About us - Online Security

Common threats

'Phishing or fake emails'

Criminals work in various ways to steal your identity. Phishing, pronounced 'fishing', is the term coined by hackers who imitate legitimate companies in emails to entice people to share passwords or credit card numbers.

An email is broadcast from a fake server address, pretending to be a real company or financial institution, containing an invitation to verify or to enter username or password. The fake website looks like the real one from the financial institution.

This leads to identity theft: criminals adopt the identity of the holder of the online bank account or credit card and with that they can make payments in the name of the genuine holder.

The Digipass system used by RaboDirect makes phishing virtually impossible. Phishing attacks can be successful if your bank relies on just passwords and PINs that never change. If a fraudster gains access to your username and password details, he or she can access your online bank account.

The Digipass helps to prevent this because of the two-factor authentication principles. The fraudster would need to know your Customer Number and Digipass PIN code and have your Digipass to be successful with a phishing attempt. The Digipass is also required to authenticate transactions giving you a double layer of security.

How to identify a phishing email or fake website

A fake email can look very realistic, but there are tell-tale signs that it is a fake.

RaboDirect will never ask you to reconfirm your Customer Number or Digipass PIN code or bank account numbers by email or by telephone. If you receive an email or a telephone call requesting confidential information this should immediately raise your suspicions and you should contact us immediately.

Check the URL address carefully on the website. It might look similar to the usual online banking URL that you use but there will be some subtle differences. Look out for the padlock icon to determine if you are in an encrypted secure session. Does the web address begin with "https://"?

Look out for obvious grammatical errors or mis-spellings. Sometimes these errors are deliberate - they can help get around spam filters.

The layout of the email and logos may make you suspicious. If you hover your mouse over links in the email, they probably won't point to your bank's website but to some other third party website unknown to you.

Does the email address you personally by name? If not, this can also raise suspicions.

The tone of the email is urgent, encouraging you to immediately take the action requested in the email, such as verifying your online banking security details.

The Fido site managed by the Australian Securities and Investments Commission has some good examples of fake emails.

Why did I receive a phishing email?

There are many ways that criminals harvest emails. Sometimes they can hack into a database to steal them, other times they just buy lists from disreputable marketing companies. Another way is to try and guess email addresses using automated programs.

If you receive a phishing email you may think that the fraudster knows that you bank with the bank they have targeted. They generally don't know this. By casting their net far and wide they hope to catch some real bank customers.

What should I do if I receive a phishing email?

First of all, don't panic.

Do not respond to the mail. This is important because the fraudster will then know that your email address is a real, working one.

Do not click on any links in the email. You could unwittingly download spyware programs to your computer by doing so.

Contact your bank. They will probably already be aware of the email by the time you contact them.

You can also report the fake email on SCAMwatch.

Fraudulent Pop-up windows

Pop-up windows are the small windows or ads that appear suddenly over or under the window you are currently viewing. The vast majority of these are legitimate ads and pose no threat. Fraudulent pop-up windows are a type of online fraud often used to obtain personal information.

Pop-up windows are often the result of programs installed on your computer called "adware" or "spyware." These programs monitor your web surfing activity and regularly come hidden inside many free downloads, such as music-sharing software or screen savers.

Many of these programs enable harmless advertisements, but some contain "Trojan horse" programs that can record your keystrokes (for account login) or relay other information to an unauthorised source.

You should also be vigilant for pop-up windows that appear while you are logged onto your online banking site. The pop-up may claim that you need to log on to your online banking site again due to a terminated session, but this time the pop-up asks for a signature code. In reality the customer still has a valid session, but now the hacker tries to get a signature code to conduct transactions. This is what is known as a 'man-in-the-middle attack' where the person attacking attempts to intercept, read or alter information moving between two computers.

You can activate a pop-up blocker to prevent these windows. Always ensure that your anti-virus protection and firewall software is kept up to date. You can also scan your computer for spyware and remove it.

Viruses and Worms

A virus is a computer program designed to cause undesirable effects on computer systems. Viruses are often designed so that they can spread from one computer to another (in some form of executable code) when their host is taken to the target computer; for instance because a user sent it over a network or the Internet, or carried it on a removable medium such as a CD, DVD, or USB drive.

While active, the virus attempts to reproduce and attach itself to other programs. This can tie up resources such as disk space and memory, causing problems on any home computer.

An email virus is transported through email messages and usually replicates by automatically distributing itself to all contacts in the victim's email address book.

