
Tag: cyber-safety

‘You got me’: Woman busts romance scammer after six month stint

Cyber Security, Consumer advice

Posted on May 25, 2018

6 min read

It took six months for Kathryn to fall in love with Michael, but only minutes to reveal him as a romance scammer.

Accusing Michael of being a scammer was an unusual act of assertiveness for the reserved 55-year-old healthcare worker from the NSW Central Coast.

It was an unlikely act too; Kathryn (not her real name) had every reason to believe Michael was the caring, genteel man he presented as. They spoke regularly over the phone and, from his would-be London apartment, Michael arranged gifts of flowers, chocolates, and movie tickets.

Kathryn, divorced from a decades-long marriage and facing an intimidating and foreign dating scene, thought she had found in him a diamond in the rough. He was worth the long-distance relationship.

Through friends, she tells us how her relationship with Michael, which began on a dating site in late 2016 before quickly moving to email and social media, became possessive in its final weeks. Facebook messages arrived more often, in a tone that, with the benefit of hindsight, seemed more demanding: “what are you doing online”, “who have you been speaking to”, they asked.

Michael was set to travel to Australia mid last year. They were both excited. Days before he was set to fly, he sent an exasperated message claiming he bought the wrong non-refundable plane ticket and that his passport was cancelled for elaborate reasons. He needed $7,450 to cover fares and fines.

Kathryn’s online sleuthing about his predicament gave her pause to reflect on his frantic request for money and his escalating messages.

He called again, and she answered. “I think you’re a scammer,” she told him. A beat, then, a laugh. “Yeah, you got me,” he said. “But you know what? I’ve got 12 of you on the go.”

High-pressure sales

It’s impossible to know how Michael operated. He may have been a lone wolf. Or he may have worked in a call centre alongside other scammers.

“I’m convinced [romance scamming] is their day job,” says Sean Lyons, director of technology and partnerships at Netsafe, an online safety non-profit based in Auckland, New Zealand.

Lyons has not seen evidence of romance scammers operating in coordinated international networks, but says he sees indications – business-hours operations and consistent messaging structures, for example – that some scammers work in call-centre style environments.

“There may be much larger operations where you have [scammers] working in shifts and handing off to each other,” he says. “They may have CRM (customer relationship management) systems and work an account (a victim) in the same way that staff in high-pressure sales do.”

In such an environment, text messages to victims could be written by any scammer while voice calls would be made by a consistent perpetrator.

There is further evidence of romance scammers coordinating their operations. FBI Special Agent Christine Beining said in February last year that romance scammers typically work together, sharing intelligence on vulnerable victims.

“From what we can tell, these are usually criminal organisations that work together,” Beining says.

“And once a victim becomes a victim, in that they send money, they will oftentimes be placed on what’s called a ‘sucker list’ [where] their names and identities are shared with other criminals [for] future recruitment.”

Lyons agrees that romance scammers are likely to organise. At present, evidence from Netsafe’s now shelved Re:scam artificial intelligence-like chat bot – which sent more than a million email replies to scammers in a bid to waste their time and energy – indicates a scattergun mass-email approach to targeting victims.

Reach out

Victims of romance scams are not stupid or gullible. They can be anyone.

Romance scams are deliberately ‘hyper-personal’, meaning they are of an overly intense nature that is designed to capture and isolate victims.

University of Warwick professor Monica Whitty, in a paper published in February this year, revealed that victims are typically “middle-aged, well-educated women” who “tend to be more impulsive, less kind, more trustworthy, and have an addictive disposition”. Whitty’s work is designed to assist in the development of scam prevention and awareness programs.

Defence against romance scammers is tough for those involved in online dating. The Federal Government’s Scamwatch site has good advice which centres on not sending money to partners and provides clues to help spot fake social media profiles.

More broadly, experts agree that those in online relationships should keep trusted friends abreast of significant events including any plans to travel or requests for monetary loans.

“Talk to someone not connected to the romance before a major event,” Lyons says.

