Archives for : SCAMMERS

On the Trail of the Robocall King-Part 1

An investigator set out to discover the source of one scammy robocall. Turns out, his target made them by the millions.


Brad Young, a lawyer at TripAdvisor, arrived at the company’s offices in Needham, Massachusetts, on October 12, 2015, to find an email from his boss, Seth Kalvert, the company’s general counsel. In itself that wasn’t strange. As a travel site built on crowdsourced wisdom, where hundreds of millions of ordinary people post reviews and rate businesses, TripAdvisor is susceptible to fakery meant to inflate the ranking of a so-so restaurant or stain the reputation of a storied hotel. Young oversaw a group responsible for fending off these efforts, so he frequently got questions from Kalvert about con artists, cunning new deceits, and other shady corners of the law.

But this email was different. Kalvert’s wife had received a robocall offering an exclusive vacation deal as a reward for her loyal accumulation of “TripAdvisor credits.” That would have been nice if TripAdvisor credits were a thing, but they weren’t. The call was also odd because TripAdvisor didn’t engage in telemarketing, much less robocalling. Kalvert wanted Young to look into it.

The anti-fraud team was, in Young’s words, “the company’s secret sauce,” adept at tackling every deception the internet had to offer. But the hustle meant to entice Kalvert’s wife relied on old-school telephony. Cracking it would require an unusual set of skills. Luckily, Young knew just the person to turn to.

Fred Garvin had joined TripAdvisor’s anti-fraud team eight years earlier. He’d been employed in a series of short-term jobs: mechanic, audio editor, anything that seemed interesting enough to hold his attention for a while. He was out of work when a friend saw an opening for a content moderator at TripAdvisor and urged Garvin to apply. He worked at home for a while, under the radar, but pretty soon managers started noticing his obsessive streak and a knack for what he called “research.” As a kid growing up in a small New England town in the pre-internet era, he’d tracked down the addresses of celebrities so that he could request an autograph; he got a postcard signed by the B-52s and one from Mr. Bill, a famous Saturday Night Live character from the 1970s. (The name “Fred Garvin” is another SNL reference, one of several professional aliases he adopted to protect his identity from the scammers and fraudsters he chases. It comes from an old sketch with Dan Aykroyd as Fred Garvin, male prostitute.) Garvin’s manager recommended him for a position with the anti-fraud team. “He’s the most cynical person I’ve ever met,” she said. “He will question everything.” He was a perfect fit.

Young asked Garvin to look into the suspicious phone call. He said he figured it was probably the work of “some two-bit hustler” and wouldn’t take long to sort out. Garvin, though, had only one phone call to go on, and a simple question: Who was on the other end of the line?


Henry Sapiecha

More than 3 billion fake emails sent daily as phishing attacks continue to persist

Some 140,000 more domains are using DMARC records since the start of 2019, though DMARC-based enforcement remains complex to implement.

Phishing is as much a technical attack as it is a social engineering method—for any phishing attempt to succeed, the email must first pass through software filters and then be acted upon by the recipient, who exposes sensitive data. That may sound like slim odds of success, yet the Valimail Spring 2019 Email Fraud Landscape report released Tuesday indicates at least 3.4 billion fake emails are sent each day—making phishing attacks resemble something of a “spray and pray” strategy.

The original specifications for email were written without particular regard to security. While that may have been an acceptable course of action decades ago—when internet use was restricted to government and academic users—deploying a mail server in 2019 without any security protection at all is inadvisable.

Domain-based Message Authentication, Reporting and Conformance, or DMARC, is an open standard (published as RFC 7489) that can be used to prevent inauthentic email from reaching the inboxes of end users. DMARC is gaining widespread adoption, with Valimail reporting that DMARC is used on “almost 80% of all the inboxes in the world.” A survey of public DNS records revealed nearly 740,000 domains with DMARC records as of May 2019, an increase of 140,000 since the beginning of the year.

DMARC is complex to implement, however, and partial implementations—namely, DMARC records versus DMARC enforcement—can limit the efficacy of these deployments. “For domains that are actually used to send email, it takes a lot of tedious work to figure out which sending services need to be whitelisted. The fear of blocking good (legitimate) email keeps a lot of domains from switching to enforcement, and thus they remain vulnerable to bad (fake) email,” the report states.
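The distinction the report draws between having a DMARC record and actually enforcing one can be checked mechanically. The following is an added example, not code from the Valimail report or any DMARC tool: it parses a DMARC TXT record (tag=value pairs per RFC 7489) and classifies it as invalid, monitoring-only (p=none), partial (sampled or with unprotected subdomains) or enforced. The domain names and records are constructed for illustration.

```python
"""Classify DMARC DNS TXT records as monitoring-only, partial, or enforced.

Added example; the domains and records below are constructed, not looked up.
"""
from typing import Dict, Tuple

# Constructed sample records keyed by a made-up domain name.
SAMPLE_RECORDS = {
    "monitor-only.example": "v=DMARC1; p=none; rua=mailto:rua@monitor-only.example",
    "partial.example": "v=DMARC1; p=quarantine; pct=25; rua=mailto:rua@partial.example",
    "enforced.example": "v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s; rua=mailto:rua@enforced.example",
    "not-dmarc.example": "v=spf1 include:_spf.not-dmarc.example -all",
}

VALID_POLICIES = ("none", "quarantine", "reject")


def parse_dmarc(record: str) -> Dict[str, str]:
    """Split a DMARC record into lower-cased tag -> value pairs.

    Tags are separated by ';' and written as tag=value (RFC 7489 section 6.3).
    Raises ValueError if a non-empty segment has no '=' sign.
    """
    tags: Dict[str, str] = {}
    for segment in record.split(";"):
        segment = segment.strip()
        if not segment:
            continue
        if "=" not in segment:
            raise ValueError(f"malformed DMARC tag: {segment!r}")
        name, value = segment.split("=", 1)
        tags[name.strip().lower()] = value.strip()
    return tags


def classify_dmarc(record: str) -> Tuple[str, str]:
    """Return (status, reason) for one DMARC TXT record.

    status is one of:
      'invalid'    - not a usable DMARC record (receivers ignore it)
      'monitoring' - p=none: reports only, spoofed mail is still delivered
      'partial'    - enforcing policy but only on a sample (pct<100),
                     or subdomains left at sp=none
      'enforced'   - quarantine/reject applied to 100% of failing mail
    """
    try:
        tags = parse_dmarc(record)
    except ValueError as exc:
        return "invalid", str(exc)

    # RFC 7489: the record must begin with v=DMARC1 and must carry a p= tag.
    if not record.strip().lower().startswith("v=dmarc1"):
        return "invalid", "record does not begin with v=DMARC1"
    policy = tags.get("p")
    if policy not in VALID_POLICIES:
        return "invalid", f"missing or unknown p= tag: {policy!r}"

    # pct defaults to 100; anything outside 0..100 makes the record unusable.
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        return "invalid", f"pct is not an integer: {tags['pct']!r}"
    if not 0 <= pct <= 100:
        return "invalid", f"pct out of range: {pct}"

    # Subdomain policy (sp) defaults to the organisational policy (p).
    sub_policy = tags.get("sp", policy)
    has_reports = "rua" in tags

    if policy == "none":
        reason = "p=none: receivers report but still deliver spoofed mail"
        if not has_reports:
            reason += "; no rua= address, so no aggregate data is collected"
        return "monitoring", reason
    if pct < 100:
        return "partial", f"p={policy} applied to only {pct}% of failing mail"
    if sub_policy == "none":
        return "partial", f"p={policy} but sp=none leaves subdomains unprotected"
    return "enforced", f"p={policy}, sp={sub_policy}, pct=100"


if __name__ == "__main__":
    for domain, record in SAMPLE_RECORDS.items():
        status, reason = classify_dmarc(record)
        print(f"{domain:22} {status:10} {reason}")
```

The rua= check matters because aggregate reports are how a domain owner discovers which sending services need to be whitelisted before moving from p=none to enforcement.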

A few industries are rising above 20% enforcement rates, with the US federal government leading the way, due largely to mandates requiring the protection. Conversely, the least-protected industry is media organizations.

“It remains clear that fake emails from hackers, phishers and other cybercriminals constitute the major source of cyberattacks,” Alexander García-Tobar, CEO and co-founder of Valimail, said in a press release. “As more companies recognize and respond to email vulnerabilities, we expect to see organizations continue to deploy authentication technologies to protect against untrusted and fraudulent senders. The fact is that too many attackers are using impersonation to get through existing email defenses. A robust approach to sender identification and authentication is needed to make email more trustworthy, once and for all.”

For more, check out “Oh Canada: Why half of phishing attacks target the Great White North” and “Your data, stolen twice: Pirated phishing kit contains hidden backdoor.”


Henry Sapiecha


HUNDREDS of Woolworths Rewards members have been targeted by fraudsters in a bid to steal their points over the past few months.

The retail giant has moved to tighten account management controls following increased reports of scammers targeting customers.

A spokesman for the supermarket chain told our sister paper there was no evidence to suggest its systems had been breached or compromised.

“Our investigations indicate to us they’ve had their details obtained from another source or from a scam,” the spokesman said.

More than 11 million Australians have a Rewards card with Woolworths. A few hundred are believed to have been directly affected.

Hundreds of customers were potentially affected.

Rewards online accounts with suspicious logins have been locked down and customers who were potentially affected have been contacted directly.

All fraudulently redeemed points will be reinstated to members in full.

“We value the trust of our members and take our responsibility to uphold the security of their accounts seriously,” Woolworths director of loyalty Ingrid Maes said.

“It’s clear fraudsters are becoming more sophisticated in the ways they target users online and our members are unfortunately not immune to these threats.

“That’s why we’ve put in place a range of new account security controls to help our members keep their accounts more secure.

“As always, we encourage our members to remain ever vigilant of online scammers and to keep their accounts as secure as possible with strong and unique passwords.”

To put a stop to the fraud Woolworths has implemented the following changes:

One Time Code: members will be required to enter a unique one time code sent to their email address if they wish to change point redemption preferences.

Auto-notification of redemption settings changes: members will receive immediate notification via email if their stored redemption preferences are changed.

Enhanced password security: new and existing members updating passwords will be required to use a password comprising at least 8 characters, a number, and upper and lower case characters. This will assist customers to adopt stronger passwords.

According to the latest ACCC data, Australians have reported 104,000 scams so far in 2018, totalling $84 million.

Henry Sapiecha

Phone Scam targeting Chinese Nationals in Australia by pretending to be from the Embassy RAKES IN MILLIONS $$$

IN RECENT months, you may have been confused by a voicemail left on your phone in Mandarin.

Whether you understand it or not, authorities have warned smartphone users to hang up immediately.

Police have warned of a phone scam targeting Chinese nationals in Australia by pretending to be from the embassy and demanding a large sum of money.


“We have offenders contacting victims on the phone purporting to be from the Chinese Embassy, and saying victims either committed an offence or had their identity stolen. As a result, victims are asked to pay fines or a debt,” Financial Crimes Squad Commander Detective Superintendent Linda Howlett told a conference Wednesday afternoon.

“I want to stress that the Chinese Embassy would never contact a person to pay money over the phone.

“We’ve had incidents where the victim is threatened, or their family back in China is threatened.”

She said there have been cases where the victim didn’t have any money. In these cases, the victim was instructed to stage a kidnapping so they could get money overseas from their parents.

The scam has raked in millions of dollars, targeting victims across Australia, New Zealand, the United States, Canada and the United Kingdom. One victim alone in NSW had $1.9 million stolen.


According to Det Supt Howlett, there have been at least 50 reports of this scam across NSW, with three calls this week alone.

But she said a lot of the victims still aren’t coming forward, urging people receiving the calls to hang up and notify the authorities.

Variations of this scam have been reported recently. In another one, an automated voice in Mandarin claiming to be calling on behalf of the Chinese Embassy tells the listener they have an important parcel to collect.

They are encouraged to press 9, at which point they are transferred to a scammer who tries to take their personal details.

China’s Deputy Consul-General in Sydney Tong Xuejun said more than 1000 cases had been reported since August last year.

“We have confirmed about 40 cases that caused a loss. The total amount of money involved is about $10 million,” he said, adding that the money lost ranged from $2000 to one case of $3.5 million.

In another fraud, the scammer tells the victim they are involved in a crime like money-laundering or embezzlement, and threatens them with jail or deportation unless they pay a hefty sum to get a “priority investigation” to clear their name.

They also try to extract sensitive information like passport numbers, bank details and addresses.

According to Scamwatch, if the money is sent to the scammer, it is likely lost and extremely difficult to recover.

Many non-Chinese people have reported getting the calls too, and being left confused.

The Chinese Consulate-General has urged Chinese citizens in Australia to be aware of fraudulent calls.


Henry Sapiecha

Con artists strike it rich in Hong Kong with job fraud and ID theft totalling HK$7.82 million in 2018, or seven times more than all of 2017

Desperate jobseekers persuaded to hand over personal details and bank information in fake employment scams

Hong Kong’s con artists have scammed job seekers out of seven times more cash in the first four months of 2018 than they did in the entire year of 2017, police revealed on Monday.

Identity theft and fake job offers drove the rise, with the latest police figures showing 78 Hongkongers losing HK$7.82 million (US$996,000) in 48 reported scams.

That is compared to the HK$1.13 million that 43 vulnerable victims lost last year to con artists in 33 cases, covering a variety of scams. Of the HK$7.82 million, HK$7.1 million was lost in loan-related employment fraud, a figure that dwarfs the HK$480,000 con artists raked in using similar schemes in 2017.

This year’s biggest loser to date is a 26-year-old woman who was duped of HK$800,000 in a loan-related job scam. She replied to an online job advert in March.

“To secure the position, she provided the interviewer with a copy of her identity card, together with other personal data,” chief inspector Jackie Tam Wing-sze of the force’s commercial crime bureau said.

The victim was later told HK$780,000 had been paid into her bank account. She was requested to help withdraw the money, with the promise of a HK$13,000 payday afterwards.

Some weeks later, she received a formal request of debt recovery from a bank, and realised the fraudster had stolen her identity to apply for a personal loan amounting to HK$800,000.

A 25-year-old woman was conned out of HK$640,000 after she responded to a job advert on the internet in January.

She was lured into applying for loans and using her credit cards to buy gold, and was promised HK$74,000 in commission if she did so. According to police, she was told the “company would be responsible for repaying any & all the debts”.

The woman only realised it was a scam after she gave all the money and gold to the conman and then lost contact with him.

Police said they had also observed criminals increasingly using the lure of attractive job offers, such as working as a flight attendant for overseas airlines, to swindle jobseekers.

In November, a 24-year-old woman fell victim when she answered an advert for a supposed vacancy with an overseas airline on a social media platform. She was eventually convinced to part with a total of HK$170,000 as part of the fake recruitment process.

The victim only discovered the scam the following month when she tried to verify her job application.

The woman is the biggest loser of such fraud in recent years, police stated.

Officials attributed the increase in the reports of employment fraud, and the amount of losses this year, to their investigations into a loan-related job scam in which 10 victims lost HK$3.4 million.

“Any person could be the victim of employment fraud,” Tam said, adding that con artists would always invent different ways to steal other people’s money.

Increasingly, Tam said, fraudsters were using various scams online and on social media.

With the approach of the summer holidays, Tam said school leavers and summer jobseekers should be “cautious and on vigilant alert at all times”.

Senior labour officer Yeung Chi-kit of the Labour Department said jobseekers should be wary of adverts for well-paid jobs that do not require work experience or any academic qualifications.

He said all persons should be cautious if asked to pay deposits, training fees, for goods and services, or asked to provide personal data or credit card, identity card, and bank account details.


Henry Sapiecha

Scammer’s Computer DESTROYED – His Reaction on video. Must view.



Henry Sapiecha

How to RAT scammers (the complete how to video guide)





Henry Sapiecha

Scammer Vs Trojan. Baiting a Scammer | Scammer Reacts. Video shows how.

Setting up a scammer & deleting their files. Video alert how to.


Henry Sapiecha

Destroying all Computers on the Scammers Network Video How to.

Follow this system & get even with the online scammers



Henry Sapiecha

Jail time prescribed for medical centre fraudster

PRISON has been deemed the best medicine after a con artist fleeced a couple out of $132,000 and spread the money among his assets, including a Central Queensland business.

Ronald James Richardson, the former Fraser Shores Medical Centre owner, duped a couple who approached him after seeing an ad in Mackay.

Richardson’s business was buying and selling medical centres.

And he was “in a position of trust” regarding the couple with a self-managed superannuation fund who made contact, Judge Nathan Jarro said.

Richardson advertised about medical centre investments with a “12.5% guaranteed return,” Brisbane District Court heard on Thursday.

The con artist took $75,000 from the couple.


Then he was declared bankrupt.

But in December 2012, when banned from acting as a company director, a company Richardson controlled borrowed $100,000 more from the couple.

“Those funds did not go to purchase medical equipment but the bulk was diverted into other accounts,” Judge Jarro said.

Richardson paid back more than $40,000, so the total amount defrauded was $132,985.15.

The fraudster, 63, has been in and out of court several times this decade.

The crimes he was sentenced for this week happened before his conviction for a different fraud in 2013.

That year, jurors found he fraudulently funnelled investors’ money into an interest-bearing account.

His companies set up practices in Gympie, in Biloela and in NSW.

Richardson, a married father of three, was released on parole in 2015.

During a bail application last year, Crown prosecutor Ron Swanwick said Richardson displayed a “chronic pattern of dishonesty over a lifetime”.

On Thursday, the Crown wanted Richardson to go to jail with no parole for at least six months.

But his behaviour while on bail for the latest charges was impeccable, the court heard.

Richardson’s wife and one of his daughters wrote letters of support.

Defence counsel Kate Juhasz said Richardson should be released on parole at once.

Judge Jarro said a term of imprisonment was “the only option”.

Richardson was jailed for two and a half years but will be released on parole on July 30 this year.

No people were in court to support him.

He appeared to send someone a text after learning he was going to jail, then was led off into custody.


Henry Sapiecha

Co-workers in shock over fake cancer allegations against mum & scamming $45,000

FORMER colleagues of a Casino [NSW, Australia] mother of four charged with fraud helped out by driving her to medical appointments and chemotherapy treatments and performing child minding duties, it has emerged.



It’s understood several staff at the Casino RSM Club where Melissa Quinn worked part-time in 2014 were in tears today after hearing about the police allegations.

The Casino RSM Club has subsequently issued a statement about the affair.

In the written statement, secretary manager of the club Neale Genge said the club was “deeply shocked and saddened to be informed about the arrest of Melissa Quinn in relation to alleged fraud from fundraising activities held to assist with her cancer treatment.”

“While the Casino RSM Club has a strict policy of not making cash donations to individuals, we have on many occasions assisted a number of individuals to host fundraising events for persons requiring medical treatment.

“Our contribution has always been non-cash such as assisting with promoting these events and making our facilities available at no cost.

“The Casino RSM Club assisted Ms Quinn’s friends and family in hosting an event in November 2014 in which approximately $20,000 was raised at the Club, with additional funds coming from Cricket Australia and other sources.

“Ms Quinn was a part-time employee of the club at that time, while also being an employee of Cricket NSW.

“At no stage was the Casino RSM Club aware that Ms Quinn’s illness was anything but genuine, and a number of staff members had assisted Ms Quinn by minding her children and driving to her alleged medical appointments and chemotherapy treatments.

“The generosity of the people of Casino and District has been highlighted a number of times in the support they show for people in need.

“While this matter is before the courts we cannot speculate further, but we trust this incident will not dampen the Casino community’s commitment to provide assistance to individuals and support their own when required.”

It’s understood that Ms Quinn quit her job yesterday at the Casino BWS bottle shop.

Update 12.05pm: THE CLOSE-KNIT Casino cricket community is reeling with news that former player and volunteer Melissa Quinn has been charged with multiple counts of fraud.

John Black, long serving secretary-treasurer of the Casino Cavaliers Cricket Club said news of Ms Quinn’s arrest came as a “huge shock”.

Mr Black worked closely with Ms Quinn during her tenure as a volunteer for the Casino and District Cricket Association and vice president of the Cavaliers, which field the elite district team.

“These are just allegations… we probably can’t judge Melissa just right at this moment, but it is a shock,” he said.

Mr Black said the entire community took Ms Quinn “at her word” and pitched in to help raise money for her treatment.

“The community got in behind her because that’s what most communities do when someone is suffering from cancer, that’s what people do, help each other.

“She exhibited for me a love of cricket… she was always willing to help.”

Mr Black was one of scores of local business people and community members to contribute to an auction at the Casino RSM Club in 2014 to raise money for Ms Quinn’s medical trip to California.

“We all pitched in and did our little bit to help her,” he said.

Ms Quinn was also supposed to be spending eight weeks in the US to undergo specialised proton radiation therapy. But he said she returned after two weeks.


Original story 5am: A Casino woman allegedly faked cancer to fleece tens of thousands of dollars from unsuspecting donors including Cricket NSW.

Mum of four Melissa Irene Quinn, 34, allegedly concocted an elaborate story in 2014 to raise money for an all-expenses paid trip to California to undergo “life saving” proton radiation therapy.

Ms Quinn was a volunteer for the Casino District Cricket Association at the time.

Former Australian captain Michael Clarke was one of three Test players to donate signed and framed playing shirts for auction for a $70 per head fund raising event in her honour in October 2014 held at the Casino RSM Club.

NSW State of Origin also donated a jersey.

Prior to the 2014 event she told The Northern Star she had only two years left to live after being diagnosed with terminal brain cancer.

“I had cancer two-and-a-half years ago in the uterus, so it wasn’t a huge surprise that it’s come back,” she said.

“The Australian Medical Board is covering 90% of my costs to go to California to receive proton radiation therapy.

“But we need to make up the money for eight weeks of airfares, clinical fees and everyday expenses.

“We’ve estimated we need to raise $20,000.”

In 2015 Ms Quinn started work full-time for Cricket NSW as a development manager for the North Coast region.

Then in 2016, she allegedly claimed she had contracted ovarian cancer and chronic myeloid leukaemia.

“I’ve got a tumour in my leg and I’ll actually be having surgery next week,” she told The Northern Star in May 2016.

“It’s a bit of a tough time for me at the moment and I’m just looking forward to getting back on my feet.”

Cricket NSW then supported her with a number of auctions to raise further funds for her treatment.

During Casino’s annual Beef Week celebrations that year Test cricketer and current Sheffield Shield captain Steve O’Keefe helped auction off cricket memorabilia on her behalf.


Sydney Sixers and NSW cricketer Steve O’Keefe was part of fundraising activities for Melissa Quinn in Casino.

Her story was the source of widespread media coverage, including a feature story on the ABC’s 7.30 as well as press releases from Cricket NSW which linked to a GoFundMe crowdfunding campaign raising funds on her behalf.

Between 2014 and 2016 she is alleged to have raised a total of $45,000 – but police allege it was all lies.

The 34-year-old is charged with four counts of dishonestly obtaining financial advantage by deception, one count of making a false document to obtain financial advantage, and one count of using a false document to obtain financial advantage.

She was arrested and charged on Tuesday and granted conditional bail.

Her bail conditions forbid Ms Quinn from approaching or contacting any prosecution witness or any member of Cricket NSW involved in the matter.

The matter is set down for mention in Casino Local Court on 18 April 2018.


Henry Sapiecha

Australian union official seemingly connected with fraudulent Facebook page

Two National Union of Workers officials in Perth WA have been suspended after it emerged that a fraudulent Black Lives Matter page had an Australia connection.

The National Union of Workers (NUW) has suspended two officials in Western Australia after US news outlet CNN claimed that a Facebook page purporting to be part of the Black Lives Matter movement was a scam with ties to Australia.

CNN named one of the men as NUW official Ian Mackay – who is white – and SBS News understands another male from the union was also suspended after the story broke.

The Facebook page titled “Black Lives Matter” had almost 700,000 followers, which was more than twice as many as the official page of Black Lives Matter, an activist movement that campaigns against violence and racism towards black people.


CNN reported on Monday that the page was connected “to online fundraisers that brought in at least $US100,000 (AUD$129,000) that supposedly went to Black Lives Matter causes in the US. At least some of the money, however, was transferred to Australian bank accounts”.

In a statement to SBS News, NUW national secretary Tim Kennedy confirmed that the union had “launched an investigation into claims made by a CNN report and has suspended the relevant officials pending the outcome of an investigation”.

“The NUW is not involved in and has not authorised any activities with reference to claims made in CNN’s story.”

SBS News has approached Mr Mackay for comment. He denied running the page when contacted by CNN, but did not provide further comment.

The Facebook page has since been closed down and fundraising campaigns associated with the page were reportedly suspended by PayPal and Patreon. Donorbox and Classy had also removed the campaigns.

“Our objective is to raise awareness about racism, bigotry, police brutality and hate crimes by exposing through social media locally and internationally stories that mainstream media don’t,” a message on the group’s Donorbox page reportedly read.

A spokesperson for Facebook told SBS News that “we investigated this situation as soon as it was brought to our attention, and disabled the page admin for maintaining multiple profiles on the platform”.

“We continue to monitor the situation and will take the necessary action in line with our policies.”

SBS News has also reached out to Black Lives Matter in the US for comment.

It comes the same week as Mark Zuckerberg is set to appear before US politicians, where he will face a grilling about data that was improperly shared with Cambridge Analytica.


Henry Sapiecha

NZ Man in court over alleged $1.2m scammed from pensioners


A 48-YEAR-OLD Kiwi has been extradited back from New Zealand to face 21 boiler room fraud charges that police claim stripped retirees of their superannuation and others to the tune of $1.2 million.

The man, who is due to appear in Maroochydore Magistrates Court this afternoon, was the alleged ringleader of the Gold Coast-based scam, police claim.

Victims were lured into the scam with cold calls or by visiting websites set up by the group, Detective Senior Sergeant Daren Edwards alleged.

They were drip-fed small amounts of cash to get them to pour more in.

He said the “callous” alleged fraudster had blown most of the $1.2 million on a luxury Gold Coast lifestyle and police did not yet have any assets to strip from the man.

“It was to do with safe racing and betting,” Sen Sgt Edwards said.

“Some of the allegations are that some of the complainants received some of the funding back so they appeared they were getting returns however that was just a phoenix set up. Once an investor put money in they would drip feed some of the other investors money to give the false impression they were getting money,” he alleged.

Snr Sgt Edwards alleged one West Australian victim invested $300,000 into the scam while another Sunshine Coast man in his 70s put in more than $70,000.

A second man has been charged on the Gold Coast.


Henry Sapiecha

This Android ransomware threatens to expose your browsing history to all your contacts



A form of Android ransomware which threatens to send the victim’s private information and web history to all of their contacts has been discovered in the official Google Play app store.

Uncovered by researchers at McAfee, LeakerLocker doesn’t actually encrypt the victims’ files, but instead claims to have made a backup of data stored on the device and threatens to share it with all of the user’s phone and email contacts.

Those behind the malware demand $50 in exchange for not leaking personal data including photos, Facebook messages, web history, emails, location history and more, playing on fears of potential embarrassment rather than any form of cryptography.

Two applications in the Google Play Store contained the malware: Wallpapers Blur HD, which has been downloaded between 5,000 and 10,000 times, and Booster & Cleaner Pro, which has been downloaded between 1,000 and 5,000 times.

The combined number of downloads means that up to 15,000 people have fallen victim to this ransomware, which has been in the Google Play Store since at least April. Both apps have good review scores, suggesting that those behind the scheme have been giving them fake reviews.

Once downloaded, LeakerLocker asks for vast swathes of permissions, including the ability to manage calls, read and send messages, and have access to contacts — overreaching for the apps the malware is claiming to be — before communicating with a receiver, initiating the malicious activity and locking the homescreen of the device with the extortion threat.


LeakerLocker attempts to extort victims into paying a ransom by threatening to release their personal data.

Image: McAfee

It’s true that the malware can gain access to private information — thanks to its victims granting permissions at installation time — but not all the private data LeakerLocker claims to have access to can be seen or leaked.

However, analysis of the code shows it’s capable of at least accessing an email address, some contact information, Chrome browser history, text messages and calls, and photos from the camera.

Snippets of this data are chosen at random to convince the victim that all their data has been copied — although at this point the information hasn’t actually been copied, it could be if the control server issues the relevant instructions.

This basic form of ransomware demands the ransom via credit card, although researchers advise infected victims not to pay because there is no guarantee that the information will not be released or used to blackmail victims again.

McAfee researchers have reported LeakerLocker to Google, which says it’s “investigating” — and it appears that the two apps including the malware have been removed from the Google Play store.

It’s far from the first time malware has infiltrated Android’s official app marketplace and is indicative of Google’s continuing battle against cybercriminals sneaking malware into the store.


Henry Sapiecha

Lottery officials confirm $70m scam Hervey Bay Qld Australia

Too good to be true – an Instagram scam, claiming to be an account of a Hervey Bay winner of 70 million dollars, is hooking followers into sharing their bank and PayPal account information.


A SCAM warning is in place after a fraudster masquerading as a $70 million Hervey Bay lottery winner began targeting locals online.

The Chronicle understands the scammer is attempting to capitalise on the region’s recent lucky streak where locals have taken out two major jackpots.

On Tuesday, an Instagram user by the name of Susan Croper posted a photo of a woman holding a cheque for $70 million addressed to ‘Hervey Bay grandparents’.

The photo caption read “Just about 1 year ago I walked in and collected my $70million cheque. To mark this day we would like to give something a little back to the hard workers of this lovely world”.

The fraudster continued by announcing the next 50,000 people to like, comment, share and tag Susan Croper in the picture would receive $1000 via PayPal or bank transfer.

A link was also provided in the account description which claimed to provide “proof”.

Last year, a retired Hervey Bay couple was in fact lucky enough to take out a $70m lotto jackpot.

A Hervey Bay man won $30 million last month.

But Golden Casket spokesperson, Elissa Lewis, confirmed the post was a hoax and not linked to any actual winners.

“(The grandparents) still hold the record for the largest single ticket lottery win in Australian lotto history,” Ms Lewis said.

“Unfortunately someone is trying to take credit for their profit.”

Ms Lewis said Golden Casket was working closely with Instagram, Google and Facebook to have the hoax shut down.

In the meantime, readers are being urged to remember never to pass on their personal details online.

“If anyone suspects a lottery scam they should report them to Scam Watch,” she said.

“If they think they’ve handed over personal details but aren’t sure if the party is legitimate, it becomes a legal matter and they should contact their local police.

“We just caution customers to be aware of these sorts of requests because if it seems like easy money, it is not.”


Henry Sapiecha



Thieves are preying upon consumers when they need help the most by claiming to fix their bad credit.

In the credit repair scam, con artists claim they can erase bad credit, remove bankruptcies or liens and even create a new credit history. The thieves usually ask for an upfront payment in cash.

Legitimate credit repair companies are required to provide a person’s legal rights in a written contract, give a three-day window to cancel without any charge and provide the cost of the services.


  • Check your credit history and dispute inaccurate information
  • Do not pay for services before they are rendered
  • Obtain legitimate credit counseling from a nonprofit credit repair agency or your bank or credit union

For more information, you may contact the Fair Trade Commission at and the Consumer Financial Protection Bureau at


Henry Sapiecha

Phishing? How to protect yourself from scam emails and much more

Don’t click on that email! Find everything you need to know in this phishing guide including how to protect yourself from one of the most common forms of cyber attack.


What is phishing?

Phishing is one of the easiest forms of cyber attack for a criminal to carry out, but one which can provide these crooks with everything they need to infiltrate every aspect of their targets’ personal and working lives.

Usually carried out over email – although the scam has now spread to social media, messaging services and apps – a basic phishing attack attempts to trick the target into doing what the scammer wants. That might be handing over passwords to make it easier to hack a company, or altering bank details so that payments go to fraudsters instead of the correct account.

The aim and the precise mechanics of the scams vary: victims might be tricked into clicking a link through to a fake webpage with the aim of persuading the user to enter personal information. Other campaigns involve tricking users into downloading and installing malware – a stealthier approach to theft – or inadvertently installing ransomware, providing the attacker with much more immediate profit.

More complex phishing schemes can involve a long game, with hackers using fake social media profiles, emails and more to build up a rapport with the victim over months or even years in cases where specific individuals are targeted for specific data which they would only ever hand over to people they trusted.


That data can range from something as simple as an email address and password, to financial data such as credit card details or online banking credentials, or even personal data such as date of birth, address and a social security number.

In the hands of hackers, all of that can be used to carry out fraud, be it identity theft or using stolen data to buy things or even selling people’s private information on the dark web. In some cases, it’s done for blackmail or to embarrass the victim.

In other cases, phishing is one of the tools used for espionage or by state-backed hacking groups to spy on opponents and organisations of interest.

And anyone can be a victim, ranging from the Democratic National Committee, to critical infrastructure, to commercial businesses and even individuals.


Whatever the ultimate goal of the attack, phishing revolves around scammers tricking users into giving up data or access to systems in the mistaken belief they are dealing with someone they know or trust.

How does a phishing attack work?

A basic phishing attack attempts to trick a user into entering personal details or other confidential information, and email is the most common method of performing these attacks.

The sheer number of emails sent every single day means that it’s an obvious attack vector for cyber criminals. It’s estimated that 3.7 billion people send around 269 billion emails every single day.

Researchers at Symantec suggest that almost one in every 2,000 of these emails is a phishing email, meaning around 135 million phishing attacks are attempted every day.

Most people simply don’t have the time to carefully analyse every message which lands in their inbox – and it’s this which phishers look to exploit in a number of ways.

Scams vary in their targets – some are aiming at unwary consumers. Here, their email subject line will be designed to catch the victim’s eye – common phishing campaign techniques include offers of prizes won in fake competitions such as lotteries or contests by retailers offering a ‘winning voucher’.

In this example, in order to ‘win’ the prize, the victims are asked to enter their details such as name, date of birth, address and bank details in order to claim. Obviously, there’s no prize and all they’ve done is put their personal details into the hands of hackers.

A young woman is overjoyed by message on her tablet computer stating she has won a prize, not realizing it is a scam.

Similar techniques are used in other scams in which attackers claim to be from banks looking to verify details, online shops attempting to verify non-existent purchases or sometimes — even more cheekily — attackers will claim to be from tech security companies and that they need access to information in order to keep their customers safe.

Other scams, usually more sophisticated, aim at business users. Here attackers might also pose as someone from within the same organisation or one of its suppliers and will ask you to download an attachment which they claim contains information about a contract or deal.

In many cases the file will unleash malicious software onto the system – often it will harvest personal data, but it is also frequently used to deploy ransomware or rope systems into a botnet.

Attackers will often use high-profile events as a lure in order to reach their end goals. For example, a major campaign used the lure of the 2016 Olympic Games to help distribute malware in the run up to the event.

In many cases the malicious payload will be hidden inside a Microsoft Office document which requires the user to enable macros to run. The payload will trick the victim into enabling them by claiming that an update needs to be installed or permissions need to be given to allow the document to be viewed properly. But if the user allows the payload to run, they and their company are likely to be in big trouble.

Why is phishing called phishing?

The overall term for these scams — phishing — is a modified version of ‘fishing’ except in this instance the fisherman is the cyber attacker and they’re trying to catch you and reel you in with their sneaky email lure.

It’s also likely a nod to hacker history: some of the earliest hackers were known as ‘phreaks’ or ‘phreakers’, and the ‘ph’ spelling is probably a reference back to that.

When did phishing begin?

The consensus is the first example of the word phishing occurred in the mid-1990s with the use of software tools like AOHell which attempted to steal AOL user names and passwords.

These early attacks were successful because it was a new type of attack, something users hadn’t seen before. AOL provided warnings to users about the risks, but phishing remained successful and it’s still here over 20 years on. In many ways, it has remained very much the same for one simple reason – because it works.

How did phishing evolve?

While the fundamental concept of phishing hasn’t changed much, there have been tweaks and experimentations across two decades as technology and how we access the internet has changed. Following the initial AOL attacks, email became the most appealing attack vector for phishing scams as home internet use took off and a personal email address started to become more common.

Many early phishing scams came with tell-tale signs that they were not legitimate – including strange spelling, weird formatting, low-res images and messages which often didn’t make complete sense. Nonetheless, in the early days of the internet, people knew even less about potential threats which meant that these attacks still found success – many of these are still effective.

Some phishing campaigns remain really, really obvious to spot – like the prince who wants to leave his fortune to you, his one long lost relative – but others have become so advanced that it’s virtually impossible to tell them apart from authentic messages. Some might even look like they come from your friends, family, colleagues or even your boss.

What’s the cost of phishing attacks?

It’s hard to put a total cost on the fraud that flows from phishing scams, but earlier this year the FBI suggested that the impact of such scams could be costing US business somewhere around $5bn a year, with thousands of companies hit by scams every year.

One example of a high profile incident: in July 2017 MacEwan University in Edmonton, Alberta, Canada fell victim to a phishing attack.

“A series of fraudulent emails convinced university staff to change electronic banking information for one of the university’s major vendors. The fraud resulted in the transfer of $11.8 million to a bank account that staff believed belonged to the vendor,” the university said in a statement.

What types of phishing scams are there?

The ‘spray and pray’ is the least sophisticated type of phishing attack, whereby basic, generic messages are mass-mailed to millions of users. These are the ‘URGENT message from your bank’ and ‘You’ve won the lottery’ messages which look to panic victims into making an error — or blind them with greed.

Schemes of this sort are so basic that there’s often not even a fake webpage involved – victims are often just told to respond to the attacker via email. Sometimes emails might play on the pure curiosity of the victim, simply appearing as a blank message with a malicious attachment to download. This is the way Locky ransomware is spread and it’s one of the most effective forms of the file-encrypting malware around.

A simple Locky distribution phishing email – it looks basic, but if it didn’t work, attackers wouldn’t be using it.

These attacks are mostly ineffective, but the sheer number of messages being sent out means that there will be people who fall for the scam and inadvertently send details to cyber attackers who’ll exploit the information in any way they can.

What is spear phishing?

Spear phishing is more advanced than a regular phishing message and aims at specific groups or even particular individuals. Instead of vague messages being sent, criminals design them to target anything from a specific organisation, to a department within that organisation or even an individual in order to ensure the greatest chance that the email is read and the scam is fallen for.

It’s these sorts of specially crafted messages which have often been the entry point for a number of high profile cyber attacks and hacking incidents.

At a consumer level, it can be designed to look like an update from your bank, it could say you’ve ordered something online, it could relate to any one of your online accounts. Hackers have even been known to seek out victims of data breaches and pose as security professionals warning victims of compromise – and that targets should ensure their account is still secure by entering their account details into this handy link.

While spear phishing does target consumers and individual internet users, it’s much more effective for cyber criminals to use it as a means of infiltrating the network of a target organisation.


Lure document used in a ransomware attack against a hospital – attackers used official logos and names to make the email and the attachment look legitimate.

This particular type of phishing message can come in a number of forms including a false customer query, a false invoice from a contractor or partner company, a false request to look at a document from a colleague, or even in some cases, a message which looks as if it comes directly from the CEO or another executive.

Rather than being a random message, the idea is to make it look as if it has come from a trusted source, and coax the target into either installing malware or handing over confidential credentials or information. These scams take more effort but there’s a bigger potential payback for crooks too.

What is CEO fraud?

CEO fraud is a very specific type of phishing campaign which usually targets staff in the financial or human resources department of a business.

The target receives an email from the attacker which is disguised to look as if it comes from the CEO of the company or some other high level executive and – sometimes after a period of small talk to build up trust – it requests an urgent transfer of money to a particular account.


CEO fraud sees attackers posing as executives and sending multiple messages back and forth with victims. Image: Trend Micro

Usually some sort of business reason is given, such as the funds being required for a new contract or something similar. Of course, this message isn’t from the CEO at all and the account doesn’t belong to anyone within the company, but rather to the attacker, who, before the victim understands what is going on, has made off with a significant sum.

It’s thought that at least $5 billion has been lost as a result of this particular form of phishing scam and law enforcement has warned that it continues to rise.

Other types of phishing attacks

While email still remains a large focus of attackers carrying out phishing campaigns, the world is very different to how it was when phishing first started. No longer is email the only means of targeting a victim as the rise of mobile devices, social media and more have provided attackers with a wider variety of vectors to use for attacking victims.

Social media phishing

With billions of people around the world using social media services such as Facebook, LinkedIn and Twitter, attackers are no longer restricted to one means of sending messages to potential victims.

Some attacks are simple and easy to spot: a Twitter bot might send you a private message containing a shortened URL which leads to something bad such as malware or maybe even a fake request for payment details.

But there are other attacks which play a longer game. A common tactic used by phishers is to pose as a person – often an attractive woman – using photos ripped from the internet, be it stock imagery or someone’s public profile. Often these are just harvesting Facebook ‘friends’ for some future nefarious means and don’t actually interact with the target.

However, sometimes plain old catfishing comes into play, with the attacker establishing a dialogue with the (often male) target – all while posing as a fake persona.


The ‘Mia Ash’ social media phishing campaign saw attackers operate a fake social media presence as if the fake persona was real. Image: SecureWorks

After a certain amount of time – it could be hours, it could be months – the attacker might concoct a false story and ask the victim for details of some kind such as bank details, information, even login credentials, before disappearing into the ether with their gains.

These campaigns can be completely random, but some are specifically targeted with hackers running an entire online persona of a fake person across multiple social media sites in order to look like an authentic, real living person.

One campaign of this nature targeted individuals in organisations in the financial, oil and technology sectors with advanced social engineering based around a single, prolific social media persona that was absolutely fake.

Those behind ‘Mia Ash’ are thought to have been working on behalf of the Iranian government and tricked victims into handing over login credentials and private documents.

SMS and mobile phishing

The rise of mobile messaging services – Facebook Messenger and WhatsApp in particular – has provided phishers with a new method of attack, with the fact that smartphones are now in the pocket of the victims making them almost immediately accessible.

Attackers don’t even need to use emails or instant messaging apps in order to meet the end goal of distributing malware or stealing credentials – the internet-connected nature of the modern phone means text messages are also an effective attack vector.

An SMS phishing – or smishing – attack works in much the same way as an email attack, presenting the victim with a fraudulent offer or fake warning as a malicious incentive to click through to a malicious URL.


Text messages offer another attack vector to criminals. Image: Action Fraud

The nature of text messaging means the smishing message is short and designed to grab the attention of the victim, often with the aim of panicking them into clicking on the phishing URL within. A common attack by smishers is to pose as a bank and fraudulently warn that the victim’s account has been closed, had finances from it withdrawn or is otherwise compromised.

The truncated nature of the message often doesn’t provide the victim with enough information to realise the message is fraudulent, especially when text messages don’t contain tell-tale signs such as a sender address.

Once the victim has clicked on the link, the attack works in the same way as a regular phishing attack, with the victim duped into handing over their information and credentials to the perpetrator.

How to spot a phishing attack

The whole point of attackers carrying out phishing attacks is to use deception in order to trick victims into compromising themselves, be it by installing malware onto the network, handing over login credentials or parting with financial data.

While at its heart phishing remains one of the most basic forms of cyber attack, the simple fact of the matter is that it works – and it’s been working for over two decades.

While many in the information security sector might raise an eyebrow when it comes to the lack of sophistication of some phishing campaigns, it’s easy to forget that there are billions of internet users – and every day there are people who are accessing the internet for the first time.

Large swathes of internet users therefore won’t even be aware about the potential threat of phishing, let alone that they might be targeted by attackers using it – why would they even suspect that the message in their inbox isn’t actually from the organisation or even friend it says it’s from?

But while some phishing campaigns are so sophisticated and specially crafted that the message looks totally authentic, there are some key give-aways in less advanced campaigns which can make it obvious to spot an attempted attack.

Signs of phishing: Poor spelling and grammar

Many of the less professional phishing operators still make basic errors in their messages – notably when it comes to spelling and grammar.

Official messages from any major organisation are unlikely to contain bad spelling or grammar, let alone repeated instances throughout the body – so poorly written messages should act as an immediate warning that the message might not be legitimate.

It’s common for attackers to use a service like Google Translate to translate the text from their own first language, but despite the popularity of these services they still struggle to make messages sound natural.

Shortened or odd URLs in phishing emails

It’s very common for email phishing messages to coerce the victim into clicking through a link to a malicious or fake website.

Many examples of phishing attacks will invite the victim to click through to an official-looking URL. However, if the user takes a second to examine the link more closely, they can hover the pointer over it and often find that while the text seems like the legitimate link, the actual web address is different.

In some instances, it can simply be a shortened URL, whereby the attackers hope the victim won’t check the link at all and just click through. In other instances, attackers will take a minor variation on a legitimate web address and hope the user doesn’t notice.

Attackers tried to take advantage of the Blizzard data breach by sending phishing emails claiming to be from Blizzard about account security

For example, a campaign once targeted online gamers after game developer Blizzard was hacked. Attackers spammed messages claiming that the victim had their World of Warcraft account compromised in the breach and asked them to click on a link and enter their details in order to secure it. The malicious link had only one minor difference to the real URL – the L in ‘World’ had been switched to a 1.

Ultimately, if you are suspicious of a URL in an email, hover over it to examine the landing page address and if it looks fake, don’t click on it. And check that it is the correct URL and not one that looks very similar but slightly different to that which you’d usually expect.

A strange or mismatched sender address

You receive a message that looks to be from an official company account. The message warns you that there’s been some strange activity using your account and urges you to click the link provided to verify your login details and the actions which have taken place.

The message looks legitimate, with good spelling and grammar, the correct formatting and the right company logo, address and even contact email address in the body of the message. But what about the sender address?

In many instances, the phisher can’t fake a real address and just hope that readers don’t check. Often the sender address will just be listed as a string of characters rather than as sent from an official source.

Another trick is to make the sender address look almost exactly like the company – for example, one campaign claiming to be from ‘Microsoft’s Security Team’ urged customers to reply with personal details to ensure they weren’t hacked. However, there isn’t a division of Microsoft with that name – and it probably wouldn’t be based in Uzbekistan, where the email was sent from.

Keep an eye on the sender address to ensure that the message is legitimately from who it says it is.
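Both of the tells above, a link whose visible text doesn’t match where it really goes (including the ‘World’-to-‘Wor1d’ style swap) and a sender whose display name claims a brand its address domain doesn’t belong to, can be checked automatically at the mail gateway or in a triage script. The following is an added example, not code from the original article; the sample message is constructed, and the allow-list of legitimate domains and the confusable-character table are assumptions you would replace with your own.

```python
"""Triage checks for two phishing tells: link text that does not match the
real href (including look-alike domains) and a sender display name that
claims a brand the address domain does not belong to.
Added example; the message, allow-list and confusable table are constructed.
"""
import email
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed allow-list of domains the organisation knows to be legitimate.
KNOWN_DOMAINS = {"worldofwarcraft.com", "blizzard.com",
                 "example-bank.com", "microsoft.com"}
# Link shorteners hide the real destination; treat them as suspect.
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl"}
# Digit/letter swaps attackers use because they look alike (assumed table).
CONFUSABLES = str.maketrans({"1": "l", "0": "o", "5": "s", "3": "e", "|": "l"})


def normalise(domain: str) -> str:
    """Lower-case, drop a leading 'www.', undo common digit/letter swaps."""
    d = domain.lower()
    if d.startswith("www."):
        d = d[4:]
    return d.translate(CONFUSABLES)


def registrable(host: str) -> str:
    """Crude 'last two labels' heuristic (no public-suffix list in this example)."""
    return ".".join(host.split(".")[-2:])


def lookalike_of(host: str):
    """Return the known domain this host imitates, or None if it is not suspect."""
    if registrable(host) in KNOWN_DOMAINS:
        return None
    fixed = registrable(normalise(host))
    if fixed in KNOWN_DOMAINS:            # wor1dofwarcraft.com -> worldofwarcraft.com
        return fixed
    for known in KNOWN_DOMAINS:           # brand buried in a sub-label: blizzard.com.evil.net
        if known in host:
            return known
    return None


class AnchorCollector(HTMLParser):
    """Collect (href, visible text) for every <a> in an HTML body."""
    def __init__(self):
        super().__init__()
        self.anchors, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def check_link(href: str, text: str) -> list[str]:
    findings = []
    host = urlparse(href).hostname or ""
    if registrable(host) in SHORTENERS:
        findings.append(f"shortened URL hides destination: {href}")
    # Visible text that itself looks like a URL but points somewhere else.
    text_host = urlparse(text if "://" in text else "http://" + text).hostname or ""
    if "." in text_host and registrable(text_host) != registrable(host):
        findings.append(f"link text '{text}' but href goes to {host}")
    target = lookalike_of(host)
    if target:
        findings.append(f"look-alike domain {host} imitates {target}")
    return findings


def check_sender(from_header: str) -> list[str]:
    name, addr = parseaddr(from_header)
    if "@" not in addr:
        return [f"unparseable sender: {from_header!r}"]
    domain = addr.rsplit("@", 1)[1].lower()
    findings = []
    target = lookalike_of(domain)
    if target:
        findings.append(f"sender domain {domain} imitates {target}")
    for known in KNOWN_DOMAINS:           # display name claims a brand the domain is not
        brand = known.split(".")[0]
        if brand in name.lower() and registrable(domain) != known:
            findings.append(f"display name '{name}' claims {brand} but address is @{domain}")
    return findings


def triage(raw: bytes) -> list[str]:
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = check_sender(str(msg["From"] or ""))
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        collector = AnchorCollector()
        collector.feed(body.get_content())
        for href, text in collector.anchors:
            findings.extend(check_link(href, text))
    return findings


# Constructed sample modelled on the Blizzard-themed lure described in the text.
SAMPLE = b"""From: "Blizzard Account Security" <support@wor1dofwarcraft.com>
To: player@example.org
Subject: Your World of Warcraft account was compromised
Content-Type: text/html; charset=utf-8

<html><body>
<p>Your account may be affected by the recent breach. Secure it now:</p>
<a href="http://wor1dofwarcraft.com/login">worldofwarcraft.com/account</a>
<a href="http://bit.ly/xyz">Read the security notice</a>
</body></html>
"""

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print("-", finding)
```

On the sample this reports five findings: the sender domain and the first link both resolve to a look-alike of `worldofwarcraft.com` once the `1` is read as an `l`, the display name claims Blizzard while the address does not, the visible link text disagrees with the real href, and the second link is hidden behind a shortener. The domain heuristics are deliberately crude; in production you would use a public-suffix list and a fuller confusables table, but the structure of the check, compare what the message claims against what it actually does, is the same.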

The message looks strange and too good to be true

Congratulations! You’ve just won the lottery/free airline tickets/a voucher to spend in our store – now just provide us with all of your personal information including your bank details to claim the prize. As is the case with many things in life, if it seems too good to be true, it probably is.

In many cases, phishing emails with the aim of distributing malware will be sent as a blank message containing an attachment – never opening mysterious, unsolicited attachments is a very good tactic when it comes to not falling victim.

Even if the message is more fleshed out and looks as if it came from someone within your organisation, if you think the message might not be legitimate, contact someone else in the company – over the phone or in person rather than over email if necessary – to ensure that they really did send it.

How to protect against phishing attacks

Training, training and more training. It might seem like a simple idea, but training is effective. Teaching staff what to look out for when it comes to a phishing email can go a long way to protecting your organisation from malicious attacks.

Exercises such as enabling staff to make errors – and crucially learn from them – in a protected sandbox environment or carrying out authorised penetration testing against employees can both be used to help alert users to potential threats and how to spot them.

At a technical level, disabling macros from being run on computers in your network can play a big part in protecting employees from attacks. Macros aren’t designed to be malicious – they’re designed to help users perform repetitive tasks with keyboard shortcuts.


Documents dropped by phishing attacks often ask the victim to enable Macros so as to enable the malicious payload to work. Image: Digital Guardian

However, the same processes can be exploited by attackers in order to help them execute malicious code and drop malware payloads.

Most newer versions of Office automatically disable macros, but it’s worth checking to ensure that this is the case for all the computers on your network – it can act as a major barrier to phishing emails attempting to deliver a malicious payload.

The future of phishing

It might have been around for almost twenty years, but phishing remains a threat for two reasons – it’s simple to carry out, even by one-person operations, and it works, because there are still plenty of people on the internet who aren’t aware of the threats they face. And even the most sophisticated users can be caught out from time to time.

For seasoned security personnel or technologically savvy people, it might seem strange that there are people out there who can easily fall for a ‘You’ve won the lottery’ or ‘We’re your bank, please enter your details here’.

But there are billions of people in the world who don’t regularly use the internet or are just unaware that the internet is something which criminals might use to target them. Unfortunately, criminals are there looking to scam and deceive people and it’s easiest to do it to people who are naive or overly trusting. And the low cost of phishing campaigns and the extremely low chances of scammers getting caught means it remains a very attractive option for fraudsters.

Because of this, phishing will continue as cyber criminals look to profit from stealing data and dropping malware in the laziest way possible. But it can be stopped and by knowing what to look for and by employing training when necessary, you can try to ensure that your organisation doesn’t become a victim.



Henry Sapiecha

Man in Qld Australia scammed of $400,000 for worthless scrap paper


A WEALTHY Queensland man has lost $400,000 buying blackened “US bank notes” that turned out to be worthless pieces of scrap paper.

The notorious “black money” sting has hit Queensland before, but never on the scale inflicted on one hapless investor in Brisbane.

In a separate scam, two pensioner brothers from Longreach have been fleeced of $350,000 after being conned into believing they’d won a $23 million lottery.

And a Brisbane woman was talked into buying $89,000 worth of iTunes cards after being convinced she was helping Telstra catch computer hackers.

Police say these are some of the latest victims of a barrage of scams hitting the state, with 90 Queenslanders a day reporting they have been conned.

In the “black money” sting, scammers convinced the victim they had genuine US bank notes that had been coated in black paint.

A liquid solution was meant to clean the notes, but after buying them at a reduced rate the victim was left with scrap paper rather than the millions of dollars in profit that had been promised.

The scheme is also known as the Nigerian “wash wash” scam due to it reportedly originating in the African country about 17 years ago.


The Longreach brothers were in partial care when they were told they had won 15.5 million euros ($23.2 million).

They had been targeted by what is known as an “advance fee fraud”, in which victims hand over money on the promise they will receive a lottery win or inheritance.

Detective Superintendent Terry Lawrence, head of the police Financial and Cyber Crimes Group, warned that vulnerable people were still falling for the scam despite it operating for years.

“They pushed $350,000 out in the belief they would be getting all these millions back,” Supt Lawrence said.

“It was their life savings for their care and everything like that. It’s just gone.”

The iTunes card scam involved a fake Telstra worker convincing the Brisbane woman her computer had been hacked.

The scammer then convinced the woman Telstra was transferring money to her account to help catch the hacker.

Over three days in July, she bought $89,000 worth of iTunes cards and handed them over, her money gone with little chance of a recovery.

The names of major brands such as energy retailers, phone companies and supermarkets are frequently used in the scams.

Bargain hunters, gamblers, online dating users and business owners are among those targeted, with some schemes tailored to match the time of the year.

“At tax time they do the Australian Taxation Office. Come Christmas it will be online sales or hotel accommodation,” Supt Lawrence said.

But it is believed only a fraction of those scammed report their losses to authorities.

In a recent investigation into a Gold Coast boiler room operation, police established there were about 1000 victims but only 200 came forward.

“A lot of people don’t report because they’re embarrassed – or it’s an amount they don’t think is worth reporting,” Supt Lawrence said.

Detective Senior Constable Andrew Browne, also from the financial crimes squad, said scam messages purporting to be from firms such as Telstra or Origin Energy were sent to 100,000 people or more at a time.

“They know they’re the biggest providers of power or phone bills so therefore they’ve got their biggest chance of success. They’re all trusted brands people use,” Constable Browne said.

In another scam busted by police this year, a Gold Coast man who paid for a brand-name BBQ was one of hundreds of people who ordered goods from a sham online trader that never delivered.

Two Latvian fake traders were advertising discounted Weber barbecues and other goods online but customers never received them. The pair was arrested in Brisbane and charged with multiple counts of fraud.

A new Queensland police campaign, R U in Control, is publicising scams as they occur.

Supt Lawrence said: “If people just take that second to have a bit of a think before falling for it, we could prevent much of this fraud together. You decide, not the scammers.”



Henry Sapiecha

Australians targeted by Amazon spam scam

Australians have been targeted by scammers purporting to be the retail giant Amazon and promising them $500 Amazon vouchers.

The scammers used Amazon’s well-publicised expansion into Australia as a hook.

People at the weekend received a legitimate-looking email offering $500 Amazon vouchers to those who clicked on a link and provided feedback on the company.

The email’s subject line was, “Amazon Card for you. Confirm before it expires.” The email featured the Amazon logo, and a cartoon of a man holding a clipboard in front of a bus, with an arrow and the words ‘Confirm my voucher’ running across the picture.

The email says the “expansion of Amazon into Australia is fast approaching. We will soon begin operating brick and mortar distribution and retail centers [sic] in all states across Australia.”

It continues, “Of course, Aussie consumers are no strangers to Amazon. In the past few years we have built strong relationship with you and we are here to say thank you!

“In order to express our gratitude towards Aussie consumers, we are coming to you with a $500 Amazon Voucher.

“We have 80 Vouchers to give away this weekend. All you need to do is: Confirm receiving this email by clicking here. Give us your opinion about Amazon

“That’s simple, right?

“Thank you and Good luck!”

The email was signed off by “Your Prime Team,” referring to Amazon Prime, Amazon’s membership offer which provides fast shipping to members.

While the email stated it had been sent to people who had “subscribed to offer emails”, recipients included people who had never ordered anything from Amazon or signed up for a membership.

Delia Rickard, deputy chairman of the Australian Competition and Consumer Commission, said seven people had reported the “genuine-looking” scam to the watchdog – and none had clicked on the link.

“One of the things that scammers are good at is piggy-backing on a topical event,” she said.

She said it was unclear whether the scam was motivated to spread malware, or to trick people into giving out private information that could be used for identity theft or onsold to other scammers.

The watchdog advises people to verify whether an offer is legitimate by “checking if it is listed on the retailers’ official website or by calling the retailers’ official customer service line.”

Amazon’s public relations firm Weber Shandwick declined to comment.

Amazon’s Australian plans

After Fairfax Media broke the news of Amazon’s Australian expansion plans in 2016, Amazon confirmed its plans in April and promised thousands of new jobs, millions in additional investment, and to “empower small Australian businesses through Amazon Marketplace”.

While Amazon is known for its online marketplace, it has been investing in bricks and mortar stores too.

As at last month, it had six bookstores (soon to be 12), pop-up stores, college pick-up points, and a convenience store without checkouts that is being tested in Seattle. Its finance chief last month described bricks and mortar physical stores as “another way to reach the customer”.

International sales accounted for 32 per cent of Amazon’s sales for the three months to 31 March. International sales were up 16 per cent year-on-year but continued to be unprofitable.

Amazon has been pouring big money into international expansion, particularly in India. Its capital expenditure surged 51 per cent year-on-year, primarily due to investment in fulfilment centres, or large warehouses.

Amazon operates its online grocery delivery service Amazon Fresh in 21 cities in the US as well as London and Tokyo, which opened last month.


Losses from reported Australian hacking victims quadrupled in 2016: ACCC

The Australian Competition and Consumer Commission (ACCC) has reported a four-fold increase in hacking scams, with AU$2.9 million lost to such activity in 2016, up from AU$700,000 in 2015.

According to Targeting scams: Report of the ACCC on scams activity 2016, businesses bore the brunt of these scams, with over half — AU$1.7 million — being attributed to businesses.

“While the digital economy presents many opportunities and efficiencies for businesses, it also presents significant risks,” ACCC deputy chair Delia Rickard says in the report’s foreword.

“Scams targeting businesses are becoming increasingly sophisticated using modern technology to make fake emails, invoices and websites appear legitimate to even the astute business person.”

While the digital economy is exposing businesses in Australia to these scams, the report highlights that consumers are also being affected, with digitisation giving scammers the opportunity to try new tricks.

Online scams — those executed via the internet, email, social networks, and mobile apps — outnumbered phone-based scams in 2016, with an increase of 130 percent over 2015.

Elsewhere in the report, losses to online scams accounted for 58 percent — AU$48.4 million — of total losses, while social media was a particularly busy platform used by scammers to lure victims, netting losses of AU$9.5 million in 2016 compared with AU$3.8 million in 2015.

Of the social media scams, the most prevalent were related to online dating and sextortion, a form of blackmail in which compromising images of the victim are used to extort money.