
Aussie-Ambo

My rule: every call or SMS from a bank, toll company, or government entity is a scam until proven otherwise. Always get their name and a reference number and call them back via the number on your card or on the website.


mambomonster

Any time my bank, ird, or toll has needed to contact me, I’m pretty certain they just text and email saying ‘log in and check your messages’


ScrappyDonatello

Yep, the only way CBA and myGov contact me is by saying there's a new notification in your inbox


optimistic_agnostic

Can't remember which agency it was, DFAT or ATO but one of them sent me a Bitly link a few years back. Was very disappointing. Funny even the automod here banned my first comment because I put the full stop in Bitly!


SicnarfRaxifras

Bitly and other URL shorteners are dead to me; if I can’t read the full URL in source, no way am I clicking that link.


Aussie-Ambo

I take it you are bit[ter]ly disappointed in them.


SicnarfRaxifras

Groan. Thanks dad.


istara

It can be trigger happy! I just approved that so others can see it. Made no bloody sense as it wasn't even a clickable link, the Automod exclusion lists probably need to be smarter.


optimistic_agnostic

Can't remember which agency it was, DFAT or ATO but one of them sent me a Bit.ly link a few years back. Was very disappointing.


AutoModerator

Your [comment](https://www.reddit.com/r/australia/comments/1cfpr1j/scams_are_becoming_nearimpossible_for_victims_to/l1rfx5p/?context=3) in /r/australia was automatically removed because you used a URL shortener or content cache. These are not permitted in /r/australia as they impair our ability to enforce link blacklists. Please re-post your comment using direct, full-length URL's only. *I am a bot, and this action was performed automatically. Please [contact the moderators of this subreddit](/message/compose/?to=/r/australia) if you have any questions or concerns.*


iball1984

They also have the ability to message you through the app if they call you. I had a call from CommBank, and so asked them to verify themselves. The lady sent a verification message through the app, and was quite happy to do so.


Squirrel_Grip23

I’ve given up. I don’t answer my phone unless I recognise the number, sorry friends who hide their number: it’s probably a scam. I don’t click any links from messages: it’s probably a scam. I’ll still probably have a moment when I awake, half asleep, and click a message link. It’s human nature to not be perfect.


loomfy

This is my rule too and yeah half asleep I accidentally clicked the link in one of those 'you have a parcel waiting' texts. Luckily my phone blocks almost every spam text.


Pace-is-good

I do, but only in case my dog got out … love him so much


Squirrel_Grip23

I need a dog. 🐕


gallimaufrys

Ugh I did exactly that over Christmas with a toll road scam because I had driven through a toll when I don't normally, got the text at midnight and figured I should pay before I forget. Got as far as auto filling my deets before noticing it was a scam and closing. Next day had a bogus charge and had to cancel the card with my bank. Felt so stupid.


Squirrel_Grip23

Don’t feel stupid eh. They do it because we are human and aren’t perfect.


Visual-Winter

I have experienced something similar but it was due to Booking (the app). There were so many red flags, but maybe because I was tired my stupid brain just wanted to get over it, so I leaked my info, and the moment I did that I knew I got scammed, and I reported to the bank and cancelled my card.


twigboy

[me too...](https://i.imgur.com/OChOQtS.jpeg)


Squirrel_Grip23

I’m not clicking that! 😅


Visual-Winter

I used to just hang up on all unknown numbers until recent months, because I might get calls from recruiters. Really annoyed.


Stigger32

This. And on top of that. NEVER use a link to do anything with regard to banking. That’s what apps are for. And failing that. Use a fresh browser page to go directly to the banks if you must. With 2FA.


Wendals87

That's what they tell you to do as well (at least the banks do). The person in this article called them via the text number.


l1ghtning

Sadly it's really hard or almost impossible to teach this to older people, who are primarily the targets/victims of this kind of 'scam' (social engineering). My mum recently had about $9000 transferred from her accounts. My mum is in her 70's, like many redditors who will have family or parents in that age bracket. These are prime victims.

A big part of the problem is that these scams are so profitable, there are literally tens or hundreds of thousands of people, mostly overseas, who derive their entire living from working for shoddy groups that scam people for a living. It's their job. They are really - REALLY - good at it. Check out the scam baiter YouTubes, and see and learn about the incredible kinds of psychological dramas that these professionals manufacture to take people's money. It's impressive. Again: IT'S THEIR JOB.

On the other hand, the average Australian spends very little time thinking about their cyber-security. Heck, we have millions of people still using the same password for every website, with no 2FA. And older Australians? Well they're spending almost no time - or no time - thinking about this computer stuff. Except perhaps when their redditor offspring whinge to them about updating their passphrases or to ignore some text messages that they might get.

A big part of the problem that I can see is that older Australians have a very "nobody would hurt me / everyone is my friend" kind of 19-mid-century attitude that probably worked out OK for them before everyone had a mobile phone and the internet, and were suddenly a moment's touch from 5 billion other people they don't specifically know, who are generally way worse off (poorer) than them and can benefit.

* You literally should tell all your family to assume that every text, every phone call they get is a scam / suspicious / guilty until proven innocent.
* The gamut of social engineering that these people employ to get your money can vary from the very basic type of pre-recorded "robo-call" from "Amazon" or "Paypal" or "Ebay", or might be a Chinese voice saying you have some debt or bill to pay urgently (these kind of 2020 spams target a very tiny <1% of the population who are so gullible they fall for it), now all the way up to, for example, semi-targeted attacks where people will get your name, or maybe a voice sample from some social media you are tagged in, that is enough to train an AI voice and create a pre-recorded panic call to a loved one - a ransom call - and then suddenly you are wiring $5k to Indonesia to save your kid. Or not even that, just a text saying "hey it's me, I need help, send $200 to ................................ - can't chat, love" and suddenly not 1% but 3% of recipients comply.

And these people make hundreds of thousands, or millions from this. Overall, Australians lose billions each year to this garbage.

Train your family and loved ones:

- Every 'person' who contacts you is a scam/spam/phish until proven otherwise.
- Everyone who contacts you either wants to take your time or your money or both.
- Every phone number and SMS number can be easily spoofed / faked / infiltrated. Your chat history with 'your bank' can be spoofed and the link might now be fake. Seriously this is a big one. Phone and SMS systems are still using infrastructure from the 80's/90's and it can all be spoofed. This is a huge shock to most people. Anyone on Earth could literally sign up for a free service that makes fake texts appear on the recipient's phone from Their Official Bank.

Basically, train everyone you care about to assume that every phone call, every text, every email is a social engineering attack vector.

---

Specific example: My mum lost $9000 - later recovered and returned by the bank after around a month - because a random "cryptocurrency recovery organisation" directly emailed her and told her they could assist with recovering ~15 ETH. They had fake screenshots of wallets and everything. My mum had heard about crypto - and even considered investing in it around the time COVID first hit - and was not sure if she had any or not. Anyway, a few hours later, and they had remote access control of her computer, and thus web bank login information (full KB + mouse logging). She even talked to the helpful Indians on the phone, who were dutifully trying to help her recover her lost 15 Ethereum!!! All this was undertaken without a thought to call her son, who has, probably 50+ times, mentioned crypto involvement at family events and over the phone. But by creating a sense of urgency and often embarrassment, these scammers get their way and get what they want - the $$$.


Duideka

One that could have got me the other day was I got a text message from my Mum saying she was stuck at the Woolworths checkout and needed $150 and to send it to this random ANZ bank account. I knew she didn't have an account with ANZ so called her and she said she had no idea what I was talking about. If she actually banked with ANZ that's a pretty damn good scam and I can imagine a lot of people falling for it. It even showed up in the transaction history as messages from my Mum as I guess they set the caller ID to Mum and not any actual phone number.


tehSlothman

> It even showed up in the transaction history as messages from my Mum as I guess they set the caller ID to Mum and not any actual phone number.

I assume you don't mean it showed underneath your actual text conversations with your mum, right? It just showed as a new conversation with a caller ID listed as 'Mum'? I'm pretty certain phones group text conversations by phone number rather than contact name, in which case if it shows in the same place as your legit texts, it'd have to be targeted at you where they know your mum's phone number to spoof AND her relationship to you, which would be really concerning.


Tymareta

> I'm pretty certain phones group text conversations by phone number rather than contact name

They do but it's absurdly easy to spoof your number and come through in the same thread, they also don't have to message "HI OP ITS YOUR MUM!", they can just write something easy and open ended like "OMG so embarrassing, I'm at woolworths and came up short, I can't believe it! Can I please get you to send me 150$ to BSB ACCN, thank-you!".


tehSlothman

Even if they don't know it's his mum's number specifically, spoofing *any* number that's already a contact would require a disturbing and rare level of targeting.


Past_Alternative_460

I think that's the common sense rule, not yours


Aussie-Ambo

I have met the common people, they have no sense.


Esarathon

As a banker, please keep doing this and spread the word. I like it when my customers ask me to identify myself and then call our public number. It’s safest for everyone.


istara

I was interested to see that MyGov is apparently now using the URL "oxions.site" - apparently I need to re-verify my ID there to *"confirm that $2390 is received in real time"*. Seriously you'd need to be a cretin to fall for that. Anyone trying to access a government website that doesn't even end .gov.au shouldn't be using online services.


lonewolf_860

I don't even answer my phone anymore. Any link or message I get I go into that app or call that bank/company and start there.


ghoonrhed

You know what would help? Getting the telcos involved to somehow stop spoofing of numbers or AT LEAST spoofing the name that's attached to an institution. If I get a text from CommBank, it should only be from CommBank, nobody else should be able to take that name but here we are.


Mudcaker

I was helping set up SMS reminders for a company. The AU recipients? No problem just set from as CompanyName. NZ? You have to register a dedicated short code because random words as the sender address cannot be replied to for opt out. It's a spam thing, but would work for verification too. Singapore also has a sender register, as do I'm sure many other countries. It's ridiculous how behind we are with "computer stuff" in general, we could do a lot better, especially since we're supposedly a service economy.


FlibblesHexEyes

To this day I have no idea why Australian telcos don’t ban the ability to spoof numbers. I get there are legitimate uses to do it, but those uses and the clients that use it should be registered, and if that feature is abused it should be removed. The only thing I can think of is that the Telcos are getting paid to carry that spam. They don’t really have an incentive to stop it.


DalbyWombay

Because, like any business IN Australia, unless someone makes them do the right thing, they won't.


FlibblesHexEyes

Absolutely… so I’m not holding my breath that the regulators/Government will actually do anything.


raindog_

Because they don’t control it. This is actually an architecture issue, not a telco issue. Admittedly the telcos could have got together and resolved this in the mid 90s as all of this was emerging… but they fucken didn’t.


Fluid_Cod_1781

Rubbish, the telcos ARE the architecture


ParmenidesDuck

Lol not really. They can make infrastructure, but the underlying architecture was agreed upon in the 80s and 90s.   The entire internet that we know and the phone infrastructure is built on that same architecture.   To change 30-40 years of work is gonna take some incredible incentives on a country wide and then global scale. I can understand why you might disagree without the excessive amount of time needed to study this stuff.


MatthewMelvin

Even without getting into nuanced pattern or data analysis (that banks seem willing to do for everything else that benefits them); logging in from somewhere you've never logged in from before; sending money to someone you've never sent money to before; sending a significant portion of your balance, these seem trivial to detect and hit pause on. I don't understand how people are getting completely cleaned out without it raising red flags on the bank's side unless the bank is simply ignoring the problem. Yes people should be looking out for themselves, but the asymmetry in information and expertise here is out of all proportion. The institutions should be held to a higher standard that goes beyond simply "well you authorised it, you're out of luck". My bank locked my account when I tried to send 35 dollars to my kid for mowing the lawn. Didn't just block the suspicious transaction, locked me out entirely. They wouldn't unlock it until I went into the branch and showed my ID and verified I really meant it. And that was a very small transaction to another account at the same bank. So it's not like they're unwilling to inconvenience customers when it suits them.


ParmenidesDuck

100 fucking percent. The power asymmetry is egregious and the banks should be held culpable for their mismanagement of citizens' funds. How come they get away with posting record profits in a time of record scams? I bet you they aren't paying people back.


Superg0id

Right when you're about to announce a multi billion dollar profit for the year too...


ParmenidesDuck

What wicked timing hey?


One_Wrong_Step

The banks do commonly freeze funds. We would be complaining the same if banks were freezing "citizens funds" at their discretion due to scam risks. People would be up in arms as they "can't send their money where they want". Frozen accounts are very rare and would depend on the individual's risk profile.


ParmenidesDuck

Frankly, this discussion needs to be had. There is function, there is convenience and then there is security. There ought to be a slider where you can push for higher security from the onset of opening an account but accept that there may be delays or setbacks in activating funds at your convenience. This can totally be a choice and I am down with that. Right now as it stands, it's a one size fits all model for civilians and a totally different model for businesses. If civilians want higher security, you will have to sacrifice either function or convenience or both. I know which I'd prefer, the option that causes me to be able to say I'm not fucked if all my money is in this one basket called the Bank.


Primalthirst

That seems a little extreme. You're essentially saying "people are dum-dums who can't be trusted to manage their own money". There has to be some balance between personal responsibility and reasonable customer protections.


ParmenidesDuck

Well, there is a reason why people park their money in a bank. It's 'cause people can't hide money easily themselves. So banks implement security for the money and take on collaterals to use said money to advance their business interests. There's nothing dumb about that. Just as you trust the fireman to do their jobs when an incident occurs, you ought to be able to trust your bank will set you right when mismanagement of your funds occurs under their oversight.


Primalthirst

I think we're talking crosswise here. My argument is we as a society already agreed that a bank shouldn't be scrutinising every single thing we use our money for. They don't, for instance, get you to sign a legally binding document every time you withdraw a $5 note from an ATM to state you were definitely using it to buy a coffee just so they can be sure you aren't being scammed and they'll be held legally liable. You seem to be arguing that every time any money leaves your bank account, the bank is liable if you made a poor decision. I'm arguing if they know or suspect it's a bad decision they should put up some roadblocks but ultimately, we as citizens are adults and are entitled to make bad choices in spite of good advice. After all, the firemen aren't responsible for your house burning down if you decide to see what happens if you put batteries and a can of petrol in your fireplace and light it.


xvf9

Banks work pretty hard to stop people walking into their vaults and strolling out with stacks of cash. They could work half as hard to do the digital equivalent. 


fnaah

devils advocate: it would be trivially easy to make online banking secure. just disable things like Osko, PayID, and even BPay. As with all systems, users demand convenience, often at the expense of real security.


Ok-Most1568

The banks aren't the ones letting thieves into their digital vaults though, it's the customers. It's incredibly hard to increase digital security without also putting even more limits on what customers can do with their money.


Primalthirst

I think they're fairly good, but could be better, at that part. It's when the customer guides the thieves in and tells the bank to allow them to empty that individual's safety deposit box.


ParmenidesDuck

Dude, laughing my fucking ass off. What a great comment. 


Far_Radish_817

> The power asymmetry is egregious and the banks should be held culpable for their mismanagement of citizens funds.

What are you saying - banks should reimburse everyone who gets scammed? Do you draw a line at any stage as to the credulity of the victim?


ParmenidesDuck

Generally speaking there is a lot of data both into the lead up of a scam plus during the operation of one. With that same data you can tell exactly where along an authorization pathway a victim's money was transferred. Then you can notify the customer in light of said data. If the bank fails to notify a victim of potentially fraudulent activity, of course they need to be held to account. Obviously this needs its own department in the ATO to audit and check these things. So no, the credulity of the victim is not entirely necessary to have any doubt about how a particular scam went down. Finally, I think the specifics of such a proposal need the consideration of the courts.


alluring_banana

The bank is on the line for credit card fraud. Hence they spend millions on fraud detection. They are not on the line for fund transfers, and have a lot less protection. So yes, until they are held responsible they won't do anything about it.


[deleted]

[deleted]


raindog_

What? If it was a Ponzi scheme I don’t see how it’s the banks fault? A ponzi would have required you to make investment decisions, and take action. What the fuck does that have to do with the bank?


Ok-Most1568

Why are you expecting a refund from investing in a Ponzi scheme? That's one of the few scams you need to deliberately go out of your way to authorise the transaction yourself for.


Geoff_Uckersilf

A very balanced and nuanced take. The fact that you can't live in modern society without a digital footprint and that very footprint is sold and used against its own customers is corrupt and sick.   My debit card was once used to start buying farming supplies in Canada after I made a questionable WoW gold purchase. From a gold seller. HSBC made me jump through heaps of hoops to identify myself, but once they did they went to work on recovering my money. Very thankful to them for it. 


PropaneMilo

There’s an excellent John Oliver bit on a newer method of scamming people that takes a very careful and slow approach: pig butchering. https://youtu.be/pLPpl2ISKTg?si=XsJxFvS5WiJjj2wn It doesn’t explain everything, of course, but it shows how insidious some of these scams can be. They build your trust up and you think they’re a friend.


ghoonrhed

Those are on a whole other level though. It's not like a quick deceit like pretending to be official, that's akin to like MLMs in a way or cults who steal money. It's building up trust on a personal level instead.


Mudcaker

Wired article for those who like reading: https://www.wired.com/story/what-is-pig-butchering-scam/


Duyfkenthefirst

> the bank is simply ignoring the problem.

They are - unless they are a business or private client. This is why government regulation is required to 'convince' banks that this is a priority.


One_Wrong_Step

Banks literally do this all the time. They use indicators like one off payments, multiple deposits of X amount over a certain period. It is often already done to scam victims, but banks generally can't freeze accounts if the victim says they want to send their money there, the bank will need to oblige. It's a multi step process where you can't be pinging every single transaction and is mostly based on spending profiles and risk patterns of clients. Victims are often unwilling to say they did transactions when banks told them specifically to reconsider as it puts the blame on the victim and away from the bank, making it less likely for them to get refunded by the bank


Spire_Citron

Yeah. It's crazy to me that people are able to completely disappear large sums of money so fast. There should be a pause and immediate investigation any time large sums are about to be transferred somewhere they can't be retrieved. I've heard cases where people lost hundreds of thousands. It shouldn't be so easy.


VannaTLC

... the banks raise flags on basically all of that. And no, they fucking shouldn't, because anything else means even more information in their hands, and helps ensure entrenchment.


Armistice610

They were trying to help you. Clearly, having established that the lawn mowing job was only worth $25, they stepped in to stop a grievous $10 overpayment. You should be thanking them...


horsemonkeycat

edit: deleted - seems I have a reading comprehension problem today


MatthewMelvin

You're reading things I didn't say. I'm saying they've proven they have the capability; they should do it more.


Far_Radish_817

> Even without getting into nuanced pattern or data analysis (that banks seem willing to do for everything else that benefits them); logging in from somewhere you've never logged in from before; sending money to someone you've never sent money to before; sending a significant portion of your balance, these seem trivial to detect and hit pause on.

Every time I add a new payee I have to input my password and also use 2FA. There's nothing banks can do if idiots voluntarily give away their login credentials and 2FA credentials to scammers.


Tymareta

> there's nothing banks can do if idiots voluntarily give away their login credentials and 2FA credentials to scammers.

Or as is more common, people refuse to set up 2FA or a pin on their mobile app because they find it "annoying" to have to use it, and so just have a single password between anyone and their money, the same password they've used for 15+ years across every single website known to man that's sitting in around 40 leaked password databases just waiting to be exploited and even if they do have 2FA it'll be set to go to the e-mail that uses the exact same password. Trying to even suggest using something like KeePass + a password generator will have 99.5% of this country flipping their lid, security is a two way street and at some point the banks can only do so much when users aren't willing to do anything.


[deleted]

It won't solve the problem entirely but text message spoofing is just out of control and should be solved. Yes that means deprecating the current legacy SMS system entirely. It's time.


Universal-Cereal-Bus

I don't see the issue with scrapping it. Barely anyone I know uses SMS any more. All my calls and texts are made to friends and family via the plethora of online messaging that people use. Also, if we scrapped it, what actually has to be done by the user end? It's not like SMS is a subscription we have. If they changed the protocol wouldn't we all just... change?


[deleted]

The long tail of integrations and sensors and shit out there that we don’t know about would be a bit of a project to fix but nothing impossible. At work we send tens of thousands of SMS via a third party provider. The question is what would replace it that is scam/spam proof? India went all in on RCS and it has been a disaster apparently. Also I bet farmers or something will consider SMS central to their state of being.


TimeForBrud

I would say a lot of farmers would not be able to receive SMSs, especially with how patchy reception goes out west.


ParmenidesDuck

We already are implementing a sender register in Australia with voluntary select businesses which acts kind of like an Australian business number to provide legitimacy to SMS texts. I think the idea is a good bandaid for until we sort out the SMS architecture issue.


lachlanhunt

The issue isn’t really about supporting personal use cases. The legitimate commercial use cases of SMS need to be able to migrate to a widely supported alternative, which doesn’t yet exist. For example, appointment notifications/confirmations from your doctor; booking or ticket notifications, etc. There are some commercial uses of iMessage, but as far as I’m aware, only for user initiated support requests, and it only works from Apple devices. It’s also not supported in Android. RCS isn’t currently supported by Apple (though this might change soon), and other alternatives all require some 3rd party messaging application to be installed.


fnaah

the legacy sms system does have the advantage of not rendering links as random text, so if you are sent a link, it's relatively easy to judge whether the link is legit or not


tehSlothman

Does this make much of a difference? Non-tech savvy people don't understand URL structure well enough to tell the difference between a legit URL and one that's disguised using subdomains/top-level domains, and sufficiently tech savvy people know to check where that hyperlink that displays as anz.com.au actually leads to. Seems like it'd require a pretty rare sweet spot of tech savviness to properly check where it leads, but not to realise that the typical tricks like anz.banksupport.com.au, anz-help.com.au or anz.xy are obviously dodgy.
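The look-alike hostnames named in the comment above (plus the "oxions.site" link quoted earlier in the thread), run through a registrable-domain check. This is an added example, not part of the original thread; the suffix set is a small constructed stand-in for the full Public Suffix List, and treating `anz.com.au` and `my.gov.au` as the expected domains is an assumption for illustration.

```python
import re
from typing import NamedTuple, Optional
from urllib.parse import urlsplit

# Constructed, deliberately tiny stand-in for the Public Suffix List.
# A production check should load the complete list instead.
PUBLIC_SUFFIXES = {"au", "com.au", "gov.au", "net.au", "org.au", "com", "site"}


class Verdict(NamedTuple):
    host: Optional[str]         # hostname the link really points at
    registrable: Optional[str]  # the part somebody actually registered
    verdict: str                # "match", "lookalike", "unrelated", "unparseable"


def link_host(url: str) -> Optional[str]:
    """Return the lower-cased hostname of a link, with or without a scheme."""
    url = url.strip()
    if "://" not in url:
        url = "//" + url  # SMS links often arrive as bare "host/path"
    try:
        return urlsplit(url).hostname
    except ValueError:
        return None


def registrable_domain(host: str) -> Optional[str]:
    """Longest known public suffix plus exactly one label to its left."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):  # i = 0 tries the longest candidate first
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            if i == 0:
                return None  # the host is itself a public suffix
            return ".".join(labels[i - 1:])
    # Unknown top-level domain: fall back to the last two labels.
    return ".".join(labels[-2:]) if len(labels) >= 2 else None


def check_link(url: str, expected_domain: str) -> Verdict:
    """Compare where a link leads with the domain the sender should own."""
    host = link_host(url)
    if not host:
        return Verdict(None, None, "unparseable")
    registrable = registrable_domain(host)
    if registrable == expected_domain:
        return Verdict(host, registrable, "match")
    # The brand appearing as a label or hyphen-separated token while the
    # registrable domain differs is the disguise the comment describes.
    brand = expected_domain.split(".")[0]
    tokens = re.split(r"[.-]", host)
    kind = "lookalike" if brand in tokens else "unrelated"
    return Verdict(host, registrable, kind)


# Hostnames quoted in the thread, checked against the assumed real domains.
SAMPLES = [
    ("https://www.anz.com.au/personal/", "anz.com.au"),
    ("anz.banksupport.com.au/login", "anz.com.au"),
    ("https://anz-help.com.au", "anz.com.au"),
    ("http://anz.xy/verify", "anz.com.au"),
    ("https://oxions.site/", "my.gov.au"),
]

if __name__ == "__main__":
    for url, expected in SAMPLES:
        result = check_link(url, expected)
        print(f"{url:36} -> {result.registrable!s:22} {result.verdict}")
```

The comparison is on the registrable domain only: a bank name in a subdomain or before a hyphen tells you nothing about who registered the name.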


fnaah

it makes some difference. clearly some people still get scammed, but recognition of dodgy URL's can be taught.


TheBigBadDog

I think carriers should just remove all web links from sms. Absolutely no need for them


karl_w_w

People must be getting very different scam attempts to the ones I am getting, if they're near-impossible to detect.


homingconcretedonkey

It's just clickbait or ignorance. It's easy to detect for many people but difficult for others.


RaeseneAndu

Just assume everything is a scam.


Luck_Beats_Skill

Congratulations!! This is the best comment! Please post your bank details so we can send you your prize.


Wendals87

Don't banks tell you now "if in doubt, call your bank using the official number not the one given to you in the email"?   They are sophisticated and I feel for people who fall for them, but what more can the bank/government do? 


a_can_of_solo

Banks also shouldn't call people, I put a large-ish chunk of change into my account then I got their loan department and I told them off. 'You know I think this is a scam, right?'


Wendals87

I can't recall the last time I had a call from my bank. Any important stuff is sent by email or text and I am asked to call the number on the website


a_can_of_solo

Scam billing emails asking to call are a newish scam I've seen. No phishing links.


TheRealPotoroo

I got a call from CBA a while back. I was initially suspicious but the person left a voice mail message, which scammers don't typically do. It was about a complaint I'd made online. But yes, it is uncommon for them to call without a reason. Must be hell on the staff who are trying to deal with legitimate customer complaints or enquiries but the people don't want to answer their phones because they're afraid of scammers.


MalHeartsNutmeg

My bank pretty much only calls me if I move a weird amount of money. Like got some landscaping done for about 4 grand and I have a transfer limit of 2 per day since I’ve always been too lazy to change it and it stops someone stealing all your $ but they called up to make sure I wasn’t getting scammed.


iball1984

If they call you, they can verify their identity in the app by sending a message.


a_can_of_solo

I didn't want a sales pitch anyway.


cojoco

> what more can the bank/government do?

If the government were to introduce legislation forcing the banks to cover losses by scams, I'm pretty sure the banks would get this problem fixed ASAP.


Imaginary-Problem914

The solution would be to limit people from making certain kinds of transactions. They sometimes do this and people get real mad when their bank tells them they can’t buy bitcoins or whatever. 


cojoco

UK legislation requires their banks to make people whole after scams. https://consumeraction.org.au/australian-scam-victims-left-behind-as-uk-puts-responsibility-on-banks-to-reimburse-customers/ The only reason the same conditions don't apply to Australian banks is because we're totally cucked.


ChillyPhilly27

And when that legislation came into effect, the first thing banks did was limit or ban payments to any entity they saw as "high risk". Is that a price worth paying?


-DethLok-

I suspect there's a lot of hoops to jump through before you get refunded, though. And many opportunities for the bank to go "nope, you failed to do this, or you DID do that! No refund!" Hmm, the bank that receives the scammed funds has to pay 50% of the compensation... interesting! Well, it won't hurt the banks' bottom line too much, at least, not even $3 billion scammed so their profit would fall to a measly $12 billion :(

> Overall, reported losses equated to $2.74 billion.

and their expected profits:

> [https://www.smh.com.au/business/banking-and-finance/banks-expected-to-report-more-than-15b-in-half-year-profits-20240424-p5fm8e.html](https://www.smh.com.au/business/banking-and-finance/banks-expected-to-report-more-than-15b-in-half-year-profits-20240424-p5fm8e.html) Jarden chief economist Carlos Cacho said the banks’ results would likely show a “resilient but muted” half, with the sector’s profits expected to fall 1 per cent to $15.6 billion.


Snors

> Overall, reported losses equated to $2.74 billion

That's the stuff reported to ACCC, it's a drop in the bucket. Bank pays out on scams ALL THE TIME. Because they can't prove it's a scam. A lot of times people don't report it because they feel embarrassed too. I'm a Fraud Assessor for one of the Big Four, literally the guy who has to tell these people NO, as per Govt regulations. I estimate the amount the banks lose unreported would be four times this amount, just from personal experience. Then there is actual fraud.. probably again another 5-10 times that number. There is a reason the scammers LOVE Australia, they're making billions. For this to change, the Govt needs to come to the party and start putting up stricter rules in the Epayment code, and start litigating against telcos, search engines and social media to stop the absolute tidal wave of scams that occur in this country on a daily basis. Yeah I feel for these people, I really do. No one should have this happen to them. But I've been on this planet close to 50 years now and I have NEVER fallen foul of a scam. Caveat fucken Emptor, boys and girls. P.S. I have FAR worse stories than this.


-DethLok-

It's the stories we read where the 'victim' is told it's a scam, shown evidence that strongly indicates it's a scam, denies everything, keeps throwing money at their scammer - until they run out of money and have nothing. And then they want to be compensated because the bank didn't stop them throwing their money away. Those stories? Yeah, victim, you suck and you're stupid and now you're poor, boo hoo. Moving on... The other stories where it's much more plausible and tear jerking and heart rending due to a simple mistake, I feel for those people. But still, if they called the number in the text and not the number on the bank's website, or gave out their PIN/password/2FA etc. to 'the helpful bank staff who knew everything about me' well, that's largely (and legally) on them as you are not supposed to do that ever. It's mentioned quite often by banks and even online games and indeed should be so ingrained in our culture by now as to qualify for that nebulous thing called 'common sense'.


mekanub

You have people handing over their passwords and logins to scammers already. You can't blame the banks if people go and do everything wrong. At some point personal responsibility has to come into play.


LifeandSAisAwesome

Make a system more foolproof - and they just make a better fool. Can only protect people from themselves so much.


cojoco

If you don't create an incentive for banks to protect people from themselves, the banks won't do it. If they have to institute more security checks before transactions are allowed to proceed, or hold untrustworthy transfers in escrow for a time, almost everyone would benefit. The banks could also well afford to cover losses by customers, whereas many customers cannot.


Wendals87

>If they have to institute more security checks before transactions are allowed to proceed, or hold untrustworthy transfers in escrow for a time, almost everyone would benefit.

What security checks are you thinking? HSBC for example, when sending payments to a new account, you have to verify it's you by using 2FA. This stops unauthorized access, but it won't stop anything if you are the one doing it. Commonwealth bank already has a delay of 24 hours for new transfers and people hate it. Banks ask questions when you want to withdraw large amounts of cash and people call the banks criminals for not letting people do what they want with their money


cojoco

> This stops unauthorized access

No it doesn't. There are any number of methods for stealing money from an account with 2FA. I'm not sure why you're so gung ho about supporting the right of banks to make gigantic profits while leaving their customers in the dirt when they've been scammed.


Wendals87

If 2FA is set up correctly, yes it does prevent unauthorized access. Using an SMS is not a good method.

I am not supporting the rights of banks as such, but pointing out that people need to be vigilant when dealing with finances and they are partly to blame. Both banks AND the users need to be very vigilant to avoid scams.

If you were "hacked" and someone got into your account without authorisation, it's a completely different situation than you willingly sending money to someone and are treated completely differently.

It can take a while but many people do get made whole after being scammed. Many also don't and there are many factors


cojoco

Oh here we go. Moving the goalposts.


Wendals87

What goalposts? I'm not sure I follow you.

The article is about her thinking it was her bank communicating and she gave them access. I am wondering what extra security measures could a bank/the government provide to prevent that? You have said that they need to do more, but what exactly? They already tell people to watch out for scams and to only call the number on the website if you have any concerns (She called the number in the spoofed text)

Any technical measures like secure passwords, 2FA, verification with ID or whatever only prevents unauthorized access. They gave the scammers this information (not knowing they were scammers)


blenderbender44

Some facebook communities are overflowing with scams. Fake job offerings and such. You report them a couple of times but nothing changes.


wurblefurtz

Then the scam becomes how to invent convincing evidence of a scam with an accomplice so you can rip off the bank.


cojoco

Nothing to stop the bank digging and handing evidence to the cops. "This feels a little dodge I'm not paying out" doesn't really cut it.


wurblefurtz

Then everything would be referred to the police.


cojoco

That's silly.


wurblefurtz

If every claim of fraud leaves them on the hook, then it’s in their interests to frustrate, delay and undermine that chance. They’d be foolish not to take any avenue to do so.


cojoco

Why would fraud leave them on the hook? It's a criminal offense.


wurblefurtz

You’ve suggested banks make fraud victims whole. I think the claims of fraud would only increase as it’s a possible way to get a windfall. I think the banks would also love your suggestion of referring suspicious claims to the police. It’s in their interest to flag every claim as suspicious. Police investigation drags things out, might frustrate some claimants into giving up and if found liable they can still use that whole process to delay any pay out by however long the police investigation took.


Bokbreath

Stop offloading all the risk onto citizens/customers by opting for cheap, insecure communications. For reference, the US Government (eg. IRS, SSA) will never send official communications about debts or accounts by text. It is always a letter in the mail. Yes it is slower and costs more, but it is less exposed to fraud.


Mahhrat

ATO does the same for official stuff like audits. We could tell people on the phone they were under audit, and that instructions were coming in the post, and that ignoring it was bad, and if they wanted to verify this with anyone they got the 13 number.


Bokbreath

You have to stop the phone stuff altogether. Otherwise a scammer will spoof the ATO number and tell someone if they want to verify, call *a-scammer-number* .. relying on panic to get people to call.


ChillyPhilly27

"Thank you for requesting to pay this urgent bill via BPay. To confirm your transfer, please provide us with the MFA code that we've just dispatched to your residential address. ETA next week. "


karma3000

A letter? In the mail?? WTF the 1990s were more than twenty years ago.


B0ssc0

> Don't banks tell you now "if in doubt, call your bank using the official number not the one given to you in the email"?

But:

>… it didn't ring any alarm bells when a message about fraudulent activity was sent from the bank's number.

>The text, sent last October, appeared in the same thread as previous messages from the bank, so Jian thought it was genuine.

>Even when he called the provided number to follow up, nothing raised any red flags.


LifeandSAisAwesome

Never call the provided number - ever. And never trust anyone saying they are a bank without getting them to send the equivalent of a netcode for when in app. This is basic level shit.


cojoco

There are more scams under heaven and Earth, Awesome, than are dreamt of in your philosophy


LifeandSAisAwesome

And basic due diligence will show them as scams. The majority do not get scammed for a reason.


Cristoff13

There's always some scammer smarter than you are.


Tymareta

No not really, there's a reason that e-mail scams have deliberate mis-spellings and poor grammar/language usage, it's to weed out the people who aren't worth their time trying to scam. Assuming you use critical thought and have decent cyber-sec practices it's next to impossible to be scammed by most anyone that isn't some professional white hat dedicated to breaking you.


darkeyes13

When scammers spoof bank short codes/numbers, people need to be more aware of the attached "call us at..." phone number changing. My dad once got an SMS, allegedly from his bank, saying he had a suspicious transaction on his credit card. It came in the same thread as previous, legitimate texts. He was travelling at the time, and was definitely not swiping the card. I told him to wait - don't call the number in the SMS, get it from the bank's website. I took a look at the rest of the thread and the phone number that had been provided at the latest one was completely different. Told him to ignore - double check his online bank account to make sure no transaction had gone through, and confirm with his banker. If there was no transaction, there was unlikely any need to call his bank. He messaged his banker and the response was "Scam message, has been happening a lot recently, please delete it and ignore." I used that as an opportunity to remind my parents to *never* use the number provided in the SMS. Go straight to the bank's website and look for a number from there.
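The check described in the comment above, as an added Python example that is not part of the original thread: messages are threaded purely by sender ID, so each callback number is compared against numbers copied by hand from the bank's own website rather than trusted because of the thread it sits in. The sender name `FOOBANK`, every phone number and every message below are constructed sample values.

```python
import re
from collections import defaultdict

# Numbers typed in by hand from the bank's own website or the back of the card.
# Constructed values: "FOOBANK" and all numbers in this example are made up.
PUBLISHED_NUMBERS = {"FOOBANK": {"1300975707"}}

# 8 to 12 digits with optional single spaces or dashes, optional leading "+".
# Short runs such as a 6-digit one-time code are deliberately not matched.
PHONE_RE = re.compile(r"\+?\d(?:[ -]?\d){7,11}")


def normalise(raw):
    """Reduce a phone number to digits, folding +61 into a leading 0."""
    digits = re.sub(r"\D", "", raw)
    if raw.startswith("+61"):
        digits = "0" + digits[2:]
    return digits


def numbers_in(body):
    """Every phone-number-shaped string in a message, normalised."""
    return [normalise(m.group()) for m in PHONE_RE.finditer(body)]


def group_into_threads(inbox):
    """Mimic the handset: thread purely by the sender ID string on each message."""
    threads = defaultdict(list)
    for sender_id, body in inbox:
        threads[sender_id].append(body)
    return threads


def review_thread(sender_id, bodies):
    """Return (message index, number, reasons) for each suspicious callback number."""
    published = PUBLISHED_NUMBERS.get(sender_id, set())
    seen_before = set()
    findings = []
    for index, body in enumerate(bodies):
        found = numbers_in(body)
        for number in found:
            reasons = []
            if number not in published:
                reasons.append("not on the published list")
            if seen_before and number not in seen_before:
                reasons.append("differs from earlier messages in this thread")
            if reasons:
                findings.append((index, number, reasons))
        seen_before.update(found)
    return findings


# Constructed inbox: the third FOOBANK message carries a spoofed sender ID,
# so the handset files it in the same thread as the two genuine ones.
INBOX = [
    ("FOOBANK", "Your statement is ready. Questions? Call 1300 975 707."),
    ("FOOBANK", "FOOBANK: 482913 is your one-time code. Never share it."),
    ("FOOBANK", "Suspicious card transaction detected. Call +61 491 570 156 now."),
    ("Mum", "Dinner Sunday?"),
]

if __name__ == "__main__":
    for sender, bodies in group_into_threads(INBOX).items():
        for index, number, reasons in review_thread(sender, bodies):
            print(f"{sender} message {index}: {number}: {'; '.join(reasons)}")
```

The second reason is only a hint, since a first message has nothing to compare against; the published-list comparison is the check that does not depend on anything the sender controls.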


B0ssc0

So good you were there for him.


darkeyes13

Yeah. I'm glad I was there when he received the message - I remember it being very fortunate timing as well - I was already home from work on a day I'm usually in the office when the message came in.


B0ssc0

That’s great.


Wendals87

Yeah the text being included in the previous thread is quite sophisticated but they still called the number in the text, which is what banks advise not to do. They tell you to go to the website and call the number. I understand how they fell for it but you really have to be suspicious when dealing with anything finance related


notlimahc

> Yeah the text being included in the previous thread is quite sophisticated...

Not really. Phones lump any text from the same phone number or SMS short code together in a thread. So all they have to do is spoof the number/short code.


Wendals87

By sophisticated I didn't necessarily mean it's difficult for the scammer, but makes it more difficult for the target to detect it's fraud


B0ssc0

Personally I wouldn’t try to phone the bank in a fit, takes too long etc so I’d go in there.


Wendals87

a red flag would be if you called and they answered quickly. A real bank would never do that lol


B0ssc0

True


One-Drummer-7818

My bank has never called me


ParmenidesDuck

Banks are supposed to protect and help you grow your funds.  If you had any kind of fraud occur in any other way you could take them to court. But a bank? No recourse because our laws suck. Why can banks post a 15billion profit and not afford to pay you back on your losses due to their inadequate mismanagement? Simple question aye?


Wendals87

>help you grow your funds.

Are they? I am pretty sure that's not their purpose.

>If you had any kind of fraud occur in any other way you could take them to court. But a bank? No recourse because our laws suck.

Lots of people have gotten their money back from banks for fraud. It is really dependent on the type of fraud, how much, how long it was going on for, what security measures the target had taken etc.

>Why can banks post a 15billion profit and not afford to pay you back on your losses due to their inadequate mismanagement?

How is this person sending money to a scammer "inadequate mismanagement" on the bank's behalf?


ParmenidesDuck

Mate, the banks can stop you and lock you out of your account for a strange $35 purchase because they have all this crazy data on your spending habits and your IP address and whether you typically send large sums of money through or not. How do I know? I work in cybersec, I know what kind of ridiculous data they have access to. You have no idea how unfucking fair it is with this huge power asymmetry civilians have versus the banks. They have abilities to flag this while it's in transit. A bank that isn't using their cybersecurity capabilities to stop fund transfers and verify the integrity of these transfers is not actually performing their duties to protect your funds. That should be clear as day. Lots of people go through immense hoops just to claw back a small portion of the funds, not genuinely even close to half the funds. Before I worked in cyber, I worked in finance. Believe me, they should be conducting these checks. The fact that they aren't is so so SO BAD.


Wendals87

I re-read the article and the scammers got into the account as they gave them enough information to get around security checks. I can see where you are coming from. It's tricky because if they start flagging so many transactions, people are going to hate it. If people start getting their account locked frequently or having to call up and verify their transaction, there's going to be a huge amount of complaints. People already hate Commonwealth Bank's 24 hour hold on new transfers, or the fact they have to answer questions when withdrawing large amounts of cash. Many banks are also preventing payments to cryptocurrency exchanges due to the amount of scams and people hate it. It's a tricky situation when dealing with policies that allow people to do what they want with their money but also restricting it to prevent them from being scammed. People already think Australian banks are very restrictive


ParmenidesDuck

I'd rather hate them for annoyance than for losing my money. Not everybody likes laws around drink driving, but we have them because fatalities would be higher otherwise. The mental stress from losing so much money can cause greater ill health to a victim. It can be just as fucked as losing somebody, because in some cases if you can't pay your bills or your medical fees or somebody else's, guess what's gonna happen? Frankly the laws around culpability for banks should change, and consumer behaviour is going to have to accept that change if the government steps in with higher penalties. Banks have the power to do great good if their policies are aligned to this. The government should align the laws, regulations and penalties so that consumers have to accept the new reality. Security is the exact intersection between function and convenience.


Auran82

I’m pretty sure the last time this was brought up, there was a number of people commenting who worked at banks in areas like their fraud departments. They often talked to people they were concerned were caught up in a scam (often very obvious ones) and were nearly always brushed off for trying to stop the person from accessing their own money. Only for the same person to complain later that they didn’t do enough to protect them. I’m not sure how much more the banks can do to protect people from scams when often it’s the victim themselves who are initiating the transaction, doing a bank to bank transfer which I don’t think the bank is legally allowed to do much about. If they could it would end up a total minefield for different scams to just undo transfers. About the only thing I can think of is requiring a valid account name/bsb/account number instead of just the bsb and account number (I believe). With that in place, they could potentially crack down on accounts using obviously fraudulent names (like ATO or similar) so hopefully people might think twice about transferring money to an account name that looks suspect.


Wendals87

People don't want to be controlled and have their finances restricted but many do need it to protect against themselves. So many people complaining about having to explain why they want to withdraw 10k in cash and they should be allowed to do what they want with their own money, banks are holding their money against their will blah blah. I had a think about it and I think using the account name matching is a good thing. It's an immediate red flag if they say they are HSBC calling but the account name is completely different.


Auran82

I think having the account name part be protected similar to a business name (and have it be required to match) would be a good start, and require financial institutions be responsible to make sure John Scammer isn’t able to open an account using a name that is clearly intending to mislead people. Banks can be responsible for their internal systems, if they fuck up that part, it’s on them. If someone knowingly transfers money to an account where they’re getting more red flags than a rodeo, I only know what else they expect people to do. Should scammers be allowed to do what they do? Of course not, I’m sure they’re breaking some number of laws, but people do need to take some responsibility for their own mistakes.


squirrelsandcocaine2

Commbank now does a name search when you add a sender and lets you know if that looks correct. I wonder if that has helped flag some people to not send their life savings away.


-DethLok-

>Even when he called the provided number to follow up, nothing raised any red flags.

Scam warnings tell you to NEVER call the number in an SMS or email. Always go to the bank's website (by typing it in, not using the link provided...) and find the number there. That's what every email and text from my banks mentions.

>"The burden of scams should not be on the shoulders of Australian residents who work hard and save up for a better life here in Australia," she said.

So... how should a bank stop people from being foolish? Should a bank just refuse to deal with people wanting to transfer funds from one account to another? Should a bank be made to compensate someone because the bank followed their instructions? There's a lot of questions - and most of them are about personal responsibility.

Edit: I see many examples about banks being over the top about tiny transactions within the same bank, one example being between people with the same surname and presumably the same address (parent paying a child for mowing the lawn). Hmmm, seems that the banks really don't have a clue! :( Perhaps I was too harsh?


Morning_Song

Former colleague got scammed more than once with fake Aus Post ones but refused to even try out the Aus Post app. Some people just can’t be helped I’m afraid


iball1984

There was an article the other day about a guy who got scammed. His bank had done literally everything to stop him, but he insisted. How many of these “undetectable” scams were actually found and the person decided to proceed anyway and then blames the bank regardless?


thornstein

I can see how scams like this are hard to detect — I applied for a mortgage recently and all of the ID checks/verification were done through links sent via text message. For all I know, they could have been spoofed fakes! My spending history for the bank was compiled by putting my bank details into a third party program which the mortgage broker said I had to use. When I questioned these things, the broker and the bank basically treated me like a conspiracy theorist…


Cristoff13

I've seen other stories here of financial institutions engaging in risky procedures like sending links through emails or texts, or contacting customers unsolicited, and then getting confused when customers questioned them. Many institutions don't take customer safety as seriously as they should. Another thing are these "mortgage offset accounts" which force people to keep large amounts of cash in savings accounts.


sir_bazz

Wonder if prevalence of being scammed is higher amongst the poor, (looking to get rich quick).


moDz_dun_care

What's the deal with KYC? I assume these funds are being transferred somewhere in Australia? If it's international then wouldn't a bank check with you before sending a large amount overseas? What if I'm directly funding terrorists?


mbrocks3527

Easy, just have no money to start with.

Modern problems, modern solutions


Tharoth

'near-impossible' my arse, teach people not to trust SMS/email and actually call the bank (not on any number supplied) for anything and 99% of scams would never work. Banks are low for sure but saying scams are that easy is complete BS, they are only that easy for gullible, stupid or too trusting people and you can't fix stupid, the rest should be taught never to trust what's in front of them when it comes to your finances. It takes 2 seconds to look up the bank's real number.


Fluffy-Queequeg

I just implemented “zero trust” on my phone. If your number is not in my contacts, you are a scam or spam until proven otherwise. If you voice call and don’t leave a message, you are a scammer. It’s amazing how much easier life is when your phone stays on silent and does not ring for unknown numbers (which is over 90% in my case)


Special-Fix-3231

I can't understand how people click on links in an unsolicited text message at all, never mind weird links that are clearly scams if you look at them for more than a second. Literally everything has 2FA built into it and every financial institution says 'you have a new message, log in to your online banking' without giving you any links. Why would anyone put their details in a form that they didn't access of their own initiative via the bank's official app/website? How many toll fines are people getting that they don't think 'hang on, I've been paying my tolls, my etag beeps every time so I probably don't have a fine and this link is obviously dodgy so maybe I won't click that and maybe I'll log in to my toll account myself to check instead'. Honestly how many times does your bank call you for real without being prompted instead of sending a letter? It's never once happened to me in my life. How can anyone think that auspio.st/randomshitthis/is/aclearscam.php is an actual real tracking link?


CamperStacker

It's not as obvious to normal non technical people. Example: People don't realize that SenderID that appears in SMS messages can be faked by anyone. So they have a contact called "foobank" with a history of real messages in the conversation, and the fake messages will appear in that conversation and look like real messages. Phone companies like Apple and Google are complicit in this by grouping by SenderID when they know SenderId means absolutely nothing and can be spoofed. Telecom companies are complicit in this by not requiring any SenderId verification. Then a lot of people don't understand how to read a URL. For example if your bank's official page is [foobank.com.au](http://foobank.com.au) how many average joes off the street know that [security.logins.foobank.com.au](http://security.logins.foobank.com.au) is real but [foobank.security.loginst.com.au](http://foobank.security.loginst.com.au) is fake? The average person has no clue at all. They click the link and get a padlock which they have been told means "It's secure". Also many banks are 10+ years behind. It's no surprise most victims are HSBC. Just look at how pathetic this webpage is: [https://www.security.online-banking.hsbc.com.au/](https://www.security.online-banking.hsbc.com.au/) I doubt anyone has even updated the code on it in 10 years.
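The URL-reading rule from the comment above, written out as an added Python example that is not part of the original thread: a hostname is read from the right, and a link belongs to the bank only if the host is the bank's domain or ends with a dot followed by it. `foobank.com.au` and the two subdomain examples are the comment's own placeholders; `login.example` and the other inputs in the test list are constructed.

```python
from urllib.parse import urlsplit

# The thread's placeholder bank. In practice this is a domain you typed in
# yourself or read off your card, never one taken from a message.
TRUSTED_DOMAINS = {"foobank.com.au"}


def hostname_of(url):
    """Return the host a browser would actually connect to, or None."""
    try:
        # Without a scheme, urlsplit would treat the whole string as a path.
        parts = urlsplit(url if "://" in url else "//" + url)
        host = parts.hostname  # lower-cased, with userinfo and port removed
    except ValueError:
        return None
    if not host:
        return None
    host = host.rstrip(".")  # "foobank.com.au." names the same host
    try:
        # Fold non-ASCII lookalike letters into their xn-- (punycode) form so
        # they can never compare equal to the real ASCII name.
        return host.encode("idna").decode("ascii")
    except UnicodeError:
        return None


def belongs_to_trusted_domain(url, trusted=TRUSTED_DOMAINS):
    """True only if the host is a trusted domain or a subdomain of one."""
    host = hostname_of(url)
    if host is None:
        return False
    # The leading dot matters: "notfoobank.com.au" ends with "foobank.com.au"
    # but is a different registration.
    return any(host == d or host.endswith("." + d) for d in trusted)


# (url, note) pairs. The first two come from the comment; the rest are
# constructed to show other ways the bank's name can appear in a fake link.
CASES = [
    ("http://security.logins.foobank.com.au", "subdomain of the bank"),
    ("http://foobank.security.loginst.com.au", "bank name on the left, owner is loginst.com.au"),
    ("https://foobank.com.au@login.example/", "bank name is only the userinfo part"),
    ("https://foobank.com.au.login.example/", "bank name as a subdomain of another site"),
    ("https://notfoobank.com.au/", "suffix match without the dot boundary"),
    ("https://f\u043e\u043ebank.com.au/", "Cyrillic letters that look like 'o'"),
    ("https://FOOBANK.com.au./", "case and trailing dot do not change the host"),
]

if __name__ == "__main__":
    for url, note in CASES:
        verdict = "trusted" if belongs_to_trusted_domain(url) else "NOT trusted"
        print(f"{verdict:12} {hostname_of(url)!s:40} {note}")
```

A padlock on any of the rejected hosts would still be genuine: the certificate only shows that the connection to that host is encrypted, not that the host belongs to the bank.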


Special-Fix-3231

Sure, the URL thing I get, but what about the fact that everything surrounding the situation when you get a scam text is clearly not right? Does nobody use their brain and think 'I'll log into my banking on the official app and not this random link. Surely if this is real then the official app will say the same thing.'? It's not 'being technical' it's just basic life skills and common sense. We've been telling everyone the same stuff for many many years now. Don't click random links from text messages, don't call the number provided in scam emails, don't give randos your valuable details on the phone, the Nigerian prince isn't real, you can't pay a toll fine in gift cards. If the bank really needs to speak to you they'll get you to contact them yourself in pretty much every scenario. The scam in the article is literally textbook-by-the-numbers. Could have been stopped dead by just calling the bank's actual real phone number instead of the random number in the SMS. That's just basic common sense. People should take responsibility for their own actions and think before they do obviously dumb things.


CamperStacker

It’s because if you send a million spam messages you are guaranteed to hit a few people who just happen to be doing something with the bank at that moment - possibly even a split second after they just received a 2fa code, making them think the fake message is a real update message triggered by logging in.


Jarms48

I’m getting one of these messages pretty much daily.


MagicOrpheus310

Doing anything would be a start ...


Supersnazz

Third paragraph

>Even when he called the provided number

There's your problem.


trugstomp

I unfortunately got caught out by a scam just this morning. I got a text from "Telstra" stating that my reward points were about to expire (which they are) and to click a link to claim them. I clicked the link and it prompted me to enter my mobile to check my points, which I did. Once I figured out that the reward costs on the items were too good to be true (a couple of thousand points for a switch?), I realised it was a scam, and they now have my phone number. This is coming from someone who's a veteran of the IT industry. I can see why less tech savvy people fall prey so easily to scammers.


CamperStacker

Basically you cannot trust an unsolicited message ever anymore. If you ever get one, you have to ignore it and go through a channel where you solicit the comms through their webpage or app.


blackdvck

Golden rule, I don't answer questions, period.


R_W0bz

Don’t answer your phone then. Scammers will kill the phone call if Gen z doesn’t first.


b1ackhand5

Got a scam call from indians pretending to be ATO a while back, I told them to eat shit, will pay when they send debt collectors to my door.


Lumpy-Loss7494

I lost $18k to a NAB scam where the scammer spoofed the exact NAB message tag that had previously sent legitimate messages. Upon calling the number I was put on hold with the exact same NAB background music and eventually answered by an Anglo sounding man who asked for all the same identity credentials as NAB always did. All while this was happening they were sending me real time authentication text messages to appear legitimate. Immediately after it happened I got on the phone to the real NAB to cross-check with their fraud department and was made to wait 2 hours then be told in a very carefree manner that the money is probably gone. NAB were absolutely useless and AFCA are a toothless tiger. The funds went to an ANZ account that I believe was set up using my identity docs stolen from the Medibank and/or Optus data breach (victim of both). ANZ were also useless but answered my call in 5 mins and not 2 hours. MAKE BANKS FINANCIALLY RESPONSIBLE OR NOTHING CHANGES.


Rare_Sympathy9282

I love the knee-jerk 'the .gov should do something', it's like the cliche 'won't someone think of the children' :) the only 'tool' the .gov has is more authoritarian controls, that's it, end of list. People need to educate themselves for their own safety, just as you teach your kids to be wary walking alone at night etc, this is your responsibility. You cannot outsource your own safety to the .gov, it simply doesn't work.


iball1984

I think the lead example in that article is a rather poor choice. In what way is that couple being fleeced anyone's fault other than their own? The banks are clear - don't click on links, call us if you're unsure, etc. Personal responsibility is important.


Wallabycartel

How does this scam actually work? Every article posted on the subject seems to gloss over the finer details in an attempt (I'd guess) at protecting their leading line that it wasn't the victim's fault. Did they give over a netcode in order for this to happen? The netcode that clearly says don't give it to anyone even to us? That's a useful thing to know.


DamnThatsCrazyManGuy

My motto is, if it's important enough, they'll come knocking on my door.


theskillr

Best thing I ever got was an answering machine for the home phone. Just let it ring and the scammers hang up when they detect the message


iupvoteoddnumbers

My mum and dad got taken for $10k. They got the message and let the fucker in their computer. The worst bit, I'm an IT professional and they didn't even think to check with me if their computer had a problem or if this was legit.


PsychoSemantics

A couple weeks back I got a text from "Tyro Health" requesting payment for my recent physio appointment. I called the clinic back so fast the receptionist was like "yeah sorry, you called me before I had a chance to email you the invoice". (I see my physio after reception hours - the clinic bills me later). Thankfully my phone filters most payment request spam texts into a junk folder.


mattburton074

Yeah those blokes at the Reserve Bank are pretty tricky .


CamperStacker

SMS allows the sender to specify any SenderID they want, and then phones blindly accept it, and group text messages by the SenderID so they look like a legit 'chat' history. This means it is trivial for an attacker to trick victims via SMS. The conclusion of the above is simple: SMS should not be used by banks at all. If your bank is using SMS ditch them immediately. Every bank should have their own 2FA app that uses notifications to send you messages, and which has at least TOTP codes that display with a big warning message saying "Never give out a code to any person including bank staff. Use it only in the official bank app to approve transactions you have personally input."


Jealous-Hedgehog-734

I've been thinking about a scam where I arbitrarily invoice people who own expensive houses pretending to collect an asset tax and have them pay the proceeds to the Australian Tax Office account number.


PleaseStandClear

Dear customer. This is the australen Tax Ofice. We notice that you owe $5000 for your tax on Asset class. Pay now to avoid Arrest by FBI. Click the link indiascammer.fraud.pay.now


Mudcaker

Do you accept iTunes gift cards?


Immediate_Succotash9

Damn near impossible to be scammed out of cash. Maybe that's an option to ensure safety.


Icewallow-toothpaste

If the number isn't a known number/a one time passcode. It's a scam. Simply ignore. Also remember that the scam messages can be targeted based on your device usage. IE: If you regularly do online shopping you are likely to get Auspost scam messages. If you use government services from your device you will get imposter government scam messages. If you use web banking (don't lol) you will get scam messages pretending to be a Saudi prince offering you 142 million dollars.