We’re now blocking around 1.5 million scam calls a week

By Andrew Penn February 16, 2021

Growth and the overall success of the digital economy is inextricably linked to connectivity. Equally important is having a secure network that keeps those connections safe.

Cyber criminals and scammers have not failed to notice that millions of Australians are now much more dependent on being able to live, work and learn online because of COVID-19, and cyber-crime is on the rise again. Scam calls are not only annoying, they also have a real financial impact on Australians and are estimated to have cost ordinary Australians nearly $48 million last year.

This is why we’re announcing today that we are doubling down on efforts to address scam calls and are now blocking around 6.5 million suspected scam calls a month on average from reaching end customers. Scam volumes fluctuate day-to-day but on an active day for scammers, we’re sometimes blocking up to 500,000 calls a day before they can potentially defraud our customers, which is a huge increase from the 1 million plus scam calls we were blocking on average per month previously.


We are doing this to protect our customers and their livelihoods because we know that we can have a significant impact by taking proactive action at a network level.

This activity is part of our Cleaner Pipes initiative, where we are working to reduce the harm of phishing, malware, ransomware and other scams across our networks both online and through voice and SMS. We recently introduced a new pilot program to make SMS safer too, with the first impact being to block illegitimate messages pretending to be from Services Australia from reaching Telstra customers’ phones.

A lot goes into operating national and global telecommunications networks, from the physical assets of the fibre, exchanges and data centres humming away in the background of our cities and towns, to the operations that happen in the digital layer that keep this infrastructure and the people that use it safe.

Blocking scam calls is no mean feat. Our Networks team has built a smart platform that enables us to monitor inbound calls on our network that have suspicious characteristics, and block them before they can ever reach our customers.

We were already blocking around 1 million calls per month using a manual process, so the automation is a huge boon to our capabilities. Scammers use a range of methods and some of the more popular types at the moment include ‘wangiri’ or one-ring scams, and spoofed number calls either pretending to be a legitimate service (like the ATO) or a random number entirely.

We built this technology in-house and we are proud of the scale and expertise of our cyber security and networks teams in leading Australia’s telecommunications industry, but we also know that this is a team sport. The Reducing Scam Calls Code, recently introduced by the telecommunications industry and the Australian Communications and Media Authority (ACMA), is an important step towards a collaborative industry approach, creating the framework to work together on protecting Australians from scam calls.

Our efforts will always need to evolve to target new, creative tactics that scammers will use so no technology platform will ever stop scam calls entirely. Customers should always remain vigilant.

If you think you are receiving a scam call, our simple advice is: hang up. Scammers operate on confidence and often victims are influenced to act quickly; if you buy yourself some time to think critically then your chances of avoiding a scam are far better. As a reminder, if Telstra is legitimately calling you, we will only call between 9am–8pm Monday to Friday, and 10am–3pm Saturday wherever you are based, and not on a Sunday. The exception is if you have an unpaid account or a customer-initiated inquiry about an order, fault or complaint, in which case someone from Telstra may call you outside of these hours. We’ll respect your wishes and terminate the call if you say no thanks, and we won’t call repeatedly if you don’t answer; calls that ignore these rules have the hallmarks of a scam. If you think you have been scammed, contact us.

The security of our activities online and on our smartphones is more important than ever, and it is critical that we take action to help our customers trust in the connectivity we provide. We see a future where scam calls of this type are effectively ring-fenced and eliminated from our network. It will take more investment and innovation, and continued support from Government but we have an ambition to make these kinds of changes to continue to improve the level of trust that Australians have in their phones, their emails and the websites they visit, and to encourage the rapid expansion of our country’s digital economy however we can.

For tips and advice on how to spot a scam phone call, visit our website.

Cyber security won’t win your Valentine

By Darren Pauli February 12, 2021

This year you did Valentine’s Day right. You booked that exclusive restaurant months in advance. The babysitter is sorted. And that present, nestled in a box and finished with a bow, lies ready to light up her face.

