Three examples of scams that impacted clients this month

Getting scammed is an extremely distressing experience - and three iTandCoffee clients suffered that terrible experience recently.

One client found that someone had gained access to a range of her social media accounts - and had even changed the password and email address for one of these, so she was no longer able to access it.

Another client fell for a scam call, and the scammers initiated transfers of thousands of dollars - which were luckily stopped by her bank.

The third client received as strange message on her screen - saying she had a virus and to call the number provided, which she did.

Let's look at what happened in each of these cases - and what lessons can be learned from each.

Case 1: Multiple accounts hacked

In the case of the first client, multiple 'password reset' emails had arrived in her inbox from different social media accounts - alerting her to the fact that something was amiss. These emails had gone to her Bigpond mail account, which was (luckily) auto-forwarded to a separate Gmail account. Someone was trying to reset passwords on multiple online accounts.

She then found that she could no longer access one of the social media accounts - after receiving another email to say that the account's password had been successfully changed, then that the account's email address had also been changed. Her own email address was no longer valid when she tried to sign in to that account.

When she contacted iTandCoffee and showed me these emails, my first concern was for the security of her email account, which I suspected had been accessed by the scammers - and that this was how they were resetting passwords.

We signed in to the webmail version of her Bigpond email - only to find that the Inbox, Sent and Deleted mailboxes had been completely cleared - a sure sign that someone had been there, and was covering their tracks. Luckily she had the copies of the emails that had been auto-forward to Gmail.

The password for the Bigpond/Telstra account was then changed as quickly as possible, to lock out the intruders and prevent them from doing any more damage.

But how had they gained access to this client's mail account in the first place?

We checked the haveibeenpwned.com website to see if her email address and password were included on any stolen lists - which they were.

And it seems that the password used for one of the breached services on that haveibeenpwned list was the same as that used for her email account.

This made it easy for the scammers to log into her Bigpond webmail with the stolen credentials, then visit various websites where the email address may have been registered - and they obviously tried several - and choose the 'forgotten password' option to request a password reset link be sent to the email address. Because they had access to her webmail, they could then access each email with the 'password reset' link.

Another way she may have been caught out is by clicking a link in a phishing email or text, and being fooled by a fake login page - and providing login details there.

For this client, the most important thing now is to review all her online accounts - especially those associated with her identity and finances - and change the passwords to unique, strong passwords. She should also set up two-factor authentication wherever possible on these accounts, so that a password alone is not enough to access the accounts in future.

She will also need to advise friends that, should they have received an email from her during the breach period, that the email was not from her and they should let her know (so that she can be aware of what might have been sent to others). (Note. Because the Sent mail has been cleared, this client cannot be sure if any such emails were sent.)

Some lessons from this case:

• Check if your email address is on any stolen list - at haveibeenpwned.com​
• Never use the same password across multiple online accounts.
• Make sure your passwords are strong and different for each account 
• Where available, enable two-factor-authentication for accounts
• Set up a Password Safe to store these strong, unique passwords.

Case 2 - Scam caller tricks client into providing credit card and banking details

This second client came close to losing thousands of dollars. She received a call that she thought was in relation to a set of charges that had appeared on her credit card statement. 

The caller offered to help her resolve those charges, and guide her through what to do. He got her to download an app called Zoho Assist - Remote Desktop, which facilitates remote support by another person. They also got her to download another app called Skrill, which is a payment platform like PayPal.

They then started a 'remote support' session using Zoho Assist, and guided her through how to share her iPad screen with them. Once they could see her screen, they guided her through setting up a new Skrill account, and then linking her credit card and (from what I can gather) her bank account to that Skrill account. 

This then allowed them to initiate transfers of her money to their own bank account.

Luckily the bank has a policy of holding payments to new payees for 24 hours, providing time for the client and bank to notice the transactions and put a stop to them. The bank also cancelled her credit card and put a hold on her bank account.

There are also emails that indicate the scammers tried to change her online banking password.

Of course, it is all very confusing for this senior client - and she is not sure what information she gave away to these people. Because many people are confused about the online world and the multitude of accounts they may have, it can be difficult to unravel what occurred and what was divulged.

We removed the apps that the scammers had added. We also identified that password changes were needed for her Apple account and her PayPal account - just in case. 

There is still the risk that the Skrill account that the scammers set up has her bank account details - so the bank will need to keep her account suspended to monitor activity, and take whatever action that is necessary to ensure no Skrill transactions are allowed in future.

Some lessons from this case:

• Don't believe callers/texts who tell you they are from Amazon, the ATO, the police, Telstra, NBN, Microsoft, Windows, Apple, Australia Post - these are scams.
• Be conscious of co-incidence when you receive a call/text. People so often get caught out because the call/text seemed related to something that is happening at that same time. Deliveries is the classic example - i.e. you are expecting a delivery, and then receive a text about your delayed delivery - a scam text!
• If a caller says they are from your bank or some other organisation, they must be able to provide proof of identity - otherwise hang up and call the bank/organisiation on their normal number.
• NEVER let someone gain access to your device (unless you are absolutely and completely sure they are legitimate)
• NEVER follow instructions of a caller to go to a web page and click a link or to download an app.
• If a caller ever tells you that you need to go and buy iTunes Cards from the supermarket, IT IS A SCAM.
• Don't provide credit card or banking details to any caller - unless you are 120% sure they are legitimate.
• Don't provide drivers license, passport or other identity information.
• If you think you have given away your bank/credit card details, call your bank immediately.
• If you think you have had your identity stolen, visit the IDCARE website or call 1800 595 160 (Australia)
• Report the scam to Scamwatch

Case 3 - Virus message pops up in Web Browser and client calls number provided

In the case of the third client, a message had popped up on the computer, advising that there was a virus on the computer and providing a 1800 number to call. 

While this client did suspect this message was a scam, she consulted someone else who advised her to take it seriously and call the number.

She called the number and the person (of course) said he could fix the virus problem for a fee.

Luckily, she realised she was talking to a scammer before giving away her credit card details. But she wasn't sure whether she had clicked anything the scammer told her to click, and needed her computer checked for any issues.

We cleared the computer's browsing history and cache, checked for any recently downloaded apps, ran a deep virus scan, checked her list of startup processes, and the list of recently modified files. Luckily for her, all was well.

Some lessons from this case

• Don't be fooled by a message that pops up in your web browser, saying you have a virus and to call a number - IT IS FAKE
• Clear your browser's history and cache
• If the browser pops up the message every time you open it, try starting the browser with the Shift key held down - which stops it opening previously open pages (and allows you to then clear the history and caches).
• If you do get caught out and call the number - AND you follow the instructions of the person on the other end and download anything - you will need to turn off your computer immediately, or at least disconnect your router to cut off their internet access, and seek help from a professional to check and clean your computer.
• The scammers may continue calling you and be very assertive and abusive - just hang up. Don't believe what they tell you about the dangers of ignoring them. 
• And if you have given away financial or identity information, or any online account credentials, you will need to follow the advice provided above for the other two cases.

Need Help? iTandCoffee can help.

If you think you may have been caught out, or need to discuss any concerns you have about being scammed, make a time with iTandCoffee. Bookings can be made online here, or by calling 1300 885 420.

​If you are a member of our iTandCoffee Club and have 'free support' as part of your membership, here is the link to book a free 15-minute consultation using this free support allowance.

And iTandCoffee Club members are very welcome to forward any suspicious text/email to iTandCoffee for us to check. Use the email address [email protected]