How scammers use phishing attacks to 'socially engineer' their way into your savings
A message from an unrecognised email address or phone number. An urgent call to action. A suspicious-looking web link. A landing page where personal details must be entered.
These are the telltale signs of phishing, the most commonly reported scam in Australia.
Tens of millions of dollars are lost to phishing scams each year, and authorities say that figure is only increasing.
Here's how scammers use "social engineering" to steal the savings of thousands of Australians every single year.
Unlike scams such as the now-famous "Hi Mum", phishing does not usually involve overt requests for money to be sent to an account.
Instead, a scammer will use subterfuge, doctored websites and carefully calibrated software scripts to persuade someone to give up their personal information.
In the cybersecurity space, this technique is known as "social engineering" because it relies on people's typical emotions and behaviours.
The scam may be an email or text message that appears to be from an official company or organisation, like the Australian Tax Office or Netflix.
Victims will be urged to act quickly to fix a problem with their account, or reconfirm their contact details, being directed to a page that looks remarkably similar to one used by the company.
These are fake websites, and scammers will pay anywhere from $10 to $1,000 for phishing kits containing the HTML assets and scripts needed to set them up.
Craig McDonald, founder of Australian cybersecurity firm MailGuard, says phishing has evolved into its own underground industry.
"The availability of phishing and ransomware kits is one of the drivers behind the explosion in scams," he says.
"These are very sophisticated businesses. They recruit qualified coders and developers and support staff from across the globe, and offer 24/7 support for customers, because they're selling a service at the end of the day, albeit an illegal one."
The fake webpages will require victims to enter personal information such as bank account details or email passwords.
This information is then used to access bank accounts, where the scammer can transfer money to themselves at will.
The latest figures reveal phishing is a practice that is only becoming more and more widespread.
Phishing was the most reported scam to Scamwatch in 2022, with the government website recording 74,573 complaints — a 4.6 per cent increase on the previous year.
In 2022, the total financial losses from phishing reported to Scamwatch and the Australian Financial Crimes Exchange totalled $157.6 million.
The financial complaints authority appears to have made inconsistent rulings on whether to give customers refunds after phishing scams, based on whether customers admit to clicking dodgy links.
Advances in machine learning and AI have made it harder to detect phishing scams.
"One of the easiest ways to spot a scam is by looking for typos and grammatical errors," Mr McDonald says.
"Now with ChatGPT or any one of hundreds of AI copywriting services, you can draft an email with perfect English.
"Plus, you can use the AI to check your code, and for loads of other skilled tasks that were previously a barrier to someone wanting to perpetrate a cybercrime attack."
But despite the widespread financial toll on Australians, scams remain significantly under-reported nationally.
According to the Australian Competition and Consumer Commission, just 13 per cent of scam losses are reported to Scamwatch, while roughly a third are not reported to any organisations at all.
It means that the $157.6 million lost to phishing scams last year is likely a vast underestimation.
Do you know more about this story? Email wong.leanne@abc.net.au. If you're sharing sensitive information, read our tips on how to contact us confidentially.
Stephanie Tonkin, CEO of the Consumer Action Law Centre, says the organisation regularly encounters customers who are reluctant to report their losses due to shame and embarrassment.
"A lot of the narrative we're hearing is that people need to be more careful — which of course is part of the solution — but there's a lot of victim blaming going on," Ms Tonkin says.
"Even in education campaigns, we hear: 'Don't click on links, you shouldn't do this, you shouldn't do that, don't be gullible.'
"It's really at odds with the facts, which are these are sophisticated criminals who are performing scams."
The success of a phishing scam hinges on manipulating the emotions and behaviours of a potential victim.
Urgent calls to action requiring a victim to pay off an outstanding tax debt or reactivate a suspended bank account are common techniques used by scammers.
Ofir Turel, professor of information systems management at the University of Melbourne, says scammers appeal to the impulsive part of our brains, using temptation to override restrained, logical thinking.
"Someone gets a message. The message generates a sense of urgency and there are many ways to generate this … it could be fear, it could be distracting you from thinking clearly," Professor Turel says.
"Once it's in place, people's reactions become very impulsive and less logical."
Professor Turel's research has found a range of risk factors for phishing susceptibility, including fear, trust in the purported source of the scam message, loneliness and sleep deprivation, which affects a victim's rational thinking.
But scammers do not only prey on negative emotions like fear or anxiety.
Some have tried to capitalise on the success of the Matildas by linking to fake websites offering cheap tickets to Women's World Cup games.
Professor Turel says the promise of a reward targets the temptation part of our brains.
"This is why a lot of the training modules about how to avoid scams teach you to stop and think," he says.
"If you act immediately and impulsively based on the immediate fear or immediate desire to see what's in the package someone sent you, then you're going to be scammed."
According to Scamwatch data, the average phishing scam victim is likely to be a woman aged 65 or older and living in New South Wales.
She will receive a text message that impersonates her bank or a road toll company, and she will lose money by having it transferred out of her bank.
Nearly 20 per cent of reported phishing scam attempts last year were bank impersonations, with more than $20 million lost.
Recourse can be difficult to obtain for phishing victims.
Banks have their own individual policies for dealing with cybercrime, and despite Australians losing a record $3.1 billion to scams last year, the big banks only compensated customers about $21 million.
Victims who are unhappy with how a bank has responded to their situation can complain to the Australian Financial Complaints Authority.
While consumer groups argue Australia's online banking laws currently lack a strong framework to protect victims of scams, there are strong indications from the federal government of future reform.
Assistant Treasurer Stephen Jones says the government is taking steps to introduce "tough new industry codes of practice".
"I have an expectation that the model will require banks to provide appropriate compensation to victims, where these institutions do not meet the very high bar set out in the codes," he says.
"The codes will ensure both consumers and industry have a clear understanding of responsibility, liability, and obligations."
Australians who believe they've been phished are strongly encouraged to secure their personal information through IDCARE.
We acknowledge Aboriginal and Torres Strait Islander peoples as the First Australians and Traditional Custodians of the lands where we live, learn, and work.
This service may include material from Agence France-Presse (AFP), APTN, Reuters, AAP, CNN and the BBC World Service which is copyright and cannot be reproduced.
AEST = Australian Eastern Standard Time which is 10 hours ahead of GMT (Greenwich Mean Time)
Recent Comments