Confused man looking at phone
Cyber Security |

The FluBot SMS cyber attack continues to evolve

By Darren Pauli October 15, 2021

Criminals behind the prolific FluBot SMS-based cyber attack sweeping Australia and the world have flipped their scam on its head – they’re now telling potential victims they need to install a ‘security update’ to remove an existing FluBot infection. The ‘security update’ actually contains FluBot.

The latest trick showcases the criminals’ willingness to experiment with new scams (known as a pretext) in a bid to increase infections as news of the cyber attacks spread.

A sample of the new message being sent to users, which erroneously says they're infected with FluBot in a bid to install FluBot.
A sample of the new message being sent to users, which erroneously says they’re infected with FluBot in a bid to install FluBot.

We warned of FluBot in August as reports of strange, often garbled “missed call” messages began to hit people’s SMS inboxes.

FluBot is malware – like a computer virus – that can be installed on your Android device if you click on a malicious link in a SMS message. This malware then sends many similar text messages to other people from your phone without your knowledge, potentially infecting them.

The malware requests high levels of access to a victim’s phone in order to steal data and proliferate to other devices. Modern Android phones will provide owners with warnings about the access an app is requesting, but this may be of little protection to those who believe they are installing a legitimate app.

The scam is thought to have begun in Italy before spreading around Europe and then coming to Australia. The attacks are independent of carriers and can potentially affect everyone.

Currently, the FluBot “bait” messages you’re likely to receive suggest you have an unchecked voicemail as a way to get you to click the link. The message content can change, however, as we’ve seen from the messages claiming to help with an existing Flubot infection.

It has also in recent weeks claimed the recipient has missed a parcel and that Australia Post deliveries have been stalled amid the Covid-19 pandemic.

If you click on the link, the FluBot malware authors will attempt to trick you into installing the virus by deactivating some security settings on your device. FluBot webpages you click may ask you to allow the installation of “unknown apps”, which is restricted by default to stop malware like FluBot.

Android devices typically don’t allow unknown apps (that is, apps not from the Google Play Store) to be installed by default. FluBot cannot be installed if the installation of unknown apps is left as its default setting of denied. We strongly recommend you leave this setting as denied.

FluBot also cannot, to date, be installed on iOS devices like iPhones and iPads.

Infected Android phones should be factory reset after important data like photos and phone contacts are backed up. Make sure you restore from a backup that was taken before you were infected with FluBot, otherwise you may risk reinfecting yourself.

If you don’t regularly back up your device, now is the time to start!

The evolution of the FluBot scam reinforces our continued message that the public is best placed to beat scams by being sceptical of all unexpected communications, regardless of the message, the sender, and the medium on which it was sent – be it email, SMS, chat message, or a phone call.

Telstra and our industry peers are continually examining ways to combat sophisticated threats such as Flubot.

You can report a scam to Telstra using our website. If you want to learn more, we also have more cyber safety advice on our website.

How you can tell if you are infected with FluBot

If you have clicked one of these links, you may be infected with FluBot already. The malware sits on your phone and intercepts passwords and other login details, while simultaneously sending out messages to your contacts to encourage them to install it too.

You can tell if you have FluBot in a few ways. Your phone may warn you it is sending a large number of text messages, and you are also likely to receive SMS messages from mobile numbers that have received FluBot links sent from your device. Customers of Telstra will also receive a message from us warning of a likely FluBot infection.

Finally, you may notice an app called ‘Voicemail’ bearing an icon of a blue cassette in a yellow envelope on your device. Please bear in mind the name and icon of this app could change anytime.

What we’re doing about it

Connected technologies increasingly sit at the very heart of the lives of most Australians. But as we move more rapidly to a digital economy, we need to be more and more cognisant of the growing cyber risks and those who seek to do us harm online.

We get that scams like FluBot are annoying, and we’re working to make the internet a safer place for our customers through our Cleaner Pipes initiative.

Cleaner Pipes includes a range of existing work designed to help keep our users safe from malicious activity online. We also recently announced we’re blocking around 13 million scam calls, on average, from being delivered every month.

