There are some huge advantages to this approach; you can save a lot of time sending documents electronically, there’s a clear digital trail of your activities, and you can typically gather up your tax return – or sort out any lingering tax debts – in a fraction of the time that it might take to process a paper-based tax return.

However, sadly where there’s money at play, there are scammers out there looking to score access to your money and your valuable personal information.

A lot of scammers, in fact, with the ATO reporting that in February 2022, it received 1,815 reports of scammers pretending to be from the tax department.

That’s undoubtedly the tip of the iceberg, as most people won’t bother to report scams if they don’t fall foul of them. As Australians ready to prepare their tax returns, the pressure will only intensify, and that can be seen from last year’s figures, where reported scam activity absolutely peaked around the June and July timeframes.

Scammers will attempt to gather in your information via some rudimentary methods, mostly designed to make you panic around a supposed debt or evasion. When you’re flustered or worried, you’re less likely to question someone claiming to be in a position of supposed authority.

So, what can you do to keep yourself safe while readying your tax affairs?

Never log into ATO services via an email or SMS link

Scammers will try to get you to log into a page that looks exactly like the myGov login portal. It will use the same images; the login field will look identical… but it’s a fake. By the time you realise it, the scammers will have your login details and password.

So how can you tell the fake from the real thing? You can check the URL field – that’s the address bar at the top of your browser – but the smarter way to approach this kind of thing is to realise that the ATO never includes a login link in any email or SMS. If you’re sent that kind of link, ignore it. If you’re concerned, make your own way to the MyGov portal from a web browser and log in there. If there’s a legitimate issue with the ATO, it will sit in your messages inbox within the MyGov portal.

Ignore pre-recorded messages or threats of arrest

This is classic scammer territory because you can’t argue with a recorded message, and many people will panic at the thought of being arrested for a tax debt they didn’t realise they had – because of course they don’t!

Don’t hand over personal information via email, even if it’s for a “refund”

Another tax scam variant is to suggest that you’re due a refund, sometimes for a significant amount. All you have to do is “update your financial information” via a linked form in the email.

This just simply isn’t how the ATO works, but it’s a common enough scam that can lure in the unwary who get dazzled by the dollar signs dangling in front of their eyes.

Again, if you’re due a refund there will be a clear trail of it within your online MyGov account page. If in doubt, look up the ATO contact details online – don’t use those provided in an SMS, email or phone call – and check with them that way.

The ATO doesn’t really care about Apple Gift Cards

This scam is so widespread, and so common that it’s commonly highlighted in stores where gift cards are sold. Anecdotally, I’ve been in more than one store where someone buying high value gift cards was asked by store staff if it was to pay a fake ATO “debt”.

The ATO is of course an arm of the Federal Government, and they’ve got no interest in being paid in gift cards, cryptocurrency or via a direct deposit to a personal bank account. If somebody claiming to be from the ATO demands payment in any of these ways, it’s a 100% clear indication of a scam.

If you’re wondering why the scammers want gift cards, it’s not because they want to then be nice to their nannas. It’s that a registered gift card becomes (in effect) untraceable money that they can then sell online in bulk. Even if it costs them a little to send out the card details to unwitting genuine consumers, they’re still in profit, and you have no way of getting your money back.

If you’re concerned that you may have been the victim of a tax scam, you can report it online to the ATO by calling 1800 008 540, or by emailing to ReportEmailFraud@ato.gov.au

Worried about your online privacy and personal digital security? A Digital Security Check might be exactly what you’re looking for. This service will help protect your household against scammers, viruses and offers simple and affordable digital privacy solutions tailored for your needs. Book online today.

Everyone loves a bargain, and it can be very easy to score a superb discount shopping online, because it’s easier to quickly compare prices, models and features with the click of a mouse or a tap of a smartphone screen.

However, this same ease of use makes it a prime target for online shopping scams, where criminals try to get access to your money and information, giving nothing in return. The delight you feel at scoring a great bargain can very quickly turn into disgust and tears if you get ripped off online.

However, there are countless online merchants, with new ones popping up every day. If all you’re looking at is a web storefront, how can you tell the real deal from the sharks?

The first step is understanding how these scams work.

How do online shopping scams work?

The basis of an online shopping scam almost always revolves around bargains or scarcity, and sometimes both at once.

If there’s a hot item around – say a new shiny smartphone, for example – in short supply, then presenting one or more for sale at a discount price will seem very tempting to lots of people. Not only are you avoiding lengthy waits for new stock, but you’re saving money as well. Who wouldn’t like that?

There’s the rub, however, because all too often the products simply don’t exist – or in some cases they’re poorly made cheap fake versions of the real product instead, worth only a few dollars if that, rather than the hundreds you’ve paid.

Online shopping scams will also often ask you to set up store accounts with personal information. This makes sense if they’re going to ship you something of course, but the rub there is that this information can also be used for identity theft in some cases.

