Alongside growing concerns over a possible resurgence of the coronavirus during winter, the pandemic is now creating even more victims as cybercriminals aim to capitalise on the economic upheaval.
According to news reports, people have had money stolen from their super funds by fraudsters exploiting the COVID-19 early access scheme.
The attackers reportedly used victims’ stolen identity credentials to create fake myGov accounts and lodge applications for the early release of up to A$10,000 from superannuation accounts.
If you’re worried about accessing the scheme, there are a few ways you can strengthen your protection against fraudsters looking for quick financial gain at your expense.
Always looking for weak points
COVID-19 has threatened the national economy and left more than 700,000 people without work. In April, the federal government responded by allowing access to A$10,000 worth of super funds for eligible applicants in this financial year, and a further A$10,000 after June 30, to help sustain people during this difficult time.
Unsurprisingly, cybercriminals have sought to take advantage of flaws in the scheme.
In May, the Australian Taxation Office reportedly found at least 100 cases of applications lodged using stolen personal information.
It’s not known how attackers managed to access the personal information required for such fraud. It may have been stolen earlier this month from the hacked customer files of a tax agent, as confirmed by federal home affairs minister Peter Dutton.
Or this may have been a less sophisticated scheme. All it takes to steal identity details is a fake email or web page that looks trustworthy enough to dupe you into sharing your information.
Cybercriminals often try a broad approach, sending the same malicious email to hundreds of thousands of people in the hope someone will fall into the trap. And someone usually does.
What can you do to stay safe?
Now is a good time to check your super fund statement to make sure there hasn’t been any unauthorised withdrawal. Even better, you should regularly check all financial statements, including bills. If you see a transaction you don’t remember making, block your bank cards and inform your bank immediately.
Although there are algorithms that help detect credit card fraud, you are the only person who can recall whether you made a specific purchase. With online shopping booming during lockdown, the pool of potential victims has increased.
It’s also common for fraudsters to “test” whether a credit card works by deducting a very small amount (as little as 10 cents) with a generic description such as “service fee” or “top-up charge”.
This may seem insignificant, but for cybercriminals it’s the “perfect crime”, as its simplicity and perceived lack of damage mean it often escapes detection. Also, the operational costs of committing such a crime are very low, which means more people can be targeted.
Verify information and report
One foolproof way to keep your personal information safe from hackers is to double-check the websites you use – whether it’s for online shopping, checking emails or chatting with friends online. Make sure there are no obvious spelling mistakes, in the URL or elsewhere.
If in doubt, try to verify the site’s legitimacy through a quick Google search. Often some online cross-checking, or a phone call to an organisation’s official phone number, is enough to reveal a scammer. And if you can’t confirm authenticity, ask yourself: is sharing my details worth the risk?
If anything doesn’t seem right, always report it to the relevant authorities so others don’t fall victim. In Australia and New Zealand, you can report identity theft on IDCARE and any type of cybercrime on the government’s ReportCyber website.
And if you do become a victim of fraud, alert your superannuation provider and bank as soon as possible. Cybercrime victims should always be empowered to report fraud, as this is the first step to potentially getting your money back.
Are more checks needed?
Some ways to potentially make the early release of super funds more secure include allowing only one verified account per person, which should be confirmed, potentially via a physical interview, before any account activity is carried out. Requiring two-factor authentication throughout the process of submitting an application would also be helpful.
The successful exploitation of the scheme indicates the government may have rushed trying to process and complete applications. One member of the public said it took 12 hours to have their application approved.
This sudden administrative efficiency raises reasonable doubt about the level of security checks in place. And if fraudsters have managed to bypass security protocols, it’s very likely more checks will be needed.
Authors: Roberto Musotto, Cyber Security Cooperative Research Centre Postdoctoral Fellow, Edith Cowan University