Protect ourselves Investment Scams

How to reduce the risk of financial scams

Protect your personal information

  • Use strong passwords.
  • Shred your personal documents.
  • Secure your devices with security software and use secure websites.
  • Monitor your bank transactions, credit card and online shopping accounts.
  • Check your credit report and your superannuation balance regularly.
  • Update privacy settings on your social accounts.

For more tips, see identity theft.

Do your own research

  • Check before you invest — Always check any investment opportunity to make sure it’s real, especially if approached through social media.
  • Ask questions — Be wary if someone avoids answering questions about the legitimacy of their offer.
  • Get advice — Get independent financial advice before you invest.

Don’t rush into a quick decision

  • Don’t click — on any links in suspicious text messages or emails.
  • Be wary of unexpected contact — particularly if you’ve been contacted through social media. You don’t know who you’re dealing with.
  • Take your time — Don’t be pressured to make a quick decision with your money you may regret later.
  • Trust your instincts — If an offer sounds too good to be true, it probably is.
  • Ask someone — If you’re unsure about something, talk to someone you trust about it. They may see red flags that you don’t.
  • Check payments — Be suspicious if you’re asked to pay for something with gift cards or cryptocurrency.

Signs of investment scams

An investment offer may be a scam if the person:

  • does not have an Australian financial services (AFS) licence (a licence given by ASIC that allows people or companies to legally carry on a financial services business), or says they don’t need one

  • constantly contacts you (phone calls, texts or emails) and pressures you to make a quick decision

  • uses the name of a reputable organisation to gain credibility (for example, NASDAQ, Bloomberg)

  • has an investment prospectus that isn’t registered with ASIC

  • offers you very high investment returns

If you spot any of these signs, hang up the phone or delete the email. If you manage to record any of the scammer’s details, report them to ASIC. Learn more about how investment scams work.

Signs of crypto scams

If you’re investing in crypto, watch out for these warning signs:

  • Unexpected contact — someone you don’t know contacts you with investment advice or offers.
  • Recommended by someone familiar — a fake celebrity endorsement, online influencer, online acquaintance or romantic partner.
  • Pressure to take action — to move your crypto, use crypto to pay for something, or pay to access your crypto.
  • Something feels off — strange tokens appear in your wallet or a crypto investment offers ‘guaranteed high returns’.

Find out more about how crypto scams work.

Signs of superannuation scams

Scammers can try to get access to your superannuation. For example, offers to help you get your super early or help you ‘control’ it by opening a self-managed super fund (SMSF). Learn more about how superannuation scams work.

Signs of banking and credit scams

A bank will contact you if there are suspicious transactions on your account. But they will never ask you for sensitive information such as online banking passwords or codes. Learn more about banking and credit scams.

Signs of identity theft

If your identity has been stolen, you may not realise for some time. Learn more about how to spot the signs of identity theft.

Check an investment is real

If you’re offered an opportunity to invest, check it’s legitimate by asking:

  • What is your name and what company do you represent?
  • Who owns your company?
  • Does your company have an AFS licence and what is the licence number?
  • What is your address?
  • Is your investing prospectus registered with ASIC?

Always verify any information through independent sources.

To do your own research, check:

If you suspect a scam hang up the phone or do not respond to the email. Stop dealing with the person or delete and block them if it’s through social media.

For more detailed steps to take, see check before you invest.

There are many ways investment scams may appear. Three main examples are:

  • The investment offer is completely fake.
  • The scammer is pretending to offer a legitimate investment, but keeps any money given to them.
  • The scammer says they work for a well-known company that is offering a legitimate investment – but they’re lying.

In any case, the money you ‘invest’ goes straight into the scammer’s bank account and not towards any real investment. It is extremely hard to recover your money if it goes to a scammer based overseas.

Anyone can be scammed, and every scam is different. Scams are often hard to spot and can feel legitimate in the moment. Scammers can use professional-looking websites, advertisements and apps, and impersonate legitimate companies.

Scammers are using deepfake technology to create fake celebrity videos promoting Quantum AI.

Quantum AI is a fake online investment program. It claims to use artificial intelligence (AI) technology and quantum computing to generate high returns for investors. Fake trading results are displayed on a website manipulated by scammers.

If you see a celebrity spruiking an investment, search online to see if the person has posted warnings about being impersonated.

Spot the signs of a deepfake video:

  • The person speaks with unusual pauses, odd pitches or different accents.
  • Mouth movements aren’t in time with their speech.
  • Facial expressions and movements don’t match the speaking tone.
  • The video is low resolution.

Do not click on any links promoting Quantum AI, or similar scams such as Immediate Edge and Quantum Trade Wave. Learn more about this scam.

