The Cyber Sushi

(serving up the cold facts, with some phish bytes)

Welcome back! Here's what we are covering in this issue:

The Year that was: A record year for financial losses to cybercrime
Going global: Regional and International Outreach and Small Business
The Emerging Scam trends to watch out for in 2025
The News and Views You Didn't Want to Miss
Ask Dr Lacey: "Can criminals in close proximity still skim my card and other personal information?"

The Year that was: A record year for financial losses to cybercrime

Welcome to this special end-of-year edition of the Cyber Sushi. And what a year it has been!

Unfortunately, not in a good way, especially when it comes to scams and cybercrime.

The year has seen unprecedented rise in reported financial losses to our case management service.

IDCARE addressed more than 91,000 cases and received 149,000 calls, helping individuals and businesses recover from significant financial harm. Reported personal losses to 1 December totalled in excess of $584 million across 16,500 cases, averaging $35,400 per case.

The top sources of compromise revealed notable patterns, with the most common being unknown to the client, followed by data breaches, online shopping scams, telephone phishing, and SMS phishing.

Cases attributed to "unknown sources" increased significantly, highlighting the growing challenge of pinpointing how personal information is being exploited.

Our client demographics showed 77% living in major cities, with 23% from regional or remote areas. While our clients spanned all age groups, the largest proportion (24%) were aged 35-44, closely followed by 25-34 (22%). Women made up 54% of those seeking help, compared to 46% of men.

"It's also important to remember that behind each statistic is a person—someone who never thought they would be scammed or impacted by cybercrime—until they were."

IDCARE's founder and group Chief Executive, Dr David Lacey, has shared a wrap for 2024 which highlights many of the key findings. You can watch it here.

Expanding Lasting Impact: Regional and International Outreach

GOING GLOBAL: IDCARE has been offering services in Australia and New Zealand for a decade. In 2024, we extended our reach across the Pacific.

IDCARE, in partnership with AusCert, secured a grant from the Australian Department of Foreign Affairs and Trade (DFAT) to focus on the needs of individuals and microbusinesses impacted by cybercrimes and online scams in Fiji and Papua New Guinea.

A team visited PNG and Fiji in August to meet with business and industry leaders to gain a better understanding of the cybercrime landscape and the protective measures that were in place.

In early 2025, we will be launching a free 10-month trial for individuals and small businesses, offering free cyber assessments and support services to enhance their resilience against cyber threats.

CREATING A LASTING IMPACT: In 2025, IDCARE will launch Cyber Resilience Outreach Clinics (CROC) Lasting Impact, expanding on its successful program to reach 15 vulnerable communities across Australia, including regional, remote, and metropolitan areas.

The program will focus on building local resilience against cybercrime and scams through collaboration with local champions and partners like ANZ, Westpac, Meta, and various local governments, libraries, and community networks.

INCREASING RESILIENCE FOR AUSTRALIAN SMALL BUSINESSES: IDCARE was proud to launch the Small Businesses Cyber Resilience Service in conjunction with the Australian Government in October. The goal of the Service is to provide small businesses with the free support they need to protect themselves from cybercrime. We have a team of Cyber Security Advisors who assist with requests for help from Australian businesses. If you own a small business (19 or fewer full-time employees) and are curious about your business's cyber maturity, learn how to book a Cyber Advisory session now and take the Health Check."

The Emerging Scam Trends to watch in 2025

Online shopping scams surged in 2024, making up 18% of all cases, often targeting under 25s via fake social media ads. These scams relied on trust tactics, like impersonation and driver license misuse, but only accounted for 2% of financial losses.

Investment scams caused the highest losses, totalling $259M, with an average victim loss of $93K. They affected all age groups, highlighting their sophistication rather than targeting specific demographics.

Sextortion scams also rose, driven by AI-enhanced tactics, with victims more concerned about reputational harm than financial loss. Meanwhile, fraudulent bank account creation surged in 2024 as cybercriminals continually adapted their methods to obtain myGov login credentials from unsuspecting community members.

Cybercriminals increasingly targeted myGov accounts, exploiting unsuspecting community members to gain login credentials. Once compromised, these accounts were used to redirect funds such as tax returns and Centrelink payments into fraudulent bank accounts, resulting in significant financial losses and widespread misuse.