A worm is a type of virus (computer program) which takes control over computers.

Unlike a virus, it does not need to attach itself to an existing program. Worms almost always cause at least some harm to the network, if only by consuming bandwidth, whereas viruses almost always corrupt or devour files on a targeted computer.

You can increase your chances of ensuring your computer is free from worms and viruses by:

  • Installing anti-virus software, and keeping it updated with the latest virus definitions.
  • Downloading and installing security patches for your operating system as soon as they become available.
  • Not accepting attachments from emails of unknown sources.
  • Installing software from trusted sources only.

Trojans

A 'trojan' is malicious code which is hidden in a computer program or other computer file which may appear to be useful, interesting, or at the very least harmless to you when using your computer.

For example, some Trojans will claim to rid the computer of viruses or other harmful applications, but instead introduce viruses and leave it vulnerable to attacks by hackers and intruders. When this computer program or file is run, the malicious code is also triggered, resulting in the set up or installation of the malicious trojan horse program.

You can minimise your chances of unintentionally downloading trojans by:

  • Not opening emails or accepting attachments from unknown sources.
  • Installing software from trusted sources only.
  • Not clicking on links contained within emails of unknown sources.
  • Regularly scanning your computer for trojans and other malicious programs with up-to-date anti-virus software.
  • Using a firewall to monitor traffic to and from your computer while connected to the Internet.
  • Downloading and installing security patches for your operating system as soon as they are available.

Identity theft

The incidence of identity theft is on the increase and you should be aware of this and the practical ways of ensuring you don't become a victim of it. The information provided below has been sourced from http://www.protectfinancialid.org.au which is a partnership between the Australian Bankers' Association (ABA), the Australian High Tech Crime Centre (AHTCC) and the Australian Securities and Investments Commission (ASIC).

Identity theft and identity fraud refer to crimes where someone wrongfully obtains and uses another person's personal data in a way that involves fraud or deception, typically for economic gain. If you're a victim, someone else has the ability to misuse your identity and access your money.

Identity theft involves the theft of a pre-existing identity. It may occur when a criminal steals or comes into possession of your personal information, such as your name, credit card details, address, date of birth, bank account, debit card details, driver's license etc., and assumes your identity to commit fraud. Criminals commit this crime by applying for credit, running up bills and not paying creditors - all under another person's name.

Identity theft can range from a criminal using your credit card details illegally to make purchases over the internet or telephone, through to having your entire identity assumed and used to open bank accounts, take out loans, lodge tax returns and conduct other business illegally in your name. When someone assumes your identity it is known as 'Identity takeover'.

Identity takeover is relatively rare in Australia, but using aspects of your identity to commit fraud can and does happen. It can also happen quickly. You might have your credit card details skimmed when you make a purchase, lose your wallet or other personal effects, or have them stolen. House break-ins and mail theft are also ways in which fraudsters can get information about you. Perhaps most unexpected of all, you could have your identity stolen and used by someone you know and trust - a friend, relative or work colleague.

Social networking sites and identity theft

Identity theft is stealing and using personal identifying information to pretend to be another person, generally for illegal purposes such as financial fraud.

Personal information such as name, address and age details that are posted on social networking sites can be used to create an 'identity package'. A false identity package can be used to open or close bank accounts and steal and transfer money. Once an identity has been falsely assumed it can be used for any number of reasons including financial fraud and damage to reputation.

The information provided below has been sourced from the Federal Government's Stay SafeOnline.

What are social networking sites?

Social networking sites are places on the web to meet and interact with people. The purpose of using networking sites can vary from person to person. Some people access them to make friendship or business connections and others use them to share information on a range of topics.

Social networking sites such as MySpace, Facebook, Bebo and LinkedIn may differ but they all allow you to give your personal information in profiles, forums, chat rooms, email, instant messaging etc., where you go to connect with other people. Some sites let you search or browse for people and other sites require you to be 'introduced' to new people. Essentially the sites are a way to meet people with similar interests, hobbies and so on.

How much information you choose to share with friends you make at these websites is a judgement call. It is a good idea to understand that whatever information you share on the internet remains on the internet and could be used inappropriately, either now or sometime in the future. This information includes items such as photos, videos or detailed personal information. There are a few simple security rules to remember and to help you act smart and be safe when visiting social networking sites.

How should I protect myself online?