Just in case you’re thinking that it must only be a few folks fooled, be aware that the ACCC’s Scamwatch service estimates that online shopping scams cost have Australians more than $5.2 million so far in 2022.

Bearing in mind that this is only for scams it’s informed about, that figure is undoubtedly higher.

How can I protect myself from online shopping scams?

There are some tell-tale signs that an online merchant may not be on the level to look out for.

Look for a lock

If you’re dealing with an online store that has its own web site, ensure at a bare minimum that the site itself is encrypted. The url should start with “https”, and there should be a resultant lock icon in the address window to show that it is indeed encrypted. That’s important simply to keep your personal and payment information secure.

Check the spelling

For brand name items if you think you’re buying from the official store, check that the URL spells the brand name correctly. Yes, it sounds stupid, but it very much can fool people into thinking that the discount Gucci bag they’re scoring is legit when the URL is actually for Guuccii instead.

Do your research

If you were going to a restaurant and a friend said that they’d got food poisoning there, you would think twice about that meal. In similar fashion, before laying down your cash, do a little research on the store, brand or seller to see if there are any notable complaints about it online. While many will try to “review stuff” by adding lots of positive sounding reviews to sites such as Amazon or eBay, if you see disgruntled customers a-plenty, there’s probably a reason.

Use as secure a payment method as possible

It’s possible to be fooled even on reputable store fronts such as Amazon, because they will allow third party merchants to sell through them. The advantage you have there is that if you use a standard payment method, you’ve typically got better recourse to a refund if it does go pear shaped.

If a merchant offers a discount for direct deposit or money transfer, it’s a good sign they may not have your best interests at heart – because those methods aren’t typically reversible.

Set a good password for a new site

Never, EVER use a password on an online shop that you’ve used elsewhere. If it’s run by crooks, they’re all but assured to use that email and password combination to see if they can get into your banking, social media and other accounts to steal even more money.

Think twice before hitting “pay”

If a desirable item is on sale for more than about 30% off, ask yourself why that might be. In some cases, it absolutely can be end of life stock of an item, but if it’s a desirable one, the merchant would almost always prefer to make as much out of it as possible. Lots of online shopping scams simply work on the premise that buyers will be dazzled by 80% discounts and little else. It’s rather easy to offer an 80% discount when you never intend to ship real products, after all.

More cyber security tips and tricks to help to keep you safe online:

• How to avoid a phishing attack
• How to prevent your passwords being hacked
• How to protect yourself against viruses and malware
• How to keep your identity safe online
• How to prevent catfishing

They used to be called “Computer Viruses”, back when most of that kind of software was more destructive than it was financially based, but these days you’re more likely to hear or read about malware.

Malware is short for “malicious software”, and it’s quite a broad term that covers any kind of application designed to harm a computer’s operation or the activities of its user. That can cover maliciously destroying or limiting access to files, hijacking computer resources for other purposes or spying on user activity on that computer.

What kinds of malware are there?

Malware is constantly evolving, so defining it is a tricky business. Some forms of malware can be used for a variety of attacks, so that if one avenue doesn’t work for the malware author, another one might. So, while malware can take in viruses, rootkits, worms and other forms, it’s really what the malware wants to do – or wants from you – that’s important here.

Malware can include:

Ransomware

This is software that encrypts your documents – and often the entire operating system of your computer – locking it down and demanding payment if you want access back to your computer

Spyware

Malware of this type watches, records and reports what you’re doing on your computer. It’s often used with keylogging applications that can then try to discern (for example) your login passwords for online banking services.

Adware

This kind of malware tries to serve up unwanted advertising – often quite a lot of it – in order to get money from advertising companies. If you open up your web browser and you’re hit with hundreds of pop-up windows, you could well be an adware victim. Note that just having ads present on a website isn’t absolute proof of adware being present

Botnets

Some malware isn’t so interested in you as it is your computer and its online capabilities. Botnet malware takes over some or all of the internet functions of your computer, often to then mass attack other online services. If you think of it like a road, if your car and thousands of others tried to get on the one stretch of highway, it would quickly slow to a crawl or stop completely. That’s the essence of what’s called a DDoS (Distributed Denial of Service) attack, and it relies on having thousands of botnet infected computers to call on.

How can I protect myself against Malware?

Keep your computer and devices up to date

A lot of malware relies on weaknesses and exploits that take advantage of code errors in operating systems and some file types. Making sure that you’re up to date with the latest operating system updates, security patches and firmware updates across your devices is a must to ensure that even if malware reaches your system, it can’t do any harm.

Use good anti-virus software

The battle between antivirus software vendors and malware writers is a constant cat-and-mouse game, and it’s been the case for decades now. Still, it’s worth being protected, because while AV software has both a financial cost and a small cost in terms of processing power, it beats having your system wiped or your bank accounts drained via malware. Bear in mind that you do also need to keep your AV software up to date via subscription. It’s not just enough to buy it once, sadly. Also, if you figure that malware’s only a problem for folks who visit dodgy websites (however you define dodgy), think again. It’s very common for malware writers to try to embed malware installs in flaws in reputable websites too.