“A dog dying in surgery, a passport not coming through, or bribes to corrupt regimes; talk to someone who isn’t in love with the person before you put pen to paper on that Western Union slip.”

As a last resort, Lyons says, those intent on wiring money to their love interest should stick to official and local credit card networks which can offer traceability that Western Union and other non-conventional payment providers cannot.

Academics have examined other hallmarks of romance scammers. They reveal psychological manipulation as a universal tool in romance scams, one that includes techniques akin to those seen in domestic violence.

Queensland University of Technology academics Cassandra Cross, Molly Dragiewicz, and Kelly Richards describe four signs of this manipulation: isolation, monopolisation, degradation, and withdrawal.

If this story has raised any issues for you and you’d like to speak to someone, call Lifeline on 13 11 14 or Beyond Blue on 1300 224 636.

Businesses held to online ransom

Cyber Security, Business tips

Posted on May 24, 2018

5 min read

Ransomware last year brought to a halt a chocolate factory, a metropolitan council, and an accountancy firm among scores of other Australian organisations by turning mission-critical data into an unreadable mess. But much of the impact from the events could have been reduced with a well-oiled business continuity plan.

Ransomware is a class of malicious software that encrypts data so it cannot be read or used by applications. Its perpetrators often promise to supply a decryption key to return the data to a normal state only after a ransom is paid.

The number of organisations impacted by ransomware is unknown, since victims are often unwilling to report incidents to authorities; however, security companies claim in surveys that almost half of Australian businesses have been impacted by ransomware.

Some businesses are hit multiple times; Exchange knows of one accountancy firm that was hit three times by ransomware, losing data each time, despite having attempted to recover and mitigate after each attack.

The financial impact to businesses can run into millions of dollars per incident, with much of the cost ascribed to downtime and recovery efforts. Ransom demands by those behind the most effective ransomware forms are regularly tens of thousands of dollars.

Risky click and a mean trick

Ransomware is delivered through a wide variety of mechanisms. The most common forms of ransomware such as Cryptolocker may be sent by criminals in phishing emails, or woven into booby-trapped downloads or websites which then infect the computers they are exposed to.

Other ransomware forms, such as the global cyber attacks known as WannaCry and NotPetya, spread without the need for people to open email attachments or dodgy downloads. They did this by targeting vulnerable functions of computers and networks that were left turned on, loosely akin to thieves slipping through open doors.

Much of the defence against ransomware comes down to good security practice. This includes not running software from untrusted sources like unofficial websites and unknown email or chat conversations, and ensuring systems are set to automatically apply updates (patches) when they are available.

Security vendors including ESET have created jargon-free guides for technical defences against ransomware which recommend patching, disabling a remote access function called RDP (Remote Desktop Protocol) where it is not needed, and filtering executables in emails.

However, business continuity plans are among the most overlooked yet simplest controls that can help mitigate the large cost of business downtime from ransomware infections.

Lights on

Ransomware can and has stopped global shipping. It has thrown hospital emergency rooms into chaos, brought down the biggest Hollywood movie studios, and forced countless businesses back to pen and paper.

“Business continuity planning might not save you from ransomware but it may save your reputation or your share price,” says Mark Cohen, a Melbourne-based business continuity manager at Telstra. “It will show you can operate in a crisis.”

Cohen says business continuity planning applies to all organisations, from the “fish and chips shop to a doctor’s surgery to enterprises” and helps in a large number of disasters, beyond ransomware.

To avoid disaster in ransomware incidents, all businesses must back up their critical data on a regular basis on different mediums, following the 3-2-1 rule. This means keeping three copies of the data: the original, plus backups on two different mediums, say a cloud service and a disk drive, with the disk drive stored in a physically separated location. Cloud services and any drive connected to business computers via cables or WiFi can also be encrypted in a ransomware attack, which is why one copy must be kept disconnected.