And so it is with despondent confusion that, hours later over raspberry mascarpone and Veuve Clicquot, you stare at her as she roars in laughter, doubling over and swinging your gift around.

It wasn’t meant to end like this. Do you laugh along? You have seconds to decide as you drift between wrenching pain and confusion.

Too late. Her eyes open and she sees your deadpan face. “Wait, wait, you’re serious?” she asks, incredulous, still laughing. “After all this you give me…” she trails off, screwing her face up at the little black rectangle, unsure of what it is.

“A multifactor authentication USB key,” you finish. “It’s the best thing you can use to secure your accounts.”

A hard sell

Cyber security experts care a lot about security. Every day we see the at times devastating real-life consequences for ordinary people who get it wrong.

My colleagues in Telstra’s cyber security team report to authorities thousands, sometimes tens of thousands, of usernames and passwords stolen from Australians and organisations across the country every week.

Any one of these people may have endured some of the consequences of having their passwords stolen.

Fear and anguish as their hacked work email account spreads malware to their peers. Tens of thousands of dollars lost as thieves doctor invoices in their work inboxes. Countless hours of uncertainty and stress while recovering from identity theft. Or the simple embarrassment of having their friends and work colleagues see their hacked social media posting scams.

However, much of this potential pain and fear can be all but eradicated with free and simple security apps.

So you could therefore be forgiven for thinking my job promoting cyber security awareness is easy.

It isn’t. Better professionals than I have tried for decades to develop and promote these technologies yet seen little uptake. Google promoted hard for years the benefits of multifactor authentication but only 10 percent of users listened and took it up, according to its most recent figures.

I pay myself enough credit to say I wouldn’t hand my partner a multifactor authentication key this Valentine’s Day. She, too, would laugh.

But I do try, slowly, to get her to adopt it. I argue no security technology is more important. It is absolutely essential for your important accounts.

Multifactor authentication works with a code generated in an app or sent over platforms like SMS. You enter that code in after your password, and generally only once for each new device you use to log in, such as when you get a new phone.

Only a few security die-hards, and those with access to very important data, use the multifactor authentication USB key wrapped in that Valentine’s gift box.

But while most hackers need to work extremely hard to get that extra multifactor code and therefore give up (Google says use of the code eliminates common phishing), it is not impossible.

Criminals who can win your heart can win your wallet. Multifactor authentication won’t stop them if they have your trust. It’s one of the reasons romance scams are so dangerous and effective.

The love factor

Many of us consider online dating in the run-up to Valentine’s Day. And that raises the chances we will be exposed to romance scams.

These scams are a staple of online cybercrime because they are so effective at separating victims from their money and property, often under the guise of the scammer requiring flights, payments for debts, and funds for medical procedures.

Their damage goes beyond bank accounts; the months of deception can inflict deep emotional pain on victims. They can also be dangerous, with some luring the victims overseas where they are exposed to international criminal networks.

Don’t think the scams are something for lovestruck fools; the average victim is a middle-aged and well-educated woman. Other characteristics include a propensity for urgency and sensation-seeking, trustworthiness, and an addictive disposition.

They are common, too. The Australian Competition and Consumer Commission received 3,680 romance scam reports last year, of which a third resulted in financial losses. All told, Australians lost more than $37 million to the scams last year.

The scams work, as we have written in previous years, by constructing a ‘hyper-personal’ relationship that is overly intense. They slowly capture and isolate victims, increasing the victim’s dependence and decreasing the likelihood that outside intervention will disrupt the relationship.

Much of this takes place on social media but prominent dating services are not immune so consider the scammers a risk in all online dating scenarios.

Stay safe

Experts agree that your best bet is to recruit a friend or family member as your confidant from the start of the online relationship. Their job is to be the objective voice of reason who can see relationship red flags before you will. Listen to them.

