So, your personal details have been exposed in a data breach, and you're not sure what it all means? Or perhaps you consider yourself pretty tech savvy, but you're worried about your parents.
ACCC deputy chair Delia Rickard, AFP Superintendent Brad Marden, veteran cybersecurity journalist Jeremy Kirk, and triple j Hack reporter James Purtill stopped by with their top tips.
Catch up on the full Q&A below!
Live updates
By Bridget Judd
Have you been targeted by a scam? Tell us your story
Australians have lost millions of dollars to scams this year.
Have you recently been targeted by or fallen victim to one?
We want to hear your story — follow the link below to our secure form.
By Bridget Judd
There are steps you can take right now to ensure you don't fall victim to scammers
This is where we'll have to leave things for this afternoon, but thanks for following along and for all of your wonderful questions.
And of course, a massive thank you to ACCC deputy chair Delia Rickard, AFP Superintendent Brad Marden, veteran cybersecurity journalist Jeremy Kirk, and triple j Hack reporter James Purtill for their insights.
We couldn't get to every single submission, but we hope you gained some tips and tricks that will help you better identify scams and keep your personal data secure.
There are also some steps that you can take right now to ensure you don't fall victim.
- You can check out the top types of scams in Australia
- Find out how to get help if you think your information has been compromised
- Report a scam to the ACCC
Before you go, why not put all that newfound knowledge to the test with our quiz — are you smarter than a scammer?
By Bridget Judd
There is some legal recourse for lost or exposed data, but it is 'mostly unsatisfying'
Is there any legal recourse you can take for lost or exposed data?
Thanks for your question, here's Jeremy Kirk:
Jeremy: There are, but they’re mostly unsatisfying. Those affected by data breaches can join class-action lawsuits. Those kinds of lawsuits usually end up in settlements that are reached several years later.
For example, credit bureau Equifax had a large breach affecting mostly US consumers that was discovered in 2017, but the settlement only became final this year. It included reimbursement for fraud, losses and fees associated with ID theft. But of course those costs for many people may have been borne upfront years earlier.
By Bridget Judd
The ACCC is constantly trawling through the data about scammers
How does the ACCC identify new and changing scams? Do you rely on people reporting them or do you proactively look for them?
Thanks for your question, here's Delia Rickard:
Delia: It is based on people coming forward and this is why the ACCC asks people who have been exposed to a scam — even if they didn't lose any money — to let us know via scamwatch.gov.au.
Because we trawl through that data every day and whenever we see a new scam emerging, we're trying to get warnings out to people and look at what we can do. That may help stop the scam.
By Bridget Judd
How to protect yourself in the wake of the Optus leak
If you were compromised, you could get a new driver’s licence, passport or Medicare number and free credit monitoring. But those measures could take days or weeks to kick in.
Here's what to look out for while you're waiting.
By Bridget Judd
Have there been many cases of data breaches being used for coercive control?
Hi - A question for Brad please - Have you seen many cases of data breaches being used for coercive control?
- Claire
Thanks for your question Claire, I've put this one to Brad Marden for you:
Brad: I have not seen any cases where general data breaches involving large numbers of exposed personal details have been used for coercive control. Most people who access that type of data are doing it for financial gain. However, if someone is in a situation where they are at risk they should take particular care to follow any advice given to them in terms of remediating the data loss and if at risk, contact their local police.
By Bridget Judd
Is PayID a safe way to accept payment for items?
Is PayID a safe way to accept payment for items sold through Gumtree or Marketplace?
- Stacey L
Thanks for your question, Stacey. Here's Jeremy Kirk:
Jeremy: It is. But if you are a buyer, just remember that PayID transactions are instantaneous and a transaction could be tricky to reverse if the payment goes to the wrong PayID.
By Bridget Judd
If a scammer has enough information about you, they can open accounts in your name
What type of harm does identity theft cause?
Good question — we've put it to Delia Rickard.
Delia: It causes enormous harm and can be incredibly difficult to unravel. When a scammer, a criminal, has enough information about you they can open accounts in your name — bank accounts, credit accounts, running up debts in your name, telco and energy accounts, etc.
They might also be able to get enough information to be able to then try to access important accounts, be it myGov, your Apple ID, your bank account etc.
So it's incredibly important to safeguard your personal information, I don't think most people realise just quite how important it is.
By Bridget Judd
Australians are losing billions in scams — and there are calls for banks to pay them back
Bill Hall lost $26,000 in an invoice scam after an email from his builder was intercepted and resent with new payment information.
The fraudulent invoice looked exactly the same as one sent by Mr Hall's builder a couple of months earlier, except for the bank account number.
After transferring $26,345 to the Citibank account listed on the new invoice, Mr Hall thought his builder had been paid.
It took about three weeks for his financial institution Bendigo Bank and Citibank to tell him they thought he'd been scammed.
"I was shocked, I thought 'how can this happen?'," Mr Hall said.
Do you have a story you want to share? Hit the big blue button at the top of the page, or use our secure form.