“With back-ups in place, the mindset of how to operate when tech systems go dark and data is inaccessible is key,” Cohen says. Business owners and staff should think about where their critical data is, and whether it is readily and immediately available offline in the form of isolated storage like USB sticks and external disk drives, or on paper documents.

“Ask yourself what are you going to do in a disaster to continue to provide service to your customers?” Cohen says.

Restoring from back-ups can take a long time. And, while some major ransomware forms are as yet impossible to unravel and are sent by attackers who honour ransoms with decryption keys, other forms are poorly built and can never be decrypted.

It is the expensive downtime during the restoration of back-ups, or the wait for decryption keys, that Cohen’s planning hopes to reduce.

“[Recovering from] ransomware is more than just file retrieval – it’s about what you are doing when that is happening and how you are addressing your customers,” Cohen says.

“Plans must be tested too. The first test run is the most arduous with each iteration becoming easier with small tweaks added to the central plans,” Cohen says. “It is there that you discover your recovery time capability (RTC).

“Business continuity planning clauses are written into major contracts so having one, practicing it, and demonstrating its effectiveness will help you win and retain business – along with helping you, your manager, and your shareholders sleep well at night.”

The marathon scam phone call

Consumer advice

Posted on May 23, 2018

4 min read

When the phone rang on the morning of April 11, Neil and Beryl Kennedy had no idea that their day’s plans would be waylaid by a marathon five-and-a-half hour scam phone call.

By the end of it the pair had only narrowly avoided losing $4400 of their life savings.

The retired married couple from Eaglemount Heights were surprised when an unexpected caller – who told them he was from Telstra – said the company owed them $440, and offered to repay it. He gave them instructions on how to download a program called TeamViewer that would give him remote access to their computer so he could transfer the money.

The couple wasn’t suspicious at this point because, as far as they knew, scammers call to tell you that you owe them money, not the other way around. They’d also had a legitimate bill query with Telstra a few months earlier for a similar amount, which the scammer seemed to be aware of.

Once the TeamViewer program was installed, the caller got the Kennedys to access their online banking, where he “accidentally” deposited $4400. He told them they had to hand back the overpayment immediately or they would face investigation by the Australian Federal Police.

But a simple bank transfer would not suffice – the Kennedys were told to go to a nearby shopping centre to buy iTunes cards to the value of $4400, and then relay the codes to the caller. The couple was also told to stay on the phone while they made their way to the shopping centre.

The first two stores the caller directed them to proved unfruitful: one was permanently closed, and the other didn’t have enough iTunes cards in stock to reach $4400. Staff at the second store raised suspicions that the phone call was a scam, but fear of prosecution by the AFP had taken hold of the couple and they were convinced they needed to repay the money.

Before trying a third store, the Kennedys made a detour to a nearby branch of their bank. They thought that if they could just transfer the $4400 it would save all the running around.

But bank staff were immediately suspicious and checked the couple’s accounts. After spotting unauthorised activity, the bank shut the Kennedys’ accounts and informed them it was a scam. The couple then hung up – five-and-a-half hours after the phone had first rung.

“We’re very lucky we didn’t lose anything, apart from the cost for the laptop to get fixed and a lot of heartache,” Neil said. “We’ve learnt our lesson. We’re not giving anyone access to our computer or personal information again.”

The Kennedys are still receiving calls from scammers, but now, they hang up immediately.

If you have fallen victim to a scam call, report the matter through the Australian Cybercrime Online Reporting Network (ACORN) and your local police. If you are a Telstra customer, you can reach out to us through our security reporting service.

A silent cyber crime blitzkrieg as Aussie businesses robbed of millions

Cyber Security, Business tips

Posted on May 22, 2018

5 min read

Business email compromise devastates Australia, but a few simple steps can foil attacks.

It was a mundane email sent to a delinquent client: “Payment of your invoice is overdue”. Nothing about it alluded to the deep financial and personal pain the owners of the small Melbourne construction business were set to endure at the hands of online criminals who had just fleeced them of more than $100,000.

