But the more we do online, the greater the opportunities for criminals to steal money, information or identities: in 2015, Australians lost $229 million to scams.
Protecting yourself online has never been more important, and AARNet’s Director, Security, Louise Schuster says awareness should be the first line of defence.
Knowing about which threats are out there – and then implementing a few simple practices – is the best way to avoid online scams, theft, phishing, bullying and more.
Here, we share some of the advice the AARNet Security team produced for Stay Smart Online week, a national event to raise awareness about the ways people can protect themselves online.
Scams and extortion
Scams are direct attempts to relieve you of your money. All scams follow a similar pattern: someone will issue you a payment via one method, and ask you to make a payment via a different one.
Often this will look good, and the buyer will tell you that you have the money as soon as you see the funds available in your account.
Once you have access to the funds, they will ask you to transfer an amount of money; this could be via a wire transfer service, in cash, via a gift card or prepaid credit card, bitcoin, or another anonymous transfer.
In the days or weeks that follow, they will reverse their original transaction, leaving you without the cash and possibly owing additional fees to your bank for overdraft or fraudulent activity.
What can you do?
The primary defence against scams and extortion is awareness. Please share this information with those close to you, especially if they are isolated or vulnerable.
If you believe that you or someone you know has been the victim of a scam, or to learn more about these and other types of scams, please visit SCAMwatch.
You can also report the crime via the Australian Cybercrime Online Reporting Network, ACORN.
Privacy and identity theft
Australia’s losses from identify theft are estimated to be in the range of $2.2 billion for 2014-2015, and 4-5% of Australians incurring an average $3k in direct out-of-pocket expenses as a result of identity theft.
Tax file and driver’s license numbers are currently preferred by criminals. These allow fraudulent tax file returns, or the opening of bank accounts and lines of credit in your name.
But with as little information as your name, date of birth, and postcode, an identity thief can convince many companies to reveal more information about you, or allow access to your account.
The simple act of posting “today I turned 40!” on Facebook or Twitter, combined with your name, can be enough.
What can you do?
As with all cyber crimes, your primary defence against identity theft is awareness.
Be aware of the information banks, service providers and government agencies ask for in order to authenticate you. Don’t distribute these details without knowing who will have access to them and why.
Think about how you handle your personal information. Shred documents with personal information, avoid emailing personal details, and check whether websites are secure (https and a lock displayed in the browser) before submitting any personal data.
Check how locked down your social media is. Settings can change, exposing your details. Have an anonymous account, or a friend of a friend, check to see what details leak beyond the scope of those you explicitly authorize to view your details.
If you’re affected
If you think you are a victim of identity theft, it is important that you act quickly to limit the fraudulent use of your identity:
- Report the incident to the ACORN.
- Immediately inform your local police station. Ask for a copy of the police report or reference number because banks, financial institutions and government agencies may ask for it.
- Report the loss or theft of identity credentials to the issuing organisation.
- Alert your bank or financial institution.
- Get a copy of your credit report: contact a credit reporting agency to check for unauthorised transactions.
- Close all unauthorised accounts: contact the credit providers and businesses with which any unauthorised accounts have been opened in your name
- Close any fraudulent or breached online accounts.
Phishing is a tool used by cybercriminals to look to steal personal information and trick people into entering personal or confidential information.
This commonly happens with legitimate-looking emails from a trusted source, such as an energy company or a bank. These usually contain false links that ask for personal information, and they can be used in identity theft, credit card fraud, or stolen banking information.
What can you do?
Common sense is the best method. Double check website name and links. When providing personal information to a website, make sure the site is secure (using ‘https’ and with a lock displayed in the browser).
If you receive an email requesting personal information, stop and ask yourself: who is asking? Why would they ask for this? Why would they need it?
If it seems phishy … don’t trust it!
Lesson learned from the recent Equifax data breach
145 million US citizens have been impacted by the credit agency Equifax data breach, revealed in September 2017. The personal information of up to 44 million British citizens and 8,000 Canadian Citizens may also have been impacted…
How do I know if my records were stolen?
Equifax set up a website to let users check whether their records were part of the data breach.
What can I do if my records were stolen?
You can contact Equifax to set up credit monitoring, which will alert you when new credit is opened or changed under your name.
A number of class action lawsuits have been filed. You may wish to investigate participating.
Be extra vigilant of emails you receive regarding changes or opening of accounts. If you receive such a notification, be wary of the possibility of opportunistic phishing, do not trust contact details within the email.
What can we learn from this?
- Flat networks with little to no segmentation allow attackers to pivot between systems.
- Data poorly encrypted in transit and unencrypted at rest made the retrieval by hackers trivial.
- No intrusion detection or honeypots meant that the security team was unaware that a hostile party was at play within their security boundary.
- Defence in depth with correctly monitored systems (at both the boundary and within each segment) would have delayed the attackers while the IT security teams investigated and responded to the alerts.
- Equifax systems were not designed with security in mind. Security was an afterthought.
- Out of 250 staff, only one member was responsible for security patching. It’s often said that security starts at the top, but a better maxim is that security is everyone’s job.
- How you respond and notify customers matters. It took Equifax over a month to report the breach, and their response portal contained other vulnerabilities.
Stay Smart Online alerts
The Australian Government’s Stay Smart Online service has a helpful free alert service that explains recent threats online and how they can be managed. Sign up to the service on the Stay Smart Online website.