Requests for money by someone you met online are the biggest red flag of romance scams. However, if you are intent on wiring money, you must use Australian financial networks like those offered by your bank. There remains a chance of repatriating stolen money if these are used. Funds are much harder to claw back when international transfer services such as Western Union or cryptocurrency are used.

The Federal Government offers a range of services where victims of romance scams can seek assistance.

Finally, if you are not online dating but know someone who is, offer to be their confidant. By lending a trusting ear you will be giving them the best protection possible while enabling them to date safe.

Shop smart

Scammers abound elsewhere. Many of us who participate in Valentine’s Day will open our wallets at some point.

It is essentially impossible to determine if a website has been hacked and difficult to reliably spot scam sites. Defend yourself by shopping online with a card that reimburses fraudulent purchases.

Read your card’s terms and conditions. The short of it is that banks will often reimburse fraudulent purchases made against major credit cards provided they are reported within a certain period.

The website Finder has a good article on this. But, in general, it states, most big banks require credit card fraud to be reported within 30 to 60 days of it occurring for reimbursement to be considered. Check your statements to ensure a smooth and fast reimbursement.

PayPal also reimburses fraudulent payment in the same way as participating banks.

Fraud occurring when money is wired into accounts using direct transfers (BSB and account number for instance) is rarely covered so be careful when using these for online purchases.

There are a lot of complex and dynamic parts to cyber security. Passwords, phishing, malware, and fraud. It’s at times technical and tough. But start small by setting up multifactor authentication and a password manager. Head over to the Government’s consumer cyber security site to learn how.

In time, you’ll master it. Perhaps you’ll become so enamoured you’ll want to help others become more cyber secure. Just spare the Valentine’s gift.

Crisis support services exist. Contact Lifeline on 13 11 14 or visit www.lifeline.org.au. For information about depression or anxiety, contact beyondblue on 1300 22 4636 or visit www.beyondblue.org.au

Getting cyber smart heading into 2021

By Matthew O'Brien February 8, 2021

Tomorrow is Safer Internet Day, a day when the world comes together to #startthechat about how we can make online experiences better for everyone. With more devices connected to the internet than ever, it’s important to make sure you and your family are safe online.

To help with this, we’ve launched Telstra Cyber Security Device Protect with cyber security leaders Trend Micro to make it easier than ever to protect your household devices online. Whether it’s managing your kids’ screen time or helping to keep your devices safe against hackers or protecting your ID, we’ll have you covered.

To go with this, we’ve put together a few tips on how to stay safe online, as well as a few of the ways you can use Device Protect to manage it all in your sleep.

Managing the content your kids can access

They’ve just got back to school after a big break, and tests are already starting to come up that your kids need to study for, but all they want to do is chat to their friends online. Rather than stay on your kids’ backs the entire time, it can be much easier just to control what content they can access online and when they can access it.

With the Parental Controls feature in Device Protect, you can prevent specific categories of websites from being opened, and even set different rules for different computer accounts. You can also limit internet usage through time control on a shared PC at home, so your kids won’t be able to get online until they’re done with their study or homework.

Your Wi-Fi router may have settings that you can log in and set up, but Device Protect takes the concept further than just your Wi-Fi and helps keep your family’s devices safe individually wherever they are. Our Mobile Security for Android devices includes an App Lock for restricting app usage for even more in-depth control.

Did you know only 46% of Australian parents feel confident about dealing with the online risks their children face and 95% want more information about online safety? To mark Safer Internet Day eSafety is hosting a series of webinars for parents and carers this week on Cyberbullying and online drama. They also have a suite of resources available to help you start the chat about being safer online.

Protecting yourself on public WiFi

Free public WiFi can be a saving grace when you don’t have any mobile reception or want to pull out your laptop for some quick work, but you also need to be careful about what you do online. When you connect to a public network, you can never be too sure who runs it, or if anyone else on the network has managed to get in and snoop on other devices.

