Data breaches and scam risks – what you need to know

Scams cause breaches and breaches cause scams. They are two sides of the same coin.
Blocking calls and Do Not Call Registers only keep honest people out. Not scammers and criminals.
It costs a criminal nothing to make their phone number, text message or email address look like anyone or any organisation they want to.
Scams ARE a daily reality in Australia and New Zealand. IDCARE has responded to almost 100,000 engagements in 2024 from Australians and New Zealanders concerned about their cyber security.
Scammers don’t discriminate – IDCARE clients come from all age groups and community demographics.
Prevention and awareness are our best defence.

Don’t Let an Organisation’s Breach Become Your Scam!

Data breaches that involve criminals and include a person’s contact information can elevate a person’s risk of being targeted by scammers. Whilst the breached information may not have included high-value credentials, like driver licence information or account login details, if contact information has been breached we do ask that people pay closer attention to the communications they receive.

It’s really common for an organisation’s breach to start with a scam, and to end with a person or other organisation being scammed.

How Easy Can It Happen?

Scammers are actively targeting community members via the phone, text messaging, email and even social media messaging. If scams come through as emails (phishing) or SMS messaging and social media, we typically see criminals share links to websites designed to harvest more personal and financial information or distribute malware. The number of websites set up to support email and SMS scam activities each month globally is also skyrocketing. In the last quarter of 2024, more than 989,000 phishing websites were detected in operation globally to support such criminal endeavours.1

IDCARE supports thousands of scam victims every year. It’s common for them to feel very embarrassed about what’s happened and worthless. That’s the stigma. But we know that one of the key reasons scammers are successful is because their deception is plausible. Scammers knowing a little bit about a person, such as from information gleaned from data breaches, can make their deception very convincing! Just knowing someone’s name, a password, or even who they bank with and their account number, can be the difference between belief (and scam compliance) and disbelief (or scam avoidance).

‍

How Do I Know if a Scam Attempt is because of a Breach?

Given the enormity of scam communications happening every day, it is almost impossible to know whether an email, a message or a phone call from a scammer is because of a data breach. Once a phone is active or an email account is created, anyone is vulnerable to being contacted by a scammer. Enrolling in Government programs like “Do Not Call” does not work on criminals. They’re not genuine marketers who can be fined by the Government. They are criminals who don’t care what the rules are.

IDCARE has had some people say that a scam phone call or message they received must be because of the data breach they were notified about. But the weight of numbers and the volume of criminal activity each day also suggests that it could quite genuinely be a coincidence. Unless a breach involved quite specific information that the scammer could only have gotten from the breach, you will be hard pressed to prove the connection. We do see some breaches involving email accounts that proliferate scam messages to contacts and other email addresses found on the breached email account. The connection between the breach and the scam is a lot more concrete in these examples!

‍

So, what can you do to be Scam resilient?

People are contacted by scammers because the scammers need something from them. So if a data breach didn’t result in a criminal harvesting all the details they need, scamming will likely present as a continued risk. If not by the criminal responsible for the breach, then others willing to give it a go.

We’ve also seen scammers now target breach notifications. In other words, the moment a breach hits the news and gets publicity, too often now IDCARE sees scammers looking to impersonate the breached organisation by engaging people to inform them about the breach or impersonating business or government acting on behalf of the breached organisation (such as law enforcement).

If you have received notification that your details were exposed in a data breach and you receive a phone call, text message or email, remember the following:

Never feel pressured to respond to a communication: Scammers love pressure and getting people to act “now”. If this is happening in a conversation, it’s likely to be a scam. End the call or delete the email!
Never give a person remote access to your computer if they say they are calling to “check your security” in relation to a data breach incident. Scammers love remote access and there is very, very rarely a legitimate need to give a person control of your device.
Don’t fall for the “I’ll call you from your local police station” spoofing scam. Phone spoofing – where a scammer disguises the number they are calling or texting from by changing their caller ID – is common. The telephone number can even appear to be that of the listed number of your local police station. If a person tells you this will happen, end the call. It’s a scam.
Use the power of all that data for your purpose. Do your own investigating about a caller, an email or message and see what the Internet has to say. There is no shortage of people who are experiencing the same thing. The only reason why scammers succeed is because you don’t know what the scam is – so do your own research.
If it’s the breached organisation ask them to confirm specific details about the notification received or event if in doubt. Breached organisations will typically engage a person in a manner they normally would engage when conducting their business. But it’s never a problem to be a little more curious about the legitimacy of those reaching out to you.

‍

What to do if you think you have responded to a scam?

Let your bank know. Most scammers and cybercriminals are after money.

Think about what has been exposed to the scammer and work with the IDCARE team to build your own response. You can do this by calling IDCARE or booking a time with one of our Case Managers via our online Get Help Form.

‍

1. https://docs.apwg.org/reports/apwg_trends_report_q4_2024.pdf

For additional support or information, contact IDCARE by submitting a Get Help Form or call 1800 595 160 (Aus) or 0800 121 068 (NZ).

Disclaimer

Identity Care Australia & New Zealand Ltd (IDCARE) provides identity and cyber security incident response services (the Services) in accordance with the following disclaimer of service:

IDCARE is Australia and New Zealand’s national identity and cyber incident community support service. IDCARE is a not-for-profit and registered Australian charity.
The Services provided do not constitute legal advice. IDCARE recommends that you consult your own legal counsel in relation to your legal rights and obligations, including but not limited to your legal rights or obligations under Australian and international privacy and data protection laws.
While every effort has been made to ensure the accuracy of the content provided, to the maximum extent permitted by law all conditions, terms, representations, and warranties (in each case, whether express or implied) in connection with the provision of the Services which might otherwise be binding upon IDCARE are excluded.
IDCARE’S liability for any loss or damage suffered by any person or organisation (including, without limitation, any direct, indirect or consequential loss or damage) arising out of or in connection with the Services (including without limited liability for any negligent act or omission, or statement, representation or misrepresentation of any officers, employees, agents, contractors or consultants of IDCARE) shall be limited to the fees paid by you to IDCARE in respect of the Services. For the avoidance of doubt, this limitation of liability extends to any liability arising from any actions performed or not performed as a result of any recommendations made in the course of providing the Services.
If you would like to provide feedback please use our Feedback Form.