ABC News
Bridget Judd

Scams, the Optus data breach and keeping your personal data secure — here are the top tips to help you avoid falling victim

So, your personal details have been exposed in a data breach, and you're not sure what it all means? Or perhaps you consider yourself pretty tech savvy, but you're worried about your parents. 

ACCC deputy chair Delia Rickard, AFP Superintendent Brad Marden, veteran cybersecurity journalist Jeremy Kirk, and triple j Hack reporter James Purtill stopped by with their top tips.

Catch up on the full Q&A below!


By Bridget Judd

Have you been targeted by a scam? Tell us your story

Australians have lost millions of dollars to scams this year.

Have you recently been targeted by or fallen victim to one?

We want to hear your story — follow the link below to our secure form.

By Bridget Judd

There are steps you can take right now to ensure you don't fall victim to scammers

This is where we'll have to leave things for this afternoon, but thanks for following along and for all of your wonderful questions.

And of course, a massive thank you to ACCC deputy chair Delia Rickard, AFP Superintendent Brad Marden, veteran cybersecurity journalist Jeremy Kirk, and triple j Hack reporter James Purtill for their insights.

We couldn't get to every single submission, but we hope you gained some tips and tricks that will help you better identify scams and keep your personal data secure.

There are also some steps that you can take right now to ensure you don't fall victim.

Before you go, why not put all that newfound knowledge to the test with our quiz — are you smarter than a scammer?

By Bridget Judd

Key Event

There is some legal recourse for lost or exposed data, but it is 'mostly unsatisfying'

Is there any legal recourse you can take for lost or exposed data?

Thanks for your question, here's Jeremy Kirk:

Jeremy: There are but they’re mostly unsatisfying. Those affected by data breaches can join class-action lawsuits. Those kinds of lawsuits usually end up in settlements that are reached several years later.

For example, credit bureau Equifax had a large breach affecting mostly US consumers that was discovered in 2017, but the settlement only became final this year. It included reimbursement for fraud, losses and fees associated with ID theft. But of course those costs for many people may have been borne upfront years earlier.

By Bridget Judd

Key Event

The ACCC is constantly trawling through the data about scammers

How does the ACCC identify new and changing scams? Do you rely on people reporting them or do you proactively look for them?

Thanks for your question, here's Delia Rickard:

Delia: It is based on people coming forward and this is why the ACCC asks people who have been exposed to a scam — even if they didn't lose any money — to let us know via scamwatch.gov.au.

Because we trawl through that data every day and whenever we see a new scam emerging, we're trying to get warnings out to people and look at what we can do. That may help stop the scam.

By Bridget Judd

Key Event

How to protect yourself in the wake of the Optus leak

If you were compromised, you could get a new driver’s licence, passport or Medicare number and free credit monitoring. But those measures could take days or weeks to kick in.

Here's what to look out for while you're waiting.

By Bridget Judd

Key Event

Have there been many cases of data breaches being used for coercive control?

Hi - A question for Brad please - Have you seen many cases of data breaches being used for coercive control?

- Claire

Thanks for your question Claire, I've put this one to Brad Marden for you:

Brad: I have not seen any cases where general data breaches involving large numbers of exposed personal details have been used for coercive control. Most people who access that type of data are doing it for financial gain. However, if someone is in a situation where they are at risk they should take particular care to follow any advice given to them in terms of remediating the data loss and if at risk, contact their local police.

By Bridget Judd

Key Event

Is PayID a safe way to accept payment for items?

Is PayID a safe way to accept payment for items sold through Gumtree or Marketplace?

- Stacey L

Thanks for your question, Stacey. Here's Jeremy Kirk:

Jeremy: It is. But if you are a buyer, just remember that PayID transactions are instantaneous and a transaction could be tricky to reverse if the payment goes to the wrong PayID.

By Bridget Judd

Key Event

If a scammer has enough information about you, they can open accounts in your name

What type of harm does identity theft cause?

Good question — we've put it to Delia Rickard.

Delia: It causes enormous harm and can be incredibly difficult to unravel. When a scammer, a criminal, has enough information about you they can open accounts in your name — bank accounts, credit accounts, running up debts in your name, telco and energy accounts, etc.

They might also be able to get enough information to be able to then try to access important accounts, be it myGov, your Apple ID, your bank account etc.

So it's incredibly important to safeguard your personal information, I don't think most people realise just quite how important it is.

By Bridget Judd

Australians are losing billions in scams — and there are calls for banks to pay them back

Bill Hall lost $26,000 in an invoice scam after an email from his builder was intercepted and resent with new payment information.

The fraudulent invoice looked exactly the same as one sent by Mr Hall's builder a couple of months earlier, except for the bank account number.

After transferring $26,345 to the Citibank account listed on the new invoice, Mr Hall thought his builder had been paid.

It took about three weeks for his financial institution Bendigo Bank and Citibank to tell him they thought he'd been scammed.