Be careful about what you install or open

That “free” copy of a big paid application you found online might not be so consequence-free if it’s riddled with malware. Likewise, malware writers have been known to hide their dodgy code within some file types, using specific application weaknesses to run their code in the background even if they appear to be a genuine file. If a file asks for extra permissions to run in a way that you didn’t expect, it may be unwise to allow it to run.

Back up your files regularly

If the worst happens, and you fall victim to ransomware or malware that wipes out your computer’s operating system, it’s usually possible to reinstall that computer back to a blank slate, like it was when you first purchased it. You’re back on deck… but all your own files are irretrievably gone. Gone, that is, unless you remembered to back them up on a regular basis. While backup can be a touch slow and a bit boring, you’ll thank yourself if you ever have to recover those files after a malware disaster.

More cyber security tips and tricks to help to keep you safe online:

• How to avoid a phishing attack
• How to prevent your passwords being hacked
• How to spot an online shopping scam
• How to keep your identity safe online
• How to prevent catfishing

Secure your small business from cyber threats with our tailored cyber security solutions – safeguard your data, protect your reputation, and ensure peace of mind.

Keep what’s yours safe online with our guide to how to stop password hackers in their tracks.

With so many services requiring complex passwords, it can be easy to get overwhelmed and scared by the possibilities. Online scams can and do cost Australians millions each year, and nobody wants that to happen to them.

So how do you manage all your password needs, and what should you look out for in terms of password hacks?

How do online criminals get my passwords anyway?

There’s a number of ways that your passwords could end up in the hands of cyber criminals.

In some cases, it’s because your account gets phished with a convincing looking fake.

In other cases, it’s because you’ve chosen a weak password and they’ve simply brute forcing their way through combinations of password types.

In some cases, malware that makes its way onto your computer can track keystrokes, including those into password fields through what are called keyloggers.

Those cases rely on faults on your end (along with a little manipulation of existing systems), but it’s also possible to have your passwords compromised through no fault of your own.

A password breach is what happens when a company’s own store of passwords – so your credentials with an online shop or service, for example – are compromised en masse.

In that case, you did nothing wrong and your password may have been very good, but you’re still in a potentially compromised position.

What to do to defend yourself against password attacks

There are a few simple things that you can do to maximise your security and minimise the risk of your passwords being compromised.

Use unique passwords for every service

Why it matters: If you have a password that you use for more than one service, it’s the equivalent of having just the one key to multiple safes. Most services pair your email address with a password, with that pair “proving” your identity.

If your password is compromised in any way, one of the first and most common attacks will be to apply that password and email combination against multiple services. Suddenly, you’re not just compromised on one site, but many.

Never use dictionary words (or number sequences) as your password

Why it matters: Every year, lists are published of the most commonly compromised passwords. Depressingly, year in, year out they’re nearly always topped by simple passwords such as “Password” or “123456”.

The simple reality here is that there isn’t a dictionary word that online criminals haven’t tried as a password combination at some time. Modern computing power means that they can cycle through those combinations at blistering speeds too.

The same is true for simple number sequences. There’s a famous scene in Mel Brooks’ movie “Spaceballs” where a character is derided for having a luggage lock combination of “12345”. Sure, it’s easy to remember – but it’s also easy to crack, which is why that scene is played for comedy. There’s nothing funny about having your online identity compromised or bank accounts drained, however.

This is why most password systems will tell you that your password must contain a mix of capital and lower case letters, numbers and symbols. It’s not because the programmers enjoy making you struggle to come up with them. It’s because they’re mathematically harder to crack.

Use a decent password manager

Why it matters: We’re increasingly being asked to create passwords for everything from government services to online banking, shopping, social media… the list goes on and on and on. To give this a personal context, I can tell you right now that I have a list of 398 different passwords that I might need. Sure, my own tech enthusiasm means I’m probably above the average by a wide margin, but there’s still no way I could remember 398 passwords anyway!

I don’t have to, because I use a password management app to both store them and to create them in the first place.

This is secured against a single, strong password used to unlock the entire vault of passwords which can synchronise across my phone, laptop and tablet devices for easy access.

There’s a number of players in this space, including well-regarded packages such as Dashlane, 1Password, LastPass, Keepass and others. If you’ve got anti-virus software on your PC, it may already contain a password manager module, too.

Use multi-factor authentication

Why it matters: If you’ve set up an account to deal with government services, you’ve all but certainly hit multi-factor authentication, where you enter your password and it then asks you to verify a code sent to you, typically via SMS.

Multi-factor authentication adds additional verification steps to ensure that you are indeed who you claim to be. Not every service supports multi-factor authentication (sometimes called “two factor authentication” if it’s only adding one extra step to the existing password), but if the services or sites you’re using do, it’s highly advisable to implement it.

