Data breaches that involve criminals and include a person’s contact information can elevate a person’s risk of being targeted by scammers. Whilst the breached information may not have included high-value credentials, like driver licence information or account login details, if contact information has been breached we do ask that people pay closer attention to the communications they receive.
It’s really common for an organisation’s breach to start with a scam, and to end with a person or other organisation being scammed.
Scammers are actively targeting community members via the phone, text messaging, email and even social media messaging. If scams come through as emails (phishing) or SMS messaging and social media, we typically see criminals share links to websites designed to harvest more personal and financial information or distribute malware. The number of websites set up to support email and SMS scam activities each month globally is also skyrocketing. In the last quarter of 2020, more than 630,000 phishing websites were detected in operation globally to support such criminal endeavours.6
IDCARE supports thousands of scam victims every year. It’s common for them to feel worthless and very embarrassed about what’s happened. That’s the stigma. But we know that one of the key reasons scammers are successful is because their deception is plausible. Scammers knowing a little bit about a person, such as from information gleaned from data breaches, can make their deception very convincing! Just knowing someone’s name, a password, or even who they bank with and their account number, can be the difference between belief (and scam compliance) and disbelief (or scam avoidance).
Given the enormity of scam communications happening every day, it is almost impossible to know whether an email, a message or a phone call from a scammer is because of a data breach. Once a phone is active or an email account created, anyone is vulnerable to being contacted by a scammer. Enrolling in Government programs like “Do Not Call” does not work on criminals. They’re not genuine marketers who can be fined by Government. They are criminals who don’t care what the rules are.
IDCARE has had some people say the phone call they received “must have been because of the breach I was just notified about”. But the weight of numbers and the volume of criminal activity each day also suggests that it could quite genuinely be a coincidence. Unless a breach involved quite specific information that the scammer could only have gotten from the breach, you will be hard pressed to prove the connection. We do see some breaches involving email accounts that proliferate scam messages to contacts and other email addresses found on the breached email account. The connection between the breach and the scam is a lot more concrete in these examples!
People are contacted by scammers because the scammers need something from them. So if a data breach didn’t result in a criminal harvesting all the details they need, scamming will likely present as a continued risk, if not from the criminal responsible for the breach, then from others willing to give it a go.
We’ve also seen scammers now target breach notifications. In other words, the moment a breach hits the news and gets publicity, IDCARE too often sees scammers impersonating the breached organisation and contacting people to inform them about the breach, or impersonating a business or government body acting on behalf of the breached organisation (such as law enforcement).
If you have received notification your details were exposed in a data breach and you receive a phone call, text message or email, remember the following:
Let your bank know. Most scammers and cybercriminals are after money.
Think about what has been exposed to the scammer and work with the IDCARE team to build your own response. You can do this by calling IDCARE or booking a time with one of our Case Managers via our online Get Help Form.
2. https://www.privacy.org.nz/publications/corporate-reports/annual-report-of-the-privacy-commissioner-2000/ and https://www.oaic.gov.au/search/getSearchResults?Search=Breach+Report
3. Telstra’s Cleaner Pipes report advises the telco is blocking around 6.5 million suspected scam calls a month, and this doesn’t even include the other carriers or those across in New Zealand. https://exchange.telstra.com.au/five-ways-to-spot-a-scam-call/?dicbo=v1-ece6f3093f
4. Anti-Phishing Working Group Report 2021 https://docs.apwg.org/reports/apwg_trends_report_q4_2020.pdf
5. https://www.campaignmonitor.com/blog/email-marketing/2019/05/shocking-truth-about-how-many-emails-sent/
6. Anti-Phishing Working Group Report 2021
Identity Care Australia & New Zealand Ltd (IDCARE) provides identity and cyber security incident response services (the Services) in accordance with the following disclaimer of service:
IDCARE is Australia and New Zealand’s national identity and cyber incident community support service. We are a not-for-profit charity.
While every effort has been made to ensure the accuracy of the information in this alert, IDCARE disclaims any liability to any person in respect to any actions performed or not performed as a result of the contents of the Services or any accompanying data provided. Wider dissemination may be permitted by authority in writing from IDCARE’s Managing Director. If you would like to provide feedback please use our Feedback Form.
IDCARE as a registered charity does not ask individuals to donate or pay for our front line services. We are not a charity that can receive tax deductible donations.
If you are asked for payment from someone claiming to be from IDCARE, please report this to us using our Report Phishing email.