By Bridget Judd
Scammers are sneaky — in fact, even the cybersecurity reporter was targeted
What’s the number one rule you live by when it comes to keeping your info safe?
Jeremy Kirk has jumped in to tackle this one:
Jeremy: We have to give up our data all of the time to interact in a modern economy. We don’t have a lot of choice or oversight when we give our data to companies and organizations. We’re taking them at their word when they say they’re secure. But we have no way to verify that.
I monitor my credit reports, as successful frauds may surface that way, such as the time someone ordered three iPhones and two Samsung phones in my name. The sad reality is that most people have been caught up in a data breach at one time or another.
I’d recommend signing up with Have I Been Pwned, a service designed by Australian data breach expert Troy Hunt that lets you know if your email address has turned up in a data breach. It sends an alert out when your email address has appeared in a new data leak. That way, you are at least aware of how frequently your data has been compromised.
Also, it’s important to be vigilant and ignore any text messages or emails asking for personal data, login credentials, etc. or try to get you to click on a dodgy link. If you have any doubt about the veracity of a communication, contact the service provider on a verified phone number and clarify if there is, for example, truly a problem with your account.
By Bridget Judd
Companies will often collect more data than they actually need
Some businesses request date of birth but it is not clear why they need it. Sometimes they just want to know how old you are. Actual date of birth is not necessary. Should I refuse to provide my date of birth if the business cannot explain how it will be used?
- Elizabeth Evans
Thanks for your question, Elizabeth, we've put it to Jeremy Kirk:
Jeremy: You can surely try. Companies will often collect more data than they actually need, which is of course risky if it is compromised. Asking questions about data collection practices may help companies more fully realise the level of concern people have about their personal data. Generally, data governance experts recommend that organisations collect no more data than is needed to provide a service and then delete it when it is no longer needed.
By Bridget Judd
A single digital ID service sounds nice, but it would also be an irresistible target for hackers
Is there any valid requirement for Telcos to store so much data? Considering that the government already have the MyGovID, surely Telcos could be granted limited read-only access to the database and have access to only first, last name, town of residence? Additionally wouldn't it be possible for the government to produce security keys (similar to Yubikey) for those without mobile phones or skills to use apps etc?
- Steve
Thanks for your question, Steve. Here's James Purtill:
James: This is exactly the idea recently proposed by government. After the Optus hack, the federal government said it was considering whether to develop a single digital identification service that business could use, instead of each company separately storing millions of people’s data.
And it said MyGovID would be the “natural home”, as it has millions of users already.
So yes, it could happen relatively soon, although federal governments have a patchy record with big tech projects (COVIDSafe) and centralising data storage like this would introduce further problems.
Having all the data in one place would be an irresistible target for hackers. And if the nation’s store of MyGovID numbers were somehow compromised, everyone would need to get a new one.
By Bridget Judd
Mystery purchases and dodgy texts — these are some of your scam stories
Australians have lost millions of dollars to scams this year. Have you recently been targeted by or fallen victim to one?
We'll return to our Q&A shortly, but first, we want to hear from you.
Merrowyn: I'd like an easier way to report scams. We lost 1,000 American dollars once on a Visa card that my husband had. I found the 2 transactions, when going through the statement. The bank had no idea. We'd NEVER shopped at Walmart. Visa itself was brilliant!!! Cancelled the card straight away. Also whoever keeps saying that cash is dead, I wish they would stop. And as for cryptocurrencies. Good grief 😔. It's just all glorified gambling. If it looks too good a deal, it's probably pretty ordinary. It's been very interesting. Thanks all you experts, and especially for the quiz. I got 8/10 so reasonably aware of personal scam problems. Thank heaven.
Jenny: Just got a text from Telstra with a link saying they need to verify billing details. It felt dodgy so rang Telstra who confirmed it wasn’t them.
Anne: Recently I tried to purchase shoes online. I was jet lagged and awake in the wee hours. Probably not my sharpest. I found the shoes I liked on a social media site. I then googled the brand and then the Australian version of that website presented itself. I always ‘feel’ safer buying from an Aussie site. Maybe I’m not the only one, maybe the scammers know that about me! It’s over a month ago now. I received a pair of sunglasses from the ‘shop’ which I didn’t order (in replacement of the shoe order?). We alerted our bank. Then realised I had made another purchase for a different pair of shoes from the same scammer. There was also an amount of money that wasn’t related to any purchase. All in all about $600. The investigation is continuing. Was I the perfect sitting duck: jetlagged, Aussie stockist preferred? Not paying attention! They’re clever!
By Bridget Judd
What is the risk if a deceased person's data is hacked?
What is the risk if a deceased person’s data is hacked?
- Julie
Thanks for your question, Julie. We've put it to Jeremy Kirk and Brad Marden:
Jeremy: On the bright side that person doesn’t have to worry about footing the bill for fraud. Joking aside, the use of the personal information for deceased people is nothing new.
But it is a risk to banks or other service providers, which might unwittingly not detect the ruse and grant credit to a fraudster who is impersonating someone else, dead or alive.
