easy to see why. Shopping online lets you browse and choose what you need from the comfort of your lounge, and in the past few years Black Friday and Cyber Monday have become record-breaking online shopping events in Australia.

There’s another side to this, though: scams. According to Scamwatch, Australians have lost over $7 million to online shopping scams so far this year, up 42 percent. Scamwatch also says that scammers are typically out in force over Christmas, as families rush to get through their festive season shopping and bargain hunters trawl through all the digital Boxing Day sales.

Last year it was shoes, smartphones and tickets to concerts and events that were most likely to be listed online by scammers looking to make an illegitimate buck. This year, concert tickets aren’t likely to be as popular, but you should be more cautious than ever about making sure your online purchases are legitimate. As is usual on the internet, a little bit of caution can save you a lot of heartache.

One of the most popular methods of scamming you out of your hard-earned dollars while you’re online shopping is for a scammer to set up fake online stores. Scammers often set up fake websites that look convincingly real, or use social media platforms to host storefronts that may look like a genuine retailer’s. Often they have popular items at prices that may seem too good to be true. The big difference is that when you pay, you won’t see anything arrive in the post like you were expecting.

Another popular scam to watch out for is on classifieds websites, where scammers create fake seller profiles and list popular items at attractive prices. If you’re shopping for items on a classifieds site, a seller might suggest they’re travelling and a friend or agent will complete the sale for you once you’ve paid. There’s a reason that ‘buyer beware’ is a popular saying…

Here are some common-sense tips to help you stay a bit safer while shopping online:

  • If you’re shopping at an online store with its own website, do some research before you click ‘buy’ to check that it’s reputable. Look for independent reviews of the retailer. Are there clear contact details? Make sure you trust who you’re buying from, and where possible stick to reputable platforms (like eBay and Amazon) that will guarantee your purchase.
  • Shop with a credit card or VISA debit card from a reputable bank, or use a payment processor like PayPal, and check your statements regularly for any fraudulent or unexpected payments outside of your shopping. Always shop with a payment method that allows for disputes to be raised if necessary. And keep track of your purchases!
  • Be alert to phishing attacks: scammers are highly active this time of year. Treat every email or message with caution, especially if it’s asking you to do something or if the offer sounds too good to be true.

And if you’re browsing the classifieds for a second-hand bargain:

  • If possible, pick up the item you’re buying in person. That way you can inspect it to make sure it is genuine and in the condition you expect, and you can agree with the seller to pay in cash or by instant transfer on the spot. Avoid paying for an item before you have access to it.
  • When you’re communicating with a potential seller, ask for some proof that they have the item you’re looking to buy – like a new photo of the item. One of our favourites is taking a photo of the item on a recent newspaper with the day’s date. Digital timestamps on photos are also useful for this, especially if there’s no newspaper handy.
  • Carefully consider how much personal information you share when you shop online. Only complete the mandatory fields needed for your order, as any information you enter during sign-up could be exposed if that website is hacked.
  • And, of course, there’s one other piece of advice we’ll never shut up about: always use a strong and unique password, and turn on multi-factor authentication wherever you can. That way, if someone manages to guess your password, they won’t be able to get into your account.

Happy shopping!


Invisible security at your fingertips

By Darren Pauli August 21, 2020

Consumer cyber security has become much more user friendly and effective in recent years with technical complexity hidden behind seamless usability and easy-to-use apps. Yet a whole suite of largely invisible cyber security defences too numerous to list are available, often for free, by applying software updates.

This week we’ve covered some of the most important defences as part of Scams Awareness Week; password managers and the adoption of passphrases instead of jumbled codes; free and easy multifactor authentication; updated advice on spotting phishing attacks, and locking down your sensitive data.

Scams Awareness Week: five ways in five days to free and easy cyber security

Set your devices to automatically update. Search online for ‘end of life’ and your device make and model to see if it is still supported and secure.

An update is available

Many modern apps and devices are set by default to automatically update. Updating can apply new features, improve stability, increase security, and close dangerous flaws.

Security researchers continually find and report vulnerabilities in hardware and software. No product is immune. Good vendors will produce fixes, or patches, for these flaws and distribute them in software updates.

Many consumer products from phones to routers and gadgets will receive updates for a period of time before the manufacturer deems them end-of-life, stops fixing security flaws, and recommends customers buy a new product.


Your router, if it is relatively new and produced by a major vendor, is likely set to automatically check, download, and install updates on a regular basis.

To check if it is, load your router’s administration page. Connect your computer via an ethernet cable to your router, likely through the socket at the back labelled WAN, and type in the router’s IP address into a web browser window.

The IP address is likely underneath your router and should look like a sequence of numbers and full stops in a sequence like The username and password required to access the admin page (not your Wi-Fi network) may also be on the underside. If not, search online for ‘default login’ followed by the make and model of your router.

Once inside, feel free to navigate around without saving any changes. You should find your software update status under general settings or admin.

Set your updates to automatic if possible and click a button to manually check for updates if it is available.

Look for a date of the last update – this might be next to or contained inside the update (firmware) file name such as tplink_abcxyz_20.03.2020.

Your router might be end of life if that date is more than a year old. You can verify by searching the internet for ‘end of life’ and the make and model of your router.

End of life routers should be replaced to ensure security. You may wish to consider replacing the router operating system instead with supported open source firmware like OpenWrt. These systems, while popular, generally have a highly technical interface, and installing them is a complex process that, if done incorrectly, could leave your router inoperable.


Modern mobile phone operating systems such as Android and iOS, along with their apps, are set by default to automatically update.

You can check by going to settings and searching for updates. Open your app store and apply any updates and check any boxes to activate automatic updates.

Apple supports its line of iPhones for much longer than other manufacturers but most provide updates for their phones for two years or more. Some updates may occasionally be issued beyond that for highly critical security issues.


Microsoft now only supplies updates for Windows 8 and Windows 10 in its regular consumer operating systems, although it too occasionally issues updates for older platforms to fix the most pressing rare security issues.

Windows 10 contains a suite of built-in security controls that make computers significantly harder to hack than older Windows versions. It also offers well-performing built-in antivirus eliminating the general security requirement to purchase third party antivirus.

Apple will as of November no longer support macOS 10.13 High Sierra and instead cater to newer versions including macOS 10.15 Catalina which sports Activation Lock that helps prevent unauthorised use and erasure of disks in devices that have the Apple T2 security chip.


Additional security settings can often be found by looking around your settings. You may find options such as backups, which help in the event of data loss or ransomware (a type of malware), and others that increase your security at the expense of some convenience. Try them out; you may find the new barriers worth the additional peace of mind.

Microsoft Office has similar security settings. Most malware utilises document macros as an initial step in attacks. These can be turned off if not needed to significantly increase security.

Consumers may also consider using a suite of tools called HardenTools, produced by Claudio Guarnieri, a highly-respected cyber security expert with Amnesty International. This Windows suite turns off many legitimate default features that cybercriminals commonly abuse to launch attacks. The process is reversible with the click of a button.

Organisations meanwhile can consider the deployment of Application Guard for Office, which protects macro use. It is in preview mode and available to customers who apply for access from Microsoft.

Scams Awareness Week runs from August 17 – 21. Make sure to check out our Cyber Security Hub for the latest info on staying safe from threats. Also see the ACCC’s ScamWatch podcast series on identity theft by the team at the ABC’s The Chaser.


Secure your sensitive data for free

By Darren Pauli August 20, 2020

Open your email account and search for ‘driver licence’. Then search for ‘passport’, ‘Medicare’, and ‘payslip’. Now think about your email account password; do you use the same password for other accounts? When did you last change it? The sensitive personal information contained in your inbox is at risk if your password is used across other accounts.

That risk is higher still if you are like the 90 percent of Google users who in 2018 did not make use of a simple additional security check, known as multi-factor authentication, to protect their accounts.

Here’s how to take small steps for big security gains.

Scams Awareness Week: five ways in five days to free and easy cyber security

Start by making your email password unique, then switch on multi-factor authentication. After that, delete your attachments.

Lock shop

Your email password needs to be unique, so change it if you have reused the same one anywhere else.

The best way to do this is through a password manager. These can help you change all your passwords to long and unique combinations that you can set and forget. All you need to remember is your one master password which is the key to your password vault.

Another option is to use phrases for your passwords (also known as a passphrase). A sentence that means something to you, not taken from a book or movie, is a great choice. You’ll remember it since it is a phrase, rather than a random combination of letters and symbols, and it’ll be harder for an attacker to guess or crack. You still can’t reuse passphrases across accounts, though, so a password manager would again come in handy here.

Next, deadbolt your email account with multi-factor authentication. It is supported by most major email providers and can be usually found under your account settings within the security or privacy tab.

This security control, which usually requires an extra code when you first log in, is simple and makes hacking your email account extremely difficult. It also means an attacker will not be able to access your account if they steal your password.


Find and delete any attachments that contain your driver licence, passport, and other highly sensitive personal information you would most like to keep out of hackers’ hands.

Most email services allow you to check a box to return search results with attachments, or you may be able to search the phrase ‘hasattachment:yes’ along with any keywords like ‘driver licence’.

Your account is unlikely to be compromised when protected with both a unique password and multi-factor authentication, but there are phishing attacks that can steal both.

By deleting searchable records of your personal information in your email, you’re minimising the potential damage should it be breached.


You, like me, may choose to store a copy of your personal information (like your driver licence, passport, and Medicare info) in one easy to access location. You can do this whilst also ensuring it is secure.

I store mine within Google Drive inside of an encrypted archive file – most commonly known as a zip file – using an entirely unique password. I use the 7zip extension with powerful AES encryption, both of which are set as default options within the free open source 7zip software.

This control means hackers who breach my Google account will be unable to find a copy of my sensitive documents within my thousands of emails. They will also be unable to open the archive containing my personal information because the password is different from any they have stolen.

If you need more regular digital access to things like your driver licence, try an app.

Tap of an app

I have not carried a wallet since 2017. My phone is my wallet, allowing me to pay and provide proof of identity.

So making fast and easy access to my driver licence is essential. I store a second copy of my driver licence and Medicare card, two items I often need in a pinch, in the cloud service.

This is a secure so-called ‘zero knowledge’ service which is protected with multi-factor authentication. This combination makes compromising my data very difficult, yet access convenient through an app on both Android and iOS.

Many identity providers are starting to offer identity services digitally. Apps like Australia Post’s Digital ID, Services Australia’s Express Plus Medicare mobile app, or if you’re in NSW or South Australia, your state government’s digital driver licence apps, make it easy to access your identity documents quickly, backed by the government’s security chops.



Make hackers give up with multi-factor authentication

By Darren Pauli August 19, 2020

Burglars and cybercriminals have the same philosophy: when a target is secure, pick a softer victim. Using multi-factor authentication is like getting a free and easy deadbolt on your online accounts to go from a soft target to a hard target.

Two in three arrested burglars told police and academics they would avoid a home with a barking dog, while half would avoid one with a working alarm system.

Cybercriminals and professional hackers paid to test defences have said accounts protected with multi-factor authentication are an obstacle they would rather avoid.

It could be said then that adequate security is a matter of being more secure than your neighbours.

Scams Awareness Week: five ways in five days to free and easy cyber security

Most hackers are after quick money. Multi-factor authentication helps protect against these attacks.

The first step to securing your online accounts is to use a password manager and change any passwords that you have reused. Start with your most valuable accounts.

Next turn on multi-factor authentication (also known as two-factor authentication and two-step authentication).

Deadbolts for your accounts

Most hackers are after quick money. They blind fire phishing emails in an all-too-successful bid to snare usernames and passwords while others feed huge lists of hacked logins published online into automated password-guessing tools to break into accounts at scale.

Multi-factor authentication helps protect against these attacks with a deadbolt in the form of a check that is required after your password.

Most of the big technology platforms from Google to Microsoft, Instagram to Reddit offer it for free under user account settings and security or privacy. A directory listing services that allow multi-factor authentication is available at

It is often a six-digit code generated in a special app or sent over SMS. It may, in the case of Google and other services, be an easy notification that appears on your phone asking you to tap to approve access. It can also exist as fingerprint readers and special USB devices.

Attackers who have managed to steal your password must also steal these checks to gain access to your account.

But they have a short window to do it. The checks expire usually after 30 seconds to a few minutes placing a tight time window on any attempt to steal them.

It is a hurdle that for most cybercriminals proves too hard.

Multi-factor authentication is easy for you, however. It is usually only required once, provided you use the same device or web browser and remain signed in. Some sensitive services like online banking that log you out after inactivity require the code to be entered on each login.

Super thief

Phishing works because people are at times inattentive and generally trust what they see.

It stands to reason that those who are willing to enter their details into a login form they believe is legitimate will also enter their multi-factor authentication codes.

Basic phishing sites store stolen passwords in databases that can be used in subsequent attacks.

Advanced phishing sites immediately send captured usernames and passwords to the legitimate services they mimic and log into the victim’s account in real-time. The sites then prompt victims to enter their multi-factor authentication codes which, when supplied, allow the criminal to access the victim’s account.

Other dedicated criminals can steal SMS-based multi-factor authentication by abusing phone porting, a feature that allows consumers to churn their mobile number to new providers.

Criminals need to have enough information on their victim to pass identity checks in order to gain control of a victim’s phone number and receive any SMS-based authentication.

New industry security controls make this attack very difficult. Pre-port verification codes must now be entered before phone porting can take place.



Super secure passwords you don’t need to remember

By Darren Pauli August 18, 2020

Passwords are a nightmare: many of us have set, forgotten, and reset them enough that we use the same one or two combinations for everything. Some use the same password for everyone in their family. But this practice, known as password reuse, is akin to using the same key for your house and car: criminals with your password in hand could access every account that shares the same login, just as a thief with your universal key could rob your house and drive away in your car.

Here’s how to have secure passwords that are easy to access so you never click ‘reset your password’ again.

Scams Awareness Week: five ways in five days to free and easy cyber security

Use a password manager. They are built into Apple, Google, and Samsung phones, web browsers, and are stand-alone apps. Most are free.

Huge lists published online containing millions of hacked usernames and passwords increase the chance that criminals will compromise accounts with reused passwords.

These attacks occur at scale. Criminals can automatically cycle through thousands of compromised logins until an attempt is successful.

Forget your passwords

Use a password manager. These set and store highly-complex, random passwords inside a secured service that is protected with the only password you need to remember. Set one password and forget the rest.

There are many free and easy options available, but you may find it easiest to use the built-in managers you may already have.

Apple’s iCloud keychain password manager is built into iPhones, iPads, Mac OS, and the Safari web browser. Google’s password manager is built into Android-based phones including Pixel and Samsung lines, tablets, and in the Chrome web browser.

Web browsers Firefox and Edge also contain a built-in password manager, while separate free and paid apps exist that work across all mobile devices and computer operating systems.

A good password is a Sentence1

Prevailing advice for decades has taught people to use passwords that are hard to remember and often easy for computers to break.

Requirements to set passwords with an upper and lower case letter, a number, and a special character result in people setting predictable passwords like P@ssw0rd1 or Summer2020!, and hackers know it.

Ultimately, security that comes at the expense of convenience inevitably comes at the expense of security.

So make the last password you need to remember for your password manager one that is strong but easy to remember by using a phrase that is unique to you.

Write it as a normal sentence, complete with spaces, and throw a number somewhere to make a highly original combination.

Another thing

Ensure your password manager is active whenever you wipe or buy a new phone or laptop. The software will capture your usernames and passwords as you log in to apps and sites, often a one-time requirement on mobile devices.

Your password manager can start warning you if your accounts are reusing passwords once the manager has saved a collection of them. You can use the inbuilt features to generate a new strong random password with which to replace it.

Start by changing the passwords that protect your most valuable accounts. Bank accounts, email, social media, and any associated with a business you may operate including website, email, and mailing list administration. These are popular targets with criminals.

Prioritise changing breached passwords. Many password managers alert when your passwords are found in hacked lists giving you the opportunity to change them before they are used by criminals.

You may also choose to visit, a legitimate security service, which collects and conceals the same hacked usernames and passwords allowing people to check if they are affected.
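As an added illustration (not the post’s own code, and not tied to any particular service), here is a Python sketch of the two checks a password manager can run over a saved vault: flagging passwords that are reused across sites, and checking each password against a breached-password corpus using a hash-prefix range query, one design that lets a breach-checking service answer without the device ever sending the full password or even its full hash. The vault, the breached list and the five-character SHA-1 prefix lookup are constructed assumptions for the example; the passwords in it are deliberately the weak patterns the post mentions.

```python
import hashlib

# Constructed sample vault (site -> password). Not real credentials.
VAULT = {
    "bank.example":  "correct horse battery staple 7",
    "email.example": "Summer2020!",
    "shop.example":  "Summer2020!",
    "forum.example": "P@ssw0rd1",
}

# Constructed stand-in for a corpus of passwords seen in published breaches.
BREACHED = ["P@ssw0rd1", "Summer2020!", "password", "123456"]

PREFIX_LEN = 5  # assumed: how many hex characters of the hash the client reveals


def sha1_hex(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def find_reused(vault: dict) -> dict:
    """Map each password that appears more than once to the list of sites using it."""
    sites_by_password = {}
    for site, password in vault.items():
        sites_by_password.setdefault(password, []).append(site)
    return {pw: sites for pw, sites in sites_by_password.items() if len(sites) > 1}


def build_breach_index(breached: list) -> dict:
    """What the service side holds: hash prefix -> list of hash suffixes.
    Modelled here in memory; a real service would hold this on its servers."""
    index = {}
    for password in breached:
        digest = sha1_hex(password)
        index.setdefault(digest[:PREFIX_LEN], []).append(digest[PREFIX_LEN:])
    return index


def range_query(index: dict, prefix: str) -> list:
    """Stands in for the network request: only the prefix leaves the device,
    and the service returns every suffix that shares it."""
    return index.get(prefix, [])


def is_breached(index: dict, password: str) -> bool:
    digest = sha1_hex(password)
    candidates = range_query(index, digest[:PREFIX_LEN])
    return digest[PREFIX_LEN:] in candidates   # the match is decided locally


def audit(vault: dict, breached: list) -> dict:
    """Per-site report: is the password reused elsewhere, and does it appear in the corpus?"""
    index = build_breach_index(breached)
    reused = find_reused(vault)
    return {
        site: {"reused": password in reused, "breached": is_breached(index, password)}
        for site, password in vault.items()
    }


if __name__ == "__main__":
    for site, flags in audit(VAULT, BREACHED).items():
        print(f"{site:15} reused={flags['reused']!s:5} breached={flags['breached']}")
```

In the sample vault the long passphrase on the bank account comes back clean, the shared `Summer2020!` is flagged on both sites as reused and breached, and `P@ssw0rd1` is flagged as breached even though it is only used once. Those are the accounts to change first, which is the same prioritisation the post recommends.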