"I was shocked, I thought 'how can this happen?'," Mr Hall said.

By Bridget Judd

Key Event

Scammers are sneaky — in fact, even the cybersecurity reporter was targeted

What’s the number one rule you live by when it comes to keeping your info safe?

Jeremy Kirk has jumped in to tackle this one:

Jeremy: We have to give up our data all of the time to interact in a modern economy. We don’t have a lot of choice or oversight when we give our data to companies and organizations. We’re taking them at their word when they say they’re secure. But we have no way to verify that.

I monitor my credit reports, as successful frauds may surface that way, such as the time someone ordered three iPhones and two Samsung phones in my name. The sad reality is that most people have been caught up in a data breach at one time or another.

I’d recommend signing up with Have I Been Pwned, a service designed by Australian data breach expert Troy Hunt that lets you know if your email address has turned up in a data breach. It sends an alert out when your email address has appeared in a new data leak. That way, you are at least aware of how frequently your data has been compromised.

Also, it’s important to be vigilant and ignore any text messages or emails asking for personal data, login credentials, etc. or try to get you to click on a dodgy link. If you have any doubt about the veracity of a communication, contact the service provider on a verified phone number and clarify if there is, for example, truly a problem with your account. 

By Bridget Judd

Key Event

Companies will often collect more data than they actually need

Some businesses request date of birth but it is not clear why they need it. Sometimes they just want to know how old you are. Actual date of birth is not necessary. Should I refuse to provide my date of birth if the business cannot explain how it will be used?

- Elizabeth Evans

Thanks for your question, Elizabeth, we've put it to Jeremy Kirk:

Jeremy: You can surely try. Companies will often collect more data than they actually need, which is of course risky if it is compromised. Asking questions about data collection practices may help companies more fully realise the level of concern people have about their personal data. Generally, data governance experts recommend that organisations collect no more data than is needed to provide a service and then delete it when it is no longer needed.

By Bridget Judd

Key Event

A single digital ID service sounds nice, but it would also be an irresistible target for hackers

Is there any valid requirement for Telcos to store so much data? Considering that the government already have the MyGovID, surely Telcos could be granted limited read-only access to the database and have access to only first, last name, town of residence? Additionally wouldn't it be possible for the government to produce security keys (similar to Yubikey) for those without mobile phones or skills to use apps etc?

- Steve

Thanks for your question, Steve. Here's James Purtill:

James: This is exactly the idea recently proposed by government. After the Optus hack, the federal government said it was considering whether to develop a single digital identification service that business could use, instead of each company separately storing millions of people’s data.

And it said MyGovID would be the “natural home”, as it has millions of users already.

So yes, it could happen relatively soon, although federal governments have a patchy record with big tech projects (COVIDSafe) and centralising data storage like this would introduce further problems.

Having all the data in one place would be an irresistible target for hackers. And if the nation’s store of MyGovID numbers were somehow compromised, everyone would need to get a new one.

By Bridget Judd

Key Event

Mystery purchases and dodgy texts — these are some of your scam stories

Australians have lost millions of dollars to scams this year. Have you recently been targeted by or fallen victim to one?

We'll return to our Q&A shortly, but first, we want to hear from you.

Merrowyn: I'd like an easier way to report scams. We lost 1,000 American dollars once on a Visa card that my husband had. I found the 2 transactions, when going through the statement. The bank had no idea. We'd NEVER shopped at Walmart. Visa itself was brilliant!!! Cancelled the card straight away. Also whoever keeps saying that cash is dead, I wish they would stop. And as for cryptocurrencies. Good grief 😔. It's just all glorified gambling. If it looks too good a deal, it's probably pretty ordinary. It's been very interesting. Thanks all you experts, and especially for the quiz. I got 8/10 so reasonably aware of personal scam problems. Thank heaven.

Jenny: Just got a text from Telstra with a link saying they need to verify billing details. It felt dodgy so rang Telstra who confirmed it wasn’t them

Anne: Recently I tried to purchase shoes online. I was jet lagged and awake in the wee hours. Probably not my sharpest. I found the shoes I liked on a social media site. I then googled the brand and then the Australian version of that website presented itself. I always ‘feel’ safer buying from an Aussie site. Maybe I’m not the only one, maybe the scammers know that about me! It’s over a month ago now. I received a pair of sunglasses from the ‘shop’ which I didn’t order (in replacement of the shoe order?). We alerted our bank. Then realised I had made another purchase for a different pair of shoes from the same scammer. There was also an amount of money that wasn’t related to any purchase. All in all about $600. The investigation is continuing. Was I the perfect sitting duck: jetlagged, Aussie stockist preferred? Not paying attention! They’re clever!

By Bridget Judd

Key Event

What is the risk if a deceased person's data is hacked?

What is the risk if a deceased person’s data is hacked?

