IDCARE's learning centre is a key resource for visitors to learn how to prepare, prevent, detect and respond. This is where IDCARE prescribes and offers immediate treatment.
IDCARE has prepared Fact Sheets that you may find useful.
IDCARE has prepared "How to" YouTube videos that you may find useful.
Service providers are organisations that transact with your identity information. These organisations can be government or business, such as telecommunication providers, financial institutions, retail outlets, postal services, and document issuing organisations. Service providers can assist in understanding whether an error is actually identity misuse, how to protect your existing accounts, and if there has been misuse, what precise information about you was misused (for example the credentials used by the criminal). Put simply, they can be critical in understanding what has happened and how to protect and respond. Brace yourself; experiences can be highly variable.
Criminal exploitation of accounts and/or personal information can often present in ways that can look like a transaction or change of account details. It’s important to validate whether what’s experienced is actually a suspected crime or merely a mistake by the service provider. Here are some tips on engaging with service providers when trying to understand what is happening:
Note that not all service providers will give you an option to call. Technology companies are known for difficult customer engagement channels.
When requesting that a service provider assists in protecting you:
A credit reporting agency is a private company that collects data and maintains historical information on consumer and business credit records. Credit reporting agencies also provide consumers and credit providers with credit reports. A credit report is a point in time snapshot of what credit related transactions you have made where the provider of credit has checked your history. You are entitled to one free credit report every year. A credit history provides a ‘picture’ of how you use credit. If you have ever owned a credit card, taken out a loan, or applied for a mobile phone plan you will have a credit history. Your credit history may include information such as loan inquiries, current loans, defaults, bankruptcies, and details about whether you pay your bills on time. This ‘picture’ is used by credit providers when deciding whether or not to approve an application for credit.
A credit report is a means to assess whether someone has attempted to obtain credit in your name. A yearly credit report is also a way you may monitor your file to ensure no errors are on your report. Errors may look like enquiries organisations have made about your credit you can’t explain.
Note: If you request your credit report, your current contact details will then become available to any lenders, creditors or debt collectors who check your report.
Identity theft is a type of fraud that involves the compromise of identifying information that may or may not result in the misuse of such information by another person without authorisation. The theft of identifying information is also referred to as an “identity compromise”. The further usage of compromised information is also referred to as “identity misuse”. Identity theft can occur online or offline or a combination of both. Commonly targeted information includes driver licences, passports, and account details.
Every case is different, but here are some general tips on what to do:
The most prolific form of identity compromise currently impacting the Australian and New Zealand communities is telephone scams. Most scams originate from offshore. There are two common varieties -
Both the state and federal police exist in Australia and it can be difficult to determine which one is responsible for taking reports about the compromise of personal information. In most cases your local police station is the best place to start. If you believe your information may have been compromised or misused online, then the local police most likely will refer you to the Australian Cybercrime Online Reporting Network (ACORN). ACORN.gov.au is a national online police reporting tool where users can input key information about what they have experienced. From there, the report is distributed to the relevant law enforcement agency for review. The most important thing ACORN provides individuals is a report number.
An ACORN Number (for online events) and a Police Report Number (for offline events) are critical for someone who believes their personal information is at risk. These numbers are relied upon throughout the response system by service providers and credit reporting agencies to assist them in progressing your protection and response requirements. In relation to police progressing your matter this will depend on a number of factors, least of which is the prospect of an investigative outcome.
Most Australians and New Zealanders in their ordinary lives have had little to do with police. When you experience the compromise of your information and/or its misuse, you not only have to respond to the event but work out which organisations you need to engage, how, why and what to expect. In IDCARE’s experience every police agency across Australia and New Zealand is slightly different in how it does things. In Australia, state and territory police have primary responsibility for progressing individual reports of identity and cybercrime. Accessing police report numbers can at times be difficult in some States and the physical copy of a report is something that you may have to pay for. Transnational crime is also largely responsible for what occurs in Australia and New Zealand when it comes to identity and cybercrime. One person’s report can be a critical contribution in building this picture.
Like any matter reported to the Police, an identity and cybercrime report from an individual or business will need to be assessed and prioritised against other matters. For local police this may be an assessment against reports of assault, abuse and disturbing the peace. For someone who experiences identity and cyber-related crimes the most critical part of your engagement with police is the reporting process and evidencing that the report has been made. The risks to individuals in most cases are much larger and require many more actions that don’t rely on police involvement. To explore these IDCARE provides clients with Response Plans that are tailored to your needs and are developed in a way that meets your priorities and capabilities. A key step in the plans we develop will almost always be to report your matter to police, because evidencing such reporting is a critical step in the broader response journey most people will confront.
Image exploitation is when an individual’s image is used without their knowledge or consent and then used to exploit the individual. Images that can be exploited are diverse and cover instances where leverage can be gained by a perpetrator, including intimate photos, private emails and text messages, and credential information. Images may also be fraudulently used on fake credentials and web sites that sell products and seek to exploit others, including consumers. The impact of image exploitation on a person can be very significant and can be influenced by their willingness to communicate and confide in others, their sense of helplessness, the perceived impacts to them and others, and the seriousness others take in assisting with their response.
