10,000 myGov and linked accounts misused due to identity theft and scams!

The Cyber Sushi


(serving up the cold facts, with some phish bytes)

 

Welcome back! Here's what we are covering in this issue:

10,000 myGov and linked accounts misused due to identity theft and scams! 🫨

Here’s a staggering fact: In the last 12 months, more than 10,000 people have reported the misuse of their myGov and linked accounts (like the Australian Taxation Office) to IDCARE.

This is almost double the number of reports in 2023 and signals a global shift in the modus operandi of cyber criminals.

The 1,100 clients who disclosed the value of their fraudulent tax returns to IDCARE reported a combined $25.5 million in losses.

The person often only discovers the crime when they go to lodge their own tax return and find someone else has done it for them. In other cases, a person discovers the identity theft when their Centrelink payments are affected because the criminal had redirected the funds.

How is this happening? The cyber threat landscape has changed significantly in recent years, with increasingly sophisticated and well-organised criminal groups using data breaches and scams to commit fraud.

In most cases (70%) reported to IDCARE, the person whose identity is stolen doesn’t know why or how. They only know that a criminal was able to misuse their myGov account.

The vast amount of information available on the dark net from the multiple data breaches has given criminals a potential treasure trove of personal details which enable identity theft.
 
Phishing: IDCARE analysts have also detected a significant increase in ‘myGov’ phishing scams. In 2023, 50% of all phishing text scams reported to IDCARE featured Australia Post. In 2024, Australia Post was only represented in 16% of reports, whereas Commonwealth agencies were represented in 64% of reports.

What's being done about this? IDCARE has filed a comprehensive report to government agencies and related organisations to look at other ways to limit this stealing from the Commonwealth.

Our National Manager – Intelligence, Analysis & Assurance, Liz West, said the IDCARE report held compelling evidence that signaled a need for change.

Thankfully, a lot is already happening.

Services Australia, which administers myGov, has recognised the ongoing challenges of these increasingly sophisticated and numerous scams, identity theft and other cyber security threats. In 2023-24, the agency observed, analysed and responded to over 10,000 unique agency impersonation scams – 86% referenced myGov in some way.

Services Australia is working on a range of security enhancements to help protect people’s accounts from unauthorised access. For example, myGov was one of the first digital government services in the world to implement passkeys. Passkeys are simpler and more secure than passwords, which can be stolen through phishing scams and used to access your account.

Other security enhancements are being developed, including a security ‘dashboard’ in myGov that will prompt you to strengthen your sign in settings, and obscuring sensitive customer bank account details from being displayed in Services Australia's online accounts. Watch out for these features over the coming months!

But we all have a role to play. Here are steps you can take today:

1. Use a passkey and disable username and password: Passkeys are a more secure alternative to passwords. You also don’t have to worry about remembering them as they are linked to the security features on your phone, computer or tablet. Learn more here.

2. Link your Digital ID to myGov: A Digital ID is a secure way to prove who you are online and can be used to securely sign in to myGov. Using your myGovID (soon to be myID), with the highest identity strength where possible, is the most secure way to access ATO online services through myGov, making it harder for fraudsters to access your ATO account and helping to protect you against identity crime.

3. Install the myGov app: Use facial recognition or fingerprint to sign in quickly and securely, rather than your username and password. You can also set up myGov app push notifications, so you know your myGov message alerts are genuine.

4. Don’t click on links: myGov won't send you a text message or email with a link to access online services. If you receive an email or text from Services Australia or the ATO asking you to click on a link to access your account, it is a scam. Access your linked services by typing my.gov.au into your browser.

5. Make it a habit: Just like checking your bank account, you should check your myGov and online service accounts regularly. Make sure your contact details haven’t been changed and that there hasn’t been any fraudulent activity (check your myGov Inbox for letters, check account history and transactions, etc).

If you have been affected by a scam impersonating myGov, Centrelink, Medicare or Child Support, Services Australia can help you. Learn more here. It includes how to contact IDCARE's National Case Management Centre 🙂

 

Our Small Business Cyber Resilience Service is live!

IDCARE has been providing support for small businesses since its opening in 2014. Now the service has been given a significant boost, with the Federal Government announcing us as the successful provider for the new $11.2 million Small Business Cyber Resilience Service.

The Service provides free, tailored one-on-one assistance to help small businesses navigate their cyber challenges, bolster their cyber resilience, and help them to recover from a cyber attack.

The Minister for Small Business, Julie Collins MP, officially launched the new initiative at our headquarters on 22 October. 
 
“Cyber crimes can have devastating impacts for small businesses, with the average cost of a cyber incident around $46,000," she said.

“That’s why it’s a pleasure to launch the Albanese Labor Government’s new Small Business Cyber Resilience Service.

“Australia’s small businesses are now able to contact the service by calling 1800 595 170, or by submitting a request through the online form at www.idcare.org/smallbusiness when they are looking to protect themselves from a cyber incident or recovering from one."