  • Think about the amount of personal information you share online - do not post information that would make you vulnerable (e.g. your address, information about your schedule or routine). Adjust your privacy settings to control the amount and type of information you want to share, so that people you don't know very well can only see certain parts of your profile.
  • Actively manage your public messages noting you are in a public space - delete old messages and only put information on the website you are comfortable with anyone seeing. This includes information in your profile, in blogs and other forums. Once information is online, it is not easy to remove it. Even if you remove the information from a site, saved or cached versions may still exist on other computers.
  • Be wary of strangers - the internet makes it easy for people to misrepresent their identities and motives. It is a good idea to limit the people who are allowed to contact you on these sites. If you interact with people you do not know, be cautious about the amount of information you reveal and don't agree to meet them in person.
  • Be sceptical - don't believe everything you read online. People may use false or misleading information about various topics, including their own identities. This may be unintentional, with malicious intent or just a joke. Take appropriate precautions and try to verify the accuracy of any information.
  • Check the site's privacy policies - some sites may share information such as email addresses or user preferences with businesses. This may lead to an increase in spam. Also, try to locate the site's policy for handling referrals to make sure that you do not unintentionally sign your friends up for spam.

What should I be cautious of?

You need to provide a certain amount of personal information to connect to social networking sites. The type of information required by sites varies. Some may need an email address, a name and password. Other sites may require more information. When deciding how much information to reveal when online, you may not be as cautious as when you meet someone in person, because:

  • The internet provides a sense of anonymity.
  • The lack of physical interaction provides a false sense of security.
  • Information is generally intended for friends to read, forgetting that others may see it.
  • Some want to offer insights to gain a wider network of friends or associates.

While the majority of people using these sites are not threatening, there are criminals who are attracted to them because personal information is available on the sites. The more information criminals have about you, the easier it is for them to take advantage.

Predators may form relationships online and try to physically meet you. By using information that you provide about your location, hobbies, interests and friends, a criminal could impersonate a trusted friend or convince you that they have the authority to access other personal or financial data.

In addition to the risk of identity theft, viruses and malicious software may be embedded in the banners and advertisements that you see on social networking sites. The way social networking sites are set-up can mean that the owners of the site may not be aware of 'rogue ads' on their site. These rogue ads may contain software designed to harm your computer or steal your passwords.

Scams

Remember, if it looks too good to be true then it probably is. Here are some examples of scams that you should be on the lookout for. The list is not exhaustive. Use your common sense to guide you.

Fake job scams

These scams are often advertised on the web as 'working from home' jobs. You are offered commission for simply receiving money into your bank account and then transferring it on again. You get a percentage of the transfer amount. These are usually money laundering scams.

Engaging in such activity is a criminal offence. If you receive such a request do not reply to the email or click any links in it. Delete it completely from your email system including your trash box/deleted items folder.

Lottery scams

These are often referred to as Nigerian 419 frauds. They are called Nigerian scams because the first wave of them came from Nigeria, but they can come from anywhere in the world. The '4-1-9' part of the name comes from the section of Nigeria's Criminal Code which outlaws the practice.

You receive notice that you are the winner of a lottery that you did not enter, but must pay a small percentage for fake taxes or other fees before you can receive the rest of your prize.

Usually, you're excited about a windfall and keen to claim the money, even though you don't exactly remember ever entering the lottery in the first place.

You contact the people who emailed you, and they reply in a polite and helpful way. There's just one catch. They want you to send them a 'fee' to process your winnings. That's the fraud. You have not really won anything at all, but your winnings are dangled in front of you while the scammers try to get as much money out of you as possible in fees and charges.

Overpayment scams

If you are selling something over the internet or through the classifieds, you may be targeted by a cheque overpayment scam. You might receive an offer from a potential buyer (often quite generous) and accept it. The scammer then sends you a cheque, but the cheque is for more money than the agreed price.

The scammer will invent an excuse for the overpayment. For example, the scammer might tell you that the extra money is meant to cover the fees of an agent or extra shipping costs. The scammer might just say that it was a mistake they made when they wrote the cheque.

The scammer will then ask you to refund the excess amount - usually through an online banking transfer or a wire transfer (such as Western Union).

The scammer is hoping that you will do this before you discover that their cheque has bounced. You will have lost the money you paid into their account, and if you have already sent the item you were selling, you will lose this as well. At the very least, the scammer will have wasted your time and prevented you from accepting any legitimate offers.