Alongside Cleaner Pipes, we’re actively working to help people who have inadvertently been infected with FluBot. We identify compromised users based on the distinctive nature of the FluBot malware and notify those affected as to how they can fix their infected devices.

For those close to home, our free Broadband Protect service also helps safeguard you and the devices connected to your home network from accessing many known dangerous websites. Our data shows that Broadband Protect blocks, on average, around 2.5 million malicious websites per hour.

For even more online protection when you’re out and about, our Device Protect product helps safeguard your mobile, tablet or laptop, keeping users from falling foul of scammers that want to do you harm.

Cyber Security |

Old cyber threats are now new threats all over again

By Andrew Penn July 15, 2021

In my role as the Chairman of Australia’s expert Industry Advisory Committee (IAC) on Cyber Security, I get a real-time, front-row view of the frequency and scale of attacks from hackers and criminal groups, and the damage they can do to our nation.

Today I gave a speech about cyber security at the National Press Club and made the point that Australia and its people are now under cyber attack all the time.

The IAC plays a vital role in keeping Australians safe online. Today we released our first annual report to the Federal Government on what more we need to do to continue to shore up our security as a country, as businesses and as individuals at home.

Every minute of every day there are malicious actors looking to beat Australia’s cyber defences. Concerningly, the sophistication of these attacks continues to improve. In my speech I called out the major threats that are facing Australians, including rapid growth of ransomware and business email compromise, ‘cybercrime-as-a-service’ whereby criminals with limited technological skills can now buy and use bespoke ransomware and increasing targeting of supply chains.

All supply chains are important but perhaps none more so currently than the COVID vaccine supply chain. Telstra has been working with Government to monitor Australia’s vaccine supply chains for threats, a crucial precaution given the criticality of our vaccine program.

You may also have heard about the increase of ransomware bringing big businesses to their knees, and stories about data breaches that see your personal information sold on the dark web. As hackers branch out and recruit more would-be criminals to their cause with cybercrime-as-a-service products, we can only expect to see these incidents increase.

Recovering from one of these attacks isn’t cheap: experts estimate the average total cost of recovery for businesses has grown to more than $2 million an attack. The good news is there are things you can do to help protect yourself, but they need to be done before an attack to be effective.

One classic hacking technique, known as “business email compromise”, is worth calling out because it is no longer exclusively targeting businesses and everyone at home who makes online payments could now be at risk.

In simple terms, this type of attack sees a criminal break into your email and pretend to be a trusted contact, either to gain access to sensitive data or to steal money by tricking you into paying into a bank account controlled by the criminal. 

Two scam victims recently reported having their emails intercepted while buying new Tesla cars, for example. They were sent bogus invoices claiming to be from Tesla, but the account numbers had been changed by hackers to accounts they controlled. Tens of thousands of dollars lost!

Email compromise attacks are a growing threat. In the 2019-20 financial year, the Australian Cyber Security Centre recorded more than 4,200 scams of this type, resulting in a loss of $142 million. It is thought that number is vastly underreported too, as many don’t feel comfortable reporting such losses. And now everyday Australians are also being targeted as scammers have become more brazen during the pandemic.

Cyber-criminals are not only becoming more sophisticated, but are also better organised. They monitor email traffic to learn about their targets and determine the most lucrative time to launch a scam. This not only increases the likelihood of success but also increases their overall financial gain.

And now that many of us are working from home due to the pandemic, we cannot afford to take our collective eyes off the ball when it comes to security in our personal or professional lives.

How to protect yourself from email compromise

  1. Recognise that nobody is too small to be scammed, hacked or attacked by malicious actors.
  2. Do the basics. Use a Password Manager to reduce the number of times you reuse the same passwords, and enable a multifactor authentication system on all of your accounts.
  3. Know who you’re paying. To reduce the ongoing risk of falling victim to these sorts of email compromise scams where invoices are switched, it is important to know exactly who you are paying and why, and double checking the payment details are correct before you pay.
  4. Make sure you keep an updated offline back-up of your data records.

If you are a small business owner looking to shore up your defences, you should check out the Federal Government’s Small Business Security Guide, which helps you protect your small business from the most common cyber security incidents.

