
We’re now blocking around 1.5 million scam calls a week

By Andrew Penn February 16, 2021

Growth and the overall success of the digital economy is inextricably linked to connectivity. Equally important is having a secure network that keeps those connections safe.

Cyber criminals and scammers have not failed to notice that millions of Australians are now much more dependent on being able to live, work and learn online because of COVID-19, and cyber-crime is on the rise again. Scam calls are not only annoying, they also have a real financial impact on Australians and are estimated to have cost ordinary Australians nearly $48 million last year.

This is why we’re announcing today that we are doubling down on efforts to address scam calls and are now blocking around 6.5 million suspected scam calls a month on average from reaching end customers. Scam volumes fluctuate day-to-day but on an active day for scammers, we’re sometimes blocking up to 500,000 calls a day before they can potentially defraud our customers, which is a huge increase from the 1 million plus scam calls we were blocking on average per month previously.


We are doing this to protect our customers and their livelihoods because we know that we can have a significant impact by taking proactive action at a network level.

This activity is part of our Cleaner Pipes initiative, where we are working to reduce the harm of phishing, malware, ransomware and other scams across our networks both online and through voice and SMS. We recently introduced a new pilot program to make SMS safer too, with the first impact being to block illegitimate messages pretending to be from Services Australia from reaching Telstra customers’ phones.

A lot goes into operating national and global telecommunications networks, from the physical assets of the fibre, exchanges and data centres humming away in the background of our cities and towns, to the operations that happen in the digital layer that keep this infrastructure and the people that use it safe.

Blocking scam calls is no mean feat. Our Networks team has built a smart platform that enables us to monitor inbound calls on our network that have suspicious characteristics, and block them before they can ever reach our customers.

We were already blocking around 1 million calls per month using a manual process, so the automation is a huge boon to our capabilities. Scammers use a range of methods and some of the more popular types at the moment include ‘wangiri’ or one-ring scams, and spoofed number calls either pretending to be a legitimate service (like the ATO) or a random number entirely.

We built this technology in-house, and we are proud of the scale and expertise of our cyber security and networks teams as leaders in Australia’s telecommunications industry, but we also know that this is a team sport. The Reducing Scam Calls Code, recently introduced by the telecommunications industry and the Australian Communications and Media Authority (ACMA), is an important step towards a collaborative industry approach, creating the framework to work together on protecting Australians from scam calls.

Our efforts will always need to evolve to target the new, creative tactics that scammers will use, so no technology platform will ever stop scam calls entirely. Customers should always remain vigilant.


If you think you are receiving a scam call, our simple advice is: hang up. Scammers operate on confidence and often victims are influenced to act quickly; if you buy yourself some time to think critically then your chances of avoiding a scam are far better. As a reminder, if Telstra is legitimately calling you, we will only call between 9am–8pm Monday to Friday, and 10am–3pm Saturday wherever you are based, and not on a Sunday. The exception to this is if you have an unpaid account or a customer-initiated inquiry with respect to an order, fault or complaint, someone from Telstra may call you outside of these hours. We’ll respect your wishes and terminate the call if you say no thanks and we won’t call repeatedly if you don’t answer – these are all hallmarks of scam calls. If you think you have been scammed, contact us.

The security of our activities online and on our smartphones is more important than ever, and it is critical that we take action to help our customers trust in the connectivity we provide. We see a future where scam calls of this type are effectively ring-fenced and eliminated from our network. It will take more investment and innovation, and continued support from Government but we have an ambition to make these kinds of changes to continue to improve the level of trust that Australians have in their phones, their emails and the websites they visit, and to encourage the rapid expansion of our country’s digital economy however we can.

For tips and advice on how to spot a scam phone call, visit our website.


Getting cyber smart heading into 2021

By Matthew O'Brien February 8, 2021

Tomorrow is Safer Internet Day, a day when the world comes together to #startthechat about how we can make online experiences better for everyone. With more devices connected to the internet than ever, it’s important to make sure you and your family are safe online.

To help with this, we’ve launched Telstra Cyber Security Device Protect with cyber security leaders Trend Micro to make it easier than ever to protect your household devices online. Whether it’s managing your kids’ screen time or helping to keep your devices safe against hackers or protecting your ID, we’ll have you covered.

To go with this, we’ve put together a few tips on how to stay safe online, as well as a few of the ways you can use Device Protect to manage it all in your sleep.

Managing the content your kids can access

They’ve just got back to school after a big break, and tests are already starting to come up that your kids need to study for, but all they want to do is chat to their friends online. Rather than stay on your kids’ backs the entire time, it can be much easier just to control what content they can access online and when they can access it.

With the Parental Controls feature in Device Protect, you can prevent specific categories of websites from being opened, and even set different rules for different computer accounts. You can also limit internet usage through time control on a shared PC at home, so your kids won’t be able to get online until they’re done with their study or homework.

Your Wi-Fi router may have settings that you can log in and set up, but Device Protect takes the concept further than just your Wi-Fi and helps keep your family’s devices safe individually wherever they are. Our Mobile Security for Android devices includes an App Lock for restricting app usage for even more in-depth control.

Did you know only 46% of Australian parents feel confident about dealing with the online risks their children face and 95% want more information about online safety? To mark Safer Internet Day eSafety is hosting a series of webinars for parents and carers this week on Cyberbullying and online drama. They also have a suite of resources available to help you start the chat about being safer online.

Protecting yourself on public WiFi

Free public WiFi can be a saving grace when you don’t have any mobile reception or want to pull out your laptop for some quick work, but you also need to make sure you’re careful around what things you do online. When you connect to a public network, you can never be too sure who runs it, or if anyone else on the network has managed to get in and snoop on other devices.

Because of this, a general rule of thumb is to never use a public WiFi network for any sensitive data – think online banking, making purchases online with your credit card or even signing up to things that reveal a lot of personal information. Try to always do these things on a private network, either on your mobile or on a WiFi network at home or at the place of someone you trust.

However, if you really need to make an emergency bank transfer or want to regularly pop down at your local cafe to work, having a Virtual Private Network (VPN) installed can help mitigate those risks by hiding from the network what you’re doing over the internet.

With Device Protect installed, your VPN will automatically turn on and encrypt your data communication when it detects you’re connected to an unsecured public network, giving you peace of mind without having to fuss around with securing your connection.

Keep safe against cyber threats

As we become more reliant on our devices for shopping, banking and connecting to others, it opens us up to more risks against cyber criminals.

It might be someone pretending to be from your bank or from a social network claiming you need to reset a password or have received a special message you need to log in to see, where they then try to take you to a fake page to steal your information. They could also make attempts to access your devices and information by sending you dodgy links that infect your device with a virus giving them access. Or they could try something even more advanced and sneaky!

But as long as you keep your eyes open and stay vigilant with your device protection, you should be able to keep yourself safe. Make sure to always pay attention to the URLs of links you click, and that they match the same place you’d usually log in. Likewise, check the email address of who’s emailing you to make sure it’s correct and that they’re not using a fake name.

Or let Device Protect do the checking for you, such as automatically monitoring anything you download so you can be confident there are no viruses hiding in the file, alerting you when a website you enter is known to be a bit fishy, or even adding an extra layer of protection when you enter your credit card or bank details.
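The manual URL check described above can be expressed in code. This is an added example, not part of the original article or of Device Protect. The function name and the sample hosts under the reserved `.example` and `.test` domains are constructed for illustration, and accepting subdomains of the expected site is an assumption.

```python
from urllib.parse import urlsplit


def link_matches_site(link: str, expected_host: str) -> bool:
    """Return True only if `link` is HTTPS and its host is `expected_host`
    or a subdomain of it. Hypothetical helper for illustration."""
    try:
        parts = urlsplit(link.strip())
        # .hostname drops any "user:password@" prefix and the port,
        # which is where deceptive links often hide the familiar name.
        host = parts.hostname
    except ValueError:
        return False  # malformed URL
    if parts.scheme != "https" or not host:
        return False
    host = host.rstrip(".").lower()
    if not host.isascii():
        return False  # non-ASCII lookalike letters in the host name
    if any(label.startswith("xn--") for label in host.split(".")):
        return False  # punycode form of a non-ASCII host name
    expected = expected_host.lower()
    # The leading dot matters: "notmybank.example" must not pass as
    # "mybank.example", and the expected name must be at the END of the
    # host, not somewhere in the middle or in the path.
    return host == expected or host.endswith("." + expected)


# Constructed sample links, all compared against "mybank.example".
SAMPLE_LINKS = [
    "https://www.mybank.example/login",                 # genuine subdomain
    "https://mybank.example.account-check.test/login",  # real name used as a prefix
    "https://mybank.example@203.0.113.7/login",         # real name in the userinfo part
    "https://account-check.test/mybank.example/login",  # real name only in the path
    "https://notmybank.example/login",                  # different registered name
    "http://mybank.example/login",                      # not HTTPS
    "https://myb\u0430nk.example/login",                # Cyrillic "a" lookalike
]


def check_samples() -> dict:
    """Map each constructed sample link to the result of the check."""
    return {link: link_matches_site(link, "mybank.example") for link in SAMPLE_LINKS}


if __name__ == "__main__":
    for link, ok in check_samples().items():
        print("match   " if ok else "MISMATCH", link)
```

Only the first sample link passes; every other one shows the familiar name somewhere in the address while pointing at a different host.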

Keeping your passwords and identity safe

Most of us are guilty of recycling passwords across most of our accounts online, but doing this is really risky – it means that a cyber-criminal only needs to get access to one of your accounts to get into all of them that share the same password. But on the flip side, it can also be quite hard to remember dozens of different passwords across all your accounts to be extra safe – which is the reason most of us don’t bother!

To make this easier, you can use a password manager like the one included in Device Protect to not only store all your passwords, but automatically generate super secure new passwords for you. You can then log into all of your accounts with one tap, so you’ll never need to think about passwords again!

While keeping your passwords protected is important to keep your data secure, it’s also important to make sure you haven’t already been hacked or had your personal information stolen.

Device Protect will also monitor sites on the internet and on the dark web for you to see if your personal information is posted or is for sale anywhere, then alert you if it’s found. That way you can contact the police, cancel your credit cards before anything is spent on them and get new ID documents to minimize the damage done.

Keeping your devices and identity protected online can be a bit scary, but there are simple things you can do as mentioned here to ease your mind and help protect yourself and your family. If you’re looking for a solution to help protect your family’s devices for you, Device Protect will help keep your digital world safe and secure.


Invisible security at your fingertips

By Darren Pauli August 21, 2020

Consumer cyber security has become much more user friendly and effective in recent years with technical complexity hidden behind seamless usability and easy-to-use apps. Yet a whole suite of largely invisible cyber security defences too numerous to list are available, often for free, by applying software updates.

This week we’ve covered some of the most important defences as part of Scams Awareness Week: password managers and the adoption of passphrases instead of jumbled codes; free and easy multifactor authentication; updated advice on spotting phishing attacks; and locking down your sensitive data.

Scams Awareness Week: five ways in five days to free and easy cyber security

Set your devices to automatically update. Search online for ‘end of life’ and your device make and model to see if it is still supported and secure.

An update is available

Many modern apps and devices are set by default to automatically update. Updating can apply new features, improve stability, increase security, and close dangerous flaws.

Security researchers continually find and report vulnerabilities in hardware and software. No product is immune. Good vendors will produce fixes, or patches, for these flaws and distribute them in software updates.

Many consumer products from phones to routers and gadgets will receive updates for a period of time before the manufacturer deems them end-of-life, stops fixing security flaws, and recommends customers buy a new product.

Routers

Your router, if it is relatively new and produced by a major vendor, is likely set to automatically check, download, and install updates on a regular basis.

To check if it is, load your router’s administration page. Connect your computer via an ethernet cable to your router, likely through the socket at the back labelled WAN, and type the router’s IP address into a web browser window.

The IP address is likely underneath your router and should look like a sequence of numbers and full stops, such as 192.168.1.1. The username and password required to access the admin page (not your Wi-Fi network) may also be on the underside. If not, search online for ‘default login’ followed by the make and model of your router.

Once inside, feel free to navigate around without saving any changes. You should find your software update status under general settings or admin.

Set your updates to automatic if possible and click a button to manually check for updates if it is available.

Look for a date of the last update – this might be next to or contained inside the update (firmware) file name such as tplink_abcxyz_20.03.2020.

Your router might be end of life if that date is more than a year old. You can verify by searching the internet for ‘end of life’ and the make and model of your router.

End of life routers should be replaced to ensure security. You may wish to consider replacing the router operating system instead with supported open source firmware like OpenWrt. These systems, while popular, generally have a highly technical interface and their application is a complex process that if done incorrectly could render your router inoperable.

Mobile

Modern mobile phone operating systems such as Android and iOS, along with their apps, are set by default to automatically update.

You can check by going to settings and searching for updates. Open your app store and apply any updates and check any boxes to activate automatic updates.

Apple supports its line of iPhones for much longer than other manufacturers but most provide updates for their phones for two years or more. Some updates may occasionally be issued beyond that for highly critical security issues.

Computer

Microsoft now only supplies updates for Windows 8 and Windows 10 in its regular consumer operating systems, although it too occasionally issues updates for older platforms to fix the most pressing rare security issues.

Windows 10 contains a suite of built-in security controls that make computers significantly harder to hack than older Windows versions. It also offers well-performing built-in antivirus eliminating the general security requirement to purchase third party antivirus.

Apple will as of November no longer support macOS 10.13 High Sierra and instead cater to newer versions including macOS 10.15 Catalina which sports Activation Lock that helps prevent unauthorised use and erasure of disks in devices that have the Apple T2 security chip.

Explore

Additional security settings can often be found by looking around your settings. You may find options such as backups that help in the event of data loss or ransomware, a type of malware, and others that increase your security at the expense of some convenience. Try them out; you may find the new barriers worth the additional peace of mind.

Microsoft Office has similar security settings. Most malware utilises document macros as an initial step in attacks. These can be turned off if not needed to significantly increase security.

Consumers may also consider using a suite of tools called HardenTools, produced by Claudio Guarnieri, a highly-respected cyber security expert with Amnesty International. This Windows suite turns off many legitimate default features that cybercriminals commonly abuse to launch attacks. The process is reversible with the click of a button.

Organisations meanwhile can consider the deployment of Application Guard for Office, which protects macro use. It is in preview mode and available to customers who apply for access from Microsoft.

Scams Awareness Week runs from August 17 – 21. Make sure to check out our Cyber Security Hub for the latest info on staying safe from threats. Also see the ACCC’s ScamWatch podcast series on identity theft by the team at the ABC’s The Chaser.


Secure your sensitive data for free

By Darren Pauli August 20, 2020

Open your email account and search for ‘driver licence’. Then search for ‘passport’, ‘Medicare’, and ‘payslip’. Now think about your email account password; do you use the same password for other accounts? When did you last change it? The sensitive personal information contained in your inbox is at risk if your password is used across other accounts.

That risk is higher still if you are like the 90 percent of Google users who in 2018 did not make use of a simple additional security check, known as multi-factor authentication, to protect their accounts.

Here’s how to take small steps for big security gains.


Start by making your email password unique, then switch on multi-factor authentication. After that, delete your attachments.

Lock shop

Your email password needs to be unique, so change it if you have reused the same one anywhere else.

The best way to do this is through a password manager. These can help you change all your passwords to long and unique combinations that you can set and forget. All you need to remember is your one master password which is the key to your password vault.

Another option is to use phrases for your passwords (also known as a passphrase). A sentence that means something to you, not taken from a book or movie, is a great choice. You’ll remember it since it is a phrase, rather than a random combination of letters and symbols, and it’ll be harder for an attacker to guess or crack. You still can’t reuse passphrases across accounts, though, so a password manager would again come in handy here.

Next, deadbolt your email account with multi-factor authentication. It is supported by most major email providers and can usually be found under your account settings within the security or privacy tab.

This security control, which requires an extra code usually when you first log in, is simple and makes hacking your email account extremely difficult. It also means an attacker will not be able to access your account if they steal your password.

Purge

Find and delete any attachments that contain your driver licence, passport, and other highly sensitive personal information you would most like to keep out of hackers’ hands.

Most email services allow you to check a box to return search results with attachments, or you may be able to search the phrase ‘hasattachment:yes’ along with any keywords like ‘driver licence’.

Your account is unlikely to be compromised when protected with both a unique password and multi-factor authentication, but there are phishing attacks that can steal both.

By deleting searchable records of your personal information in your email, you’re minimising the potential damage should it be breached.

Protect

You, like me, may choose to store a copy of your personal information (like your driver licence, passport, and Medicare info) in one easy to access location. You can do this whilst also ensuring it is secure.

I store mine within Google Drive inside of an encrypted archive file – most commonly known as a zip file – using an entirely unique password. I use the 7zip extension with powerful AES encryption, both of which are set as default options within the free open source 7zip software.

This control means hackers who breach my Google account will be unable to find a copy of my sensitive documents within my thousands of emails. They will also be unable to open the archive containing my personal information because the password is different from any they have stolen.

If you need more regular digital access to things like your driver licence, try an app.

Tap of an app

I have not carried a wallet since 2017. My phone is my wallet, allowing me to pay and provide proof of identity.

So fast and easy access to my driver licence is essential. I store a second copy of my driver licence and Medicare card, two items I often need in a pinch, in the Sync.com cloud service.

This is a secure so-called ‘zero knowledge’ service which is protected with multi-factor authentication. This combination makes compromising my data very difficult, yet access convenient through an app on both Android and iOS.

Many identity providers are starting to offer identity services digitally. Apps like Australia Post’s Digital ID, Services Australia’s Express Plus Medicare mobile app, or if you’re in NSW or South Australia, your state government’s digital driver licence apps, make it easy to access your identity documents quickly, backed by the government’s security chops.



Make hackers give up with multi-factor authentication

By Darren Pauli August 19, 2020

Burglars and cybercriminals have the same philosophy: when a target is secure, pick a softer victim. Using multi-factor authentication is like getting a free and easy deadbolt on your online accounts to go from a soft target to a hard target.

Two in three arrested burglars told police and academics they would avoid a home with a barking dog, while half would avoid one with a working alarm system.

Cybercriminals and professional hackers paid to test defences have said accounts protected with multi-factor authentication are an obstacle they would rather avoid.

It could be said then that adequate security is a matter of being more secure than your neighbors.


Most hackers are after quick money. Multi-factor authentication helps protect against these attacks.

The first step to securing your online accounts is to use a password manager and change any passwords that you have reused. Start with your most valuable accounts.

Next turn on multi-factor authentication (also known as two-factor authentication and two-step authentication).

Deadbolts for your accounts

Most hackers are after quick money. They blind fire phishing emails in an all-too-successful bid to snare usernames and passwords while others feed huge lists of hacked logins published online into automated password-guessing tools to break into accounts at scale.

Multi-factor authentication helps protect against these attacks with a deadbolt in the form of a check that is required after your password.

Most of the big technology platforms from Google to Microsoft, Instagram to Reddit offer it for free under user account settings and security or privacy. A directory listing services that allow multi-factor authentication is available at twofactorauth.org.

It is often a six-digit code generated in a special app or sent over SMS. It may, in the case of Google and other services, be an easy notification that appears on your phone asking you to tap to approve access. It can also exist as fingerprint readers and special USB devices.

Attackers who have managed to steal your password must also steal these checks to gain access to your account.

But they have a short window to do it. The checks usually expire after 30 seconds to a few minutes, placing a tight time window on any attempt to steal them.

It is a hurdle that for most cybercriminals proves too hard.
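To make the expiring six-digit code concrete, here is an added example (not from the original article) of how an authenticator app and a service can derive and check such a code. It assumes the standard TOTP scheme from RFC 6238 with a 30-second step; the secret is the RFC's published test key, and the `verify` policy of one step of clock drift and no reuse is an illustrative assumption.

```python
import hashlib
import hmac
import struct

# Sample shared secret (the RFC 6238 test key), not a real account secret.
SAMPLE_SECRET = b"12345678901234567890"


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """Code for the time step containing unix_time (HMAC-SHA1, RFC 6238)."""
    counter = unix_time // step  # every `step` seconds the counter, and the code, changes
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F      # dynamic truncation from RFC 4226
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def verify(secret: bytes, submitted: str, unix_time: int, step: int = 30,
           drift_steps: int = 1, last_used_counter=None, digits: int = 6):
    """Service-side check. Accepts a code only if it belongs to a time step
    within +/- drift_steps of now and that step has not been used before.
    Returns the matched step counter (to store as last_used_counter) or None."""
    if not (submitted.isascii() and submitted.isdigit() and len(submitted) == digits):
        return None
    now = unix_time // step
    for counter in range(max(0, now - drift_steps), now + drift_steps + 1):
        if last_used_counter is not None and counter <= last_used_counter:
            continue  # a code already used cannot be replayed
        expected = totp(secret, counter * step, step, digits)
        if hmac.compare_digest(expected, submitted):  # constant-time comparison
            return counter
    return None


if __name__ == "__main__":
    code = totp(SAMPLE_SECRET, 59)
    print("code shown in the app at t=59s:", code)
    print("accepted at t=59s:    ", verify(SAMPLE_SECRET, code, 59) is not None)
    print("accepted at t=179s:   ", verify(SAMPLE_SECRET, code, 179) is not None)
    print("accepted when replayed:",
          verify(SAMPLE_SECRET, code, 59, last_used_counter=1) is not None)
```

The same code is accepted when it is fresh, rejected two minutes later, and rejected when replayed after it has been used once.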

Multi-factor authentication is easy for you, however. It is usually only required once, provided you use the same device or web browser and remain signed in. Some sensitive services like online banking that log you out after inactivity require the code be entered on each login.

Super thief

Phishing works because people are at times inattentive and generally trust what they see.

It stands to reason that those who are willing to enter their details into a login form they believe is legitimate will also enter their multi-factor authentication codes.

Basic phishing sites store stolen passwords in databases that can be used in subsequent attacks.

Advanced phishing sites immediately send captured usernames and passwords to the legitimate services they mimic and log into the victim’s account in real-time. The sites then prompt victims to enter their multi-factor authentication codes which, when supplied, allow the criminal to access the victim’s account.

Other dedicated criminals can steal SMS-based multi-factor authentication by abusing phone porting, a feature that allows consumers to churn their mobile number to new providers.

Criminals need to have enough information on their victim to pass identity checks in order to gain control of a victim’s phone number and receive any SMS-based authentication.

New industry security controls make this attack very difficult. Pre-port verification codes must now be entered before phone porting can take place.
