
Hilarious reason dad couldn't be fooled by online scam

<p>One savvy dad has outwitted a scammer who posed as his daughter, after the scammer made one hilarious error. </p> <p>Ian Whitworth, a dad from Sydney, took to his LinkedIn page to share the message a scammer texted him in a classic phishing scam that targets parents. </p> <p>He shared the photo of what he thought was the "funniest phishing text any parent has ever received".</p> <p>The text read, "Hey dad, dropped my phone in the sink while doing the dishes. Its unresponsive this is my new number for now just text me here x."</p> <p>Despite the terrible grammar and punctuation that would immediately alert anyone to the possibility of a scam, it was something else that caught the dad's attention. </p> <p>Instead, Whitworth said it was the fact his daughter would never do the chore mentioned by the scammers.</p> <p>Still, he thought it was worth sharing a photo of the text in a bid to warn others, which he uploaded along with the comment, "Cybersecurity update. I just got this."</p> <p>"Perhaps the funniest phishing txt any parent has ever received. 'Doing the dishes', yeah, for sure."</p> <p>In a reply to one of the people who commented on his post, Whitworth joked that his daughter "at age four emerged from my parents' kitchen with a shocked look on her face. 'What's pop doing?'. He was washing up in the sink."</p> <p>Another commenter wrote, "Haha! There is NO WAY this is from my son or daughter, that's for sure."</p> <p>Another commenter said the giveaway that it wasn't from his own child was that they didn't immediately ask for money, to which Whitworth replied, "Ha, yeah, the phishers are like the seven step ladder of confidence before the money issue gets raised. 
Actual kids: MONEY NOW."</p> <p>According to the federal government's Scamwatch website run by the Australian Competition and Consumer Commission (ACCC), the "Friends/Family Hi Mum" impersonation scam was common.</p> <p>"Scammers send messages pretending to be a family member or a friend desperate for money," it said.</p> <p>"They say they have a new phone and they need you to pay money to help them out of a crisis."</p> <p>Scamwatch warns: "Don't assume a person you are dealing with is who they say they are" and offers the following advice.</p> <p>"If someone you know sends a message to say they have a new phone number, try to call them on the existing number you have for them, or message them on the new number with a question only they would know the answer to," it said.</p> <p>"That way you will know if they are who they say they are."</p> <p><em>Image credits: Getty Images / LinkedIn</em></p>



How QR codes work and what makes them dangerous – a computer scientist explains

<p>Among the many changes brought about by the pandemic is the widespread use of QR codes, graphical representations of digital data that can be printed and later scanned by a smartphone or other device.</p> <p>QR codes have a <a href="https://www.forbes.com/sites/forbescommunicationscouncil/2021/03/25/how-the-pandemic-saved-the-qr-code-from-extinction/" target="_blank" rel="noopener">wide range of uses</a> that help people avoid contact with objects and close interactions with other people, including for sharing <a href="https://www.cnbc.com/2021/08/21/qr-codes-have-replaced-restaurant-menus-industry-experts-say-it-isnt-a-fad.html" target="_blank" rel="noopener">restaurant menus</a>, email list sign-ups, car and home sales information, and checking in and out of medical and professional appointments.</p> <p>QR codes are a close cousin of the bar codes on product packaging that cashiers scan with infrared scanners to let the checkout computer know what products are being purchased.</p> <p>Bar codes store information along one axis, horizontally. QR codes store information in both vertical and horizontal axes, which allows them to hold significantly more data. That extra amount of data is what makes QR codes so versatile.</p> <p><strong>Anatomy of a QR code</strong></p> <p>While it is easy for people to read Arabic numerals, it is hard for a computer. Bar codes encode alphanumeric data as a series of black and white lines of various widths. At the store, bar codes record the set of numbers that specify a product’s ID. Critically, data stored in bar codes is redundant. Even if part of the bar code is destroyed or obscured, it is still possible for a device to read the product ID.</p> <p>QR codes are designed to be scanned using a camera, such as those found on your smartphone. QR code scanning is built into many camera apps for Android and iOS. 
QR codes are most often used to store web links; however, they can store arbitrary data, such as text or images.</p> <p>When you scan a QR code, the QR reader in your phone’s camera deciphers the code, and the resulting information triggers an action on your phone. If the QR code holds a URL, your phone will present you with the URL. Tap it, and your phone’s default browser will open the webpage.</p> <p>QR codes are composed of several parts: data, position markers, quiet zone and optional logos.</p> <figure class="align-center zoomable"><em><a href="https://images.theconversation.com/files/451140/original/file-20220309-17-1jkfl5t.png?ixlib=rb-1.1.0&amp;q=45&amp;auto=format&amp;w=1000&amp;fit=clip"><img src="https://images.theconversation.com/files/451140/original/file-20220309-17-1jkfl5t.png?ixlib=rb-1.1.0&amp;q=45&amp;auto=format&amp;w=754&amp;fit=clip" sizes="(min-width: 1466px) 754px, (max-width: 599px) 100vw, (min-width: 600px) 600px, 237px" srcset="https://images.theconversation.com/files/451140/original/file-20220309-17-1jkfl5t.png?ixlib=rb-1.1.0&amp;q=45&amp;auto=format&amp;w=600&amp;h=372&amp;fit=crop&amp;dpr=1 600w, https://images.theconversation.com/files/451140/original/file-20220309-17-1jkfl5t.png?ixlib=rb-1.1.0&amp;q=30&amp;auto=format&amp;w=600&amp;h=372&amp;fit=crop&amp;dpr=2 1200w, https://images.theconversation.com/files/451140/original/file-20220309-17-1jkfl5t.png?ixlib=rb-1.1.0&amp;q=15&amp;auto=format&amp;w=600&amp;h=372&amp;fit=crop&amp;dpr=3 1800w, https://images.theconversation.com/files/451140/original/file-20220309-17-1jkfl5t.png?ixlib=rb-1.1.0&amp;q=45&amp;auto=format&amp;w=754&amp;h=467&amp;fit=crop&amp;dpr=1 754w, https://images.theconversation.com/files/451140/original/file-20220309-17-1jkfl5t.png?ixlib=rb-1.1.0&amp;q=30&amp;auto=format&amp;w=754&amp;h=467&amp;fit=crop&amp;dpr=2 1508w, 
https://images.theconversation.com/files/451140/original/file-20220309-17-1jkfl5t.png?ixlib=rb-1.1.0&amp;q=15&amp;auto=format&amp;w=754&amp;h=467&amp;fit=crop&amp;dpr=3 2262w" alt="a black-and-white pattern with four numerical markers attached to arrows pointing to portions of the pattern" /></a></em><figcaption><em><span class="caption">The QR code anatomy: data (1), position markers (2), quiet zone (3) and optional logos (4).</span> <span class="attribution"><span class="source">Scott Ruoti</span>, <a class="license" href="http://creativecommons.org/licenses/by-nd/4.0/" target="_blank" rel="noopener">CC BY-ND</a></span></em></figcaption></figure> <p>The data in a QR code is a series of dots in a square grid. Each dot represents a one and each blank a zero in binary code, and the patterns encode sets of numbers, letters or both, including URLs. At its smallest this grid is 21 rows by 21 columns, and at its largest it is 177 rows by 177 columns. In most cases, QR codes use black squares on a white background, making the dots easy to distinguish. However, this is not a strict requirement, and QR codes can use any color or shape for the dots and background.</p> <p>Position markers are squares placed in a QR code’s top-left, top-right, and bottom-left corners. These markers let a smartphone camera or other device orient the QR code when scanning it. QR codes are surrounded by blank space, the quiet zone, to help the computer determine where the QR code begins and ends. QR codes can include an optional logo in the middle.</p> <p>Like barcodes, QR codes are designed with data redundancy. Even if as much as 30% of the QR code is destroyed or difficult to read, <a href="https://www.businessinsider.com/what-is-a-qr-code?op=1" target="_blank" rel="noopener">the data can still be recovered</a>. In fact, logos are not actually part of the QR code; they cover up some of the QR code’s data. 
However, due to the QR code’s redundancy, the data represented by these missing dots can be recovered by looking at the remaining visible dots.</p> <p><strong>Are QR codes dangerous?</strong></p> <p>QR codes are not inherently dangerous. They are simply a way to store data. However, just as it can be hazardous to click links in emails, visiting URLs stored in QR codes can also be risky in several ways.</p> <p>The QR code’s URL can take you to a phishing website that tries to <a href="https://www.ic3.gov/Media/Y2022/PSA220118" target="_blank" rel="noopener">trick you</a> into entering your username or password for another website. The URL could take you to a legitimate website and trick that website into doing something harmful, such as giving an attacker access to your account. While such an attack requires a flaw in the website you are visiting, such vulnerabilities are <a href="https://developer.mozilla.org/en-US/docs/Glossary/Cross-site_scripting" target="_blank" rel="noopener">common on the internet</a>. The URL can take you to a malicious website that tricks another website you are logged into on the same device to take an unauthorized action.</p> <p>A malicious URL could open an application on your device and cause it to take some action. Maybe you’ve seen this behavior when you clicked a Zoom link, and the Zoom application opened and automatically joined a meeting. While such behavior is ordinarily benign, an attacker could use this to trick some apps into revealing your data.</p> <p>It is critical that when you open a link in a QR code, you ensure that the URL is safe and comes from a trusted source. 
Just because the QR code has a logo you recognize doesn’t mean you should click on the URL it contains.</p> <p>There is also a slight chance that the app used to scan the QR code could contain a vulnerability that allows <a href="https://www.lifewire.com/how-to-protect-yourself-from-malicious-qr-codes-2487772" target="_blank" rel="noopener">malicious QR codes to take over your device</a>. This attack would succeed by just scanning the QR code, even if you don’t click the link stored in it. To avoid this threat, you should use trusted apps provided by the device manufacturer to scan QR codes and avoid downloading custom QR code apps.</p> <p><em><a href="https://theconversation.com/profiles/scott-ruoti-1318954" target="_blank" rel="noopener">Scott Ruoti</a>, Assistant Professor of Computer Science, <a href="https://theconversation.com/institutions/university-of-tennessee-688" target="_blank" rel="noopener">University of Tennessee</a></em></p> <p><em>This article is republished from <a href="https://theconversation.com" target="_blank" rel="noopener">The Conversation</a> under a Creative Commons license. 
Read the <a href="https://theconversation.com/how-qr-codes-work-and-what-makes-them-dangerous-a-computer-scientist-explains-177217" target="_blank" rel="noopener">original article</a>.</em></p> <p><em>Image: Getty Images</em></p>
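<p>The checks the article recommends before opening a link decoded from a QR code (is it a plain web link, does it hand off to another app, does it really point at the site the logo suggests?) can be automated in a scanner or a clipboard helper. The following is an added example written for this page, not code from the article or its author; the trusted-host allowlist, the warning texts and the sample payloads are constructed assumptions.</p>

```python
"""Triage of a URL decoded from a QR code before it is opened.

Added example for this page, not code from the article or its author.
The trusted-host list, warning texts and sample payloads are constructed.
"""
import ipaddress
from urllib.parse import urlsplit

# Hypothetical allowlist: hosts an organisation expects on the QR codes it prints.
TRUSTED_HOSTS = {"example.com", "menu.example.com"}

# Only plain web links are candidates for opening in the browser.
WEB_SCHEMES = {"http", "https"}


def triage_qr_payload(payload: str, trusted_hosts=TRUSTED_HOSTS) -> list:
    """Return warnings for a decoded QR payload; an empty list means no concern found."""
    warnings = []
    parts = urlsplit(payload.strip())
    scheme = parts.scheme.lower()

    if not scheme:
        # No scheme at all: plain text, so there is nothing to open.
        return ["not a URL: treat as plain data, do not open"]

    if scheme not in WEB_SCHEMES:
        # tel:, mailto:, WIFI:, zoommtg:// and similar are handed to another app
        # (the Zoom deep-link behaviour the article describes), not to the browser.
        return [f"non-web scheme '{scheme}': payload would be handed to another app"]

    host = (parts.hostname or "").lower()

    if scheme != "https":
        warnings.append("unencrypted http link")

    if parts.username is not None:
        # https://bank.example@evil.example/ puts a trusted-looking name before the real host.
        warnings.append("userinfo before host: lookalike trick, real host is " + repr(host))

    try:
        ipaddress.ip_address(host)
        warnings.append("raw IP address instead of a hostname")
    except ValueError:
        pass  # ordinary hostname

    if any(label.startswith("xn--") for label in host.split(".")):
        warnings.append("punycode hostname: check for lookalike characters")

    if host != "" and host not in trusted_hosts and not any(
        host.endswith("." + t) for t in trusted_hosts
    ):
        warnings.append(f"host '{host}' is not on the trusted list")

    return warnings


if __name__ == "__main__":
    # Constructed payloads covering the cases handled above.
    for p in [
        "https://menu.example.com/table/12",
        "http://example.com/menu",
        "https://bank.example@evil.example/login",
        "zoommtg://zoom.us/join?confno=000",
        "https://xn--exmple-cua.com/",
        "Hey dad, this is my new number",
    ]:
        print(p, "->", triage_qr_payload(p) or ["ok"])
```

<p>The function returns a list of reasons rather than a yes/no so that a scanner can show the user why a link is being held back; an empty list only means none of these specific checks fired, not that the destination is safe.</p>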



An elaborate phishing scam targets rental applicants

<p><span style="font-weight: 400;">An elaborate phishing scam has left Australian rental applicants out of pocket, after real estate listing portal, Domain, was hit by a cyber attack.</span></p> <p><span style="font-weight: 400;">Domain CEO Jason Pellegrino confirmed in a statement that an unauthorised third party had gained access to the site’s administrative systems.</span></p> <p><span style="font-weight: 400;">This resulted in some users who had made rental enquiries being contacted by the scammers via email with requests to pay a deposit to secure their desired property.</span></p> <p><span style="font-weight: 400;">“We have identified a scam that used a phishing attack to gain access to Domain’s administrative systems to engage with people who have made rental property enquiries,” Pellegrino said.</span></p> <p><span style="font-weight: 400;">“We understand the scammers then contacted some of these people by email to suggest that they pay a ‘deposit’ to secure a rental property on a website nominated by the scammer.</span></p> <p><span style="font-weight: 400;">“While this is a serious matter, at this point our investigation shows only a small number of people may have engaged with the scam.</span></p> <p><span style="font-weight: 400;">“Clearly, people are becoming more aware of how to spot suspicious online behaviour and taking protective measures not to engage in such activity.</span></p> <p><span style="font-weight: 400;">“Unfortunately, since COVID, scams like these have been on the rise. 
It is disappointing for us to find out that after such a challenging past twelve months for many of us, some see this as an opportunity to take advantage of others.”</span></p> <p><span style="font-weight: 400;">Since the incident, Pellegrino said Domain had implemented “several additional security controls” and had “elevated our level of monitoring even further”.</span></p> <p><span style="font-weight: 400;">“We continue to implement further ways to identify and prevent phishing and have engaged external security consultants to provide further expertise in the management and prevention of online scams,” he said.</span></p> <p><span style="font-weight: 400;">Phishing scams attempt to trick individuals into sharing personal information such as bank account numbers, passwords, and credit card numbers with scammers.</span></p> <p><span style="font-weight: 400;">According to the Australian Competition &amp; Consumer Commission’s ScamWatch, $227,872 had been lost to 4460 scams in April alone.</span></p>



Woolies shoppers warn of major $250 voucher scam

<p>Woolworths customers are being warned to avoid a major scam email that can be easy to fall for.</p> <p>The email has made its way into the inboxes of many unsuspecting customers and appears to carry the supermarket’s branding, informing customers that they have the opportunity to receive a $250 Woolies gift card for just $1.</p> <p>Customers are told the voucher will be delivered through mail in just three days, as long as a first name, last name, postcode, and credit card details are provided.</p> <p><img style="width: 500px; height: 281.25px;" src="https://oversixtydev.blob.core.windows.net/media/7841474/woolies-2.jpg" alt="" data-udi="umb://media/5c5ffdb3eb4e43209ae93bfc78741f96" /></p> <p>The phishing scam is just one of the latest to have been dropped into the inboxes of naïve, unsuspecting shoppers.</p> <p>Online criminals use highly sophisticated scams that trick customers into giving out personal information.</p> <p>Woolworths told <a href="https://au.news.yahoo.com/woolworths-shoppers-warned-over-250-voucher-scam-003535085.html"><em>Yahoo News Australia</em></a> the emails claiming to offer the $250 voucher are not authorised messages from the supermarket.</p> <p>"As always, we encourage our customers to be vigilant of online and text phishing scams, which seek to imitate well-known brands to collect personal information," a spokesperson said in a statement.</p> <p>"We never ask customers for their personal or banking details in unsolicited communications."</p>



Warnings over Australia Post scam amid coronavirus delivery rush

<p>Australia Post has warned customers of online scams as the postal service continues to struggle with unprecedented demand during the coronavirus pandemic.</p> <p>A fraudulent email is circulating which prompts the recipients to click on a phishing link. The link leads to a fake Australia Post website, which requests personal and financial information.</p> <p>“The email claims that your parcel was unable to be delivered and overweight, and asks for a payment to retrieve your package,” the company said.</p> <p><iframe src="https://www.facebook.com/plugins/post.php?href=https%3A%2F%2Fwww.facebook.com%2Faustraliapost%2Fposts%2F10158359308595667&amp;show_text=true&amp;width=552&amp;height=482&amp;appId" width="552" height="482" style="border: none; overflow: hidden;" scrolling="no" frameborder="0" allowtransparency="true" allow="encrypted-media"></iframe></p> <p>A previous alert also warned customers against fake websites branded with the Post Billpay logo.</p> <p>“Please note that Australia Post will never email or text message you asking for personal information, financial information or a payment.”</p> <p>Australia Post advised customers who have sent any personal or financial information to a scam email address or website to call ID CARE on 1300 432 273.</p> <p>The scam alerts came as Australia Post continues to deal with increased parcel volumes. 
In late April, the postal company said its parcel deliveries had <a href="https://thenewdaily.com.au/finance/consumer/2020/04/22/australia-post-parcels-coronavirus/">doubled in the past month</a> as online department store purchases rose <a href="https://www.abc.net.au/news/2020-04-22/waiting-on-a-parcel-from-australia-post-why-its-taking-so-long/12172772">473 per cent</a>.</p> <p>Many Australians waiting for deliveries at home have seen their online orders delayed for weeks.</p> <p>“We are doing everything possible to keep delivering during the Coronavirus pandemic,” Australia Post said on its website.</p> <p>“The challenges presented by the pandemic mean there are delays as our business adopts additional safety measures to protect our people and customers.</p> <p>“Other factors contributing to delays include fewer domestic flights, international delays and increased volumes as more people start shopping online.”</p>



Commonwealth Bank issues urgent warning over phishing scam

<p>Commonwealth Bank has issued an urgent warning telling customers of an email scam that has hit thousands of unsuspecting inboxes across Australia.</p> <p>The scam, which contains the words “CommBank”, was detected on November 29 by anti-virus software company MailGuard.</p> <p>Customers have received an email asking them to verify recent transactions on their card.</p> <p>“We encourage our customers to stay vigilant and look out for fraud and scams,” a spokesperson told <a rel="noopener" href="https://7news.com.au/business/banks/commonwealth-bank-issues-urgent-warning-on-new-email-scam-hitting-inboxes-right-now-c-587199" target="_blank"><em>7NEWS.com.au</em></a>.</p> <p>“We offer our customers the benefit of our 100 per cent guarantee against online fraud where they are not at fault.</p> <p>“Where there is fraudulent activity, our process is to fully reimburse our customers as quickly as possible to minimise inconvenience.”</p> <p><img style="width: 500px; height: 281.25px;" src="https://oversixtydev.blob.core.windows.net/media/7833028/commbank.jpg" alt="" data-udi="umb://media/881a4a09c8e34134bef991afd5b851ab" /></p> <p>A blog post shared by MailGuard about the phishing scam gave clear signs customers can follow to check whether emails from their bank are authentic.</p> <p>The post advised checking for spelling errors and being aware of whether a link takes you to the actual bank website or not.</p> <p>“This is another reminder for those who utilise online banking, to pay close attention to the emails they receive from their banks,” the post read.</p> <p>“To best protect yourself, it is imperative that you do not click any link contained within an email, especially if it does not address you by name.”</p> <p>Anyone who believes they have been scammed is urged to contact Commonwealth Bank.</p>



PayID data breaches show that Aussie banks need to be more vigilant

<p>When we think of a bank robbery, we might imagine a safe with the door blown open. But nowadays it might be more accurate to picture criminals accessing our bank account online from another country. Bank robbers don’t need balaclavas and shotguns anymore.</p> <p>Australian banks have long provided convenient ways for customers to transfer funds. But the process of remembering and entering BSB and account numbers is prone to human error. Enter <a href="https://payid.com.au/">PayID</a>.</p> <p>PayID allows customers to attach their mobile phone number or email address to their bank account. They can then simply provide these details to other people, providing a convenient way to receive payments.</p> <p>It can only be used for incoming payments, rather than outgoing ones. So you might think that makes it less of a tempting target for hackers. But that’s not necessarily the case.</p> <p><a href="https://www.nppa.com.au/wp-content/uploads/2018/12/New-Payments-Platform-Financial-Services-Media-Release.pdf">Launched in February 2018</a> by <a href="https://www.nppa.com.au/the-company/">New Payments Platform Australia</a>, an alliance of 13 banks, PayID is reportedly available to <a href="https://www.nppa.com.au/wp-content/uploads/2019/02/NPP-One-year-on.pdf">more than 52 million account holders</a> across almost all major financial institutions. 
By February 2019, some 2.5 million PayID identifiers had been created, and 90 million transactions totalling more than A$75 billion had been processed.</p> <p>When entering a PayID mobile phone number to make a payment, the full name of the account holder is displayed, so the person making the payment can ensure they are sending it to the right PayID account.</p> <p>Shortly after the service launched, Twitter users began pointing out that this means you can enter random phone numbers and, if that number has been linked to a PayID account, the account holder’s name will show up – rather like a phone book in reverse.</p> <p><a href="https://images.theconversation.com/files/292436/original/file-20190913-8687-1rizahf.png?ixlib=rb-1.1.0&amp;q=45&amp;auto=format&amp;w=1000&amp;fit=clip"><img src="https://images.theconversation.com/files/292436/original/file-20190913-8687-1rizahf.png?ixlib=rb-1.1.0&amp;q=45&amp;auto=format&amp;w=754&amp;fit=clip" alt="" /></a> <span class="caption">Twitter posting of PayID details.</span> <span class="attribution"><span class="source">@anthonycr0</span></span></p> <p>The following day, on February 17, 2018, NPP Australia acknowledged this issue in a <a href="https://www.nppa.com.au/wp-content/uploads/2018/12/PayID-privacy-statement.pdf">media release</a>, but effectively dismissed users’ concerns:</p> <blockquote> <p>While unfortunate for the individuals involved, the discussion highlights the choice and benefits to be considered by users when they opt in to create a PayID.</p> </blockquote> <p>This is not exactly reassuring for bank customers whose details were publicly posted. 
And developments this year suggest that the underlying problems persist.</p> <p><strong>Better luck next time?</strong></p> <p>In June 2019, around <a href="https://www.businessinsider.com.au/100000-australians-reportedly-at-risk-of-fraud-as-hackers-attack-westpacs-payid-platform-2019-6">98,000 PayID details were obtained</a> after hackers used several online bank accounts to carry out <a href="https://www.smh.com.au/business/banking-and-finance/australians-private-details-exposed-in-attack-on-westpac-s-payid-20190603-p51u2u.html">more than 600,000 PayID lookups over the course of six weeks</a>, reportedly by simply entering phone numbers in sequential order.</p> <p>It is not clear who was to blame, although there are allegations of a <a href="https://www.theage.com.au/business/banking-and-finance/australians-private-details-exposed-in-attack-on-westpac-s-payid-20190603-p51u2u.html">leaked memo pointing the finger at US-based fraudsters</a>.</p> <p>The exact motive is unclear, but any personal data has value in the underground economy. In this case, the data could potentially be used as part of a more complex phishing scam designed to steal further information from account holders.</p> <p>Although this is clearly a very simple attack involving nothing more sophisticated than simple trial and error, it appears the PayID system did not detect the large number of lookups – an average of 14,000 per account – or the speed with which they were undertaken.</p> <p>To give a real-world example, it would be like going into your bank 14,000 times and handing over a different piece of identification each time.</p> <p>This high volume of lookups should have raised significant security concerns. While legitimate users could be forgiven for needing a couple of tries to punch in the right number, no one should need thousands of attempts.</p> <p>It should have been a simple security step to add lookup limits and to identify this as highly abnormal behaviour. 
Yet neither the bank concerned nor NPP Australia had implemented mechanisms to detect or prevent this form of misuse.</p> <p>After a security breach this size, the banks might reasonably be expected to take urgent steps to prevent it happening again. But it did happen again, two months later.</p> <p>In August 2019, a further <a href="https://www.canstar.com.au/online-banking/payid-hack-which-bank-accounts-hit/">92,000 PayIDs were exposed</a>. In this case, it was reported that the breach happened <a href="https://www.nppa.com.au/uplifting-cybersecurity-controls/">within the systems of a financial institution connected to the NPP Australia systems</a>. Worryingly, this breach reportedly revealed users’ full name, BSB and account number.</p> <p>Banks were quick to <a href="https://www.nppa.com.au/uplifting-cybersecurity-controls/">reassure customers</a> that this does not allow transactions to be undertaken. However, it did deliver yet more valuable information into the hands of cyber criminals – further enabling phishing opportunities.</p> <p>While affected customers have been contacted, the only option to remove this risk is to stop using PayID. This is easily done but removes the convenience factor for most bank customers.</p> <p><strong>What’s the real risk?</strong></p> <p>Because the system enables payments <em>into</em> accounts, rather than authorising withdrawals <em>from</em> them, the risk may seem minor. Indeed, many in the banking sector have dismissed it as such. But there is a deeper risk.</p> <p><a href="https://theconversation.com/phishing-scams-are-becoming-ever-more-sophisticated-and-firms-are-struggling-to-keep-up-73934">Phishing</a> is a form of cyber crime in which victims are tricked into revealing confidential information through convincing-looking emails or SMS messages. 
Unfortunately, there are already examples of this in relation to PayID.</p> <p><em><img src="https://images.theconversation.com/files/292438/original/file-20190913-8674-1cbmg07.png?ixlib=rb-1.1.0&amp;q=45&amp;auto=format&amp;w=754&amp;fit=clip" alt="" /> <span class="caption">Real examples of PayID-related SMS phishing messages.</span> <span class="attribution"><span class="source">canstar.com</span></span></em></p> <p>The approach depicted above is not particularly sophisticated. But imagine a more tailored email message quoting examples of identifiable information (PayID, full name) or, as with the most recent breach, BSB and account number.</p> <p>Coupled with the correct branding and reassuring words of your bank, it would be easy to convince an unsuspecting user of the need to “login to change your PayID for security reasons”. Just a few minutes of creativity on a computer can produce convincing results.</p> <p>The image shown below was created to show how easy this process is. It uses genuine branding, but the “login” button could easily be set to direct users to a website designed to steal login credentials.</p> <p><em><img src="https://images.theconversation.com/files/292440/original/file-20190913-8701-1nq3pl8.png?ixlib=rb-1.1.0&amp;q=45&amp;auto=format&amp;w=754&amp;fit=clip" alt="" /> <span class="caption">Mock-up of a potential PayID-related phishing email.</span></em></p> <p>With the <a href="https://www.mebank.com.au/news/household-financial-comfort-report/">ME Household Financial Comfort Report</a> indicating that almost 50% of households have at least A$10,000 in savings, there is a clear incentive for cyber criminals to target our bank accounts. As with any phishing attack, it only takes a few people to succumb to make the enterprise worthwhile.</p> <p>Although bank customers can do little more than think twice before responding to messages, the real power is with the banks. 
Simply being alert to unusual patterns of behaviour would have prevented these security breaches.</p> <p>This is not new territory for financial institutions, who routinely look for <a href="https://www.cnbc.com/id/46907307">unusual patterns in credit card transactions</a>. Perhaps it is time to apply these same concepts in other scenarios and better protect Australia’s banking customers.</p> <p><em><a href="https://theconversation.com/profiles/paul-haskell-dowland-382903">Paul Haskell-Dowland</a>, Associate Dean (Computing and Security), <a href="http://theconversation.com/institutions/edith-cowan-university-720">Edith Cowan University</a></em></p> <p><em>This article is republished from <a href="http://theconversation.com">The Conversation</a> under a Creative Commons license. Read the <a href="https://theconversation.com/payid-data-breaches-show-australias-banks-need-to-be-more-vigilant-to-hacking-123529">original article</a>.</em></p>
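<p>The article's point is that the June 2019 enumeration (hundreds of thousands of lookups, roughly 14,000 per account, numbers tried in sequential order) should have been caught by a per-account lookup limit and a check for abnormal behaviour. The following is an added example written for this page, not code from the article, from NPP Australia or from any bank: it runs three such checks over a lookup log. The log line format, the thresholds and the sample lines are constructed assumptions; a real deployment would tune them to observed legitimate use.</p>

```python
"""Spotting PayID-style lookup enumeration in a lookup log.

Added example for this page, not code from the article, NPP Australia or any bank.
The log format, thresholds and sample lines are constructed for the example.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed thresholds; a real deployment tunes these to observed legitimate use.
MAX_LOOKUPS_PER_WINDOW = 20        # lookups one customer account may make per window
WINDOW = timedelta(minutes=10)
MIN_SEQUENTIAL_RUN = 5             # consecutive queried numbers increasing by exactly 1
MIN_LOOKUPS_FOR_HIT_RATE = 10
LOW_HIT_RATE = 0.2                 # enumeration mostly hits numbers with no PayID


def parse_line(line):
    """Log line format (constructed): '<ISO time> <customer account> <queried mobile> <hit|miss>'."""
    ts, account, mobile, result = line.split()
    return datetime.fromisoformat(ts), account, mobile, result == "hit"


def analyse(lines):
    """Return {account: [reasons]} for accounts whose lookups look like enumeration."""
    recent = defaultdict(deque)            # account -> timestamps inside WINDOW
    last_number, run = {}, defaultdict(int)
    totals = defaultdict(lambda: [0, 0])   # account -> [lookups, hits]
    findings = defaultdict(set)

    for line in sorted(lines):             # ISO timestamps sort chronologically
        ts, account, mobile, hit = parse_line(line)

        # 1. Burst detection: sliding window of lookups per account.
        q = recent[account]
        q.append(ts)
        while ts - q[0] > WINDOW:
            q.popleft()
        if len(q) > MAX_LOOKUPS_PER_WINDOW:
            findings[account].add("burst")

        # 2. Sequential probing: numbers tried in ascending order, one apart.
        n = int(mobile)
        run[account] = run[account] + 1 if last_number.get(account) == n - 1 else 1
        last_number[account] = n
        if run[account] >= MIN_SEQUENTIAL_RUN:
            findings[account].add("sequential")

        totals[account][0] += 1
        totals[account][1] += int(hit)

    # 3. Hit rate: a customer who knows the number they are paying mostly gets hits.
    for account, (count, hits) in totals.items():
        if count >= MIN_LOOKUPS_FOR_HIT_RATE and hits / count < LOW_HIT_RATE:
            findings[account].add("low-hit-rate")

    return {account: sorted(reasons) for account, reasons in findings.items()}


def build_sample_log():
    """Constructed log: one ordinary customer plus one account sweeping 30 consecutive numbers."""
    lines = [
        "2019-05-01T09:00:00 cust-legit 0412345678 miss",   # first try mistyped
        "2019-05-01T09:00:40 cust-legit 0412345687 hit",
        "2019-05-01T12:15:00 cust-legit 0498765432 hit",
    ]
    start = datetime(2019, 5, 1, 9, 30, 0)
    for i in range(30):
        ts = (start + timedelta(seconds=i)).isoformat()
        result = "hit" if i in (4, 19) else "miss"
        lines.append(f"{ts} cust-bulk {412000000 + i:010d} {result}")
    return lines


if __name__ == "__main__":
    for account, reasons in analyse(build_sample_log()).items():
        print(account, reasons)
```

<p>The ordinary customer's two tries to get a number right stay well under every threshold, while the sweeping account trips all three checks within its first minute. The sliding-window count in step 1 is also the state a lookup endpoint would keep to refuse the request in line, rather than only flagging it afterwards.</p>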



How to stop hackers from attacking your mobile phone while online shopping

<p><span style="font-weight: 400;">In new research revealed by Norton’s cyber safety insight report, about 30 per cent of shoppers have fallen victim to cybercrime in the past year at a cost of a shocking $1.3 billion.</span></p> <p><span style="font-weight: 400;">The report noted that 21 per cent of smartphone users had no idea that their device was able to be hacked.</span></p> <p><span style="font-weight: 400;">Cybercrime expert Julian Plummer agrees that users are more lax about mobile security than about their laptops.</span></p> <p><span style="font-weight: 400;">“As mobile becomes increasingly de rigueur the security risk to consumers will only rise,” said Mr Plummer, who is the managing director of Midwinter Financial Services in Sydney.</span></p> <p><span style="font-weight: 400;">There are two main ways your smartphone can be hacked: through phishing and over public wi-fi networks.</span></p> <p><span style="font-weight: 400;">As hackers are only getting smarter at duping their victims when it comes to phishing, sophisticated criminals are now impersonating big-name brands, including banks and other institutions.</span></p> <p><span style="font-weight: 400;">“It used to be that seeing a padlock in the URL bar meant that the site was safe, but now hackers are ‘securing’ their sites using cheap security certificates to provide a false sense of security,” Mr Plummer told </span><a href="https://thenewdaily.com.au/life/tech/2019/05/29/mobile-phone-cybercrime-safety/"><span style="font-weight: 400;"><em>The New Daily</em></span></a><span style="font-weight: 400;">.</span></p> <p><span style="font-weight: 400;">The second way is via public Wi-Fi networks, and it is surprisingly sophisticated.</span></p> <p><span style="font-weight: 400;">“Hackers use a ‘Wi-Fi pineapple’ to mimic a public wi-fi access point,” he explained.</span></p> <p><span style="font-weight: 400;">“Unfortunately, logging on to these malicious wi-fi access points allows hackers to
intercept any unencrypted personal data. Always be very wary when connecting to an untrusted wi-fi network – especially overseas.”</span></p> <p><span style="font-weight: 400;">It’s easy to protect yourself from hackers though, according to Mr Plummer.</span></p> <p><span style="font-weight: 400;">“The crucial thing for mobile phone users is to stop reusing passwords,” Mr Plummer said.</span></p> <p><span style="font-weight: 400;">“With a major security breach happening almost on a monthly basis, if hackers were to get your password from one shopping website, they then have access to all your online accounts if you re-use your password.”</span></p> <p><span style="font-weight: 400;">The second way to keep your information safe might be tedious, but it’ll be worth it in the long run. It involves keeping your phone’s operating system up to date.</span></p> <p><span style="font-weight: 400;">“The main reason manufacturers provide updates is to close off security loopholes within their device,” Mr Plummer said.</span></p> <p><span style="font-weight: 400;">“Hackers are well versed in any security bugs in your mobile device, so make sure you have automatic updates turned on for your mobile phone.”</span></p>

Technology


Were you affected? Sophisticated scam targets NAB customers

<p><span style="font-weight: 400;">Customers who bank with NAB, one of Australia’s big four banks, have been targeted by a sophisticated phishing scam.</span></p> <p><span style="font-weight: 400;">Online scammers are impersonating the bank in the hope of obtaining confidential details from its customers.</span></p> <p><span style="font-weight: 400;">Email security company MailGuard discovered the scam, according to </span><a href="https://finance.nine.com.au/small-business/nab-scam-fake-bpay-transaction-attempts-to-steal-personal-information/b1f47fe3-2b15-4aa8-8ee3-cec6078545ac"><span style="font-weight: 400;">Nine Finance</span></a><span style="font-weight: 400;">. The emails have been sent from several compromised accounts pretending to be NAB.</span></p> <p><span style="font-weight: 400;">Customers receive an email that looks like official correspondence from NAB, explaining that their last BPAY payment has been put on hold. It invites victims to click a provided link to check their transaction history.</span></p> <p><span style="font-weight: 400;">Once victims click the link, they are taken to a page that looks like the official NAB login page but is a sophisticated copy.</span></p> <p><span style="font-weight: 400;">“Unsuspecting recipients who click on the link to check their BPAY Payment status are led to a convincing-looking copy of the NAB login page. This is actually a phishing page,” explained MailGuard.</span></p> <p><span style="font-weight: 400;">Once login details have been entered, they are harvested by the criminals, who then redirect the victim to the actual NAB website.</span></p> <p><span style="font-weight: 400;">“Cybercriminals have taken great pains to replicate official landing pages from NAB – including incorporating the bank’s branding and logo using high-quality graphical elements. All this is done in an attempt to trick the users into thinking the scam is legitimate,” explained MailGuard.</span></p>

Money & Banking


Watch out! Scammers are now targeting you using Google Calendar

<p><span style="font-weight: 400;">Experts from international security firm Kaspersky have discovered that calendar apps are being targeted in a new type of phishing scam.</span></p> <p><span style="font-weight: 400;">A phishing scam is one that attempts to trick you into giving out your personal information, including your bank account numbers, passwords and credit card numbers.</span></p> <p><span style="font-weight: 400;">The new scam exploits a default setting that automatically adds invitations and events to calendar apps unless it is turned off manually.</span></p> <p><span style="font-weight: 400;">Kaspersky security researcher Maria Vergelis said scammers hope the “calendar phishing” technique will catch unsuspecting victims off guard, according to </span><a href="https://finance.nine.com.au/personal-finance/google-calendar-scam-google-calendar-scam-kaspersky-discover-new-phishing-attack/0d3e39a1-4132-4dd4-90da-30c4a3b2977d"><span style="font-weight: 400;">Nine Finance</span></a><span style="font-weight: 400;">.</span></p> <p><span style="font-weight: 400;">“The ‘calendar scam’ is a very effective scheme as currently people have more or less gotten used to receiving spam messages from emails or messengers and do not immediately trust them,” she explained.</span></p> <p><span style="font-weight: 400;">“This may not be the case when it comes to the Calendar app, which has a main purpose to organise information rather than transfer it.”</span></p> <p><strong>How the scam works</strong></p> <p><span style="font-weight: 400;">The scam sends a pop-up notification of an invitation to the victim’s smartphone, and the recipient is encouraged to click on a link.</span></p> <p><span style="font-weight: 400;">Once the user clicks the link, they are redirected to a website featuring a simple questionnaire with prize money on offer. To receive the prize, they are asked to enter personal information such as their credit card number, name, phone number and address.</span></p> <p><span style="font-weight: 400;">This information goes straight to the scammers, who exploit it for money.</span></p> <p><strong>How to disable automatic invites</strong></p> <p><span style="font-weight: 400;">“So far, the sample we’ve seen contains text displaying an obviously weird offer, but as it happens, every simple scheme becomes more elaborate and trickier with time,” Vergelis warned.</span></p> <p><span style="font-weight: 400;">“The good news is one also doesn’t need any sophisticated precautions to avoid such scam - the feature that enables it can be easily turned off in the calendar settings.”</span></p> <p><span style="font-weight: 400;">Disabling the “automatic invites” feature is easy enough.</span></p> <ul> <li style="font-weight: 400;"><span style="font-weight: 400;">Open Google Calendar</span></li> <li style="font-weight: 400;"><span style="font-weight: 400;">Click the settings gear icon</span></li> <li style="font-weight: 400;"><span style="font-weight: 400;">Click “Event Settings”</span></li> <li style="font-weight: 400;"><span style="font-weight: 400;">Click on the drop-down menu and select: “No, only show invitations to which I've responded”</span></li> </ul> <p><span style="font-weight: 400;">Google are well aware of this scam, but stopping all spam is not an easy task.</span></p> <p><span style="font-weight: 400;">“Combating spam is a never-ending battle, and while we've made great progress, sometimes spam gets through,” Google said in a statement.</span></p> <p><span style="font-weight: 400;">“We remain deeply committed to protecting all of our users from spam: We scan content on Photos for spam and provide users the ability to report spam in Calendar, Forms, Google Drive, and Google Photos, as well as block spammers from contacting them on Hangouts.”</span></p>

Technology


New scam warning for ANZ bank customers – beware of this email

<p>ANZ are warning customers of a new email scam that’s targeting their internet banking login details.</p> <p>This is a sophisticated email scam, as the email address being used looks similar to ANZ’s support email. The scam email address is: @anzsupport.cf.</p> <p>The body of the ANZ-branded email goes into detail, explaining that the bank will be introducing “challenge questions” to protect customers and add an extra layer of security.</p> <blockquote class="twitter-tweet" data-lang="en"> <p dir="ltr">Warning: Be wary of this <a href="https://twitter.com/hashtag/phishing?src=hash&amp;ref_src=twsrc%5Etfw">#phishing</a> <a href="https://twitter.com/hashtag/email?src=hash&amp;ref_src=twsrc%5Etfw">#email</a> scam mimicking <a href="https://twitter.com/ANZ_AU?ref_src=twsrc%5Etfw">@ANZ_AU</a> . Directing users to confirm their ‘challenge questions’, the emails look legitimate, complete with the bank’s branding &amp; logos. Don’t click on any <a href="https://twitter.com/hashtag/links?src=hash&amp;ref_src=twsrc%5Etfw">#links</a>. More details in our blog soon <a href="https://twitter.com/hashtag/fastbreak?src=hash&amp;ref_src=twsrc%5Etfw">#fastbreak</a> <a href="https://twitter.com/hashtag/zeroday?src=hash&amp;ref_src=twsrc%5Etfw">#zeroday</a> <a href="https://twitter.com/hashtag/hacked?src=hash&amp;ref_src=twsrc%5Etfw">#hacked</a> <a href="https://t.co/TOLJvzVUr9">pic.twitter.com/TOLJvzVUr9</a></p> — MailGuard (@MailGuard) <a href="https://twitter.com/MailGuard/status/1103064693629845505?ref_src=twsrc%5Etfw">March 5, 2019</a></blockquote> <p>Once customers click on the link to confirm their challenge questions, they are taken to an authentic-looking ANZ login page, which asks for their customer registration number and password.</p> <p>Naturally, once these details are entered, the hackers have the customer’s internet banking login details and the sensitive information has been handed over.</p> <p>Customers are then taken to a page where they choose three challenge questions and provide answers.</p> <p>Once the questions are finished, the customer is taken back to the official ANZ AU page, which makes the scam even more convincing due to the consistent ANZ branding all the way through.</p> <p>Email security firm <a rel="noopener" href="https://www.mailguard.com.au/blog/warning-anz-bank-impersonated-in-phishing-email-that-asks-users-to-confirm-challenge-questions" target="_blank">MailGuard</a> explains why the criminals have gone into such great detail.</p> <p>“Cybercriminals have taken great pains to replicate official landing pages from ANZ – including incorporating the bank’s branding and logo using high-quality graphical elements.</p> <p>“If you tell the scammers your security question, it allows them to attempt other fraudulent actions, such as calling them back and trying to access your accounts.”</p> <p>ANZ have advised their customers to be on the lookout, as the bank does not send emails asking for personal information or security credentials.</p> <p>If you’ve received an ANZ scam email, here are some steps you can take:</p> <ul> <li>Do not open any attachments or enter any personal information.</li> <li>Forward the suspicious email to <a rel="noopener" href="mailto:hoax@cybersecurity.anz.com" target="_blank">hoax@cybersecurity.anz.com</a>.</li> <li>Delete the message from your inbox.</li> </ul> <p>Have you received this scam ANZ email? Let us know in the comments.</p>

Legal


The new Aussie Netflix scam you need to be aware of

<p>Aussie Netflix users are being warned to take extreme caution after a sophisticated email scam was found to have been sent across Australia.</p> <p>The high-quality email being sent to unsuspecting Australians tricks users into believing it comes from the legitimate streaming platform.</p> <p>The scam aims to steal information from Netflix users by telling them their account has been “temporarily suspeneded (sic)”, to be restored only after they hand over personal information to “verify” their details.</p> <p>The phishing email claims the user’s account has been “suspeneded (sic)” due to “issues in the automatic verification process”.</p> <p>“For this reason we suspended your account, until you verify all required informations (sic) and update your payment method,” the email explains.</p> <p>Despite the spelling errors and the savviness of many technology users, experts are warning people to stay alert.</p> <p>MailGuard, an email security company, says it first detected the email scam on Monday evening.</p> <p>“Sent via a malicious sender, the emails use a display name of ‘NETFLlX’ with a lower case ‘L’ character to replace the ‘i’,” the statement said.</p> <blockquote class="twitter-tweet" data-lang="en"> <p dir="ltr">Marie Kondo your inbox by tidying up your emails and discarding anything like this, because this scam will not spark joy. ✨🙅🏻‍♀️<br /><br />Beware of a fake Netflix email scam that’s going around. If you get this email do not click on links or enter personal data.<br /><br />Image courtesy of 9 News. <a href="https://t.co/YyBA0Liq9c">pic.twitter.com/YyBA0Liq9c</a></p> — NSW Police Force (@nswpolice) <a href="https://twitter.com/nswpolice/status/1090103603165970432?ref_src=twsrc%5Etfw">January 29, 2019</a></blockquote> <p>Clicking the “UPDATE YOUR DETAILS” link takes users to a fake Netflix login page that is incredibly similar to the streaming service’s official login page.</p> <p>If a user enters their details on the page, the cybercriminals capture that information, which can then be used for identity theft and fraud.</p> <p>MailGuard warns there are several signs that an email purporting to come from Netflix could be fake.</p> <p>“There are several grammatical and spelling errors within the body, such as the bolded ‘suspended’.</p> <p>“Spacing errors are also present throughout the email.”</p> <p>A Netflix spokesperson said the security of member accounts is treated with the utmost care, and that the company “employs numerous proactive measures to detect fraudulent activity.”</p> <p>If you receive an email like the one above, delete it immediately.</p> <p>SEE MORE: <a href="https://www.oversixty.com.au/entertainment/technology/are-you-too-smart-to-fall-for-an-online-scam-take-this-quiz">Are you too smart to fall for an online scam? Take this quiz</a></p>

Technology


Are you too smart to fall for an online scam? Take this quiz

<p>Millions of people fall for scam emails every day. To respond to this problem, Google has launched a new quiz to test your ability to identify phishing emails.</p> <p>Phishing – attempts to steal your sensitive information such as passwords, account numbers and credit card details – is “the most common form of cyberattack”, according to Google’s Jigsaw product manager Justin Henck. “One percent of emails sent today are phishing attempts.”</p> <p>To raise awareness about phishing and cyber security, Google’s technology incubator Jigsaw created the quiz with the help of about 10,000 journalists, activists and political leaders across the world.</p> <p>The questions were designed to teach people to spot the techniques hackers use to trick them, as well as the telltale signs of phishing emails.</p> <p><img style="width: 500px; height: 210.9375px;" src="https://oversixtydev.blob.core.windows.net/media/7822956/jigsawgoogle.png" alt="" data-udi="umb://media/a8fc76888e0c46a2b25768e69c87b13a" /></p> <p>Below are the tips that the quiz shares:</p> <ul> <li>Be cautious about attachments and hyperlinks, including URLs designed to look like popular websites, which may send you to fraudulent login pages.</li> <li>Read the sender’s email domain carefully to make sure the email comes from a legitimate/official source.</li> <li>When opening PDF attachments, make sure you trust the sender and use a browser or an online service to open them safely.</li> <li>Approve account access requests only if you trust the developer. You can check this by evaluating the domain that is displayed and clicking on it for more details.</li> </ul> <p>Apart from knowing the signs, Henck also recommended enabling two-step verification on your account.</p> <p>“When you have two-factor authentication enabled, even if an attacker successfully steals your password, they won’t be able to access your account,” said Henck.</p> <p>Take the quiz <a rel="noopener" href="https://phishingquiz.withgoogle.com/" target="_blank">here</a>.</p> <p>Have you been the victim of any email scams? Share your story in the comments.</p>
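The two sender tricks described in the Netflix and ANZ articles above (a display name such as ‘NETFLlX’ with a lowercase L standing in for the I, and a lookalike domain such as anzsupport.cf) can be checked mechanically before a reader ever has to follow the quiz's advice to read the sender's domain carefully. The following is an added example, not code from Google, MailGuard or this site; the brand allowlist, the confusable-character table and the sample From: headers are constructed for illustration.

```python
"""Flag From: headers that impersonate a brand via a look-alike display name
or a domain that merely contains the brand name (added example; the
allowlist and samples below are constructed, not from any vendor)."""
from email.utils import parseaddr

# Assumed allowlist: brand name -> domains allowed to send on its behalf.
BRAND_DOMAINS = {
    "netflix": {"netflix.com"},
    "anz": {"anz.com"},
    "nab": {"nab.com.au"},
}

# Glyphs that look alike in common fonts, each folded to one canonical letter,
# so 'NETFLlX' (lowercase L for I) normalises to the same string as 'Netflix'.
CONFUSABLES = str.maketrans({"l": "i", "1": "i", "|": "i", "0": "o", "5": "s", "3": "e"})


def normalise(text):
    """Lower-case the text and fold confusable characters."""
    return text.lower().translate(CONFUSABLES)


def _domain_allowed(domain, allowed):
    """True if domain is an allowed domain or a subdomain of one."""
    return any(domain == d or domain.endswith("." + d) for d in allowed)


def check_sender(from_header):
    """Parse a From: header and report whether it impersonates a known brand.

    Display-name matching is a heuristic: a production filter would also
    verify SPF/DKIM/DMARC alignment on the envelope and header domains.
    """
    display, address = parseaddr(from_header)
    domain = address.rsplit("@", 1)[-1].lower() if "@" in address else ""
    haystack = normalise(display) + " " + normalise(domain)
    mentioned = [b for b in BRAND_DOMAINS if normalise(b) in haystack]
    for brand in mentioned:
        if not _domain_allowed(domain, BRAND_DOMAINS[brand]):
            return {"brand": brand, "domain": domain, "suspicious": True,
                    "reason": f"mentions {brand} but sent from {domain!r}"}
    return {"brand": mentioned[0] if mentioned else None, "domain": domain,
            "suspicious": False, "reason": "no brand impersonation detected"}


# Constructed sample headers: the first two mirror the scams in the articles.
SAMPLE_HEADERS = [
    '"NETFLlX" <account-update@example-constructed.cf>',  # lowercase L for I
    "ANZ Support <noreply@anzsupport.cf>",                  # lookalike domain
    "Netflix <info@mailer.netflix.com>",                    # legitimate subdomain
    "Jane Smith <jane@example.org>",                        # no brand mentioned
]


def flag_all(headers):
    """Return the subset of headers that impersonate a brand."""
    return [h for h in headers if check_sender(h)["suspicious"]]


if __name__ == "__main__":
    for header in SAMPLE_HEADERS:
        result = check_sender(header)
        print("SUSPICIOUS" if result["suspicious"] else "ok", header, "-", result["reason"])
```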

Technology