But perpetrators of business email compromise (BEC), a form of cyber-crime described by seasoned security experts as “out of control” and operating on a “phenomenal” scale costing businesses billions of dollars a year, rarely offer victims clues of their crimes until it is too late.

The scams, experts agree, are on an epidemic scale with businesses in each Australian state and territory losing thousands of dollars every day. Criminal investigators say Australian businesses regularly lose “often more than $100,000 per incident”.

Yet public reports of these attacks have been minimal.

These attacks are a world apart in their technical complexity from the type of advanced state-sponsored hacking that captures headlines; BEC is mostly textbook swindling with an occasional click of automated hacking platforms.

It takes different forms, all of which criminals deploy to devastating effect. In one example, known as whaling, criminals impersonate a company director in an email to a subordinate financial controller, ordering them to pay money into the criminals’ bank account.

In another, known as doctored invoicing, scammers use automated tools to break into a business’s email inbox and alter the payable bank account details on client invoices.

A brazen online criminal apparatus means criminals need not even hack email accounts themselves; they can simply buy that access from other criminals.

Chain of events

This is what happened to the Melbourne-based Buildr (we are concealing the victim’s true identity).

Buildr staff discovered they had been robbed only after their client informed them the invoice was paid two months earlier.

This chain of events made little sense to Buildr. Emails showed their project manager had sent the invoice to the client, along with a thank you note and glib wishes for the weekend.

There was no reply and the exchange fell silent for the next three months.

Follow-up phone calls revealed the invoice the client received contained a bank account number that did not match the one sent by Buildr.

A Buildr IT technician suspected foul play and appealed to trusted information security contacts, finding Kayne Naughton – a Melbourne-based threat intelligence expert at Cosive, with a much-exercised history in computer forensics and combatting financially-driven cyber-crime.

“This isn’t even my day job, it’s barely my side job, and I’ve handled about $2 million in losses across Australian businesses in the last few years,” Naughton says.

“It’s out of control”.

The same attacker who targeted Buildr is thought to have stolen hundreds of thousands of dollars from more than a dozen Australian businesses using the same BEC techniques.

Rising tides

Business email compromise is exploding in growth and financial impact across the world. The FBI in October last year estimated BEC had cost businesses in all countries some US$5.3 billion.

The Australian Federal Government says businesses here lost more than $20 million to BEC between 2016 and 2017, up from $8.6 million the previous year. In the three years to December it had received more than 2000 reports of BEC.

Government numbers on BEC attacks have steadily increased but remain, it says, “only a small percentage of total activity” thanks to “misreporting and underreporting”.

Source: Telstra’s Security Report 2018.

Losses from BEC are high. Multiple Australian organisations in the last three years have each lost millions of dollars in single unreported BEC attacks, security responders with first-hand knowledge of the incidents tell us.

Typical losses incurred by businesses vary between experts. Some find BEC victims lose about $10,000 an incident, while others handle cases between $25,000 and $50,000 each. Well-placed crime investigators say losses of $100,000 per incident in Australia are common.

Many of these losses are likely absent from government registers. Security experts working in the private and public sectors agree that the total of all cyber-crime losses reported to government is significantly less than the true cost, because many victims, especially businesses, are reluctant to report incidents for fear of public exposure.

Security incident responders contracted to assist hacking and BEC victims are often made to sign non-disclosure agreements that can prevent them from supplying even anonymised crime data to the Federal Government. Many well-intentioned contractors try and fail to convince their clients to lift the reporting ban.

How to spot a scammer

Cyber Security, Consumer advice

Posted on May 21, 2018

5 min read

It only took one phone call for Georgia to lose access to her emails, PayPal account, and $600. Someone claiming to be a ‘Telstra technician’ said her new NBN service was being used illegally without her knowledge, and required an urgent fix.

She agreed to let the caller remotely access her computer, but when he did, her screen went blank and she couldn’t see what he was doing. Before long she was $600 out of pocket and had lost control of her PayPal and email accounts.

