Attempts to gain personal information

Your personal and private information is one of the most valuable things you possess. If it’s allowed to fall into the wrong hands then you could be handing over access to your computer, your online accounts and your banking accounts.

Protecting your personal and private information is therefore one of the most effective tools for keeping yourself safe from scammers.

Impersonation scams

Often known as ‘phishing’, impersonation scams try to make you believe that you’re receiving correspondence from a trusted organisation and trick you into providing confidential information.

This can be by asking you to click a link to an official-looking webpage that asks for your log-in details, or through an email attachment that installs malware on your device to uncover usernames and passwords by tracking your keystrokes.

The key to staying safe and not falling victim to impersonation scams is to be cautious of any incoming communication via text messages, emails or social media. If any message includes an attachment or a link to a website, don’t click it. Instead, go to the organisation’s website and log-in separately, bypassing the link.

How to prevent yourself falling victim:

• Know that organisations such as Qudos Bank or Government agencies will never ask you to click a link to provide personal information.
• Don’t open suspicious emails – delete them. If you’re unsure, call the alleged sender on the number provided on its official website to verify legitimacy.
• Always check the email address of emails you receive. If they don’t match the usual website address of that organisation, it’s likely they’re fake.
• Read all emails carefully. Phishing emails are often sent by people who don’t speak English as their first language. Spelling mistakes or unusual grammar can be giveaways that the email isn’t legitimate.

Remote access scams

Remote access (screen-sharing) scams try to convince you that you have a problem with your computer or internet service and you require assistance to fix the issue.

The scammer calls, usually pretending to be from a telecommunications company or the NBN, telling you that your device has been sending error messages that shows a hacker is trying to access your computer, or your device has a virus.

The scammer then requests remote access to your computer to ‘find out what the problem is’. The scammer will try to scare and reassure you into believing the services they provide will fix the issue.

The scammer will tell you that the work they are carrying out must be done in secret and not to notify your bank, family members or law enforcement or else the hacker(s) will find out and expose your personal details online.

They may ask you for your personal details, your bank or credit card details or to Log into your internet banking to make sure no funds were stolen by the hackers. While they still have access to your device they are able to see you type in your password and personal details.

The scammer may try to reassure you that they are close to catching the hacker and pretend to credit your account by moving funds from your sub account(s). They may ask you to set up a new payee to transfer funds to the alleged hacker and request for the Qsafe SMS that is sent to your registered device. It is common for the individual to state that the purpose of this is to trace and apprehend the hacker. Once the transfer is complete, the scammers will cut all communication and disappear leaving victims out of pocket.

How to prevent yourself falling victim:

• Never give an unsolicited caller remote access to your computer.
• Never give your personal, credit card or online account details over the phone unless you made the call and the phone number came from a trusted source.
• Immediately hang up if you receive a phone call about your computer and remote access is requested, even if they mention a reputable companies.

Business Email Compromise

Business email compromise (BEC), a variation on phishing, is where a cybercriminal impersonates a business representative or trusted person to trick you, into transferring money or sensitive information to them.

The scammer uses an email address that appears to be legitimate with a username or domain that is almost identical to the name of the trusted person’s company, this is also known as ’masquerading’.

BEC usually takes one of four forms:

1. Executive fraud: The cybercriminal successfully masquerades an executive's email address and then sends a message to staff in the business directing them to transfer funds to the scammer's account.
2. Legal impersonation: The cybercriminal masquerades as a lawyer or a legal firm representative requesting payment for an urgent and sensitive matter.
3. Invoice fraud: The cybercriminal masquerades as a trusted supplier and sends a fake invoice to the business or individual. In these scams, the cybercriminal often has control of the supplier's email account and can access legitimate invoices. The cybercriminal changes these invoices to include their own bank account details and then sends the invoices to customers from the supplier's email account.
4. Data theft: Instead of requesting funds, a cybercriminal may masquerade as a trusted person to request sensitive information. This information can then also be used as part of a larger and damaging scam.

These scams don't use malicious links or attachments and can get past anti-virus programs and spam filters. As they rely on social engineering, employees are the first line of defense against BEC.

Employees should be on the lookout for the following warning signs:

• The email was unexpected. For example, the invoice came from a supplier you haven't dealt with in a while, or the payment amount differs from previous amounts.
• The email asks for an urgent payment or threatens serious consequences if payment isn't made.
• The email was sent from someone in a position of authority, particularly someone who wouldn't normally send payment requests.
• The email address doesn't look quite right. For example, the domain name doesn't exactly match the supplier's company name. Double-check by looking at previous correspondence.
• The supplier has provided new bank account details.

If you spot any of these warning signs, you should contact the company using a phone number you've obtained from an alternative source, such as the company's website.

How do I recover from a business email compromise?

• If you've sent money or personal banking details to a scammer contact your bank immediately.
• If you receive a BEC attempt, notify the masqueraded sender so they can prevent further BEC attempts. Do not forward the malicious email, take a screenshot and send it to your IT team or manager so they can alert the affected parties, and secure the email account.
• If any of your email accounts have been compromised, notify your clients (or, at a minimum, your affected clients). You may also consider putting up a notice on your website to warn clients of the scam if the BEC is extensive.
• If personally identifiable information has been stolen, mandatory reporting to the Office of the Information Commissioner (OAIC) may be required under the reportable data breaches scheme.

If you have been targeted by a BEC scam, you can report it to the Australian Competition and Consumer Commission’s Scamwatch website or visit our webpage Reporting Scams to find out who to contact.