The Federal Government has extra cyber resources too, including a dedicated cyber hub.

There are also services like IDCARE, which actively help you restore your identify if you have been scammed.

How we are combatting cybercrime

All of this brings into very sharp focus the critical importance of the 2020 Australian Government Cyber Security Strategy. The Federal Government deserves credit for the leadership it has shown on cyber security, including through the development of Australia’s 2020 Cyber Security Strategy, including the announcement of $1.67 billion for a range of initiatives in the recent Federal Budget.

Meanwhile, Telstra is implementing our own safety measures to improve the security of our customers, and we would encourage other telcos to do the same.

Measures like automated blocking of 13 million scam calls per month to ensure they never reach our customers, and advanced verification of SMS messages from agencies like Services Australia to ensure hackers cannot dupe recipients.

Protecting ourselves, our families, our businesses and our country depends on Australia’s cyber defences being strong, adaptive and built around a strategic framework that is coordinated, integrated and capable.

The IAC that I chair with other cyber industry leaders looks forward to continuing to work with the Australian Government to build Australia’s cyber defences and play a key role in bringing many of the initiatives emanating from this work to life.

They could not arrive at a more important time.

Cyber Security | Small Business |

Five free steps to become a secure small biz

By Darren Pauli June 4, 2021

Late nights, early mornings, and working over weekends; familiar phrases for the small business owner, solo operator, and freelancer. So why should such a busy person cut into their limited time to improve their cyber security?

Because businesses across Australia experiencing every day how a business email compromise or ransomware cyber attack can unravel those countless hours in a fell swoop.

You cannot entirely outsource cyber security. The fundamental defences that spell the difference between a failed attack and a ruined business are the responsibility of everyone.

Fortunately, the tools and methods to achieving great cyber defence have never been easier. And you don’t need to spend a cent. Below are your greatest threats and the defences you can implement to knock them out.

Business email compromise

Small business owners often wait on invoices. Clear deadlines, gentle reminders, and terser emails are standard fare for getting paid. So they may not sweat it when funds fail to materialise after a client’s promise to pay. But business owners and now individual consumers are finding their payments funnelled into the bank accounts of cyber criminals.

These attacks, known as business email compromise (BEC), work in different ways but are typically centred on your email inbox.

How it works: The method of accessing inboxes varies but a common starting point for crims is to try to log in with stolen email and password logins that are found in massive databases compiled from security breaches.

Logging in like this works when people reuse passwords across apps and services. A business owner who reuses the same password for their business email account and their indoor plant fancier’s forum is in peril should the forum be hacked and the password copied into an online database.

Cyber criminals could search the database for a business’ email address and, if they find a hit, use the corresponding password to try to log into the business’ email account.

Criminals engaged in BEC have a few options once inside an inbox. A common tactic is to manipulate invoices by setting various mail rules that can redirect incoming and outgoing emails that contain invoices to folders. Setting rules against incoming invoices means they never show in the main inbox. Setting them against outbound mail catches invoices before they leave.

Criminals then can log in and change the BSB and account number before allowing the email to either appear unread in the main inbox or to send on to its original destination.

It often takes days for the account manipulation to be noticed by which time stolen funds have often left their fraudulent intermediate Australian bank accounts and been funnelled overseas where recuperation is difficult or impossible.


1. Use a password manager: Set unique passwords for business-critical accounts including email, banking, marketing and email services, cloud, and social media and websites. To do this, use a password manager. Managers set and store very complex passwords in a vault which you can access with a single master password.

There are many password managers available, paid and free, but large and popular tech companies are good choices as they generally have the resources needed to secure their managers and respond to new threats.

Password managers are much safer than setting passwords from memory which encourages people to reuse and set and weak combinations.

Set your master password and any other you choose to set yourself using a passphrase. This modern tweak makes it easier to set and remember unique passwords by replacing the series of capital letters and numbers with a phrase. A phrase, like Sunday lunch at mums! is much easier to remember than Summ3r2021! and harder for machines to crack. Just ensure your phrase is unique and isn’t a popular movie quote or reused anywhere else.

