Are you a victim of an online scam or fraud? Not yet? Read on…
When you are directly impacted by cyber crime it can feel very scary and unnerving. Knowing what to do, and how to protect yourself moving forward, becomes critical – which is why I’ve shared this information. I know a lot of people who have been on the receiving end of a scam or fraud, so I have a lot of stories and tips to share.
I’ve provided details to cover two scenarios – “victim response” info for those who are already a victim of a scam (focused on Australian victims specifically), and secondly info for those who have not yet been hit, but want to know more about some of the common techniques that hackers and fraudsters might use against you from a personal fraud / identity takeover perspective. I’ve tried to provide as much practical advice as possible, however feel free to contact me directly if you need more specific advice or guidance.
If you’re a victim – don’t feel embarrassed, or that you’re an idiot… the reality these days is that the scammers are very slick, well rehearsed, and professional – and have these techniques down to a fine art. They can convince the smartest of people into becoming victims of a number of social engineering tricks and cons.
This is the important bit…
By understanding cyber criminal techniques, you will be better able to protect yourself, identify when an identity takeover or fraud is occurring, and most importantly know how best to respond in the event of an incident directly impacting you, your partner, or your family. This is information worth sharing with your family and friends, so make sure you use the social sharing buttons at the bottom of this page.
Indications of an identity takeover or fraud:
Online identity takeovers and related fraud are something that no one wants to go through. Let me reveal some indications that you are a victim, so that you can better prepare yourself. Some are obvious, some not so much. I’m not saying that all of these will be the case, however they are pretty good clues that you might already be a victim:
1. Friends and / or colleagues get in touch to let you know that they’ve received unusual emails from you, that contain links or attachments that you don’t know about. If you’re lucky enough to still have access to your compromised email account, you may find it weird that you can’t see any recent sent items, or any emails received. That’s because in some cases, the hackers have set up email ‘rules’ on your account to automatically delete, forward, or move messages sent & received so you can’t see what they’ve done or are doing.
2. You receive a phone call to your home phone number or mobile, allegedly from Microsoft or another large IT organisation, informing you that there’s an issue with your computer. They’ve been trying to contact you by email, and your computer needs sorting… yeah right! After a few tricks on your machine to convince you that there’s an issue and that the call is authentic, they’ll trick you into giving them your credit card details, driving license, mobile phone details, and / or installing remote software to enable them to connect to “fix” your computer. They often scare victims by making out that the machine has malware or a virus. They might say that you’ve got some pirated software, or illegal movies (as many people do)! One simple trick is to get victims to confirm they are running Microsoft Windows, then ask them to hit the Windows “home” button on the machine and type in the command ‘eventvwr’, which shows a number of highly technical error messages and warnings to make you think that the issue is real and the caller is legit. This command runs the Event Viewer on every version of Windows, and every machine always has some error or warning entries even if it seems to be running just fine… it doesn’t mean that you have a problem! They might convince you to pay for some ‘security’ software using your credit card, and / or to confirm your details with a scan of your driving license. In some cases, they’ll get you to install common remote access tools such as TeamViewer, UltraVNC, or LogMeIn, so that they can remotely connect to your machine and search it for personal documents, scans of driving licenses or passports, or anything that they can use to defraud you. Microsoft and other large organisations will never contact you like this, so in future if you do receive a call like this just tell them that you know it’s a scam and you’re reporting them to the police. They’ll move on to the next, easier target.
3. You’re not able to access your online accounts, due to password changes you didn’t make. Gulp.
4. You receive messages or calls from your bank or credit card companies, requesting confirmation of unusual transactions that you are not aware of.
5. You receive a text message on your mobile phone informing you that your phone number is about to be “ported” to another service provider, and before you have a chance to do something about it, you can no longer make or receive mobile phone calls. What is going on?! This is a common technique used by fraudsters, where they use your personal information to request a transfer of your mobile phone service to another provider’s SIM card, in a mobile phone in their possession. Why? Once the port is complete, they use your mobile phone number, now configured on their device, to receive the SMS codes you may have set up with your bank as a second factor (often used for new payee or funds transfers).
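Indication 1 above mentions attackers hiding their activity with mailbox rules that forward, delete or file messages. The Python below is an added example, not code from the post: it triages a constructed, hypothetical rule export (the JSON layout, OWN_DOMAINS and SUSPICIOUS_FOLDERS are assumptions, not any real provider’s export format) and flags the rules a victim should look at first.

```python
import json

# Constructed sample export of mailbox rules (hypothetical generic format,
# not a real Outlook/Gmail export); each rule lists its conditions and actions.
SAMPLE_RULES_JSON = """
[
  {"name": "Newsletter filing", "actions": {"move_to": "Newsletters"}, "conditions": {"from_contains": "news@"}},
  {"name": ".", "actions": {"forward_to": "attacker-mailbox@example.net", "delete": true}, "conditions": {}},
  {"name": "Bank", "actions": {"move_to": "RSS Feeds", "mark_read": true}, "conditions": {"subject_contains": "bank"}},
  {"name": "Work", "actions": {"move_to": "Projects"}, "conditions": {"from_contains": "@corp.example.com"}}
]
"""

OWN_DOMAINS = {"example.com"}  # domains the account owner controls (assumed)
# Folders that are rarely opened, so mail parked there goes unnoticed (assumed list)
SUSPICIOUS_FOLDERS = {"rss feeds", "rss subscriptions", "conversation history", "junk", "deleted items"}


def flag_rule(rule, own_domains=OWN_DOMAINS):
    """Return the reasons a rule looks like attacker persistence; empty list if benign."""
    reasons = []
    actions = rule.get("actions", {})
    conditions = rule.get("conditions", {})
    fwd = actions.get("forward_to")
    if fwd:
        domain = fwd.rsplit("@", 1)[-1].lower()
        if domain not in own_domains:
            reasons.append(f"forwards to external address {fwd}")
    if actions.get("delete"):
        reasons.append("deletes messages")
    folder = str(actions.get("move_to", "")).lower()
    if folder in SUSPICIOUS_FOLDERS:
        reasons.append(f"moves mail to rarely viewed folder '{actions['move_to']}'")
    if actions.get("mark_read") and folder:
        reasons.append("marks as read and files away (hides new mail)")
    if not conditions and (fwd or actions.get("delete")):
        reasons.append("applies to every incoming message")
    if len(rule.get("name", "").strip()) <= 1:
        reasons.append("blank or single-character rule name")
    return reasons


def triage_rules(rules_json):
    """Map rule name -> reasons, for every rule that deserves a closer look."""
    rules = json.loads(rules_json)
    return {r.get("name", ""): flag_rule(r) for r in rules if flag_rule(r)}
```

Running triage_rules(SAMPLE_RULES_JSON) flags the unnamed forward-and-delete rule and the rule that files bank mail into a folder nobody reads; the two ordinary filing rules pass.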
How did this happen in the first place?
So how do hackers compromise your account(s) or perform identity takeovers in the first place? There are lots of techniques used, such as traditional social engineering tricks via a phone call, dodgy emails with malicious links or attachments (phishing), malicious software that captures your keystrokes, “security question” guessing, password guessing (e.g. automated brute force)… to name a few. However, let’s cover some of the most common tricks, so you can be one step ahead:
1. Stealing your physical mail
In some cases, it might be that the fraudsters have simply stolen physical letters delivered to your mailbox at your home, and used the details found to begin their process. The stolen post might include bank statements or other types of financial / account information. Combine this with other personal details easily found on social media accounts like Facebook – such as your mobile phone number, email address, date of birth or other personal info – it makes account takeovers and fraud much easier for them to do.
You should consider physically securing your mailbox(es), or alternatively arranging for your physical mail to be delivered to a secure mailbox or PO box through Australia Post. If you live in an apartment complex with standard mailboxes and post keys, be aware that these are easily opened with a bump key or master key that can be purchased online. PO box it!
You should review what personal information you share online such as your date of birth, maiden name, mobile phone number, email address etc. Think birthday details revealed on Facebook, Instagram, LinkedIn etc.
2. Password re-use to gain access to your online accounts
This is a very common technique, hence worth covering in detail. Due to the large number of data compromises over the past couple of years – such as Dropbox, LinkedIn, Adobe, and various other popular sites – it’s increasingly easy for hackers to obtain your existing user name and password credentials from earlier breaches. If you are someone who reuses the same password across multiple online sites and services, all the hackers have to do is re-use your compromised credentials to gain access to your other accounts. So if you use the same password for your web based email account, they get access.
Once into your email account, attackers can use the account to reset your passwords on other sites or services. They then pillage through your accounts to find any useful documents or images such as your personal documents, financial applications, passports, driving license, and then use this information to perform an identity take-over, such as open new businesses or request loans etc. In some cases they might port your mobile phone number to another mobile service provider so they can get through your SMS confirmation provided by your bank.
Tip: The best and quickest way to check whether your online accounts have already been compromised is to use https://www.haveibeenpwned.com/ and enter your email addresses / accounts. Ensure you have changed your password on any exposed account listed, and on any other account where you used the same password.
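The same service also lets you check a password itself without the password ever leaving your device, via its Pwned Passwords range API (only the first five characters of the SHA-1 hash are sent, and the matching is done locally). The Python below is an added example, not code from the post; the HTTPS call is replaced by a constructed stand-in (fake_fetch, FAKE_BODY, with a made-up hit count) so it runs offline.

```python
import hashlib
from typing import Callable

# Real endpoint of the Pwned Passwords range API; the client appends the 5-char hash prefix.
RANGE_URL = "https://api.pwnedpasswords.com/range/"


def split_hash(password: str):
    """SHA-1 the password; return the 5-char prefix that is sent and the 35-char suffix kept local."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> dict:
    """Parse the 'SUFFIX:COUNT' lines returned by the range endpoint into {suffix: count}."""
    counts = {}
    for line in body.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue
        suffix, count = line.split(":", 1)
        counts[suffix.upper()] = int(count)
    return counts


def pwned_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """How many times the password appears in the breach corpus (0 if absent).

    fetch_range(prefix) must return the response body for RANGE_URL + prefix; it is
    injected so the lookup can be exercised offline with a constructed body.
    """
    prefix, suffix = split_hash(password)
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


# Constructed stand-in for the server response: the suffix of the weak password
# "password" with a made-up count, plus two unrelated constructed suffixes.
_PASSWORD_SUFFIX = split_hash("password")[1]
FAKE_BODY = "\r\n".join([
    "0018A45C4D1DEF81644B54AB7F969B88D65:1",
    f"{_PASSWORD_SUFFIX}:3861493",
    "011053FD0102E94D6AE2F8B83D76FAAF589:2",
])


def fake_fetch(prefix: str) -> str:
    """Offline substitute for an HTTPS GET of RANGE_URL + prefix (constructed)."""
    assert len(prefix) == 5 and all(c in "0123456789ABCDEF" for c in prefix)
    return FAKE_BODY
```

For a live check, replace fake_fetch with a function that performs the GET against RANGE_URL + prefix and returns the response text; the password and its full hash still never leave the machine.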
3. Just plain bad luck
Online fraudsters will keep trying until they get a hit. It might be as simple as working their way through a public list of home phone numbers, where they keep trying until they find someone who falls for a social engineering trick. Microsoft / Apple support, or tax returns are a common theme used. They are often very slick, professional, and have a script that they run through to convince you that they are legit! Don’t fall for it! Microsoft will never call you!
Victim response – what should you do if you’ve been a victim of identity takeover or fraud?
If you believe that you have been a potential victim of an online scam or fraud, it’s best to take action really quickly. The faster the response, the better the chance of minimising the damage & impact to you:
- Contact your bank(s) and financial institution(s) asap to inform them that you think you may be the victim of fraud / identity take-over, and ensure you set up a 2nd form of identification or security question for future contact with them.
- If your personal computer has potentially been infected, or you were convinced by the scammer to allow them to remotely connect to your computer, or install software under their instruction, then stop using that computer completely. Ensure you disconnect it from your home network, and prevent it from connecting to the internet asap. You will need to keep the potentially infected machine isolated off your home network, and will need to re-install the operating system before using again. See the malware clean up section below.
- Change the passwords of ALL your online accounts (and do so only on another device which you’re confident is malware free, fully patched, and running up-to-date security software), ensuring you don’t re-use an old password… sorry to be an inconvenience, however this includes ALL of your accounts… so your online web mail accounts, your banking and financial accounts, your social media accounts… etc. Consider using a password manager to create unique, strong, complex passwords.
- Report your incident to the Australian Cyber-crime Online Reporting Network (ACORN): https://report.acorn.gov.au/. This is a secure reporting and referral service for cyber-crime and online incidents in Australia.
- In Australia, you can also report the incident to the ACCC. https://www.scamwatch.gov.au/report-a-scam
- When possible, provide a written statement at your local police station.
- Physically secure your mailbox at home, or alternatively arrange for your mail to be delivered to a secure mailbox or PO box through Australia Post. Fraudsters will try to get hold of utility bills, bank statements, super details so that they have enough info to gain access to your accounts to transfer money out, or to set up new bank accounts, loans, credit cards etc in your name.
- Set up strong multi-factor authentication for all of your key accounts – preferably something stronger than SMS.
- Contact IDCARE to assess your risks and build a tailored response plan. IDCare has a wealth of information that can assist Australian and New Zealand victims of identity theft: https://www.idcare.org
Cleaning up your infected computer?
If your computer has been infected with malware, or you installed software under the direction of a scammer, don’t bother trying to clean up after the event. You need a fresh install of your computer’s operating system. No other option ensures that your computer is clean. A hard fact to swallow – however be aware that your favourite security software cannot detect every type of malware out there. You cannot rely on it to completely clean your machine… re-installing the operating system is the only way.
Not so painful these days if you’re running Windows 10 or OSX, however it is a vital step to take if you are a victim. Scanning for viruses and cleaning up is not a guaranteed way of removing everything. Disconnect your computer from your home network, or just switch off your internet router to cut all connections, and perform a full operating system reset and rebuild. This guarantees that your machine is free from infection. Windows re-install instructions are here, and Apple OSX instructions are here. Ensure you install your security software as soon as you have a clean version of the operating system installed, and ensure all patches are installed on your Windows 10 device or Apple OSX computer before use.
Summary of proactive steps to protect yourself from future identity takeovers & fraud:
- Ensure you use unique and strong complex passwords for all of your online accounts. Consider using a password manager to do this easily for you. Here’s an article covering the best password managers out there.
- Don’t share any of your user credentials.
- Make use of strong multi-factor authentication for your key accounts, so that even if your account is compromised, the fraudster will not be able to circumvent this additional protection in place.
- Contact your mobile phone service provider, and ask them to confirm that they have blocked the option to port your mobile phone to another provider.
- Consider using a PO box or secure mailbox so that your physical mail cannot be easily stolen.
- Don’t store or send scans / photos of your driving license, credit cards, passport etc in your email account(s). Never provide your driving license, birth certificate etc to anyone.
- Ensure you have set up a 2nd validation / security password with your banks and financial institutions, so that if a fraudster gets hold of your personal & account details, you are still protected.
- Many frauds often start with a phishing email. Remember that banks and financial institutions will never send you an email asking you to click on a link and confirm your bank details. Learn how to spot and report a phishing email if you receive one.
- Look into your security “hygiene” at home – make sure all of your personal computers and mobile devices are always up-to-date, fully patched, and running up-to-date antivirus software in order to minimise the potential for malware infection. You might also want to consider how you securely back up your important documents and files, and store them offline (e.g. a handful of USB drives that aren’t plugged in to your machine).
Feel free to contact me directly if you have any issues, or need more help.