Scammers can come from anywhere. The most common approaches are:

  • Unexpected contact – they may contact you by phone, social media, email or text message. They might pretend to be someone you know, such as your bank, financial adviser, fund manager, or even a friend. They’ll offer guaranteed or unrealistic high returns on an investment.
  • Fake investment trading – they use real investment trading platforms to set up fake accounts. Then they will help you trade via an account manager or offer to trade on your behalf. Once you deposit your money it’s gone for good.
  • Fake investment comparison websites – scammers will get you to enter your personal information into their fake website, then contact you to sell their scam investment.
  • Websites with fake ASIC endorsements – slick websites with fake investing information and performance figures. They may claim to be endorsed or approved by ASIC, and may show the ASIC logo.
  • Dating apps – using romance to form a relationship with you, then offering you an ‘investment opportunity’. (This is also known as ‘romance baiting’.)
  • Paid advertising – scammers often pay big money for advertisements, to appear high in online search results. They also advertise through social media. Advertising a scam is illegal.
  • Fake news articles – scammers will promote fake articles on social media or news websites, linking to their scam websites.
  • Deepfake celebrity endorsement videos – scammers use a deepfake celebrity video to promote fake investments.

A scammer may tell you they’re offering:

  • guaranteed, quick and easy investment returns and sometimes tax-free benefits
  • investments in shares, cryptocurrency, mortgage, real estate or virtual investments, all with ‘high returns’
  • a (fake) trading platform to trade foreign currency, gold, options or futures
  • commissions for building their client base and getting others to invest
  • an opportunity with no risk or low risk, because you will:
    • be able to sell anytime
    • get a refund for non-performance
    • have insured or ‘guaranteed’ transactions
    • be able to swap one investment for another
  • inside information on initial public offerings (when a company lists on a stock exchange and offers shares to the public for purchase, also known as a float) or discounts for early bird investors, often falsely impersonating real companies to pitch their offer

How scammers convince you

Scammers will look at the latest market and investment trends for opportunities. They often use well-known company names, platforms, and terms (such as ‘crypto’) to lure investors in and appear credible.

This may include fake:

  • crypto (virtual currency) investments
  • trading companies, getting you to invest with them through real apps and trading platforms
  • offers of inside information on public company floats, often naming ones that have been hyped in the media or on social media
  • offers to get your money back from a sharemarket fall or previous scam
  • references to well-known Australian companies or regulators, often using the Australian Coat of Arms or Government logos
  • offers to keep your money safe in well-known Australian banks

Beware of scammers offering investments or asking for payment using crypto. A legitimate financial services firm is unlikely to ask you for payment in crypto. Crypto-assets (for example, cryptocurrency) are largely unregulated in Australia and are high-risk, volatile investments.
Payments made using crypto are very difficult to trace and recover. To find out more, see cryptocurrencies.

Other tactics used by investment scammers

Operate from overseas

Investing in overseas companies or through brokers based outside Australia can be risky. If you invest and something goes wrong, you may not have access to important consumer rights and protections under Australian laws.

Convincing you not to pull out of the investment

They may try to swap your current investment for another one, convincing you the value will increase, or threaten you with legal action or fees.

A common tactic is to ask for ‘insurance’ or ‘taxes’ before funds invested can be released. This is just another method to extract more money from you.

‘Pump and dump’ scams

Scammers use social media and online forums to create fake news and excitement in listed stocks to increase (or ‘pump’) the share price.

Then they sell (or ‘dump’) their shares and take a profit, leaving the share price to fall. Any other investors are left with low value shares and will lose money. This may be market manipulation which is illegal.

Always use a licensed Australian financial services

A licence given by ASIC that allows people or companies to legally carry on a financial services business. This includes selling, advising or dealing in financial products. Only deal with licensed businesses. You are better protected if things go wrong and will have access to free dispute resolution services. A licence does not mean that ASIC endorses the company, financial product or advice. Or that you cannot incur a loss from the investment. ASIC grants a licence if a business shows it can meet basic standards such as training, compliance, insurance and dispute resolution. The business is responsible for maintaining these standards. The ASIC Connect Professional Registers will tell you if the company or person holds an AFS licence.

8 Likes

A long post @Gaby but a very good read. In fact worth maybe pinning for a while for those who may want to come back and go through it in bites and check out links?

1 Like

Thanks @Gregr, it can also be easy to find by ‘bookmarking’?

1 Like

It may also encourage more to find the Aust Govt MoneySmart website and learn from it. It’s the source of the content posted, and where the embedded links lead.

It would be equally informative to know if there is a Govt Website dedicated to informing business of what they need to be aware of such that they

  • do not lose any customer data
  • accounts are not falsely set up using fake or stolen identities
  • funds or the ownership of assets are not transferred by other than the genuine owner
  • high risk and unusual transactions are not processed without added checks/verification
  • third party providers of IT services are legally and financially present in Australia and subject to Australian regulation/legal penalty

There is a volume of resources on the SmartMoney website. I’m left to wonder whether every consumer has the capacity to meet their expectations 100% of the time. Politely consumers need to keep the pressure on enterprise/business and Government to do more, not less. Because when a business gets it wrong, us consumers one way or another wind up with the bill.

1 Like

The information is a good start, but the people I know who are duped by these scams are visual people. They believe what they see. They won’t read these descriptions, and they may not believe them because they mostly have a distrust of authority, which scammers capitalise on.