This week, we’re helping customers understand common scams and how to avoid them.

Olive had a similar problem – a ‘Telstra technician’ called her to warn that her internet would be cut off within two hours because her computer had been “hacked”.

Olive also let the caller remotely access her computer. This time, the scammer convinced Olive to hand over her bank account details so she could buy $1600 worth of iTunes cards that he said would help Telstra track the hackers’ movements.

Georgia and Olive were just two of 33,000 people in Australia who reported falling victim to threat-based impersonation scams in 2017. A combined $4.7 million was lost to this type of scam last year.

The bad news is these scams are on the rise – in 2016 the ACCC’s Scamwatch only received 24,400 reports of threat-based and impersonation scams and $1.6 million in total losses.

But the good news is there are some simple, practical ways to help you stay one step ahead of the bad guys.

Anatomy of a scammer

In 2017, there were almost 33,000 reports of threat-based impersonation scams to Scamwatch.

While scams come in all shapes and sizes, impersonation scams generally have a few common traits.

They usually go something like this: someone calls you up and says they’re a representative of a trusted organisation like a government agency or a telco.

The caller may warn you of a problem and demand payment, generally via iTunes vouchers, wire transfer, or Bitcoin, or ask you for your sensitive personal information.

They might threaten you with some sort of action if you don’t comply – like the disconnection of your internet, a fine, or even a lawsuit.

You may also be asked to give the caller remote access to your computer so they can fix the ‘problem’.

The scammers might offer to send you an email that contains “proof” of an unpaid bill or fine, either as an attachment or as a link. This will likely contain malicious software (malware) that will infect your computer.

Real versus fake

Over $4.7m was reported lost to scammers by Australian consumers in 2017.

Luckily there are a few easy ways to tell whether the person on the other end of the line is who they say they are.

Firstly, we will never call you and threaten to cancel your service or take court action if you don’t immediately make a payment or hand over your information.

We will never make an unsolicited call and ask for remote access into your computer, or demand your sensitive personal or financial information.

Our staff should only ever treat you with respect and courtesy.

If you get an unexpected call from someone who says they are a Telstra representative, verify that the caller is legitimate through an independent source (like a phone book or an online search), and never use the contact details the caller provided you.

If something doesn’t feel right, trust your gut – take the time to stop and think about it, and if you feel uncomfortable, just hang up.

Call the company on the number listed on their official website, like telstra.com.au. Don’t use any contact details provided by the caller as they will likely be fake.

What if I’ve fallen victim to a scammer?

Telstra represented 35 per cent of all threat-based impersonation scams reported to Scamwatch in 2017.

If you’ve lost money or given a scammer your personal or financial information, there are a number of things you can do to limit the damage.

The first step is to contact your bank as soon as possible. They might be able to block a transaction or close your account to protect you from further financial loss.

The next thing to do is change your passwords. If you think one of your online accounts has been compromised, change your password immediately to lock out the scammers – and ensure you aren’t sharing passwords across multiple accounts.

You can also contact IDCARE. The not-for-profit national identity and cyber support service can help you respond to your specific situation.

Tell your family and friends. You can help protect other people from falling victim to the same type of scam.

[Older Australians are particularly vulnerable; they submitted more than 5800 reports to Scamwatch last year and lost almost $1 million to scams. Talk to your grandparents and elderly friends and relatives about how they can identify if they’re being scammed.]

Stay alert

The best way to protect yourself is to stay alert to all the different kinds of scams that are out there. You can do this through the ACCC’s Scamwatch website, or our own cyber scams guidance.

Scam checklist:

Common scams may include some or all of these hallmarks:

  • Unsolicited call that contains a threat, like a fine or disconnection of internet service.
  • Pressure to hand over financial or personal information.
  • Demand for immediate payment, generally through unusual methods like iTunes vouchers, wire transfer, or Bitcoin.
  • Request for remote access to your computer to ‘fix a problem’.