Our Managing Director, Dr David Lacey, was grateful to the Federal Government for providing the Service a boost which will allow it to reach more of Australia’s 2.5 million small businesses.

We even had former clients travelling from across the country to join us at the launch and we had several media crews in attendance.

Take a look at some of the fab coverage here!

Minister for Small Business, Julie Collins With IDCARE client - Gabrielle Andrews from Murchison River Swags

Behind the Mask: A Guide to New and Trending Scams


The WhatsApp Crypto coach


IDCARE analysts have detected an increase in investment scams which start as an offer of a Cryptocurrency coaching session on WhatsApp. The person is directed to a very real looking fake website which shows their investment growing. In most cases, the problem is only detected when the person attempts to withdraw funds. 

OUR TIPS

Be very careful of messages on WhatsApp offering investment opportunities and do independent research before investing funds. Just because it looks real, doesn't mean that it is!


The "Anthony Albanese" and "Vergomarkets" investment scam

Our National Case Management Centre has received multiple reports of an investment scam which started on Facebook and appeared to be endorsed by the Australian Prime Minister, Anthony Albanese. Once the person registered their interest in the opportunity, they were contacted by a representative of "VergoMarkets" and directed to a fake website. Have a look at the example below. Over $1,190 million in financial losses has been reported to this scam type since May!

 

OUR TIPS

If you see an investment opportunity endorsed by ANY current Australian politician, IT'S A SCAM. Be wary of any celebrity-endorsed investment opportunities shared on Facebook. We've partnered with Meta on a new "Legit or Leg It" campaign to help educate people on how to spot these scams. Take a look here.

 

The "Telstra discount" telephone scam and VicRoads accounts


In the past month, our case managers have also detected an increase in criminals exploiting VicRoads accounts, primarily through Telstra impersonation scams. The criminal will call offering a "Telstra subscription discount" and, to get it, all the person has to do is quote the one-time security code sent to their mobile phone. These codes are then used to access the person's email and VicRoads accounts.

 

OUR TIPS

Never share a one-time code with a person over the phone, even if they are telling you they will be sending one. Most codes begin with "DO NOT SHARE THIS WITH ANYONE". There is a reason for this!

The News and Views You Didn't Want to Miss 


The risks of public Wi-Fi: Do you use public Wi-Fi? This article by an ethical hacker might make you think twice. See more.

Bank impersonation scams are on the rise. Have a read on how you can spot one and stay safe. See more

The "hacker celebrity hotlist": The 10 international celebrities most targeted by malicious deepfake scams and dangerous search results (in Australia, our results are different with Gina Rinehart being the most impersonated celebrity this year so far). See more

And now for some good news. Australia launches Cyber Resilience Service for Small Businesses: The Federal Government announced the launch of a new Small Business Cyber Resilience Service. See more

Have a Scam, Identity, or Cyber-Related Question? Ask Dr. David Lacey!

 
Having dealt with countless cases of scams, identity theft, and cybercrime, Dr. David Lacey is one of Australia’s most respected experts in the field. He is highly sought after by both government and industry for his unique insights into the online criminal environment. In this edition of Cyber Sushi, Dr. Lacey is inviting you to submit your questions – and we will answer them. Send your questions to [email protected].

Our question today comes from Sue

Dear Dr. Lacey,  

I was at a pub on the Sunshine Coast recently and people were talking about banking in apps. I don't trust apps and only bank on websites as I've heard people are hacked through apps. What do you think?

Regards.
Sue

Answer:

Dear Sue,

A pub on the Sunshine Coast - lucky you! It really is a beautiful part of the world, and we consider ourselves very lucky to have our headquarters based there. But I have to ask Sue, why are you nervous about banking in the app? Apps are fantastic, and often the safest way to do any kind of commerce, whether it is banking or shopping. However, they are only safe if you download them through the Google Play (for Android) or Apple store. Any other app that comes from a link in a text or an email, or through social media or on websites cannot be trusted.

Banking apps are generally safer than going through a website for a number of reasons. Firstly, they are generally protected by biometric-enabled login options for your phone and the app itself. These are a lot harder to hack than a username and password. Further, when you communicate with someone in the app, like your bank, you know you are communicating with someone within the organisation. The same can't be said if you receive a text message, email or phone call. These could be from anybody!

It's also important to remember to back up any apps you have regularly. Even better, set your device to automatic backups so it is done for you. This is to ensure that if any vulnerabilities are found in the app, and updates are made to fix them, you get the advantage of that upgrade. And sometimes you also get cool new features.

In short Sue, banking in the app is a great option. Get appy and give it a try.

Best regards,
Dr. Lacey

 

Contact IDCARE


As always our free service for individuals is available on:
AU: 1800 595 160 or NZ: 0800 121 068 (there is no call charge)

Join the global list of organisations making a real difference in people’s lives by supporting our service.

Copyright © 2025, IDCARE. All Rights Reserved.

ABN 84 164 038 966