The process of detecting if an image has been exploited can at times be quite difficult. Reverse image search programs (e.g. tineye.com) can be used to search the web for duplications of an image. Other instances of image exploitation can be more direct, particularly if a perpetrator engages directly with an individual with a view to leveraging their situation for some form of ransom.
Here are a number of practical measures to consider in reducing the risk of image exploitation:
Phishing emails are emails that encourage a recipient to click on a link, download an attachment or perform some action on the pretext of being legitimate. Phishing emails can come from scammers who claim to be from someone or something you know.
Spoofing emails are emails that encourage a recipient to click on a link, download an attachment or perform some other action on the pretext of being legitimate, just like other phishing emails. The big difference is that the sender address shown is the genuine address.
How can Spoofing impact you?
How do you know if you have received a spoofed email?
We all have rights in relation to the protection of personal information. Privacy legislation in Australia and New Zealand requires regulated entities to protect your information that identifies you. It is important to understand these rights, particularly when they are threatened by identity compromise and misuse, including data breach events. The Privacy Commissioner websites in Australia and New Zealand are the best sources of information on these rights. This Fact Sheet introduces the basics and provides some tips if your identity information is compromised.
In most cases privacy legislation and related rules allow individuals to:
It is important to take steps to maintain the safety of your privacy:
Facebook is a free social networking website supporting over 1 billion individual users, groups and businesses worldwide. Users can send and receive written messages, share photos or videos, link posts to news or other content, stream videos and play games. Facebook also supports interactive, real time online chat. Facebook has the benefit of being more open and social than traditional communication tools, but usage does not come without its risks. By reviewing your Facebook security settings and being conscious of how you use Facebook you can mitigate risks to your account and personal information.
Facebook gives users the option to enable email or login notifications that alert users whenever their account is logged into. Facebook also allows users to check their security settings to ensure they are the only person logged into the account.
If you receive an unusual message from friends or family, do not respond or click on links provided; rather confirm its validity by reaching out to them via other communication methods. Request that friends and family do the same if they are feeling unsure about a message or request. A potential complication with some online accounts is that when established they may have relied on an existing Facebook account. This can lead to uncertainty as to what is compromised.
LinkedIn is a social networking tool for individuals interested in developing their professional network and finding new opportunities to grow their careers. LinkedIn operates similarly to other social media platforms. You invite “connections” and converse via private messages. However, instead of sharing photos you display your professional experience and achievements on your profile. While LinkedIn facilitates great opportunities to connect it may also be used as a tool to facilitate social engineering by online criminals.
Emails and related contact details are accessible on LinkedIn. This may be influenced by the level of access afforded to users – for example, premium service recipients are able to send messages direct to a certain number of prospective connections. Here are a few instances of abuse reported to IDCARE from users of LinkedIn:
Instagram is a social networking app made for sharing photos and videos from a smartphone. Similar to Facebook or Twitter, everyone who creates an Instagram account has a profile and a news feed. When you post a photo or video on Instagram, it will be displayed on your profile. Other users who follow you will see your posts in their own feed. Due to the increased popularity of Instagram. Instagram is a great networking tool, but can be exploited to access private photos, geo-locate, delete photos, edit comments and post new photos.
Twitter is a virtual and public forum used by individuals, groups and businesses. This social media platform is designed for users to be able to share and discuss opinions and events referred to as ‘tweets’. Tweets are short and succinct, allowing for informal collaboration and quick information sharing. Twitter Profiles are often public, allowing the world to see this information with few restrictions. It’s important to understand how to use Twitter safely, what to look for if things go wrong, and how to respond in these cases.
Ransomware is a form of malware (a virus) that encrypts files, or denies the user the ability to access their device, or both. There are many forms of ransomware, but they all lead to a demand for payment of a ransom for access to be allowed. Attacks typically come in the form of phishing emails, downloading free software, and remote access scams (someone being provided access to another person’s device and installing ransomware whilst in control). Once the ransomware has been executed, such as by clicking on links or attachments, the criminals have largely automated their whole process. Pop-ups or other screen messaging will alert the user to “a virus” or “encryption” or “computer being locked”. A contact point will be provided, typically with a short timeframe to respond to the ransom demand.
There are two ways to detect ransomware: (1) prior to executing the malware and (2) after executing the malware. The best way of detecting it before it’s executed is through anti-virus. Make sure you run anti-virus on all devices frequently. The other way is when it’s been executed and a demand is made.
There are hundreds of ransomware types, but unfortunately most cannot be decrypted. Ransomware encrypts and the criminals using it have the tools to decrypt. Before you think about paying, you may want to try the following:
Debt collectors work to collect debts on behalf of business and government. Debt collectors include organisations that are collecting debt on behalf of organisations to which money is owed, or organisations that have “bought” the debt from another organisation and will retain all money collected. Irrespective of the type of debt collector, you have protections under consumer law and privacy codes. For individuals experiencing identity theft, debt collection notices may be the first sign that an identity has been misused to obtain credit.
