MyCRA Specialist Credit Repair Lawyers

Tag: phishing scams

  • Facebook finally asks users to report phishing scams

    Most people have (or know someone who has) come across some type of scam via Facebook. They’re those dodgy posts that you shouldn’t click on that get sent from your friends’ accounts without them knowing; or those strange emails in your inbox; odd friend requests; or on rare occasions complete hacking of your account. Most savvy Facebook users take it as a given that this is going to occur and that no one can do a thing to stop it. They just count themselves lucky that they are not one of the users that fall for them. Well now Facebook has finally taken the bull by the horns and decided to get active in stamping out phishing scams. FB has set up an email address to report these attempts. We look at what this means for Facebook users, the potential identity theft risks from falling for a phishing scam which could endanger your credit file and how to spot one before you get caught out.

    By Graham Doessel, Founder and CEO of MyCRA Credit Rating Repairs and www.fixmybadcredit.com.au.

    Facebook’s security page requests that if its users spot phishing scams they should report them to Facebook and its eCrime team. The intention is to help hold scammers accountable and prevent identity theft and account hacking. Here’s an excerpt from their Security page:

    New Protections for Phishing.

    by Facebook Security on Thursday, August 9, 2012 at 7:31am •

    Today, Facebook is proud to announce the launch of phish@fb.com, an email address available to the public to report phishing attempts against Facebook. Phishing is any attempt to acquire personal information, such as username, password, or financial information via impersonation or spoofing.

    By providing Facebook with reports, we can investigate and request for browser blacklisting and site takedowns where appropriate. We will then work with our eCrime team to ensure we hold bad actors accountable. Additionally, in some cases, we’ll be able to identify victims, and secure their accounts.

    You might ask yourself how to spot suspected phishing emails. Our partners at the Anti-Phishing Working Group have put together some helpful tips to avoid being deceived by these messages:

    1. Be suspicious of any email with urgent requests for login or financial information, and remember, unless the email is digitally signed, you can’t be sure it wasn’t forged or ‘spoofed’.

    2. Don’t use the links in an email, instant message, or chat to get to any web page if you suspect the message might not be authentic or you don’t trust the sender; instead, navigate to the website directly.

    This new reporting channel will complement internal systems we have in place to detect phishing sites attempting to steal Facebook user login information. The internal systems notify our team, so we can gather information on the attack, take the phishing sites offline, and notify users. Affected users will be prompted to change their password and provided education to better protect themselves in the future.

    While rare, we hope that you forward us any phishing attempts you encounter. Together we can help keep these sites off the web and hold the bad guys responsible. As a reminder, you can visit www.facebook.com/hacked if you think your account may be compromised.

    You can find out more about phishing in our Help Center. You can also forward phishing emails to any of the following: APWG (reportphishing@antiphishing.org), the FTC (spam@uce.gov), and the Internet Crime Complaint Center (www.ic3.gov).

    This is great news for FB users, as it may be just the impetus needed to both deter and attack these predators.

    Technology magazine ZDNet’s Eileen Brown is likewise pleased with this new response, but at the same time, questions the appropriateness of where Facebook has decided to report this information:

    The challenge is that Facebook has hidden this information in its Security notes. This is not an area where the average user is likely to visit. Facebook should place an alert at the top of the home page drawing users’ attention to the importance of being vigilant and careful.

    Hiding this page away does not show the duty of care that Facebook should show to its users — especially if it wants to avoid the potential consequences of a password or account breach.

    It is only a matter of time before someone tries it… She says in the article Facebook creates new email address to fight phishing.

    Phishing scams should be a topic that every online user is familiar with, but as we reported recently in our post Identity theft risks high for pre-retirees, some sections of the community can be more vulnerable to phishing scams, and they aren’t necessarily screaming out “identity theft” – they can be well thought out scams that look like legitimate requests for information etc.

    On Facebook, both young and old can be at risk of phishing scams. One prevalent scam reported by the ACCC’s Scamwatch recently is the Facebook password scam email.

    “…the scam email enters inboxes looking as though it is an auto-generated email from the Facebook Team. It announces to subscribers that as a security measure their password has been changed and that this needs to be confirmed. Attached to the scam email are two documents with file names beginning with ‘facebook_password’  that are supposed to include the new password.

    SCAMwatch warns you not to open these attachments. If you do, you will activate a very nasty Trojan or malicious software called the Bredolab Trojan and your computer will be taken over for use by the scammers at their will.”

    If via these scams, criminals are able to gain access to information like names, dates of birth and addresses then identity theft may occur. Fraudsters can build a profile with enough information to request duplicate identity documents – enabling them to have access to their victim’s good name through their credit rating meaning they could take out loans, credit cards, even mortgage properties in their victim’s name.

    Fraudsters are never so kind as to pay the credit back, meaning the identity theft victim is hit twice – financially ruined and then locked out of credit and with no ability to borrow for 5 to 7 years.

    How to spot a phishing scam

    Scamwatch has a great article on their website titled Phishing scams on social networking sites—don’t be tricked into giving your information away! Here’s what they suggest to look out for:

    Protect yourself

    Never send your online account details through an email and think carefully before you give away any personal or financial information.

    Never enter your personal information on a website if you are not certain it is genuine. Don’t click on the link provided in an email or call the phone number provided; instead, find the business’s contact details through a general internet search.

    Keep your computer updated with the latest anti-virus and anti-spyware software, and use a good firewall.

    When using social networking websites:

    • Check the privacy settings and think about who you really want to have access to your personal information.
    • Be careful about what personal information you put on the internet, because scammers can use these details to guess your passwords or to commit fraud.
    • Check how much information about you is available on the internet—type your name into a search engine and see how many hits you get.
    • Don’t be lulled into a false sense of security—online ‘friends’ may not be who they say they are.
    • If you receive an email that appears to be from a family member or friend, look at the way the email is written and ask yourself whether the email sounds like it was written by that person.
    • If you receive an unexpected request for money from what appears to be a friend, try to contact that friend or their family or friends to verify the request. Do not use any of the contact details in the message.

    Great advice to take on board for any FB user – but if you or someone you know has fallen victim to one of these phishing scams – there are three things you may need to do immediately (among others):

    1. Change your passwords on your computer, bank, Facebook or any other relevant sites via a different computer. If you can’t because you have been ‘locked out’ of your accounts, you may need to contact your Creditors and Police immediately.

    2. Report the scam to the ACCC, and if you think you may be vulnerable to identity theft, it may be better to give them a call on ACCC Infocentre 1300 795 995 and they can direct you for further advice and possibly advise you to contact Police.

    3. Check your credit report. This is often the first way you might spot identity theft which has led to credit being taken out in your name. It is free to check every year from Australia’s credit reporting agencies and it will be peace of mind if it turns up clear. If there is anything on there you are not sure of, investigate and contact Police. If you confirm you have been a victim of identity theft, you can contact MyCRA Credit Rating Repairs to help with removing any bad credit which is darkening your name.

    Image 1: Pixomar/ www.FreeDigitalPhotos.net

    Image 2: Ambro/ www.FreeDigitalPhotos.net

  • Identity theft risks for Australian online banking customers: what you need to know

    Commbank’s customers have been warned about phishing scams which could threaten the financial safety of its customers, but this scam applies across the board to all merchants, and all customers should take care not to fall for the vicious emails designed to steal your money and your good credit rating.

    By Graham Doessel, Founder and CEO of MyCRA Credit Rating Repairs and www.fixmybadcredit.com.au.

    In June, for Cyber Security Awareness Week 2012, we explored the prevalence of phishing scams in Australia – particularly around merchants – banks, credit cards and even Paypal.

    In the posts Experts say getting hooked by Australian Paypal or Amex phishing scams could result in identity theft and following on with Company Obligations on Phishing Scams we looked at both the ramifications of falling for phishing scams in terms of bad credit from identity theft on your credit file and the possible obligations of companies to inform their customers when the company name is being used to promote a phishing scam.

    Commonwealth Bank is the latest company to warn customers about these phishing scams which are hooking many people with their clever requests and look-alike websites.

    The emails are to do with account verification.

    The phishing email asks the customer to verify their details due to a high instance of fraudulent activity. Once they click on the link, they are diverted to the fake bank website, where they enter their personal details and banking information into the so-called “customer” database. At that point, people who take the bait are in reality leaving themselves at very high risk of not only bank fraud, but identity theft through revealing their personal information.

    Commbank recently released a statement on its blog warning its customers about the prevalence of such scams in its post Alert: Identity theft targeting Australian consumers:

    The Commonwealth Bank of Australia is currently investigating a new identity theft scam which is targeting customers of financial institutions, including Australian banks. The scam aims to steal personally identifiable information such as your Internet Banking username and password, passport, driver’s licence, Medicare and birth certificate details.

    The scam manipulates consumers to believe they are using their bank’s normal Internet Banking website, when they are actually using a fake website controlled by the scammers.

    The fake website prompts the consumer to login with their username and password, upon which they are presented with a screen similar to below.

    The message states: “Due to recent frudulant [sic] use of NetBank services we require an Electronic ID Check to verify your identity. This is a one-off process.”

    If you see this message, we recommend you:

    i) DO NOT enter your personal details;
    ii) Contact your financial institution immediately. NetBank customers should phone 13 22 21;
    iii) Install and run a trusted anti-virus program on your computer;
    iv) Importantly, you may need to reset or reconfigure your Internet modem or router. We recommend contacting your Internet Service Provider to verify your modem or router has the correct DNS settings.
    v) In your web browser, enter the full address of your Internet Banking website beginning with https:// (for example, https://www.netbank.commbank.com.au). Entering the ‘s’ in https:// makes it easier to tell whether or not you are interacting with the legitimate Internet Banking website. If you receive security warnings, or no response, it may be an indication you are affected by the scam.

    Commbank reports that these quite legitimate looking emails have not only been asking for account information, but even more alarmingly – identifiable personal information such as a copy of the customer’s birth certificate, copy of passport and copy of driver’s licence.

    This kind of information in the wrong hands is going to land someone in a whole lot of hot water with unpaid debts, and in turn threaten the clearness of their credit file. Not to mention the risk involved in just clicking on any attachment – opening the customer up for Trojan viruses and other cyber-nasties.

    If the fraudster is able to construct a fake identity from the personal information they have gained, it means they have access to their victim’s good name through their credit rating.

    The fraudster can potentially run up credit all over town in the victim’s name. If the crime is fairly sophisticated, most victims don’t know about it until they have a string of defaults weighing heavy against their name, and the obligation then to prove it was not them that instigated the credit in the first place.

    And so ensues a pretty stressful, difficult time for the victim. With this type of fraud they have not only lost money from their accounts, but are staring down the barrel of credit refusal for 5 years with a string of defaults they’re not responsible for. It’s not always easy to prove your innocence – sometimes people don’t know how identity theft has occurred and often the crooks are working from overseas syndicates and are difficult to trace.

    So here’s what the screen might look like – avoid it and avoid identity theft and its evil twin, bad credit.

    But if you have clicked on a link like this – I would recommend thinking about changing your passwords anyway before using any merchant from that computer again – just in case you’ve downloaded malware with your attachment.

    If you think you are the victim of identity theft, you should immediately contact Police. Also, if you want to fix your bad credit after identity theft, talk to our Credit Repair Advisors at MyCRA Credit Rating Repairs about your situation and they can help you make the right moves to restore your good name. Call 1300 667 218.

    Image identity theft: chanpipat/ www.FreeDigitalPhotos.net

    Image screen shot phishing scam: courtesy Commbank blog site: http://blog.commbank.com.au/your-bank/alert-identity-theft-targeting-australian-consumers/

  • Company obligations on phishing scams

    What is the obligation or responsibility of companies to educate consumers on phishing scams? Yesterday, we blogged about the prevalence of phishing scams. Phishing scams are designed to extract personal details and financial data either directly from the user or by way of a computer virus. We look further into this issue and look at what companies are doing to educate their customers, and whether they should be obliged to do so and go further in preventing financial loss, identity theft and a damaged credit rating. This post was written for National Cyber Security Awareness Week 2012, of which MyCRA is a partner.

    By Graham Doessel, Founder and CEO of MyCRA Credit Rating Repairs and www.fixmybadcredit.com.au.

    After the blog post went up yesterday, a staff member read it and told me he had received such a phishing email just the day before. It was meant to be from one of the major banks, of which he is a customer. The email requested his bank account name, account number and PIN number to verify his online banking – as according to the email, the bank was having security issues.

    Working at MyCRA and dealing with these issues for our clients, my staff member, Luke was pretty hip to the scam. But we got to talking about how many people could potentially fall victim to this kind of email. After all, Luke did actually have an account with the bank, and the email looked quite legitimate.

    Luke called the bank in question and explained the email he had received.

    “Yeah of course that is a dodgy email,” the bank’s worker says, sounding a little surprised that someone would call to verify this.

    The customer service operator’s standard advice was that the bank would never request personal details via email. He said they have the details, but if they did need them, they would be requested during the general banking process, rather than emailing the customer.

    This is a good general rule to remember for most company emails. They will never ask for your details – they already have them.

    But what about the attitude that people need to just assume these days that they will have a phishing scam tried on them? That is dangerous ground for companies.

    I bet if you ask most older Australians if they know about phishing, they will say, “yep – but I don’t get to throw the rod in much these days.” Many people – and not just older Australians are left vulnerable to scams when using internet banking and all the other myriad of things that need to be done online in today’s society.

    When I looked at the bank’s website, there’s a pretty extensive section on banking security, as well as lots of information on scams. This is great stuff. But what could be even better, is some direct warnings to their customers about the prevalence of specific scams when they involve the company, and what to do should they come across them. This would go a long way to preventing their customers from falling for phishing scams in the first place.

    The Computerworld article I featured yesterday PayPal, Amex phishing: What you need to know also talked a bit about company obligations. Here is an excerpt from that story:

    IDC Australia senior market analyst, Vern Hue, said that companies needed to be extra vigilant with security as the emails could prove to be an opportunity for cyber-criminals to deceive people into believing that emails and other communications came from a legitimate source…

    He recommended that organisations put in place formal business communication policies and guidelines around acceptable use of social media and financial services.

    “The onus is also on the organisation to better secure its perimeters by putting in place network and content management protection technology, such as the next generation intrusion prevention systems [IPS], which offer a better capability in detecting threats from social media.”

    PayPal, American Express lessons

    Credit card and financial institutions need to secure their weakest link–the human–according to Hue. Organisations should also begin to educate their users on the importance of being vigilant on the internet and educate them on the potential damages one could potentially face if they should fall victim to such attacks.

    “Financial institutions need to spearhead the move to inform their users on the need of proper patching and upgrades in order to keep them safe from these attacks and to also educate them that if ever in doubt, users should call and notify the financial institution to verify the origin and authenticity of the communication,” Hue said.

    A blog post late last year by Dynamic Business writer Hamish Anderson titled Financial institutions, social responsibility & phishing scams pleads with big business whose identities are borrowed for the purposes of scams to take an active approach to educating consumers. Here is an excerpt:

    “Big organizations all decry their credential about social responsibility, or environmental sustainability, or corporate ethics, but how many of these social stances encompass combating phishing or alerting the public?

    As the saying goes, forewarned is to be forearmed. With the large purses that these companies have, surely there is a strong argument for these companies to inform people when they know there is a scam focusing on them as a brand. I recognize that many of these brands Tweet about scams as they become apparent, but it often appears that accounts from the Government (such as @SCAMWatch) are more aggressive, are dedicated to scams and more responsive.

    There thus exists a gap for business to be more socially responsible and to help the public not fall prey to the various scams which exist,” Mr Anderson writes.

    Hear, hear! With the former Attorney-General’s statistics of a staggering 1 in 6 Australians falling victim, or knowing someone who is a victim of identity theft – this ‘social responsibility’ towards informing customers of potential scams to befall their computers in the company’s name seems to be well overdue.

    The implications for identity theft and the difficulty a victim may face to not only recover their financial losses, but to remove bad credit history after full-blown identity theft does warrant a very active approach to stamp out the constant attempts fraudsters make to steal money and identities.

    Let’s promote cyber security awareness amongst all sections of the community, and stamp out phishing scams. If no one fell for these scams, they wouldn’t exist.

    Above image: noomhh/ www.FreeDigitalPhotos.net


  • Experts say getting hooked by Australian Paypal or Amex phishing scams could result in identity theft

    Security experts warn of the potential severity of falling for phishing scams, claiming the data pilfered from these scams can not only result in financial loss, but in stolen personal information. This loss of financial data and or personal information can lead to identity theft and ultimately a whole heap of bad credit history for the victim. We have featured this topic in aid of National Cyber Security Awareness Week 2012.

    By Graham Doessel, Founder and CEO of MyCRA Credit Rating Repairs and www.fixmybadcredit.com.au.

    Tech publication Computerworld warned readers this week of the growing threat of very clever phishing scams currently out there, threatening the personal information of PayPal Australia and American Express Australia customers. The four-month email phishing campaign has been targeting those customers with legitimate looking emails and one click could leave them vulnerable to identity theft. The article, PayPal, Amex phishing: What you need to know reveals some advice from top security experts on what this could mean for consumers. But before we delve into what the experts say, let’s clarify how phishing scams work.

    The ins and outs of phishing scams

    Phishing scams are generally emails or text messages which impersonate genuine companies in the hope of tricking victims into giving out their personal and financial information. They can appear to come from banks, big companies and in the most recent cases, PayPal and Amex.

    The aim of phishing is to steal information like bank and credit account numbers, passwords, and other crucial personal data.

    The ACCC’s Scamwatch website warns that phishing emails are not easily distinguishable from genuine corporate communication:

    “Phishing emails often look genuine and use what look to be genuine internet addresses—in fact, they often copy an institution’s logo and message format, which is very easy to do. It is also common for phishing messages to contain links to websites that are convincing fakes of real companies’ home pages.

    The website that the scammer’s email links to will have an address (URL) that is similar to but not the same as a real bank’s or financial institution’s site. For example, if the genuine site is at ‘www.realbank.com.au’, the scammer may use an address like ‘www.realbank.com.au.log107.biz’ or ‘www.phoneybank.com/realbank.com.au/login’.”
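    The address check Scamwatch describes can be made mechanical. The following is an added example, not part of the original post or of Scamwatch's material: it compares a link's hostname with the genuine one from the right-hand end and labels the two look-alike patterns quoted above. `GENUINE_HOST`, `registered_name` and `classify_link` are names assumed for this sketch, and stripping a leading `www.` stands in for a proper public-suffix lookup.

```python
import re
from urllib.parse import urlsplit

# Assumption for this example: the genuine site's hostname, taken from the
# Scamwatch illustration quoted above (a placeholder, not a real bank).
GENUINE_HOST = "www.realbank.com.au"

# A URL "has a scheme" only if it STARTS with one, e.g. "https://".
_SCHEME_RE = re.compile(r"^[A-Za-z][A-Za-z0-9+.-]*://")


def registered_name(host: str) -> str:
    """Drop a leading 'www.' so the bare domain and its www form compare equal."""
    host = host.lower().rstrip(".")
    return host[4:] if host.startswith("www.") else host


def classify_link(url: str, genuine_host: str = GENUINE_HOST) -> str:
    """Return 'genuine', 'lookalike-host', 'lookalike-path' or 'unrelated'."""
    # Links are often written without a scheme; prefix '//' so that
    # urlsplit treats the first component as the host, not as a path.
    if not _SCHEME_RE.match(url):
        url = "//" + url
    parts = urlsplit(url)
    host = (parts.hostname or "").rstrip(".").lower()
    brand = registered_name(genuine_host)

    # Genuine: the host IS the brand's domain or a subdomain of it.
    # The match is anchored at the right-hand end and on a dot boundary,
    # because the rightmost labels decide who controls the site.
    if host == brand or host.endswith("." + brand):
        return "genuine"

    # The genuine name appears in the hostname, but the hostname does not
    # end with it: the site belongs to whoever owns the rightmost labels.
    if brand in host:
        return "lookalike-host"

    # The genuine name appears only after the hostname (path or query),
    # which anyone can write on their own site.
    if brand in (parts.path + "?" + parts.query).lower():
        return "lookalike-path"

    return "unrelated"


if __name__ == "__main__":
    # Constructed sample links: the first is the genuine address, the next
    # two are the look-alike forms quoted from Scamwatch above.
    samples = [
        "https://www.realbank.com.au/login",
        "www.realbank.com.au.log107.biz",
        "www.phoneybank.com/realbank.com.au/login",
    ]
    for link in samples:
        print(f"{classify_link(link):15} {link}")
```
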

    What happens if people fall for a phishing scam?

    In the Computerworld article, Doctor Jon Oliver, Trend Micro Australia global threat researcher, warns that phishing scams were designed to infect computers through virus-containing links in the emails.

    “If a user gets infected then they may suffer direct economic loss because the malicious payload of these phishing-like schemes is to infect the user with financial Trojans and information stealers,”…

    Aside from potentially gaining access to credit card details, Oliver said the BlackHole exploit kit spam runs were infecting users with malware, leaving the users and companies open to ongoing damage until the systems were cleaned or re-imaged…

    “The types of damage can include stolen usernames / passwords, fake anti-virus attacks or data theft,” Mr Oliver said.

    The article also features warnings from IDC Australia senior market analyst, Vern Hue. He said that companies needed to be extra vigilant with security as the emails could prove to be an opportunity for cyber-criminals to deceive people into believing that emails and other communications came from a legitimate source.

    “However, once they click on a link, users will then be transported into a link that is hosted by malicious actors for the purpose of either stealing information, installing malware or duping users to part with their money,” Hue said.

    “We need to be cognisant of the fact that cyber-criminals are crafting very authentic looking email communications.”

    He recommended that organisations put in place formal business communication policies and guidelines around acceptable use of social media and financial services.

    So aside from potentially having credit card details stolen, these scams can invade all the personal data on a person’s computer. What would such a virus find on most computers? Probably a whole lot of personal and financial information – enough for a clever and determined cybercrook to go about stealing the victim’s identity. A fake identity means fraudsters have access to their victim’s good name through their credit rating, and it means the victim has a whole host of difficulties in recovering their ability to obtain credit.

    Vigilance against phishing scams

    The Scamwatch website provides these tips for steering clear of phishing scams:

    • NEVER send money or give credit card or online account details to anyone you do not know and trust.
    • Do not give out your personal, credit card or online account details over the phone unless you made the call and know that the phone number came from a trusted source.
    • Do not open suspicious or unsolicited emails (spam)—ignore them. You can report spam to Australian Communications and Media Authority. If you do not wish to report the message, delete it.
    • Do not click on any links in a spam email or open any files attached to them.
    • Never call a telephone number that you see in a spam email or SMS.
    • If you want to access an internet account website, use a bookmarked link or type the address in yourself—NEVER follow a link in an email.
    • Check the website address carefully. Scammers often set up fake websites with very similar addresses.
    • Never enter your personal, credit card or online account information on a website if you are not certain it is genuine.
    • Never send your personal, credit card or online account details through an email.

    For help with recovering a damaged credit rating following identity theft, contact MyCRA Credit Rating Repairs directly on 1300 667 218 or visit the main website www.mycra.com.au.

    Image above: David Castillo Dominici/ www.FreeDigitalPhotos.net