If the news about data breaches at multiple organisations in the past few weeks has you worried about your cybersecurity, you're not alone.
Many of us are wondering what we need to do to protect ourselves from hackers and scammers — which can be overwhelming thought given how much of our lives are online.
Paul Haskell-Dowland, a professor of cybersecurity practice at Edith Cowan University, runs us through a few simple things you can do.
How do I check if I'm a victim of a hack?
Check if your number or email's been caught up in breaches
Head to the HaveIBeenPwned website and check to see if your mobile number and email address have appeared in recorded data breaches.
It'll instantly tell you if your details have been exposed in known unintentional breaches or pastes — where information has been posted to a public website.
But you have to subscribe if you want to see if you're caught up in sensitive breaches.
The free website is run by Australian cyber security professional Troy Hunt and is run using a database of known leaked data.
However, Mr Hunt points out that it's "but a small subset of all the records that have been breached over the years", so don't assume you're in the clear if nothing comes up for you.
"Just because your email address wasn't found here doesn't mean that it hasn't been compromised in another breach," the website says.
Check your free credit reports
Credit reports allow you to check if someone has tried to apply for credit in your name — like taking out a car loan or signing up for a buy now, pay later service.
ID Care, a not-for-profit charity which describes itself as Australia's national identity and cyber support service, says you're entitled to free credit checks through official Australian credit reporting agencies.
The Office of the Australian Information Commissioner says there are three main credit reporting bodies:
- Equifax, which provides free credit reports every three months
- illion, which doesn't charge for credit reports. Once you've created a free account, you can go on as often as you like
- Experian, which provides free credit reports every three months
ID Care recommends going through each of the three agencies to make sure you don't miss anything but, if an ID theft event has only just happened, it says to wait a week before applying for the credit report.
And, if you're going to do this over email, make sure you're using a device with updated anti-virus protection.
Here's where you can go to request a credit history:
If nothing comes up, am I in the clear?
Not necessarily.
"Data can be held for days, weeks, months, years before being used," Professor Haskell-Dowland said.
"It can be traded on underground markets and used for less noticeable purposes — spam — while waiting for the heat to die down and could be adopted for more impactful campaigns in the future."
What if I've already applied for new IDs — am I safe?
Many people who were caught up in the Optus data breach have applied for a new Medicare number, passport or licence.
Professor Haskell-Dowland says if you've done this, you're "probably OK".
"The documents could still be used fraudulently, but if used by criminals for a 100-point ID check, [they] should fail when verified," he said.
What should I be watching out for?
Unusual banking activity
"Check bank and credit card statements regularly, review your credit report for new accounts and report any unusual activity immediately," Professor Haskell-Dowland said.
Updates from the hacked company
"Watch your email for notifications from the company, or in the media," Professor Haskell-Dowland said.
"Check their website for specific notifications and advice."
It's a good idea to check your junk inbox and, if you've got other old email addresses you barely use anymore, it wouldn't hurt to check those as well just in case you used them to sign up for services in the past.
Suspicious messages claiming to be from official organisations
Many of us can pick a poorly worded scam text message that comes to us out of the blue — especially if they misspell a name or claim to come from a bank you don't use.
But if scammers are armed with your personal details, they can tailor their messages to trick you.
"Exercise additional caution when responding to emails and text messages," Professor Haskell-Dowland said.
"Scammers will use the additional personal information to appear more convincing.
"Always refer to the company the caller is purporting to represent.
"Never trust contact details in the original message — call the number on the back of your bank card or independently find the contact details."
Be very wary of clicking on hyperlinks in messages and only put your details into websites you trust.
Losing mobile phone signal unexpectedly
After the Optus data breach, Jennifer Williams, Jeffrey Foster and Tamara Watson wrote an article for the Conversation about how customers could best protect themselves.
They warned people to be wary of SIM jacking — which is where scammers trick mobile phone service providers to give them access to a phone number they don't own.
"If you suddenly lose all mobile service in unusual circumstances, contact your provider to make sure you haven't been SIM jacked," they wrote.
What can I do to protect myself?
Apply for a credit ban
This means that credit reporting agencies can't disclose any personal information from your consumer credit file to any credit providers unless they have written consent or are required to do so by law.
ID Care recommends going through all three main credit reporting agencies.
Here's where you can request a credit ban:
Change your passwords
If you've been using the same password for everything, now's the time to stop.
"Create a strong, unique password for every service," Professor Haskell-Dowland said.
"Use a password manager to help manage your accounts or keep a notebook locked away."
Opt for multi-factor authentication where you can
This usually means receiving a text or an email with a code you must enter before transferring money or logging into a service.
But think about the security of the email or phone number that code will be sent to.
In their article with cyber-safety tips after the Optus breach, Ms Williams, Dr Foster and Dr Watson said to avoid having the codes sent to an Optus number "as it's at higher risk of being stolen".