2. Set multifactor authentication: Multifactor authentication (MFA), also commonly called two-step or two-factor authentication, is most often a code or a notification message generated on your phone when you log into an app or service.

You’ll most often be asked to copy the code from an MFA app on your phone or to tap ‘approve’ on a notification.

This code and notification appear on your device and nowhere else. It stops someone who has stolen your password from accessing your account because they do not have your phone and is too complex to defeat for most financially-driven cybercriminals, including those engaged in BEC.

You usually need only go through the MFA process once for device you use to log into a service making this huge security boost very low touch.


Ransomware is taking the world by storm. The largest organisations are seeing hackers steal then encrypt their critical data and threaten to leak it on the internet unless multi-million-dollar ransoms are paid to have the data decrypted.

The most professional ransomware groups use encryption that cannot be reversed without the necessary decryption key. This restricts a business’ options to either paying the criminal ransom and hoping criminals honour the payment with the necessary key, or to restore from a backup and prepare for the fallout from leaked data.

How it works: Cyber criminals break into organisations using a variety of different methods from guessing logins to remote access services to phishing and even pirate downloads laced with malware.

The biggest ransomware criminal groups and their associates will encrypt any data they can find inside a target computer or network after stealing a copy to threaten to leak online to pressure victims into paying.

Small businesses are more likely to encounter ransomware that demands a smaller ransom that still costs tens of thousands of dollars.

Criminals usually leave a note on ransomed computers stating that an attack has occurred and how a ransom can be paid.


3. Harden remote access services: Log ins for remote access services such as RDP and commercials services like TeamViewer must be secured with strong and unique passwords and not left protected with default passwords. These services are often used to log into a laptop (say, at an office) from a remote laptop (say, at home). Set a good password with a password manager or a good passphrase and enable MFA when possible to protect these services. The open source HardenTools security suite developed by two respected security professionals can automatically disable remote services on Windows machines if they are not needed. Also log into your router (check underneath the router for instructions) to see if remote access services are active.

4. Backup: Back up your critical and important data on a regular basis and test to ensure you can restore it. You should consider backing it up to a cloud service and an external storage device that is not connected to your computer. How often you back up depends on how much data you are prepared to lose should your data be encrypted or destroyed. Free and paid services exist. If you’re backing up your data to a cloud service, make sure it’s secure, with a unique password, two-factor authentication and that any sharing settings are set up correctly.

5. Apply updates: Log into your website administration console, your router, and any other system and check for updates. Ensure they are set to be automatically applied or set reminders to check. These updates remove known security flaws that criminals could use to hack into those services. Turn on automatic updates whenever available or set regular reminders to check and apply new updates.

Consumer | Cyber Security |

We’re now blocking around 1.5 million scam calls a week

By Andrew Penn February 16, 2021

Growth and the overall success of the digital economy is inextricably linked to connectivity. Equally important is having a secure network that keeps those connections safe.

Cyber criminals and scammers have not failed to notice that millions of Australians are now much more dependent on being able to live, work and learn online because of COVID-19 and cyber-crime is on the rise again. Scam calls are not only annoying, they also have a real financial impact on Australians and are estimated to have cost ordinary Australians nearly $48 million last year.

This is why we’re announcing today that we are doubling down on efforts to address scam calls and are now blocking around 6.5 million suspected scam calls a month on average from reaching end customers. Scam volumes fluctuate day-to-day but on an active day for scammers, we’re sometimes blocking up to 500,000 calls a day before they can potentially defraud our customers, which is a huge increase from the 1 million plus scam calls we were blocking on average per month previously.

We are doing this to protect our customers and their livelihoods because we know that we can have a significant impact by taking proactive action at a network level.

This activity is part of our Cleaner Pipes initiative, where we are working to reduce the harm of phishing, malware, ransomware and other scams across our networks both online and through voice and SMS. We recently introduced a new pilot program to make SMS safer too, with the first impact being to block illegitimate messages pretending to be from Services Australia from reaching Telstra customers’ phones.

A lot goes into operating national and global telecommunications networks, from the physical assets of the fibre, exchanges and data centres humming away in the background of our cities and towns, to the operations that happen in the digital layer that keep this infrastructure and the people that use it safe.