Because of this, a general rule of thumb is to never use a public WiFi network for any sensitive data – think online banking, making purchases online with your credit card or even signing up to things that reveal a lot of personal information. Try to always do these things on a private network, either on your mobile or on a WiFi network at home or at the place of someone you trust.

However, if you really need to make an emergency bank transfer or want to regularly pop down at your local cafe to work, having a Virtual Private Network (VPN) installed can help mitigate those risks by hiding from the network what you’re doing over the internet.

With Device Protect installed, your VPN will automatically turn on and encrypt your data communication when it detects you’re connected to an unsecured public network, giving you peace of mind without having to fuss around with securing your connection.

Keep safe against cyber threats

As we become more reliant on our devices for shopping, banking and connecting to others, it opens us up to more risks from cyber criminals.

It might be someone pretending to be from your bank or from a social network claiming you need to reset a password or have received a special message you need to log in to see, where they then try to take you to a fake page to steal your information. They could also make attempts to access your devices and information by sending you dodgy links that infect your device with a virus giving them access. Or they could try something even more advanced and sneaky!

But as long as you keep your eyes open and stay vigilant with your device protection you should be able to keep yourself safe. Make sure to always pay attention to the URLs of links you click, and that they match the same place you’d usually log in. Likewise, check the email address of who’s emailing you to make sure it’s correct and that they’re not using a fake name.

Or let Device Protect do the checking for you: it automatically monitors anything you download so you can be confident there are no viruses hiding in the file, alerts you when a website you enter is known to be a bit fishy, and can even add an extra layer of protection when you enter your credit card or bank details.

Keeping your passwords and identity safe

Most of us are guilty of recycling passwords across most of our accounts online, but doing this is really risky – it means that a cyber-criminal only needs to get access to one of your accounts to get into all of them that share the same password. But on the flip side, it can also be quite hard to remember dozens of different passwords across all your accounts to be extra safe – which is the reason most of us don’t bother!

To make this easier, you can use a password manager like the one included in Device Protect to not only store all your passwords, but automatically generate super secure new passwords for you. You can then log into all of your accounts with one tap, so you’ll never need to think about passwords again!

While keeping your passwords protected is important to keep your data secure, it’s also important to make sure you haven’t already been hacked or had your personal information stolen.

Device Protect will also monitor sites on the internet and on the dark web for you to see if your personal information is posted or is for sale anywhere, then alert you if it’s found. That way you can contact the police, cancel your credit cards before anything is spent on them and get new ID documents to minimize the damage done.

Keeping your devices and identity protected online can be a bit scary, but there are simple things you can do as mentioned here to ease your mind and help protect yourself and your family. If you’re looking for a solution to help protect your family’s devices for you, Device Protect will help keep your digital world safe and secure.

A turning point for cyber security

By Andrew Penn October 20, 2020

2020 marks a turning point for cyber security in Australia. The Government’s landmark 2020 Cyber Security Strategy is set for implementation and today I am very proud to have been appointed chairman of an expert Industry Advisory Committee (IAC) to help bring it to life.

The IAC will play an important role in delivering the Federal Government’s digital agenda to keep Australia and Australians safe online.

The Committee brings together a wealth of experience from both the private and public sector and builds on the success of the Industry Advisory Panel (IAP) which helped shape the Strategy.

It is hard to imagine a more important piece of work. Connected technologies are now right at the heart of the lives of most Australians and increasingly pivotal in shaping our economy, our society and our prospects for the future. Our ability to fully embrace a digital future is also central to our post-COVID-19 recovery and long-term competitiveness.

But there are those who would do us harm. More abundant and better resourced cyber-criminals and cyber-activists and increasingly sophisticated and emboldened state actors mean Australia is quite literally under constant cyber-attack. In fact, cyber-crime affected almost one in three Australian adults in 2018 and cyber security incidents are estimated to cost Australian businesses up to $29 billion per year.