It does involve a little more time on your part, because you’ve got to wait for those extra login details to arrive, whether that’s through SMS, a checking email or via an authenticator app or physical authentication device. However, the security here relies on the fact that if your password were to be hacked, broken or leaked, your account itself would still be secure.

Here’s how this works: If I’m a bad guy and I get your password and email address through, say, a leak online of a badly secured database and you have MFA enabled, I’ll hit a barrier when I try to log in, because I won’t have that additional factor to use. What’s more, you’ll get sent that SMS, or email or whatever the factor is, alerting you to the fact that somebody’s trying to access your account.

One detail to be wary of here is that scammers have used this to try to get access to accounts by sending out “fake” warning notices with links to “check” your accounts, warning that they may be locked down if you don’t act immediately.

That’s classic phishing, but what you should do in every case is find the links yourself – not the ones in emails or SMS – and click through to your service in the usual way. If there’s a problem they’ll let you know that way.

More cyber security tips and tricks to help to keep you safe online:

• How to avoid a phishing attack
• How to protect yourself against viruses and malware
• How to spot an online shopping scam
• How to keep your identity safe online
• How to prevent catfishing

However, wherever there’s social activity, there’s money to be made, and that means scammers come flocking, by way of catfishing.

While it is about luring in in the unwary, this has little to do with sitting in boats trying to catch heavily whiskered water creatures. Instead, you’re the prey, and the catfisher is trying to lure you in with a false identity.

What is catfishing?

In the online sense, catfishing is most simply described as engaging with another person under some kind of false identity. It’s often tied into romance scams, where someone pretends to be your perfect match in order to fool you into providing intimate photos or personal details for financial gain, although it’s not exclusively to do with the pursuit of love.

If you’ve ever received one of those dodgy emails from a “Nigerian Prince” claiming to want your help to move millions of dollars, that’s catfishing too. It’s not very subtle of course, because there’s relatively little effort put into those scams. Just in case you didn’t know, African princes aren’t in the real-world habit of trying to sneak out billions just for you, and neither is Bill Gates. That scam has been around for decades now, but it still manages to lure in the unwary from time to time.

More modern catfishing scams try to fill in further details to appear authentic, offering up what appear to be genuine details, common interests or goals as your own in order to gain your trust.

Once you’ve decided that you trust the catfisher, that’s when they’ll start asking for more personal details, possibly for money or intimate photos. Catfishing scams are usually long tail scams, because it can take serious time to gain trust online. Just because you’ve been chatting online with your new “friend” for months or in some cases years doesn’t mean that they’re on the level.

How much of a problem is catfishing?

Catfishing is, sadly, quite lucrative for scammers. If you just look at romance scams, the ACCC’s Scamwatch reports that Australians have lost at least $19,434,745 to romance scammers alone, and that’s just based off the scams reported to them. It’s highly likely, given the personal nature of those scams that many victims might be too embarrassed to report them in the first place.

Unexpected money scams – like the Nigerian Prince scam mentioned above – also fall under catfishing a lot of the time, and Scamwatch reckons that’s another $3,184,716 lost already this year.

While it’s comforting for your own ego to think that you’d never be fooled that way, the reality is that this is something that happens to real people in Australia, all the time.

That’s why it’s wise to be careful online, because it absolutely could happen to you.

How can I protect myself from catfishing online? Is everyone fake?

To answer the second question first, no. The Internet works because billions of people use it every day. It’s absolutely possible to connect or reconnect with friends, loved ones and lovers in an online context.

However, you do need to be careful when interacting with anyone “new” online. It’s even wise to apply some of this thinking with folks you think you know in the real world, although that’s usually a case of an impersonation scam rather than catfishing.

So, what can you do in a practical sense?

1. Be careful what you share online, and where

Most catfishing victims report that social media is often where they first got contacted by their catfisher, who seemed to know a lot about them.

That’s often because there’s a trend – and sometimes social pressure – to share everything from photos to personal updates across social media services. If your service of choice isn’t carefully locked down for privacy, those are details that may be apparent to a wider range of folks than you realised.

2. Go slow with new online friends

It’s great to meet new people and expand your social circle, for sure. But if your new friend suggests that they’ve fallen madly in love with you after a short period of time, it’s a solid red flag that they might be less than 100% honest. If it is true, there’s plenty of time to let a relationship properly blossom – and for you to check and ensure that they’re actually a real person all along.

3. Beware the sob story

The Nigerian Prince scam works because it appeals to base greed, but the reverse of it is your new “friend” asking for money to deal with some kind of emergency. You don’t want to be heartless with your close friend or potential romantic prospect, so you wire across the money… and you’ve been scammed.

This is not to say that you can never help people out if that’s your style. It absolutely pays to do your research and check bona fides first. If your “friend” asks for pictures of you but never provides their own “because their camera is broken”, that’s an obvious red flag. Even if they do send you a picture, it’s wise to run it through Google’s reverse image search to see if it pops up elsewhere under a different name.