Blocking scam calls is no mean feat. Our Networks team has built a smart platform that enables us to monitor inbound calls on our network that have suspicious characteristics, and block them before they can ever reach our customers.

We were already blocking around 1 million calls per month using a manual process, so the automation is a huge boon to our capabilities. Scammers use a range of methods and some of the more popular types at the moment include ‘wangiri’ or one-ring scams, and spoofed number calls either pretending to be a legitimate service (like the ATO) or a random number entirely.

We built this technology in-house and we are proud of the scale and expertise of our cyber security and networks teams as leading Australia’s telecommunications industry, but we also know that this is a team sport. The telecommunications industry and the Australian Communications and Media Authority (ACMA) recently introduced the Reducing Scam Calls Code is an important step towards a collaborative industry approach, creating the framework to work together on protecting Australians from scam calls.

Our efforts will always need to evolve to target new, creative tactics that scammers will use so no technology platform will ever stop scam calls entirely. Customers should always remain vigilant.

Related: Five ways to spot a scam call

If you think you are receiving a scam call, our simple advice is: hang up. Scammers operate on confidence and often victims are influenced to act quickly; if you buy yourself some time to think critically then your chances of avoiding a scam are far better. As a reminder, if Telstra is legitimately calling you, we will only call between 9am–8pm Monday to Friday, and 10am–3pm Saturday wherever you are based, and not on a Sunday. The exception to this is if you have an unpaid account or a customer-initiated inquiry with respect to an order, fault or complaint, someone from Telstra may call you outside of these hours. We’ll respect your wishes and terminate the call if you say no thanks and we won’t call repeatedly if you don’t answer – these are all hallmarks of scam calls. If you think you have been scammed, contact us.

The security of our activities online and on our smartphones is more important than ever, and it is critical that we take action to help our customers trust in the connectivity we provide. We see a future where scam calls of this type are effectively ring-fenced and eliminated from our network. It will take more investment and innovation, and continued support from Government but we have an ambition to make these kinds of changes to continue to improve the level of trust that Australians have in their phones, their emails and the websites they visit, and to encourage the rapid expansion of our country’s digital economy however we can.

For tips and advice on how to spot a scam phone call, visit our website.

Valentines Day Cyber Security Scams
Cyber Security | Tech and Innovation | Telstra News |

Cyber security won’t win your Valentine

By Darren Pauli February 12, 2021

This year you did Valentine’s Day right. You booked that exclusive restaurant months in advance. The babysitter is sorted. And that present, nestled in a box and finished with a bow, lies ready to light up her face.

And so it is with despondent confusion that, hours later over raspberry mascarpone and Veuve Clicquot, your stare at her as she roars in laughter, doubling over and swinging your gift around.

It wasn’t meant to end like this. Do you laugh along? You have seconds to decide as you drift between wrenching pain and confusion.

Too late. Her eyes open and she sees your deadpan face. “Wait, wait, you’re serious?” she asks incredulous, still laughing. “After all this you give me…” she trails off, screwing her face up at the little black rectangle, unsure of what it is.

“A multifactor authentication USB key,” you finish. “It’s the best thing you can use to secure your accounts.”

A hard sell

Cyber security experts care a lot about security. Every day we see the at times devastating real-life consequences on ordinary people who get it wrong.

My colleagues in Telstra’s cyber security team report to authorities thousands, sometimes tens of thousands, of usernames and passwords stolen from Australians and organisations across the country every week.

Any one of these people may have endured some of the consequences of having their passwords stolen.

Fear and anguish as their hacked work email account spreads malware to their peers. Tens of thousands of dollars lost as thieves doctor invoices in their work inboxes. Countless hours of uncertainty and stress while recovering from identity theft. Or the simple embarrassment of having their friends and work colleagues see their hacked social media posting scams.

However, much of this potential pain and fear can be all but eradicated with free and simple security apps.

So, you could be therefore forgiven for thinking my job promoting cyber security awareness is easy.