Meeting that challenge requires Australia’s cyber defences to be strong, adaptive and built around a strategic framework that is coordinated, integrated and capable. The 2020 Cyber Security Strategy provides that framework.

The Strategy has been shaped by 60 key recommendations provided by the IAP during its development. The recommendations, built around the five key pillars of Deterrence, Prevention, Detection, Resilience and Investment, were focussed on striking a balance between increasing cyber defences while promoting the development of a digital economy and countering threats to the economy, safety, sovereignty and national security.

Not a moment too soon

The 2020 Cyber Security Strategy is designed to have a clear and immediate impact. The Strategy – and the appointment of the IAC – means collaboration and interaction between governments and the private sector is stronger and deeper; the right organisations and people are engaged; and the tempo of engagement across the community is quickening. It means our defences are increasingly sophisticated and in-depth.

All of this is not a moment too soon. Australian businesses, families and individuals continue to be targeted by cybercriminals. Foreign actors continue their efforts to compromise our national security. And all the while as a country there is a growing need to continue to fully embrace the digital opportunities that are increasingly central to a prosperous Australia. With so much at stake it really is too important to get wrong.

The growing threat of ransomware

By Allie Coyne October 14, 2020

Ransomware operators are becoming more emboldened to target big-name brands in the hopes of extracting a big bounty, and they’re upping the stakes to make a payout more likely.

The list of prominent brands that have been targeted in recent months is long: Luxottica, Carnival, Equinix, Toll, Canon, LG Electronics, and Xerox are just a few. In the majority of these cases, the victim’s files were not only encrypted but also stolen, and then sometimes leaked publicly if the ransom wasn’t paid.

Traditionally a ransomware attack meant a system was left encrypted and inaccessible until a ransom was paid; now there are around 20 different ransomware gangs that also steal and leak files when the victim refuses to meet the hackers’ demands.

It makes the decision of whether or not to pay the ransom quite a bit more difficult.

The recent ransomware attack on technology company Garmin was labelled a “warning” to other big organisations by Wired. Garmin reportedly handed over the US$10 million the hackers demanded to unlock its systems.

Earlier this year Travelex was reported to have paid US$2.3 million to hackers to bring its systems back online. Cloud service provider Blackbaud also revealed it had succumbed to demands from hackers who unleashed ransomware on its network.

And in August travel management firm CWT reportedly paid US$4.5 million to restore 2TB of stolen data and 30,000 computers (side note, if you’ve ever wondered how ransomware negotiations actually go down, check out this Reuters reporter’s Twitter thread).

The problem is – there’s no guarantee your data will be returned or your systems restored. Paying the ransom also encourages this lucrative criminal industry and spurs other hackers to get in on the game, resulting in larger numbers of victims.

It also identifies you as someone willing to pay the ransom, increasing the risk you’ll be targeted again.

Expert advice has long been not to give in to the demands. However, as the FBI noted in updated ransomware guidance last year, the problem has become more nuanced for many organisations.

While it still doesn’t advocate paying up, the FBI says it understands that crippled businesses will need to evaluate all options “to protect their shareholders, employees and customers”.

(For an insight into how a business recovers without paying a ransom, read about how Norsk Hydro got back on its feet after a painful 2019 brush with ransomware).

Tips to avoid a ransomware attack

Ransomware attacks are often perpetrated through vulnerabilities in web-facing systems, email phishing campaigns, and by breaking into remote access systems.

The best way to protect your organisation is to ensure it is strong at the basics:

  • Applying software and security updates as soon as possible,
  • Using multi-factor authentication wherever possible, but especially on critical systems,
  • Ensuring you have current off-site back-ups and a business continuity plan, and
  • Maintaining an educated workforce able to spot things like phishing and social engineering attacks.

A reputable endpoint security solution will also help to identify and block any malware attempting to infect your systems via the devices on your network. Having these important foundations in place lowers your chance of ever having to face the question of whether or not to pay the ransom.