News_

COVID, lockdowns, tax time: scammers pose triple threat

23 September 2021
Current conditions the perfect 'breeding ground' for scams
The pandemic, ongoing lockdowns and tax return time are leading to a perfect scam storm, says Dr Suranga Seneviratne from the School of Computer Science.

Dr Seneviratne.

Dr Suranga Seneviratne is a computer scientist and cybersecurity expert from the Faculty of Engineering who warns that conditions caused by the pandemic are leaving Australians vulnerable to a scam surge. He provides timely advice for on how to spot scams and avoid becoming a target.

“The COVID-19 pandemic has hit Australia again. Many of us were caught off guard and we have all had to quickly react and adjust. Changed work conditions – or lack thereof, home-schooling, social isolation and information overload are making many of us,even the tech savvy, vulnerable to scams,” said Dr Suranga Seneviratne.

“Scammers target vulnerability and thrive on disorder – current conditions are the perfect breeding ground for this type of nefarious activity.

“Now, more than ever, we should be on high alert for possible cyber-crime and scam activities targeting us.”

Lessons from lockdown 1.0

“Last year we witnessed several pandemic-specific scamming activities. The early days of the pandemic saw attempts to distribute malware using apps and websites disguised as providing COVID-19 information,” said Dr Seneviratne.

“There were also phone, SMS, and email campaigns around the world where the attackers targeted mobile users with convincing stories, such as pandemic relief packages, test results, information about travel restrictions, and early access to vaccination. During the same time, regular scam activities – such as romance scams and fake advertisements – also increased locally as well as globally.

“For example, according to the Australian Competition and Consumer Commission (ACCC)’s latest report [link?], losses from scam activities sky-rocketed in 2020 – increasing by a staggering 23 percent compared to 2019. The US Federal Trade Commission reported similar trends in the US.”

What’s happening this time around?

Fig 1. A message claiming to be from DHL which contains a link to a fake website. Clicking this link could infect your device with malware, spyware or a virus.

“While it remains to be seen whether scam activities have increased during the current outbreak, there’s evidence that attackers are “seizing the moment” with crafty stories designed to exploit people’s heightened vulnerability,” said Dr Seneviratne.

“Just last month, Australian mobile users were targeted by the ‘Flubot' scam. Targeted users received a seemingly innocuous SMS with a link to a supposed voice mail message. Once the link was clicked, users were asked to install a voicemail app, which was in fact malware. Some thought this message was related to their COVID test results.

“During the pandemic, people have been getting calls from unknown numbers for all sorts of reasons, and not all of them have been nefarious. This increased communication, coupled with many people being more preoccupied than usual, has caused many otherwise cautious people to absent-mindedly click malware links or answer calls from scammers.

“Business emails have also been compromised by scammers. Some businesses or individuals may be behind their payments due to the pandemic or dealing with challenging remote working conditions. Attackers have been pretending to be suppliers, trying to scam money from businesses.”

“Fake postage or logistic texts and emails, claiming to be DHL, Australia Post and Toll have been rife too, with scammers capitalising on the increase in orders and trade by post.”

“Now that we are in a new financial year, increasingly, scammers are posing as the Australian Taxation Office and are requesting large sums of money. There have also been instances where people have received voicemails telling them they have a warrant out for their arrest because of tax evasion.”

6 top tips for avoiding cyber scams

Fig 2. An email claiming to be Australia Post. Note the actual email address is “AustralianPost@azedf.z-mcit.org.uk”. Be sure to watch out for small details like this.

There are several easy, everyday actions we can all take that can protect us against cybercrime, such as: regularly updating our software; using antivirus solutions; creating secure passwords and; enabling multi-factor authentication.

There are also several scenarios in which you should proceed with caution:

  1. If you receive an unsolicited message with a link, don’t click it. Many text messages appear to be legitimate, but on closer inspection are not (see fig.2).
  2. If you receive a text alerting you to a voicemail, don’t click the link. Instead use your telco provider’s voicemail number to find out if you actually have received one.
  3. The same goes with the bank or other similar institutions. If you get a message, don’t click on it. Instead, directly log into the bank from your computer or the app. Many banks are now moving away from sending texts containing links. Rather they only send messages like “there was some suspicious activity in your account, please log in to your online banking portal and check”.
  4. Never give out your personal information over the phone on an unsolicited call. There are many occasions that we receive legitimate calls from unexpected numbers at unexpected times. However, if you give away personal information over the phone, it is strongly recommended that you first verify the identity of the other party. For example, if the person claims to be calling from the bank, ask for their name and enquire as to their request, then hang up and call the bank at a verified number and corroborate these details – the bank will be able to tell you if this was a legitimate request.
  5. Check email sender information.
    While email filtering solutions are doing a reasonable job in preventing bulk phishing attempts from entering your inbox, highly targeted phishing and scam attempts can still make it into your inbox. Always check the email address of the sender and do a verification of whether it is really coming from the person it claims to be. For example, if one of your work colleagues emails asking for an urgent financial favour, verify whether it is the correct email. These phishing attempts will often get the names and contact information correct and combine it with a plausible story, but if you inspect closely you will realise the email address is not the one you know. For example, a fake University of Sydney email address might read: john.Appleseed@sydney.au.edu or john.appleseed@sydney.co.

    Especially on mobile devices, attacks often manipulate sender names so you only see part of the sender name, such as “Australia Post”. But when you expand the actual email address, such emails will not have a valid Australia Post domain name (See Fig.2)
  6. Remember everyone is vulnerable to being scammed. While all of this may seem obvious and straightforward, many tech-savvy people have fallen victim to these simple tricks and heightened stress is making us all more susceptible.

Related news