Some catfishing types will be bold enough to use photos of major celebrities – because they’re attractive people – hoping the victim won’t notice. Is it really likely that Brad Pitt needs you to send him $500 because his car exhaust is broken?

4. Be very careful with picture requests

In one sense, what consenting adults get up to in their own time and on their own devices is their own business, and that includes sending intimate pictures if that’s what you’re into.

However, it becomes far more complex when you’re talking about an online paramour, precisely because you’re giving over a lot of trust around images that you absolutely do lose full control of once they’re off your own phone. That’s why it’s absolutely paramount to ensure that whoever you’re sending that kind of content to is who they say they are.

5. Take screenshots

It might feel a bit like snooping, but it’s wise to keep a few records of any new online friends, especially if you’re starting to have doubts about them.

That’s because most social media services, online dating platforms and other places where you might be catfished typically have reporting mechanisms for this kind of activity. If you report a potential catfisher, it may limit their access to operate on that platform, potentially saving others from heartbreak or financial ruin. The odds are very good that the same fake identity is being used across many people at once, because it raises the scammer’s odds of making money along the way.

More cyber security tips and tricks to help to keep you safe online:

• How to avoid a phishing attack
• How to prevent your passwords being hacked
• How to protect yourself against viruses and malware
• How to spot an online shopping scam
• How to keep your identity safe online

Ensure robust cyber security for your small business – safeguard sensitive data, mitigate risks, and protect your company’s reputation with our tailored solutions.

Your online identity isn’t just the pictures you post to social media – and keeping it safe is paramount.

When we talk about online identity, a lot of people assume that it’s just to do with how you present yourself on social media services such as Facebook or Twitter.

However, your online identity is far wider than that. You probably do your banking online, you’ve almost certainly done some shopping online, and often the easiest way to deal with government services is using an online portal.

Sure, it’s not “easy” in that latter case, but the reality regardless is that all of these services use your online identity for verification and provision of services, whether you’re buying socks, doing your taxes or checking how much you’ve got left to pay on your mortgage.

Simply put, your online identity has real value, and if it’s “stolen” – not removed from your person but pilfered and copied – then the consequences for you can be devastating.

How big a problem is identity theft in Australia?

The losses that individuals can accrue can be massive. The ACCC’s Scamwatch unit estimates that in 2022, Australians have lost more than $4.5 million to identity theft scams, with $1.2 million pilfered in May 2022 alone.

How do criminals make money from my identity?

There’s a variety of ways that online criminals can make money from your personal details.

Financial scams are the most common, and often the simplest identity theft scams too. If you’ve ever called your bank, insurance company or other utility, you’ve probable been asked for your address and date of birth.

The company is doing this to verify that you are who you say you are. If a criminal gets those details, they can call up and change addresses for new credit cards, possibly transfer money or change online banking passwords. That can lead to not only financial loss, but also loss of access to your accounts.

With your personal details, it’s also feasible for criminal types to try to fraudulently get identity documents of their own or forge them using your credentials. That could lead to legal consequences for you down the track, or difficulty in getting your own documents verified or renewed.

Your identity can also be used to fool others, including close friends and family members.

It’s often called the “Hi Mum” scam, and it uses platforms such as WhatsApp or simple SMS messages to suggest that you’ve broken their phone – which is why they’re getting the message from an unknown number – but that you needs money to deal with a crisis.

How can I protect myself from identity theft?

1. Think about what you share online: Your information has value, but that means you have to be very careful about how and where you share it. Take for example a birthday celebration, something lots of people share on social media. If you don’t have your account locked down to private, those photos could be viewed by third parties. You might not care that criminals know what kind of cake you had, but if the photos also say that you’re celebrating your thirtieth birthday on that day, then they instantly can discern your birthdate. That’s the same birthdate your bank will ask for if you call them up.
2. Don’t click unknown links: If you get an email, SMS or other message out of the blue, be very careful about clicking on it. It’s a super common way to fool you into entering your details into what looks like an official website. What it’s actually doing is harvesting your information so that it can be used fraudulently.
3. Perform regular digital hygiene checks: If you’ve not used an online account for a while, it’s worth carefully logging in and checking activity every once in a while. If an account or service is compromised, you’ll see activity on that account that isn’t yours, whether it’s suspicious bank charges or orders for items you never bought.

What can I do if I’ve been a victim of identity theft?

If you fear you’ve been a victim of identity theft, the first thing you should do is contact the relevant company or agency – so that’s your bank, government departments and so on – through their regular communication channels. Never, ever use a link provided by a suspicious message; search it up online and use the contact form or details on the official site instead.

The Government also runs a free service called IDCARE that can help you work out specific solutions to identity theft crime. You’ll find them online at or over the phone on 1800 595 160.

The ACCC’s Scamwatch service can’t help resolve identity theft crime issues, but it’s also worth reporting to them at as well. Your information can help to educate others about scams, as well as help disrupt the activities of scammers on an ongoing basis.