I would like to see a site where pictures of these scams are featured. Where I can say “that video of Kochie you saw - look - it’s a fake, a scam” This is how it works…

2 Likes

Anyone, please feel free to join me in the ‘Protect Ourselves’ series :pray:
Any information from reliable/credible sources especially those authorised by the Australian Government but not only (unless restricted by copyright).
The aspiration is to help people be protected by the armour of knowledge, it is then up to them to take it on board or not.
Let’s work together :pray:

3 Likes

The sophistication has risen to all but undetectable by most people. This article highlights some of the less obvious things scammers do and re the phone call, can do.

4 Likes

“[I] did a Google search for the ING contact number. [It] was exactly what I put in and it came up: 13 34 64,” she said.

“It is their phone number, but I rang it and I didn’t get through to ING, I got through directly to the scammers.”
O’Mahony was unaware her phone had been spoofed by the scammers, meaning they had the ability to redirect her calls to pose as ING.

This does not sound at all like what I have had described as phone spoofing - misrepresenting the number that has called you.

Can anybody tell me if the deception described in the article is real, if so how does it work? Presumably the victim did not allow anybody to physically interfere with her phone. How exactly can your phone be made to call a different number to the one you have keyed in and how can it be done remotely?

Number diversion/call forwarding might be one way of getting a number that you didn’t call. If set by the other person or persons that when a number is called, it is forwarded to a different number, this could be done entirely remotely and totally opaque to the person calling the number. Almost similar to when you call an Australian number here but end up speaking to a service representative in the USA, India, UK, or wherever.

1 Like

Using the above example this implies somebody at the ING number diverted the call. That sounds very unlikely to me and it isn’t ID spoofing.

If they used the phone to read/click on getting the quote, it could be a piece of malware that bots the phone. Call the number that is set as a diverted number and you get whatever replacement number that has been set. As they actively clicked the get quote button that was what possibly did the drive by infection.

Scam ads can look entirely legitimate, so they searched and found a believable web page that looked like but wasn’t ING. They activated the malware by actually clicking, after that anytime they rang what was a legit number for ING, they called another number that led them to the scammers.

https://www.reddit.com/r/chimefinancial/comments/155fns4/new_android_possible_malware_redirect_scam/

So it has been a known bit of malware since about 2022.

3 Likes

Isn’t spoofing a carrier issue? They’d have a record?

Also, sounds to me (but I’m not an expert) like web page redirection?

1 Like

It isn’t spoofing and the ABC article isn’t correct. It is installing an app on a phone to allow hackers to control the phone, including how calls are made. This article provides an example:

There is good advice available never to download apps (or their installation files) from locations other than Google or Apple stores. If one is asked to install an app by someone else, especially from a website or that sent by email, it is a flashing red flag - a definite scammer.

3 Likes

You don’t always know you are getting the malware, in this case it was possible that the get quote button was both a loader and approval of the install of the malware and sent a contact to the scammer or the malware once installed (silent installation) contacted home. It would need cleaning out now to ensure that any legit banking number they called wasn’t redirected.

2 Likes

So you are saying this scam relies on a combination of convincing the victim (as they do) plus installation of malware on a mobile phone in case they call ING to verify.

Assuming that this is possible and what happened in this case I feel a little better as the alternative is quite horrifying. The canon for avoiding scams is NOT to call unknown numbers given to you by strangers but if you need to contact an organisation go via the public number in the phone book. If that method of ensuring who you are speaking to had been voided the consequences would be most alarming.

If the spammers could install such a payload why not a key-logger that captures all the banking details, passwords and etc from everything the victim does?

I am not too impressed by the journalism in this example, it has the look and feel of lacking adequate verification.

1 Like

You do call the legit number, after the install the malware ensures that it redirects to another number. The malware as seen in Korea redirected a number of banking numbers to the scammers. So yes, the security of calling the phone book number has been voided.

In an Android universe there is a weakness in the WebAPK that allows silent installs of malware. I’m not sure that a similar weakness exists in iPhones, it is possible though it could.

Keyloggers can present other difficulties for the coders of malware, including the sending of trapped data to servers. Simple redirects of numbers can be easier to implement and can avoid some of the detection routines.

3 Likes

Not possible on Android phones to do it easily and unknowingly. The factory default is apk files can’t be installed. If one wants to install apk files, special access needs to be granted through the phone settings to allow apk files from unknown locations to be installed.

Not only does one need to have an apk file from an unknown source, one also needs to specifically change phone settings to allow its installation. Both these are flashing red flags.

1 Like

No, WebAPK allows bypassing of sideloads. It is a fairly newish technique.

Even as far back as 2010 there has been proof of concept around silent installs without user knowledge.

In the case reported on, the “approval” may have been by clicking the get quote button, if they used their phone to do so. If the browser had been on a PC, I don’t see how the phone would have been spoofed or hacked. It only makes sense if the phone was the device used to click the get quote button or was the victim of a drive by infection.

1 Like

Wasn’t aware of WebAPK, but appears basic malware scanner, including Google Play Protect, provides protection against this vulnerability.

It would mean one has disabled or removed default/preinstalled malware protection (and any post purchase malware protection if installed) to allow malware installation via webAPK.

2 Likes