Superannuation scams also increased. Cybercriminals exploited vulnerabilities in Commonwealth Government services to access victims’ superannuation accounts. Using credentials obtained via ATO-linked services or past data breaches, criminals established fraudulent superannuation accounts in victims’ names. They then transferred funds to self-managed superannuation funds or applied for early release through hardship claims. The lack of safeguards to detect and prevent these fraudulent transfers has enabled this form of fraud to grow.

Phone porting scams, where criminals hijack a victim's mobile number to gain control of accounts linked to it, doubled in frequency in 2024, with financial losses averaging $23,000 per affected individual. Scammers often leverage credentials from data breaches or phishing scams to exploit telco verification weaknesses, highlighting the need for industry-wide protective measures.

The News and Views You Didn't Want to Miss

Criminals use AI-Generated videos of doctors to peddle supplements: In a scary new twist, criminals are creating AI-generated videos of Australian doctors to peddle supplements and harmful health advice. See more.

Smishing scams impact people everywhere, including in Macao: One of Macao's oldest phone scams is targeting new victims. Read IDCARE's comments on the scam. See more.

Fake North Korean IT workers infiltrate Australian businesses: A Google exec has warned of the complex multi-year scheme to commit money laundering and identity theft. See more.

How do scams impact vulnerable communities? Have a listen to IDCARE's chat on the subject with Cyber Voices, the Official AISA podcast. Hear more

Have a Scam, Identity, or Cyber-Related Question? Ask Dr. David Lacey!

Having dealt with countless cases of scams, identity theft, and cybercrime, Dr. David Lacey is one of Australia’s most respected experts in the field. He is highly sought after by both government and industry for his unique insights into the online criminal environment. In this edition of The Cyber Sushi, Dr. Lacey is inviting you to submit your questions – and we (the Cyber Sushi team) will answer them. Send your questions to [email protected].

Our question today comes from David

Hi Dr. Lacey,

My wife saw an advert or article on TV recently where the subject was an ID blocker for credit cards and by extension passports.

I have looked on the internet, and the general answer I am coming up with, is that they are not worth it, as technology that is now embedded into our cards and passports is encrypted and the scammers cannot get all the information, particularly the three digit CVC number printed on the reverse side of the card.

However, there are some articles that suggest that these ID Blockers are still effective.

The internet has any number of stores selling all manner of cards, wallets, and other goods proclaiming that they will protect your cards and passports, etc.

Can you please advise me if scammers operating in close proximity, can still access our card and other personal information?

Kind Regards
David

Answer:

Dear David,

This is always the time of year where people are looking for useful Christmas gifts - and an RFID wallet (which supposedly protects your credit card and passport) from being accessed) have for a long time been Christmas favourites. They're not too expensive and they could be useful, right?

Before answering your specific question, it may be useful to gain an understanding what RFID is and how it is supposed to protect your valuable information. RFID stands for "Radio Frequency Identification". It is a technology that allows machines to read signals implanted in passports and credit cards and is essential for contactless payments. An RFID blocker contains material that interferes with electromagnetic fields, preventing criminals from skimming your card and passport when in close proximity

It sounds like a no-brainer then. However, the reality is slightly different. Even if a criminal can scan your code when close up, they don't have the valuable details (such as your CCV code) that enables transactions. Further, the criminal would have to be very close to have any chance of success - and this increases their likelihood of being caught. There are too many variables involved for technology like this to be effective.

Similarly, the data available in passports is heavily encrypted and the ability of a criminal to gain access to it, just by scanning your passport when rubbing shoulders with you is unlikely.

To be honest, at IDCARE we searched our data across hundreds of thousands of cases - and we found 13 where "skimming" was reported. And of that 13, only one was a small maybe that it actually was skimming. It is much easier for a criminal to get your details off the dark net, or to steal it off you from phishing emails, than to go the effort of trying to skim it off you in close proximity.

In summary, the short answer to your questions on whether scammers operating in close proximity CAN access your card and personal information is "yes", technically they can. But logistically they won't.

Best regards,
The Cyber Sushi team