More cyber security tips and tricks to help to keep you safe online:

• How to avoid a phishing attack
• How to prevent your passwords being hacked
• How to protect yourself against viruses and malware
• How to spot an online shopping scam
• How to prevent catfishing

Secure your small business from cyber threats with our tailored cyber security solutions – safeguard your data, protect your reputation, and ensure peace of mind.

What is phishing?

Phishing (pronounced fishing) covers a broad range of online criminal activities, all centered around fooling people into giving up personal details (bank details, addresses, dates of birth, etc.), or business details (login information, credit card numbers, customer data, etc.)

Phishing falls under what’s usually called “social engineering”, because unlike software-based hacks that might take advantage of bugs in a password form or flaws in an online interface, the weak link in a phishing chain is, essentially, you.

How does phishing work?

Phishing attacks are impersonation attacks, where a criminal pretends to be some kind of authority or prominent business – for example, your bank, or the Australian Tax Office.

A phishing attack could involve you getting an email or a text that appears to be legitimate, asking you to log in to your service to verify that it’s yours, or trying to panic you into doing so by threatening to lock down your account. You wouldn’t want your bank account frozen, now, would you?

This is the phisher’s trap, because the links in emails or phone numbers in SMS aren’t in any way legitimate. Click on them, and you’ll land on a web page that might look identical to the one you’re expecting, with a password field waiting for you to enter your details.

Do so, and the scammers have those details, which they can then enter your real bank’s site to siphon away funds. Or if it’s a form that needs personal details, then they’ve got those details for identity theft purposes, whether that’s to then call up other institutions to reset passwords, gain access to accounts or generate false identity documents with your details in place.

Needless to say, you don’t want that, but it’s a big problem. Scams in general cost Australians more than $2 billion in 2021 according to the ACCC. That’s a huge – but not good – industry all by itself!

How did the scammers get my email or phone number in the first place?

There’s a myriad of ways that your supposedly “private” details may have fallen into their hands. In some cases, if you’ve used those details to sign up for services, they may have been sold on to marketers more widely, which that may have been in the very fine print you didn’t read at the time. 

That’s a rather direct way, but the other avenue for harvesting email addresses and phone numbers relies on database leaks from legitimate services you may already use.

Often those services will prioritise securing credit card numbers and the like, which does make a degree of sense, but once your number is out there online, it can be virtually impossible to scrub away its presence.

How can I protect myself from phishing?

The single best weapon you have against phishing attacks isn’t a fancy piece of software, or even a hardware device you place between your computer and the Internet.

It’s the chunk of meat between your ears known as your brain. That’s because phishing attacks very much rely on inducing panic, or at least a sense of urgency that would make you want to click on a dodgy link from an incoming email. When and if you do get an email that looks like it’s from your bank, the government, the police or other authorities, the single best thing you can do is stop and think.

The message may look legitimate, but that doesn’t mean it is. Most big businesses have largely stopped using email because of the possibility of it being faked this way.

There are some technical steps you can take to check if an email is legitimate. On a laptop or desktop, hover your mouse – without clicking – over any web site links or email addresses. Scammers often use disposable email accounts, because they don’t want to be tracked by law enforcement, but there’s no way that your bank would send you a message from a Hotmail or Gmail account, for example.

Likewise, while the URL that pops up when you hover over a message might <em>end</em> in a legitimate looking address, look at the whole URL string. While I’ve just invented it for the purposes of illustration, the difference between “www.legitimatebank.com.au” and “www.wewillstealyourmoney.legitimatebank.com.au” is that one would lead to the legitimate bank website and the other wouldn’t, and could redirect anywhere at all. There are vectors where scammers may send you to the legit login page for services, relying on scripting code that also activates to hoover up details on the way.

This is why your best bet if you get an email that alarms you is to ignore any and all links and contact details within it. Open a fresh web browser and go to that service’s web page yourself to find login details or phone numbers. Contact that institution to see if the email or SMS was legitimate. Chances are that it wasn’t, but that way you can be more assured that you’re keeping yourself safe. Also, delete the phishing email because who needs dodgy digital junk mail?

Another really important step here is to use multi factor authentication – at least two factor – but more is better. This is where you have your usual email and password, but also a secondary login factor.

That could be an SMS your bank sends you, or an authentication app you install on your smartphone, or a biometric measure like a fingerprint or FaceID scan.

This matters especially if you do get fooled by a phishing email. If you’d entered your details into what you thought was the legit bank site and didn’t have multi factor authentication in place, the scammers have a full key to access your details.

If you have that secondary factor, they can’t get in, but also, you’ll then get that alert – an SMS or other factor – when and if they try. That will let you know of a potential breach, and you can then contact your institution over the phone to properly sort out your account and set a new password, while keeping yourself safe.

What if I think I’ve been a victim of phishing?

There’s a couple of key steps you should take here. First and foremost, contact whatever institution it was that was faked – your bank, the ATO or whatever – to secure your account as quickly as possible.

