The Cyber Sushi

(serving up the cold facts, with some phish bytes)

Welcome back! Here's what we are covering in this issue:

Hijacked Connections: The reality of Phone Porting and SIM swap scams
CyberPsychology and CyberSecurity? The global conference coming to Sydney
This Valentine's Day, let's talk about sextortion
The News and Views You Don't Want to Miss
Ask Dr Lacey: "How can criminals make payments with my credit card when they didn't have my CVC number?"

Hijacked Connections: The Reality of Phone Porting and SIM swap scams

Imagine this: You’re relaxing at home when suddenly your phone drops to “SOS only.” Frustrating, right? But soon you realise the terrifying truth: You’ve fallen victim to a phone porting scam. A criminal now has access to your number and can intercept those two-factor authentication (2FA) codes, potentially infiltrating sensitive accounts like your bank or social media. And worst of all, you can’t even call anyone to report the problem.

These attacks typically happen in one of two ways:

Unauthorised Mobile Porting: Porting is a legitimate service allowing customers to transfer their mobile number between providers. In an unauthorised port, a criminal contacts a new provider, sets up an account, and requests to bring your number over from your current provider.

SIM Swapping: The criminal contacts your existing provider and requests a new SIM card activation using your number.

The Growing Threat

Phone porting and SIM swapping are on the rise. IDCARE has seen a 240% increase in cases of clients seeking assistance for phone porting and SIM swap fraud in 2024 compared to 2023. Alarmingly, 90% of these events occurred without the victim’s engagement.

While some clients noticed unusual activity—such as receiving unexpected “sorry to see you go” texts from their telco or multiple one-time passcodes (OTPs)—most were blindsided. The first indication that something was wrong was when their phone switched to “SOS-only” mode, leaving them unable to make or receive calls or texts.

Protecting Yourself From Phone Porting Scams

While these scams are sophisticated, there are steps you can take to reduce your risk:

Choose App-Based Two-Factor Authentication: Use app-based 2FA, like Google Authenticator or Authy, instead of SMS-based 2FA for critical accounts.
Monitor Account Activity: Keep an eye out for unusual account changes or notifications, and act quickly if something feels off.
Act Immediately if Your Phone Switches to SOS Mode: If your phone unexpectedly loses service, contact your provider immediately to check if your number has been ported without your consent.

CyberPsychology and CyberSecurity - the world conference

For the first time in its 28-year history, CyPsy28 – the premier international conference focused on advancing digital solutions in security, health, and society – will be held in Australia and IDCARE is proud to host this landmark event!

In collaboration with the Interactive Media Institute, Virtual Reality Media Centre and the Cyberpsychology Research Group at The University of Sydney, this conference offers a unique opportunity for researchers, clinicians, policymakers, government officials, and NGOs to connect, share knowledge, and discuss the latest advancements in Cyberpsychology and Cybersecurity.

The primary goal of CyPsy28 is to foster collaboration and facilitate the growth of multidisciplinary communities focused on developing evidence-based technological and human-centric solutions that will positively impact health and society. With a broad focus, the conference welcomes participants from any discipline dedicated to improving digital solutions for security, health, and the betterment of a rapidly evolving global society.

We are also thrilled to announce our first keynote speaker - Professor Monica Whitty, Head of the Department of Software Systems and Cybersecurity, Faculty of Information Technology at Monash University. Prof Whitty is the world’s leading expert on human factors in cybersecurity and has been called in as an expert witness in high-profile international cases involving romance scam victims.

There are also exciting opportunities for you to get involved! If you’re an academic, consider submitting an abstract to share your research and insights. You can view the call for abstracts here.

If your organisation is looking to be at the forefront of this transformative dialogue in cybersecurity, mental health, and human-tech interaction, find out how to become an industry partner here.

For more details on the conference, its convenors and what's happening, visit www.cypsy28.com.

This Valentines Day, Let's talk about Sextortion

Valentine’s Day, the most romantic day of the year, is fast approaching. While it’s a great time to celebrate love and connection, we also want to take a moment to address a serious issue: sextortion.

Over the past six months of 2024, cases of sextortion reported to IDCARE have surged by an alarming 64%, compared to the previous six months. What’s more troubling is the evolving tactics criminals are using—especially the rise of deepfake technology. This allows scammers to manipulate innocent photos and turn them into explicit images, making the victim feel violated and vulnerable. The impact can be especially devastating.

That’s why it’s so important to talk about sextortion. The more we understand it, the less power it has. In many cases, threats to share explicit content are just that—threats, with no follow-through. Criminals often move on because it’s more costly to continue pursuing a victim than to simply target someone else. However, if the victim complies and transfers money, they are likely to be targeted again and again.

Here are a few tips worth sharing with your family and friends:

1. Educate Yourself and Others

Stay informed about the latest online scams and the tactics criminals use and share this knowledge.
Encourage younger individuals in your life to be cautious and understand the risks of sharing intimate content, even with someone they trust online.

2. Review Privacy Settings

Regularly review the privacy settings on your social media and messaging platforms. Ensure only people you trust can view your posts and personal information.

3. Be Mindful of New Friendships

Be skeptical of online relationships, especially if someone quickly requests intimate images or videos. If someone is pressuring you for personal content, that’s a red flag.

And have a Happy Valentines Day! With💖 from us.

The News and Views You Don't Want to Miss

Scammers are creating Fake News Videos to Blackmail victims: Cybercriminals are taking extortion measures up a notch, with the creation of realistic looking "news" videos. See more.

The Brad Pitt Romance Scam: The story of Anne, a French woman in her 50s, was broadcast on French TV highlighting how she lost over a million dollars in a romance scam thinking Brad Pitt was in love with her. See more.

Singapore police look to restrict scam victims from accessing bank accounts: The controversial new bill was introduced by Singapore's Ministry of Home Affairs. See more.

What's happening at CyPsy 28? Have a listen to Dr. Andrew Campbell, the University of Sydney's head of the Cyberpsychology Research Group (and co-convenor at the conference) in discussion with cyberpsychologist Carolyn Freeman. Hear more

Have a Scam, Identity, or Cyber-Related Question? Ask Dr. David Lacey!

Having dealt with countless cases of scams, identity theft, and cybercrime, Dr. David Lacey is one of Australia’s most respected experts in the field. He is highly sought after by both government and industry for his unique insights into the online criminal environment. In this edition of The Cyber Sushi, Dr. Lacey is inviting you to submit your questions – and we (the Cyber Sushi team) will answer them. Send your questions to [email protected].

Our question today comes from Elaine

Hi Dr. Lacey,

I have recently had a fraudulent overseas transaction ($896 for an insinkerator from an American company) charged to my Mastercard and my bank questioned it when they tried the same transaction again. I hadn't used the card for months. It has all been investigated and refunded and I was told that they use a bot to randomly find a credit card number that will work. My question is, how does this happen when they wouldn't have the CVC number or expiry date? I thought all payments made by credit card had to have those details to proceed.

Kind regards

Elaine

Answer:

Dear Elaine,

Great question! Typically, for online transactions, you need the card number, CVC, and expiry date. In your case, the fraudster may have obtained your card number through a data breach but didn’t have the full details. They might have used bots to randomly guess or brute-force the CVC and expiry date. Sometimes, if you’ve used digital wallets, the card details might be tokenized or stored in a way that doesn't reveal the full information, allowing fraudsters to test transactions. It's lucky your bank caught it and refunded you!

Best regards,
The Cyber Sushi team