Brad: All data breaches can have direct and indirect consequences. Criminals can potentially use the data to establish bank accounts or other instruments, such as Australian Business Numbers or registering company names, in the name of the deceased person.
By Bridget Judd
It's not just the Optus data breach that scammers are capitalising on
They're also taking advantage of supply shortages within the agriculture industry, leading to a loss of more than $1.2 million for farmers, according to the ACCC.
Almost 300 reports of fraudulent sales of tractors and other farm machinery have been made to the ACCC's Scamwatch between January and August this year — a 21 per cent increase in reports made for the same period in 2021.
By Bridget Judd
Until companies invest in cyber security, we'll continue to see lapses
Is protecting yourself likely to get easier or harder in the future?
Good question. We've put this one to Jeremy Kirk:
Jeremy: I think what’s most frustrating for people about data breaches is the realisation that once you give away your data, it’s gone. And you have to do that in order to use services. And then there’s the sick feeling when your name, address, phone number and other data suddenly just turns up on the Dark Web, as happened with Optus.
I think until the regulatory landscape matches what consumers expect – that companies will invest in appropriate cyber security controls and adopt best practices that protect personal data or else there will be big fines – we will continue to see lapses.
By Bridget Judd
Being scammed can be traumatic — especially when romance is involved
When you hear from people who have been scammed, are there any commonalities?
Thanks for your question, we've put it to Delia Rickard.
Delia: Many people are quite traumatised by being scammed, particularly romance scam victims, they are most traumatised of all.
The emotions range from anger, to despair, but it also inevitably involves a loss of trust in the online world.
By Bridget Judd
Jeremy spoke to the purported Optus hacker. This is what he learned
What did you learn about the purported Optus “hacker” from having spoken to them? Does it give you any insights into who some of these people are and why they do it?
Good question! Here's Jeremy Kirk:
Jeremy: I chat with malicious hackers fairly frequently. I approach it like any other interview, with full disclosure of who I am and asking neutral questions such as, “How did you break in their systems?” The Optus hacker told me how they obtained the data (the unauthenticated API), which confirmed what a second, separate source had told me and also what an Optus executive anonymously told the ABC.
Soon afterwards, however, the person withdrew the ransom demand and stopped logging into the forum under that nickname. The goal for that person was to make money via extortion, but when the Optus situation became just a huge news story, I reckon the person thought it might be best to try to quietly slip away.
We’ll see how the police go in the next few weeks and if they can track the person down. The motivations for attacks can include money, notoriety or political aims.
By Bridget Judd
Scammers are capitalising on the Optus breach to try and get your personal details
How do I protect myself without spending hours of time, money and mental load?
Good question! Here's Delia Rickard:
Delia: First of all, you need to be constantly aware that scams are out there. You should have strong antivirus software on all your devices and strong passwords. I know people hate that, but that is important.
Remember that you can never really know who you're dealing with online — by which I mean social media, SMS, phone calls, emails. So you do need to be on guard and remember that scammers will almost always pretend to be a trusted entity, a government agency, a bank or major retailer, or they will be tapping in on current events.
So we're seeing scams and scammers at the moment call and have an excuse that they're calling because of the Optus breach. It's essential not to give people personal information, or banking details or money, or remote access to your computer — and never click on any links in texts or emails.
If you think something's real, then don't use the contact information in the communication. Do a Google search, contact the company, go to their website, and tell them about the call and that communication and say 'Is this real or not?' And you'll nearly always find it is going to be a scam.
By Bridget Judd
If you've been scammed before, you're definitely not alone
Recently I tried to purchase shoes online. I was jet lagged and awake in the wee hours. Probably not my sharpest. I found the shoes I liked on a social media site. I then googled the brand and then the Australian version of that website presented itself. I always ‘feel’ safer buying from an Aussie site. Maybe I’m not the only one, maybe the scammers know that about me! It’s over a month ago now. I received a pair of sunglasses from the ‘shop’ which I didn’t order (in replacement of the shoe order?). We alerted our bank. Then realised I had made another purchase for a different pair of shoes from the same scammer. There was also an amount of money that wasn’t related to any purchase. All in all about $600. The investigation is continuing. Was I the perfect sitting duck: jetlagged, Aussie stockist preferred? Not paying attention! They’re clever!
- Anne
Thanks for writing in, Anne! Here's James Purtill:
James: That’s very clever! Sounds like a classic online shopping scam.
If it’s any consolation, you’re definitely not alone in getting scammed this way.
I just looked up the latest figures on Scamwatch: There have been more than 11,000 reported online shopping scams this year, totalling close to $6 million in losses.
Scamwatch (which is run by the ACCC) has some tips for how to protect yourself:
- Check the refunds or returns policies
- Try to find out if it’s an Australian company (not just an Australian website), as you have a better chance of getting your money back
- When making the online payment, look for “https” in the URL - and a closed padlock symbol
James: I’d add — Google the site and find if others have had issues. Also, if you think you’ve been scammed, call your bank right away and they may be able to stop the transaction.