You’ll need your identity documents to hand to prove that you are who you say you are. Under NO CIRCUMSTANCES use phone numbers in the phishing email you got; look them up online or from any paperwork you may have got from that business or government department, and double check to be sure. It is sometimes possible to recover lost funds from phishing attacks.

Depending on the nature of the information disclosed, you may also need to contact family, friends, or business associates, because personal information can sometimes be used to try to impersonate you to others to perpetuate the scam.

The Australian government’s Scamwatch site has an excellent array of resources to cover most phishing and scam related activity, and it’s worth reporting to them as well; while they can’t recover funds for you, they can point you to other services that can assist, and giving them a wider picture of activity also assists in cracking down on phishing crime in a more general way.

More cyber security tips and tricks to help to keep you safe online:

• How to prevent your passwords being hacked
• How to protect yourself against viruses and malware
• How to spot an online shopping scam
• How to keep your identity safe online
• How to prevent catfishing

Ensure the safety of your small business with robust cyber security solutions tailored to your specific needs – protect your sensitive data and keep your operations secure.

You’re probably aware of the type of call I’m talking about, where a “representative” of a big tech company – the likes of Microsoft, Telstra, sometimes the ATO are frequently cited – calls you up with dire news of a problem with your computer, billing or accounts in some way.

Those quote marks are there because (again, just in case it wasn’t clear) it’s a scam. They’re after either money, personal information or a way to compromise your computer to either lock it down (and demand money) or use its capabilities as part of a bot network. Nasty stuff any way you look at it.

However, the reason I bring up my phone line is that I got rid of it some time ago, and there’s some expectation that “everyone” knows about these kinds of scams, and why you have to be wary in phone and online interactions as a result. But just how wary are we?

New research from Microsoft suggests that, sadly, these kinds of scams are still proliferating on a global scale.

Here in Australia, for example, Microsoft’s research suggests that 68% of Australians have encountered a tech support scam over the past 12 months. That’s actually higher than the global average of 59%, which suggests that Australians are seen as easier targets than most. Either way it’s not good.

Microsoft’s research suggests that men are more likely to continue with a scammer in some way with 61% of respondents indicating that they’d done more than just hang up or delete a suspicious email or social media message, compared to 39% of women.

There’s also something of a perception that these are scams that largely target and work best on the elderly, but Microsoft’s research suggests that it goes wider than that, especially in terms of success. What grabbed my interest was that Microsoft’s research suggests that more millennials and Gen X users were likely to continue interacting with scammers, with 31% of millennials and 30% of Gen X Microsoft users reporting that way. Realistically, it’s a cross-generational problem, and one that can cost you dearly.

Not everyone continuing to engage with a scammer will automatically lose money, but it’s not a risk worth taking in any case. Scamwatch reports that this kind of tech support/remote access scam has cost Australians more than $8,000,000 in 2021 so far, with phone by far the most prevalent way scammers engage with us, followed distantly by direct Internet connections.

So what should you do if you’re concerned about this kind of contact? Be aware that the likes of Microsoft, Apple, Telstra or any other big tech company is virtually never going to contact you over the phone. You should never install an application that someone over the phone (or via a banner ad, or email) asks you to. They’re also never going to be asking to be paid via gift cards or cryptocurrency.

Microsoft has some good guidelines specific to its products that you can check here in terms of this scam, while Scamwatch has a good rundown of how remote access scams work here.

Sadly, the folks who would prey on the susceptibility of people to be conned aren’t taking a break at all. The ACCC has noted a serious spike in reports of scammers using fear around the COVID-19 Coronavirus to take advantage of people. Those are scams that – in this day and age – are much less likely to take the form of someone knocking on your front door but are far more likely to be delivered online.

“We’ve had a wide variety of scams reported to us, including fake online stores selling products claiming to be a vaccine or cure for coronavirus, and stores selling products such as face masks and not providing the goods” said ACCC Deputy Chair Delia Rickard in a statement.

“Scammers are impersonating official organisations such as the World Health Organization and the Department of Health or legitimate businesses such as travel agents and telecommunications companies” Ms Rickard said.

That’s astonishingly horrible business, but then scammers never really cared about the impact they were making on their victims, aside from the financial toll they could extract from them.

So how can you really tell that the information that you’re getting is legitimate? There’s the fairly obvious stuff, like anyone offering to sell you a “cure”, for a start, or someone sharing a Facebook post of “tips” for beating the virus that also ask for money, but some scams can go deeper than that with impersonation of credible bodies.

As government stimulus packages start to kick in, it doesn’t take too much crystal ball gazing to see that being a popular scammer’s target, offering you ‘stimulus funds’ in return for giving across your details. Before you know it, you’ve compromised not only your personal identity details, which are valuable in themselves, but also potentially your bank account too.

The ACCC also notes that it’s seen a rise in scams relating to “investment opportunities” around the pandemic, or retailers insisting on direct payment or funds transfer for goods. Then there’s the classics of the genre around pretending to be from your ISP or Microsoft – while those trade in different “viruses”, with so many more folks working from home or in isolation there’s all too much possibility of them being hit by these kinds of scams too.