It isn’t. Better professionals than I have tried for decades to develop and promote these technologies yet seen little uptake. Google promoted hard for years the benefits of multifactor authentication but only 10 percent of users listened and took it up, according its most recent figures.

I pay myself enough credit to say I wouldn’t hand my partner a multifactor authentication key this Valentines Day. She too, would laugh.

But I do try, slowly, to get her to adopt it. I argue no security technology is more important. It is absolutely essential for your important accounts.

Multifactor authentication works with a code generated in an app or sent over platforms like SMS. You enter that code in after your password, and generally only once for each new device you use to log in, such as when you get a new phone.

Only a few security die-hards, and those with access to very important data, use the multifactor authentication USB key wrapped in that Valentine’s gift box.

But while most hackers need to work extremely hard to get that extra multifactor code and therefore give up (Google says use of the code eliminates common phishing) it is not impossible.

Criminals who can win your heart can win your wallet. Multifactor authentication won’t stop them if they have your trust. It’s one of the reasons romance scams are so dangerous and effective.

The love factor

Many of us consider online dating in the run up to Valentines Day. And that raises the chances we will be exposed to romance scams.

These scams are a staple of online cybercrime because they are so effective at separating victims from their money and property often under the guise of the scammer requiring flights, payments for debts, and funds for medical procedures.

Their damage goes beyond bank accounts; the months of deception can inflict deep emotional pain on victims. They can also be dangerous with some luring the victims overseas where they are exposed to international criminal networks.

Don’t think the scams are something for lovestruck fools; the average victim is a middle-aged and well-educated woman. Other characteristics include a propensity for urgency and sensation-seeking, trustworthiness, and an addictive disposition.

They are common, too. The Australian Competition and Consumer Commission received 3,680 romance scam reports last year of which a third resulted in financial losses. All told Australians lost more than $37 million to the scams last year.

The scams work, as we have written in previous years, by constructing a ‘hyper-personal’ relationship that is overly intense. They slowly capture and isolate victims increasing the victim’s dependence and decreasing the likelihood outside intervention will disrupt the relationship.

Much of this takes place on social media but prominent dating services are not immune so consider the scammers a risk in all online dating scenarios.

Stay safe

Experts agree that your best bet is to recruit a friend or family member as your confidant from the start of the online relationship. Their job is to be the objective voice of reason who can see relationship red flags before you will. Listen to them.

Requests for money by someone you met online are the biggest red flag of romance scams. However, if you are intent on wiring money, you must use Australian financial networks like those offered by your bank. There remains a chance of repatriating stolen money if these are used. Funds are much harder to claw back when international transfer services such as Western Union or cryptocurrency are used.

The Federal Government offers a range of services where victims of romance scams can seek assistance.

Finally, if you are not online dating but know someone who is, offer to be their confidant. By lending a trusting ear you will be giving them the best protection possible while enabling them to date safe.

Shop smart

Scammers abound elsewhere. Many of us who participate in Valentine’s Day will open our wallets at some point.

It is essentially impossible to determine if a website has been hacked and difficult to reliably spot scam sites. Defend yourself by shopping online with a card that reimburses fraudulent purchases.

Read your card’s terms and conditions. The short of it is that banks will often reimburse fraudulent purchases made against major credit cards provided they are reported within a certain period.

The website Finder has a good article on this. But, in general, it states, most big banks require credit card fraud to be reported within 30 to 60 days of it occurring for reimbursement to be considered. Check your statements to ensure a smooth and fast reimbursement.

PayPal also reimburses fraudulent payment in the same way as participating banks.

Fraud occurring when money is wired into accounts using direct transfers (BSB and account number for instance) is rarely covered so be careful when using these for online purchases.

There are a lot of complex and dynamic parts to cyber security. Passwords, phishing, malware, and fraud. It’s at times technical and tough. But start small by setting up multifactor authentication and a password manager. Head over the Government’s consumer cyber security site to learn how.

In time, you’ll master it. Perhaps you’ll become so enamoured you’ll want to help others become more cyber secure. Just spare the Valentine’s gift.

Crisis support services exist. Contact Lifeline on 13 11 14 or visit For information about depression or anxiety, contact beyondblue on 1300 22 4636 or visit