Generally speaking, under Australian and New Zealand law, debt collectors cannot:
This applies to yourself, your spouse, your family, or others who may be connected to you. If a debt collector mistreats you, you can make a formal complaint to the relevant authority (in Australia the ACCC, and in New Zealand Consumer Protection).
If the debt is legal and reasonable, a debt collector should only contact you when it is necessary to do so. Reasons may include:
Visits to your home will only ever happen if there is no other way the debt collector can contact you, or if you ask or agree to a home visit. If poor conduct occurs that results in assaults or threats of violence, then the collector should be reported immediately.
Seven steps are really key when you suspect a debt collection is a sign that your identity has been misused by someone to obtain credit in your name without repayment:
Ransomware is software designed to infiltrate and remotely lock your device or network until you pay a fee. Small businesses can be particularly susceptible to ransomware attacks. Small businesses are rightly focused on building and sustaining their operations. They typically don’t have dedicated information technology and security staff, and a large number are family operations that can blur boundaries between “business” and “personal” technologies and online accounts. Business pressures, resource constraints and blurring of information environments can all heighten the risk of ransomware attacks for small businesses.
Ransomware will generally present itself clearly, in that your device will be unusable and there will be a message demanding payment.
It is best to detect ransomware before an attack by using an up-to-date anti-virus program.
Ransomware may occur via phishing emails, online “pop-ups”, or even covertly through older versions of operating systems that have not been updated. Phishing emails and pop-ups look to inspire action by clicking on links, attachments or making phone calls. Always think before you act and ask someone if you or your staff are not sure.
You can minimise your susceptibility to ransomware attacks by:
A patch is a piece of software designed to update a computer program or its supporting data to enhance performance and/or address vulnerabilities. Fixing security vulnerabilities, commonly called bug fixes, is a key outcome for most patches.
By not applying a patch you might be leaving the door open for a malware attack, including ransomware. Malware exploits flaws in a system in order to do its work. Unpatched defects in software may allow malicious websites, etc. to infect or compromise your computer with no action on your part.
These vulnerabilities and weaknesses make your network susceptible to hackers and scammers looking to take advantage of them.
Cryptocurrencies such as Bitcoin or Ethereum are digital currencies in which ‘coins’ are exchanged for goods and services via the internet. Cryptocurrencies maintain legitimate benefits as an alternative to traditional currencies such as no banking fees, instantaneous transfer of funds, and privacy of your personal data. However, a lack of oversight from regulators and the increasingly preferred use of crypto or virtual currencies by criminals has meant that cryptocurrencies have become synonymous with cybercrime. Just like many other payment systems and platforms, cryptocurrencies are not immune from scams.
Online shopping has made the shopping experience more efficient and more accessible. Unfortunately, some websites are not as genuine as others. You may find you have been charged for a product you never receive, or that the vendor is asking you for identity documents in exchange for receiving your purchase. This fact sheet will provide some tips on how to safely shop online, and steps you can take if something goes wrong.
If you suspect your identity has been compromised, or if you have sent money to a scammer, there are steps you can take to limit damages:
Employment Scams are designed to recruit unsuspecting individuals to launder money for criminal organisations. These scams are typified by job advertisements posted online, or emails sent to random addresses, promising quick commissions in return for receiving and transferring money or goods elsewhere. These criminals often use online chat rooms, social networking sites, hoax websites and fake profiles to furnish the scam to convince the recruit. New recruits are usually found using resumes published by hopeful job-seekers to job websites. The recruitment process is usually quick, with little to no training required. Most ‘jobs’ offered are work-from-home situations and relatively easy, but promise high-return commissions. Often it is not until the victim is alerted by their bank or money transfer service that they will leave the scam. This scam will also typically gain access to victims’ passports, driver licence and tax information under the ruse that they are applying for a legitimate job.
Detecting an Employment Scam: If you believe you may be involved in an employment scam, keep track of the following warning signs:
1) The contact is offering you a guaranteed income or job
2) They claim that you can make a lot of money for little effort using your personal computer
3) The message is not addressed to you personally
4) They ask you to provide your personal credentials before you know all the job details
5) The job entails facilitating transactions or reimbursements
6) Referees are not checked
7) You never have visual contact with the person asking you to work for them
8) They are an overseas company wanting to transfer money through Australia.
If you believe you have been a victim of an employment scam, there are a few steps you can take to limit the damage:
iPhones are commonly viewed as being more secure than Android devices when it comes to hacking and viruses. When it comes to cyber security, it’s quite risky to say “never”. The operating system that Apple products use is called iOS. One indicator that iPhones, just like Androids, are vulnerable to exploitation is the ongoing advancements and updating of its iOS. This Fact Sheet gives users of iPhones some basic tips on how to improve your device security.
Cyberbullying and cyberstalking are the exploitation of the online environment to harass, intimidate or threaten someone. Whilst there is some debate as to the nuances in definition between bullying and stalking online, common characteristics include false accusations, monitoring, threats, and online defamation. All forms are unacceptable and this fact sheet provides some tips on how to protect, detect and respond for individuals concerned about cyberbullying and cyberstalking.