Protect ourselves - scam phone calls, text messages, emails, including tax scams

BTW, as for the Scamwatch stat: the most money was lost to investment scams, but the over-65s lost (and reported) the biggest amount to scams… any scams.

1 Like

Were they always as successful and common?
There is a significant difference in that the perpetrators today exist through digital manipulation. Their physical existence and location are difficult to determine, and more difficult to trace or legally capture. They are reputed in some instances to have the support or acceptance of the states from which they operate.

Spotting a scam or con requires a different set of skills to that of the past, i.e. looking into the real eyes of the would-be fraudster and judging it an honest face. There is no evidence that in the past we were individually any more adept at spotting a personally communicated mistruth. But were the authorised law enforcers more adept at catching up with the perpetrators and taking them out of circulation?

Consumers can better protect themselves by individual actions. In addition, should we also ask what more should be done to bring the perpetrators to account? It’s a global issue, which needs an effective solution that is greater than any one nation.

To note, there are two types of losses to consider. One is of currency/money. The other is of identity and personal/financial information. The second is not costed in the previously linked statistical reports. It has other uses, including the creation of instability and uncertainty through targeted attacks to disrupt or confuse.

Indeed. When confronted with such a big scale problem like this the best we can do is start with ourselves, and watch out for the more vulnerable members of family and friends.
There is a lot of guidance published by the ACCC, Scamwatch, Cyber security, and also by private organisations such as banks etc.

Scams of different types still have a lot in common and the warning and tips offered are similar:

  • Stop Think Check before you act
  • Careful with links
  • Secure personal info
  • Stay informed on the latest Cyber threats
  • Use strong passwords
  • Keep software up to date
  • Don’t give in to pressure, urgency to act

It is true that scams/theft have been around a long time. Before the digital world there’d be theft of wallets (I’ve heard that there were warnings not to have a wallet sticking out of the back pocket of trousers for pickpockets to lift out) and hand-bag snatching, and fake big notes circulating…

1 Like

An age old problem, supposedly more likely to see one caught. A testimony to the tenacity of the British legal system and many of the recent arrivals to Australian shores. At least up until 9th January, 1868.

  • Is today’s analogy that one should not use readily guessed passwords, or reuse the same one for important logins?
  • A second may be to not use readily guessed PINs on mobile devices, to not lock the device after a few minutes of inactivity, and to allow SMS and email notifications to display content on the lock screen?
  • A more common concern may be failure to keep one’s mobile devices updated against vulnerabilities. It is also a socio-economic factor, with many relying on older or low-cost devices which may be poorly supported and more readily broken into if lost. Leaving your device sitting on tables etc. when out is open to forgetfulness or the stresses of daily living.

Speaking of Adam and of scams going back a long time: according to the ancient origin narrative in the Book of Genesis, Adam and Eve were the victims of the biggest scam ever perpetrated.

Disregarding and doubting the value of all the warnings they had been given, they were instead captivated by the ultimate Influencer, the most cunning of all the animals: the serpent.

Desiring all that was being promised to them, they didn’t fully understand; they didn’t stop to think what they were doing.

And they lost Paradise.

4 Likes

This is a very simplistic solution. Do you think it’s only financial institutions and scammers sending links via SMS? People send friends links to websites, tradies send links to quotes and invoices, even my car repairer sent a link so I could upload photos of the damage to my car as a few examples. Saying they could be emailed instead doesn’t change the fact that a link needs to be shared in many instances for legitimate reasons.

1 Like

Should an alternative consider a means of authenticating the sender and the integrity of the content, including links? Exactly how might that be done?

When we relied on the post (mail) it was generally accepted letters were not routinely being opened and personal details collected by scammers. The system had a built in level of security. Not perfect, but adequate in most instances.

The internet however is a more open environment.

1 Like

The suggestion by @Guitarfish is not as simplistic as you think. That suggestion is to ban financial institutions, not your friends and tradies, from including links in text messages.

1 Like

However, the proposed mechanism for this to work is to train people not to click on any links, as learning not to click on selected links is the current situation, which clearly doesn’t work.

For you this may not work, but for a significant chunk of the population it will. At the moment if people get a message, containing a link, from a bank some will wonder whether it is real or a scam and others will simply click on it because they have previously received legitimate messages containing a link. Even some in the first category will click that link if the message convinces them about the urgency to do so.

If banks are banned from including links there is a simple message for all. That is, if you receive a message appearing to be from a bank, that message is definitely a scam. That one-sentence message is simple and will sink in more easily than more detailed messages. Remember that we are looking at mostly vulnerable people being exploited, so the simpler the message the better.

As we don’t live in utopia, no measure is likely to eliminate the risk. The aim of any measure is to reduce the risk, with the realisation that any measure doesn’t have to fully eliminate the risk to be considered beneficial.

1 Like

As I’ve written, numerous times here, I’m only talking about financial institutions.
Is it ‘simplistic’ to expect banks/Super companies not to send links to contact them, or open a new account, when the source of the email/SMS cannot be verified?
Some banks have already decided it is not ‘simplistic’ to cease the practice of sending links, because of the increased risk of someone clicking on a link in a message which appears to come from a bank (even in the same thread as previous legitimate messages from the bank) but is actually from a scammer.

2 Likes

Got an email from Apple Market Research this morning to participate in a survey of Apple devices. My antennas went up. I would usually just bin such messages, but this morning I remembered the advice to check on the URL. Tapped on it and ‘Verification’ came up:

I don’t participate in surveys anyway but I’m wondering if this is all legit or could it be all spoofed?

PS ‘Learn more’ says that Apple mail supports Brand Indicators for Message Identification (BIMI).

2 Likes

Looks like it could be a possible phishing attempt, especially being unsolicited contact. I never complete surveys, as many are scams or phishing (so-called ‘survey scams’). It is a way that criminals can gain more or missing information. An example being that your information may have been the subject of a hack. Scammers/criminals use ‘surveys’ to fill in the missing pieces to make identity theft or targeted scams more successful.

Noway hosay from me.

3 Likes

Like @phb, I’d treat it as a phishing attempt. Among other things, if it was something “your email provider” has verified, wouldn’t the popup message be FROM that provider?

2 Likes

Is the following just vested interest talking? If there’s a chance it can be spoofed what’s the use?

From postmarkapp.com

Why is BIMI so important for marketers?

BIMI is valuable for both senders and mailbox providers largely because of improved security. Of course, the added benefit of standing out in an inbox is nice, too. Seth Blank, AuthIndicator Working Group’s chair, noted that “BIMI is an exciting case where marketers and security professionals are aligned.”

Here are the three main reasons your brand would want to get on board with BIMI.

  1. It leverages behind-the-scenes security updates

You can’t have BIMI without DMARC implementation. That means that if you want to display your logo in participating inbox providers automatically, you need to make some behind-the-scenes changes. In the end, you protect your brand reputation and ensure nobody is impersonating your domain.

  2. It helps subscribers avoid phishing attempts

There’s an argument that BIMI better trains your customers to recognize messages from you, so you’re protecting them by making it easier to identify messages that aren’t legitimate. The BIMI framework has protections against illegitimate senders spoofing logos. This makes BIMI especially powerful for more at-risk businesses like banks, social media platforms, and major retailers.

From Redsift.com

What does BIMI do?
BIMI inserts a trademarked logo alongside emails of participating providers. It doesn’t stop phishing/spoofing - that’s DMARC’s job - however, if someone tried to spoof you when you have BIMI in place, your logo won’t appear, and depending on your policy, the email may not even arrive.

1 Like
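
The quoted vendor copy says a domain cannot have BIMI without DMARC, and that a spoofed message will not get the logo. The concrete reason is in DNS: the BIMI record lives at `default._bimi.<domain>` and mailbox providers only honour it when `_dmarc.<domain>` is at enforcement (`p=reject`, or `p=quarantine` with `pct=100`, the RFC 7489 default). A message whose From: header is spoofed fails DMARC alignment, so no logo is shown for it regardless of the record. The following script is an added example, not code from the thread or from the vendors quoted above; the TXT records are constructed samples held in a dictionary (no real DNS lookups) so it runs offline, and the domain names are placeholders.

```python
"""Decide whether a domain's DNS posture makes it eligible to show a BIMI logo.

Added example for this thread; not vendor code. The DNS answers are constructed
sample TXT records (assumed), looked up from a dict instead of the network.
"""

# Constructed sample TXT records, keyed by the DNS name you would query.
SAMPLE_DNS = {
    "_dmarc.goodbank.example": "v=DMARC1; p=reject; rua=mailto:dmarc@goodbank.example",
    "default._bimi.goodbank.example": (
        "v=BIMI1; l=https://goodbank.example/logo.svg; a=https://goodbank.example/vmc.pem"
    ),
    # Monitoring-only DMARC: spoofed mail is still delivered, so no logo is permitted.
    "_dmarc.weakbank.example": "v=DMARC1; p=none; rua=mailto:dmarc@weakbank.example",
    "default._bimi.weakbank.example": "v=BIMI1; l=https://weakbank.example/logo.svg;",
    # Quarantine applied to only half of failing mail: also not enforcement.
    "_dmarc.quarantinebank.example": "v=DMARC1; p=quarantine; pct=50",
    "default._bimi.quarantinebank.example": "v=BIMI1; l=https://quarantinebank.example/logo.svg;",
}


def parse_tags(record):
    """Split a 'tag=value; tag=value' TXT record into a dict (tag names lower-cased)."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def lookup_txt(name, dns=SAMPLE_DNS):
    """Stand-in for a DNS TXT query; returns None when the name does not exist."""
    return dns.get(name)


def dmarc_at_enforcement(domain, dns=SAMPLE_DNS):
    """Return (enforced, reason). BIMI needs p=reject, or p=quarantine with pct=100."""
    record = lookup_txt(f"_dmarc.{domain}", dns)
    if record is None:
        return False, "no DMARC record"
    tags = parse_tags(record)
    if tags.get("v", "").upper() != "DMARC1":
        return False, "not a DMARC1 record"
    policy = tags.get("p", "none").lower()
    pct = int(tags.get("pct", "100"))  # RFC 7489 default is 100
    if policy == "reject":
        return True, "p=reject"
    if policy == "quarantine" and pct == 100:
        return True, "p=quarantine pct=100"
    return False, f"p={policy} pct={pct} is not enforcement"


def bimi_status(domain, selector="default", dns=SAMPLE_DNS):
    """Return (eligible, reason) for showing this domain's logo."""
    enforced, why = dmarc_at_enforcement(domain, dns)
    if not enforced:
        return False, f"DMARC not at enforcement ({why})"
    record = lookup_txt(f"{selector}._bimi.{domain}", dns)
    if record is None:
        return False, "no BIMI record"
    tags = parse_tags(record)
    if tags.get("v", "").upper() != "BIMI1":
        return False, "not a BIMI1 record"
    logo = tags.get("l", "")
    if not logo.startswith("https://"):
        return False, "logo URL must be https"
    # The a= tag points at a Verified Mark Certificate; most large mailbox
    # providers require one before they will actually render the logo.
    vmc_note = "with VMC" if tags.get("a") else "no VMC, so many providers will still not render it"
    return True, f"eligible: {logo} ({vmc_note})"


if __name__ == "__main__":
    for d in ("goodbank.example", "weakbank.example", "quarantinebank.example"):
        print(d, bimi_status(d))
```

Against a real domain you would replace `lookup_txt` with an actual TXT query (for example `dig TXT _dmarc.bank.example`) and check the same conditions; the point of the check is that a logo in the inbox tells you the provider already verified DMARC alignment, while its absence on a message that looks like it is from a bank is itself a warning sign.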

I have found that if you hover over the spam links, the bottom of the screen will show the target web address. I have been getting plenty from “Telstra” with web addresses ending in “typedream.app”, all of which I send to ACMA for their assessment.

2 Likes

This recent scam campaign is aimed at users of the LastPass and BitWarden password managers. Email alerts claim to be from those entities, say they’ve been hacked, and instruct recipients to go to a provided link to download a ‘more secure’ version of the password manager.

Of course, what would be downloaded is a remote management tool that gives the hackers full control over that PC.

Bleeping Computer gives good advice about avoiding such scams (my emphasis):

Users of password management tools should ignore such alerts and always login to the provider’s official website to check for any [genuine] security alerts pending review.

Important security incidents like those claimed in the emails are also broadly communicated across the companies’ blogs and via press releases, so double-checking on official channels is always a good practice.

It is also worth remembering that [password manager] companies won’t ever ask for the master password to your [password] vaults.

1 Like

Glad I stuck with my old unpopular password app which stores your stuff on your device.

2 Likes

Warning to LastPass users: there’s another LastPass-targeting phishing scam on the loose. This one’s telling users they need to back up their password vaults because of upcoming system maintenance.

LastPass explicitly confirms it never requests customer master passwords or demands immediate vault backups via email.

2 Likes

A growing scam … financial institution identity re-confirmation scam.

In the last few days, my email server has received quite a few emails that purport to be from financial institutions indicating that the government is requiring all customers to re-confirm their identity and, before that, emails about expired W-8BEN (US tax form).

Like all good scams, it has a kernel of truth and hence is somewhat credible. As part of the extra-judicial punishments arising out of the Banking Royal Commission, all instos were required to re-confirm the identity of all their customers, at least that’s what my bank manager said when I was doing exactly that in response to a real such email. I think the deadline for the banks is soon - and the email will contain threats of losing access to your bank account if you don’t comply.

The emails that I have trapped so far are very poor e.g. From: randomletters.com (or worse) but scammers usually get better over time.

So this combines two good elements of a scam: believability and urgency. And if someone actually clicks on a link and re-confirms their identity then this is scammer’s gold.

Hence as always: if you receive such an email either delete it or, using information that is independent of what you just received (a recent printed statement is always good), locate a phone number for the institution, and call them to see whether the demand is legitimate.

Random internet discussion: https://www.etairosfinance.com.au/single-post/why-your-bank-is-asking-to-re-verify-your-identity-even-if-you-ve-been-a-customer-for-years and Customers wary as banks send identification emails that look like scams - ABC News

(and, yeah, I had a go at the bank above in question for sending an email that for all the world looked like a scam)

3 Likes
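
Two posts above describe manual checks that can be automated for triage: hovering over a link to see that a “Telstra” message really points at a typedream.app host, and noticing that an identity re-confirmation email comes From: a random-letters domain rather than the institution. The script below is an added example, not code from any of the posters; it parses a constructed sample message (the headers, addresses and hosts in it are made up for the demo, and the trusted-domain list is an assumption) and reports the same two findings a careful reader would make by hand: a From: address outside the brand’s domain, and anchors whose visible text or target host does not belong to that brand.

```python
"""Offline triage of a suspicious email: who it claims to be from, where its links go.

Added example for this thread, not a poster's code. RAW_EMAIL is a constructed
sample; TRUSTED_DOMAINS is an assumed allow-list for the brand being impersonated.
"""
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message (addresses and hosts are placeholders).
RAW_EMAIL = """\
From: "Telstra Billing" <notice@randomletters.example>
To: customer@example.net
Subject: Action required: re-confirm your identity
Content-Type: text/html; charset=utf-8

<html><body>
<p>Government rules require all customers to re-confirm their identity or lose access.</p>
<p><a href="https://verify-account.typedream.app/login">https://www.telstra.com.au/myaccount</a></p>
<p><a href="https://www.telstra.com.au/help">Help centre</a></p>
</body></html>
"""

# Assumed: the domains this brand legitimately sends from and links to.
TRUSTED_DOMAINS = {"telstra.com.au"}


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    """Lower-cased hostname of a URL, or '' if it has none."""
    return (urlparse(url).hostname or "").lower()


def under(host, domain):
    """True when host is the domain itself or a subdomain of it."""
    return host == domain or host.endswith("." + domain)


def html_body(msg):
    """Return the decoded text/html part (first one for multipart messages)."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    for part in parts:
        if part.get_content_type() == "text/html":
            return part.get_payload(decode=True).decode(part.get_content_charset() or "utf-8")
    return ""


def triage(raw, trusted_domains):
    """Return a list of human-readable findings; an empty list means nothing flagged."""
    msg = message_from_string(raw)
    findings = []

    # 1. Sender check: the display name is free text, the address domain is what matters.
    display, addr = parseaddr(msg.get("From", ""))
    from_domain = addr.rsplit("@", 1)[-1].lower()
    if not any(under(from_domain, d) for d in trusted_domains):
        findings.append(f"From address domain {from_domain!r} is not trusted for sender {display!r}")

    # 2. Link checks: what the link shows versus where it actually goes.
    collector = LinkCollector()
    collector.feed(html_body(msg))
    for href, text in collector.links:
        target = host_of(href)
        if text.startswith(("http://", "https://")) and host_of(text) != target:
            findings.append(f"link text shows {host_of(text)} but points to {target}")
        if not any(under(target, d) for d in trusted_domains):
            findings.append(f"link to untrusted host {target}")
    return findings


if __name__ == "__main__":
    for finding in triage(RAW_EMAIL, TRUSTED_DOMAINS):
        print("-", finding)
```

The visible-text check catches the classic trick of rendering a genuine-looking URL as the anchor text while the `href` goes elsewhere, which is exactly what hovering reveals; the From-domain check ignores the display name, because that is the part a scammer controls completely. Neither check replaces the advice in the post above (call the institution on a number from a printed statement), but they are cheap to run on a saved .eml before anyone clicks.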