That’s where it pays to do your own research and stay on top of the current understanding around COVID-19, not relying on what a random social media post might say. I’ve seen everything from the suggestion that drinking silver (no, really) or bleach (again, it sounds incredulous, but still) might protect you. They won’t, and there’s a lot of hucksterism around them.

“There is no known vaccine or cure for coronavirus and a vaccine isn’t expected to be available for 18 months. Do not buy any products that claim to prevent or cure you of COVID-19. They simply don’t exist” said Ms Rickard.

The Federal Department of Health has excellent and scientifically credible resources around the ways you can keep yourself safe and help stop the spread of the coronavirus, and that’s a great one-stop shop for details that are locally relevant. If you want a more global outlook, the World Health Organisation has detailed information on the effect it’s having across the planet.

Like most online scams, there’s a lot of use of fear to motivate decisions in all of these scams, and it’s entirely understandable that people are frightened in these times. However, it’s very important – as with any decision you make relating to this particular crisis – to stop, calm yourself and do your own research. Contact companies independently to check any claims, don’t respond to any unsolicited messages that ask for your financial information, and if you do fear you’ve been the victim of a scam, contact your financial institution directly and rapidly.

It’s a different kind of staying safe from isolation and handwashing, but one that’s also very important.

A friend of mine recently went through an issue with his Facebook account. Unbeknownst to him, it was posting links to dodgy “investment” opportunities seemingly promoted by major Australian celebrities.

Quick tip: If you see an investment “opportunity” on Facebook, run a mile. Maybe two or more, because they’re ALL scams, and, sadly enough they’re wildly profitable for the scammers. According to the ACCC’s figures, investment scams are the most prevalent way that Australians are defrauded, with more than double the losses of the next most common scam type, relating around romance and dating.

Now, this friend had changed his password a few times, so I advised him to carefully check the apps that he’d given posting access to in Facebook. If you’re curious, the easiest way is to go into the settings section of Facebook, select apps, and you’ll be told exactly which apps and services have access. In his case, the best approach was to deny access to everything, and then only permit access on a needs basis.

But it was his comment about passwords that got me intrigued. He said he was “running out” of passwords, which suggested to me that he wasn’t really thinking that hard about new password combinations.

Which is a big mistake, but it’s one that many of us fall victim to.

Each year, security firm Splashdata releases its list of the worst passwords revealed through leaks and breaches that are still in common circulation.

You can probably guess what some of them are outright, and any password that a human can easily guess isn’t a security measure at all. Let alone one that any kind of computer might be pointed towards, because the technology there can scan through literally billions of combinations in near no time at all.

Here’s the list for 2021 – if you see one of your passwords on here, change is ASAP.

Top 10 worst passwords in 2021

1. 123456
2. 123456789
3. qwerty
4. password
5. 1234567
6. 12345678
7. 12345
8. iloveyou
9. 111111
10. 123123

Mind you, if you find your password anywhere in the top 100, or in any dictionary, you’re also running a huge risk of being compromised online in some way. That could be with your Facebook account posting dodgy ads in the guise of your personal recommendation – or the loss of access to your own bank accounts.

So, what’s the solution here? Use strong passwords, preferably secured behind an encrypted password manager, because that way you only have to remember one strong password, not many of them. Use two factor authentication when it’s offered, because while it does introduce a layer of difficulty while you procure your secondary authentication code, it also enhances the security of any account you add it to.

Tips for making a strong password

Make it long – the more characters, the harder it is for a hacker to guess it.

Don’t use single regular words – there’s such as “dictionary attacks”, which quickly attempts to crack your password by trialing every word in the dictionary at once.

Mix up letters, numbers, and symbols – this makes for a more potent password, and a random string is hard to guess.

Don’t use a keyboard pattern – like “qwerty” or “zxcvb” or “123456”. Be original!

Avoid substituting common symbols and letters – the password “p@ssw0rd” is just as easy for a hacker to crack as they’re well versed in these common substitutions.

Try using full sentences – as mentioned, the longer the better, so try out the sentence method. Think of a long sentence like “Geeks2U are my favourite company in Australia”, and grab the first 2-3 characters of each sentence so you have “Gee2UArMyFavCoInAu”. You can easily remember the sentence, and to hackers that’s just a random string of characters.

Use full words that have meaning to you – do you love a certain book series, movie or video game? You can use locations, people, items, and more to make strong and unique passwords. HermioneTheBurrowFireboltSnape is hard to guess but if you love Harry Potter should be a cinch to remember!

It’s 2022. It’s far past time we got past simple to use but simple to remember passwords. It’s a little more work to keep yourself safe online, but with so many of our activities, from simple social media to online banking to just about everything else being secured this way, it’s vital that we all take it much more seriously than using a password such as “123456”.

If you have concerns about your internet or network security, give Geeks2U a call today.