Protect ourselves- scam phone calls, text messages, emails, including tax scams

I agree with @syncretic that enough people are either gullible enough or do not understand that clicking on links from organisations or supposed organisations is risky. It won’t matter if links are made illegal to add to emails or SMS. People will still click on links that lead them into dangerous outcomes. Predatory behaviour will not change. It is illegal now to scam people. Often the scam’s origin is outside of Australian jurisdiction, so it is almost impossible to control. Has that changed the number of scams that occur? No, it hasn’t, as criminals don’t care about the laws unless they are caught. In fact, even with all the reports in the media, with all the information being provided, even with all the scam reports being submitted, and even with many people knowing others who have been scammed, the scams continue to occur and even rise in number.

If the suggestion is to make it so email providers remove the links before someone receives them, well I have great concerns about that from a privacy viewpoint. That means they are going to read every email and SMS I receive (probably machine read) and then alter my email or SMS before I am aware what was sent. How will I know if and what was altered?

No Government agency, no financial institution, and almost no risk-savvy business I deal with includes links that require me to log in anywhere. They all ask me to go to their site manually and log in. But I receive almost innumerable amounts of spam ones that purport to come from these entities that do include links. That is the problem, no matter what legislation is in place to stop it.

MFA and 2FA only work safely if the login address is manually input into a browser; a link that either captures traffic and redirects to a legitimate site or leads to a scam website will still deceive people. No amount of education will save everyone. I only click links that are generated in response to my requests, e.g. password reset links that are generated by my input at the website, mostly unneeded as I use password managers but sometimes a site changes its processes and a new password has to be created as a result of their changes.

I am more of the opinion that we need stronger protections about recovery of scammed funds for victims. How that “insurance” is implemented is the thing to get as right as possible; there will still be people who get hurt though. Nothing is as sure as the desire-to-get-rich-quick syndrome that some seem to suffer from, and this often leads to the get-poor outcome just as quick. Nothing can protect everyone every time.

2 Likes

I have a very different view, and this is based on some discussions with my other half who is a psychologist.

There is something called behaviour conditioning. This is when repeated actions result in a change in behaviour.

Currently there is no opportunity for conditioning. Some businesses provide links and others don’t, so there is an expectation that anything goes… providing the opportunity for scammers to exploit, as they know that providing links will most likely result in them being clicked by some.

If all businesses don’t provide links to access accounts, then over time almost all users will become conditioned. Conditioned to the fact that they need to use their own methods to access the accounts for login. This may take no time at all for some to be conditioned, and possibly a lot longer for others. But over time, the natural response of this conditioning will be to log into an online account using methods other than clicking on a link in a communication.

The conditioning can be supported in communications by wording such as ‘XYZ will never provide links to click on for accessing your account’. Some businesses we deal with already provide such wording to reinforce that links are not to be used for logging in.

In the longer term, if one then receives a communication from what looks like XYZ but contains a link to access one’s account, one will know that this isn’t the method to access the account. It will most likely result in a recipient using non-link methods to access the account as this is what they have been conditioned to do.

Yes, there will still be some within the community who will still potentially click on the link, such as those with learning difficulties or with memory loss issues. But these will be a minority compared to those who would otherwise currently click on a link in a communication (as conditioning doesn’t exist).

Removing links from communications won’t be a quick fix, but will reduce the likelihood of clicked links leading to theft of personal information through fraudulent websites (phishing). It won’t stop all clicking, but over time the numbers will be substantially less than what would be occurring today.

This is why such a measure possibly should be supported, but as I outlined above, it needs to be widespread across all businesses that have online account login access. Not being all inclusive means that the potential for behavioural conditioning won’t be effective.

It is also worth noting that no matter the best security systems that are in place, the weakest link is the end user. In the case of online accounts, this is the person sitting at their computer/on their phone accessing an account on the internet. Providing them with the tools (through conditioning) is better than relying on some technical solution in hope that the user will be fully compliant (which is currently the case).

2 Likes

That would work in a perfect no-link situation. No such condition will exist while spam links continue to arrive in spam contacts. So there will still be confusion, as legitimate emails and SMS will have no links but conversely the non-genuine will continue to have links… So some people will still click links, thinking they have won $500,000 or got an inheritance, or been the beneficiary of some love interest, and the list goes on.

I have even seen malformed unsubscribe links that are designed to steal login credentials, and unsubscribe links are a mandated link to be included in genuine contacts from legit businesses.

I think continuing education, faster responses to scam problems, more international cooperation and enforcement against scammers, and more financial protections for those scammed are the most probable and best way forward. I wish that the no-link approach for legitimate businesses would work, and I have no issue with legislation that makes businesses send out emails and SMS with no links, and I mean absolutely no links, not even the currently mandated unsubscribe links. I still think enough will continue to be sucked into the pitfalls of clicking links until we are several generations of our populations into education, and universal international enforcement against scammers.

1 Like

No that won’t be the case. Conditioning will prevent links in spam emails being clicked.

The key, as indicated above, is to ensure that a no-link policy for logging into an account is universal for legitimate businesses and reinforced with statements/education. Conditioning takes time and can be extremely effective when done correctly.

It is a highly effective method used for both good and bad, and can be very effective when there is ‘noise’. Bad examples are brainwashing used in some regimes through to good such as conditioning to improve health outcomes.

The discussion wasn’t about removing all links from communications - this won’t be supported by the industry. It is about removing links for account logins, such as those outlined above.

Logging into a bank account, telco account, social media account, healthcare account, email account, insurance account and the list goes on.

It won’t prevent inheritance, romance, investment etc. type scams where one actively participates in the scam. This is about inadvertently providing online account access to criminals, which can be used for criminal activities. Currently this is extremely easy as online users have not been conditioned on how to log into an online account, as anything goes.

1 Like

I have not said I am against legislation that removes links from communications. I do think it will make it much harder for us to enjoy news articles and other web-based activities, but if it stops scammers then so be it. I think many will complain about it though, and I honestly don’t think that it will stop the problem of links appearing in scam communications or scammers sucking victims in.

I have several financial institutions and many other types of accounts, and none of them provide links to log in, and they warn about clicking links. I don’t need to provide my login details, yet I still receive almost daily spam/scam emails that include links to log in to the financial institutions. People still click them.

It is a habit to click links; the web is full of links, and we are conditioned by everyday interactions on the web and in our apps to click links. The problem is that not everyone is discerning of what is safe and what is suspect. You either remove all links from everything or you take other steps to protect those less discerning. So again I say I am happy for Governments to go ahead and legislate to remove all links from every communication unless it is a link in response to a user interaction. Though it raises the question of how the whole system proves the link was in response to a user interaction. I suspect it will not remove the problem.

I think it might be helpful if I post screenshots of what I received from my Super company.
SMS:

Emails:

All of these were sent to me by Aware Super, asking me to follow the supplied links to take action to either update my account, or set up a new account. How am I to distinguish if they are truly genuine, or messages sent by a scammer directing me to a cloned website where I will then provide my login details and conveniently set up a new account for them?!

By contrast, I have communications from two banks stating they will never send links in emails or SMS, instead advising me to go to their website myself. The balance of my savings is in my Super account, as it will be for many people, and the risk is therefore that much higher, yet the company persists in sending links in their communications.

As phb says, people are capable of learning, but it will take time and repetition of the message. As long as some financial institutions continue the practice of sending links, people receive an inconsistent message. It would be better to cease this practice and have a consistent message to help drive it home.

6 Likes

My goodness, can’t believe how very similar to scams these notifications are!
No wonder scammers are having so much success; how are people to tell the difference? These are irresponsible practices which should be outlawed :triumph:

4 Likes

I am not against the legislation, I just think we are so used to clicking links in all that we do that simply their removal will not cause all to stop using links in emails and SMS. I think it requires a lot more education, it also requires a lot more international cooperation to remove many of the bad players to reduce the risks. Australia and a number of other Countries have decent legislation in place about scamming, it still is a big issue here and in those other Countries. Some of it is domestic but I think the bulk comes from overseas jurisdictions that are either complicit with some of the fraud that goes on or are lax in efforts to control the fraud. Orbio World being an example of a scam, they are based in Lithuania and the authorities there know they are in existence, still their scams proliferate.

If you get any links (login, informational, or promotional) from your Financial Institutions then complain to them to remove them, citing the problems of identifying genuine vs scam messages. No link is a “safe” link if you want to condition users not to click links. That is one step you can take now without any legislation in place. You can get other members of the fund to similarly respond by posting about the issue on the Social Media pages of the business. I still think that for some time, if not “forever”, there will be some who, even after all links are removed by genuine businesses, will continue to click links in pages (emails and SMS) they receive from scammers.

For us to be active in educating others about hygienic practices with emails and SMS is another way of helping curb the scam issues that we can all do. I believe that even with removal of links by genuine contacts there will still be those who, out of link-clicking habit, will click links that are sent by scammers… Even the problems being raised here will give some new light on the problem and will educate some about how to be safer. Now if anyone thinks I am against legislation that forbids including links in emails by businesses because I wrote “If the suggestion is to make it so email providers remove the links before someone receives them, well I have great concerns about that from a privacy viewpoint”, then perhaps they have misread it. I did not say removal by the businesses sending out the links; I said that I think it is dangerous to let email service providers alter any emails before we receive them. They can pre-filter them into junk folders for us, but alteration of the content comes with the risk that we will not be aware of what level of alteration of the emails is taking place.

I still think the greater outcomes will come from education about safe practices when it comes to using links even on the web, greater protection for those victims of scams, and better enforcement across all Countries rather than a hit-and-miss approach. There will be some pariah Countries such as Nth Korea where actions are State based and are a means to siphon money into State coffers; these will be more difficult to control. There will be some Countries where corruption will remain an issue when it comes to enforcement within their borders. It will take a lot of time to turn the current tech usage patterns we have around, to safer usage of our tech. An early start to education is one key element we seem to be missing. Parents need to reinforce good practices with their children, as do the education systems when teaching about and having children use IT.

So I agree with @syncretic that there are, and will still be, people who, regardless of their skills and/or gullibility, will continue to click on the offers presented in scam emails and SMS.

2 Likes

Thank you for your considered response; you make some good points. Naturally we cannot ‘remove the bad players’ from overseas and control all attempts at scamming consumers; rather I am focussing on what is within the powers of Australian regulators - our financial institutions.

I did complain to Aware exactly as you advise - my first comment near the top of this thread is about how receptive they were to my feedback. I also explored the option of going public on their social media posts, however their posts have been too few and far between for me to post relevant comments.

I absolutely agree with you regarding the dangers of email providers removing links - that would in no way be desirable, for all the reasons you state. I have only ever put forward the suggestion that Australian financial companies should be required to adhere to a code of practice or regulations banning them from sending links. Many already have ceased this practice, yet others, like Aware Super, despite claiming otherwise (again, see my first comment above) choose not to.

I also agree that the most benefit will come from repeated consumer education. Our own home-grown financial institutions have a large role to play in this, and ensuring they all practise what they preach would be a good place to start. As long as some continue to send out links, they’re giving mixed messages and making it very hard for consumers to tell what’s genuine from a scam. There is no way for me to verify the source of those links I was sent - much better for them to have sent me the messages without the links, forcing me to find the website myself rather than trusting the source (which is of course what I did, before complaining to them).

2 Likes

A good hygiene practice.

My response about the legislation was because it seems to me that some may have thought I was against it; I am not against it. I think no link should be in an email from a business. If they want me to attend their site then just make sure to tell me how to get there, don’t give me a potentially dangerous shortcut. Those shortcuts, even from what is or seems to be a genuine business, can be malformed and lead to bad outcomes.

eBay and a number of other selling/buying sites, e.g. Petbarn, still provide links to items they think will interest me. I never click them; they are binned as a matter of course, there are no ifs, buts or maybes when it comes to that type of link. My filters are pretty tight on those issues and I don’t need to check the results. Any site that has the potential for money exchanging hands must not be able to send actual links to items; sure, they can add a picture (though risks are in that as well) and a description, but no links.

2 Likes

Also my thoughts, however including links with emails appears to be the norm. Even for corporates with high profiles consumers may be well attached to.

EG.
Electricity/Gas supplier - also of sporting shoes and ….!

Choice and a survey … Is this the only way?

A frequently remarked upon CC provider. Tap on the respective action.

And finally - do I need some more tools or car wash and wax?

The convenience is that one can be directed to the web page one requires directly from the email. Depending on email preferences, attachments can display within an email. How many know how to expose the web address behind each link, or even bother to check? How effective are the extensions to the more popular AV and internet security packages at detecting and blocking links which cannot be trusted?

1 Like

Doesn’t it make sense and isn’t it about time to stop such practices?

From Cyber.gov.au:

What is phishing?

Phishing is a way cyber criminals trick you into giving them personal information. They send you fraudulent emails or text messages often pretending to be from large organisations you know or trust. They may try to steal your online banking logins, credit card details or passwords. Phishing can result in the loss of information, money or identity theft.
Spear-phishing is when these emails and text messages are highly targeted to the recipient.

See if you can spot a phishing scam.

Spotting phishing attempts can be harder than you think. Take the quiz now to see how you do.


1 Like

Links are an intrinsic way of presenting information. To remove links would mean going back to the days before the WWW and Hyper text. That would be 35 years ago.

A bit ironic that in a post about the dangers of clicking on links, there is a link to click on to take a quiz
:wink:

…And yet the Commonwealth Bank and the ATO can communicate very well without them.

I wouldn’t be too sure of that. They may well claim that they will never provide links that lead to pages that request user details, and maybe provide the full URL to direct one to their official site, but I would bet there are other hyper text fields on an email. Like contact us, privacy policy, unsubscribe, and others.

Have a close look at anything that could be clicked on.

Things are a lot more basic on SMS, but there are still links hidden in hyper text.
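The two posts above ask how many people know how to expose the web address behind each link, and point out that even a “no links” email usually still carries hyperlinks (contact us, privacy policy, unsubscribe). The script below is an added example, not code from the original thread or from any business named in it: it pulls every anchor out of an HTML email body and flags the signs a cautious reader would look for before clicking. The sample message, the sender domain `example-bank.com` and the hosts in it are constructed for the example; the “belongs to the sender’s domain” test is a simple suffix match, which is an assumption standing in for a proper public-suffix check.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample HTML email body (not a real message). The first link's
# visible text is the bank's own URL, but the href points somewhere else.
SAMPLE_HTML = """
<p>Hi, please review your account.</p>
<a href="https://login.example-bank.com.evil-host.test/verify">https://www.example-bank.com/login</a>
<a href="https://www.example-bank.com/contact">Contact us</a>
<a href="http://198.51.100.7/unsub">Unsubscribe</a>
"""

# Visible link text that itself looks like a URL or bare domain.
URL_LIKE = re.compile(r"^(?:https?://)?([A-Za-z0-9.-]+\.[A-Za-z]{2,})(?:[/?#].*)?$")
IPV4 = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    """Lower-cased host part of a URL; bare domains get a scheme prepended first."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def belongs_to(host, domain):
    # Assumption: suffix match on the sender's registrable domain. A real checker
    # would consult the public suffix list instead of this simple rule.
    domain = domain.lower()
    return host == domain or host.endswith("." + domain)


def analyse_links(html, sender_domain):
    """Return one dict per link with the warning flags that apply to it."""
    parser = LinkCollector()
    parser.feed(html)
    report = []
    for href, text in parser.links:
        host = host_of(href)
        flags = []
        if urlparse(href).scheme.lower() != "https":
            flags.append("not-https")            # plain http or no scheme at all
        if IPV4.fullmatch(host):
            flags.append("raw-ip")               # legitimate senders use names, not IPs
        if not belongs_to(host, sender_domain):
            flags.append("off-domain")           # target is not the claimed sender
        if URL_LIKE.match(text) and host_of(text) != host:
            flags.append("text-target-mismatch") # displayed URL differs from real one
        report.append({"href": href, "text": text, "host": host, "flags": flags})
    return report


if __name__ == "__main__":
    for entry in analyse_links(SAMPLE_HTML, "example-bank.com"):
        status = ", ".join(entry["flags"]) or "no warnings"
        print(f"{entry['text']!r:45} -> {entry['host']:45} {status}")
```

Run against the sample, the “Contact us” link comes back clean, the unsubscribe link is flagged as plain http to a raw IP off the sender’s domain, and the login link is flagged because its visible text names the bank while its real target does not. That last case is the one a recipient cannot see without hovering or inspecting the source, which is the point the thread is making about why a consistent no-link policy for logins matters.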

You have changed your tune from the above post to the more recent one.
Anyway, what we are talking about are links in emails and SMS to log in to our accounts in banks, corporations, etc., which could be fake emails or SMS and lead to phishing scams of bank account numbers, bank card numbers etc.
This is what we are advocating: No to links to log in, Yes to notifications. Up to the customers to do the next step.
This is just very simply put; there are many good and informative posts above in the thread worthy of a good look.
Also any positive suggestions are always welcome, and no worries if we are not all in full agreement :wink:

1 Like

I thought the idea was to ban all hyperlinks so that people would become conditioned not to use them. If you ban only some then we are in the same position as we are now requiring people to make a judgment about what is safe and what is not.

1 Like

As I said previously, I have seen malformed unsubscribe links in emails. They were designed to capture logins and some to capture payment details. It would not be any surprise, and even an expected outcome, that some will be used to introduce drive-by malware loads. No link is safe; you are always having to judge if the email is genuine or not. Even some emails from trusted sources have been compromised by hackers.

If links exist in an SMS or an email, then the call to remove some but not others is not going to condition users into not clicking. The elephant in the room is that scammers don’t care and will continue to send emails and SMS that will contain links, and some people will still click them. It needs to be a combined campaign of change and education to overcome the habits (for some almost lifetime habits) of clicking links.

3 Likes

Another really good thread and enjoyed reading about how some people are “conditioned” into their responding, eg. threatened that they need to respond urgently and can’t see it is a scam.

Ok, a crazy idea. We all had to start driving with L plates, then P plates before we became fully licensed drivers. How about we create a similar system for internet users? If you are a new “XYZ” mail user, then you need to complete extra steps before your clicks on email links are processed. Maybe that involves a trusted friend or family member providing a “two factor” approval.

Similar setup for message apps on phones.

Of course you could opt out at any time but then you accept all responsibility.

Am thinking family members would like this for their older relatives who don’t have internet street smarts and can’t tell whether an email is a scam or not?

Sure not for everyone but we need more protections in place for our vulnerable. We do it for driving why not internet access?

3 Likes

Not so crazy in my view. Not sure how it could work in emails, SMS, or social media, but would be a good start in Internet banking. Whilst some scams are only about getting personal details about one, most are about extracting money.

When one first starts out, on ‘L plates’ so to speak, one does not get any money transfer option. Money could be transferred between linked accounts, bills paid using BPAY or card, but no ‘pay anyone’ facility. If for some reason it was required, one would have to apply to get it and then the daily limit would be low. Not too dissimilar to credit cards.

That could help prevent many from being able to transfer many thousands of dollars to scammers.