- Julie

Thanks for your question, Julie. We've put it to Jeremy Kirk and Brad Marden:

Jeremy: On the bright side that person doesn’t have to worry about footing the bill for fraud. Joking aside, the use of the personal information for deceased people is nothing new.  

But it is a risk to banks or other service providers, which might unwittingly not detect the ruse and grant credit to a fraudster who is impersonating someone else, dead or alive.

Brad: All data breaches can have direct and indirect consequences. Criminals can potentially use the data to establish bank accounts or other instruments, such as Australian Business Numbers or registering company names, in the name of the deceased person.

By Bridget Judd

It's not just the Optus data breach that scammers are capitalising on

They're also taking advantage of supply shortages within the agriculture industry, leading to a loss of more than $1.2 million for farmers, according to the ACCC.

Almost 300 reports of fraudulent sales of tractors and other farm machinery have been made to the ACCC's Scamwatch between January and August this year — a 21 per cent increase in reports made for the same period in 2021.

By Bridget Judd

Key Event

Until companies invest in cyber security, we'll continue to see lapses

Is protecting yourself likely to get easier or harder in the future?

Good question. We've put this one to Jeremy Kirk:

Jeremy: I think what’s most frustrating for people about data breaches is the realisation that once you give away your data, it’s gone. And you have to do that in order to use services. And then there’s the sick feeling when your name, address, phone number and other data suddenly just turns up on the Dark Web, as happened with Optus.

I think until the regulatory landscape matches what consumers expect – that companies will invest in appropriate cyber security controls and adopt best practices that protect personal data or else there will be big fines – we will continue to see lapses.

By Bridget Judd

Being scammed can be traumatic — especially when romance is involved

When you hear from people who have been scammed, are there any commonalities?

Thanks for your question, we've put it to Delia Rickard.

Delia: Many people are quite traumatised by being scammed, particularly romance scam victims, they are most traumatised of all.

The emotions range from anger, to despair, but it also inevitably involves a loss of trust in the online world.  

By Bridget Judd

Key Event

Jeremy spoke to the purported Optus hacker. This is what he learned

What did you learn about the purported Optus “hacker” from having spoken to them? Does it give you any insights into who some of these people are and why they do it? 

Good question! Here's Jeremy Kirk:

Jeremy: I chat with malicious hackers fairly frequently. I approach it like any other interview, with full disclosure of who I am and asking neutral questions such as, “How did you break in their systems?” The Optus hacker told me how they obtained the data (the unauthenticated API), which confirmed what a second, separate source had told me and also what an Optus executive anonymously told the ABC.

Soon afterwards, however, the person withdrew the ransom demand and stopped logging into the forum under that nickname. The goal for that person was to make money via extortion, but when the Optus situation became just a huge news story, I reckon the person thought it might be best to try to quietly slip away.

We’ll see how the police go in the next few weeks and if they can track the person down. The motivations for attacks can include money, notoriety or political aims.

By Bridget Judd

Key Event

Scammers are capitalising on the Optus breach to try and get your personal details

How do I protect myself without spending hours of time, money and mental load?

Good question! Here's Delia Rickard:

Delia: First of all, you need to be constantly aware that scams are out there. You should have strong antivirus software on all your devices and strong passwords. I know people hate that, but that is important.

Remember that you can never really know who you're dealing with online — by which I mean social media, SMS, phone calls, emails. So you do need to be on guard and remember that scammers will almost always pretend to be a trusted entity, a government agency, a bank or major retailer, or they will be tapping in on current events.

So we're seeing scams and scammers at the moment call and have an excuse that they're calling because of the Optus breach. It's essential not to give people personal information, or banking details or money, or remote access to your computer — and never click on any links in texts or emails.

If you think something's real, then don't use the contact information in the communication. Do a Google search, contact the company, go to their website, and tell them about the call and that communication and say 'Is this real or not?' And you'll nearly always find it is going to be a scam.

By Bridget Judd

Key Event

If you've been scammed before, you're definitely not alone

Recently I tried to purchase shoes online. I was jet lagged and awake in the wee hours. Probably not my sharpest. I found the shoes I liked on a social media site. I then googled the brand and then the Australian version of that website presented itself. I always ‘feel’ safer buying from an Aussie site. Maybe I’m not the only one, maybe the scammers know that about me! It’s over a month ago now. I received a pair of sunglasses from the ‘shop’ which I didn’t order (in replacement of the shoe order?). We alerted our bank. Then realised I had made another purchase for a different pair of shoes from the same scammer. There was also an amount of money that wasn’t related to any purchase. All in all about $600. The investigation is continuing. Was I the perfect sitting duck: jetlagged, Aussie stockist preferred? Not paying attention! They’re clever!

- Anne

Thanks for writing in, Anne! Here's James Purtill:

James: That’s very clever! Sounds like a classic online shopping scam.

If it’s any consolation, you’re definitely not alone in getting scammed this way.

I just looked up the latest figures on Scamwatch: There have been more than 11,000 reported online shopping scams this year, totalling close to $6 million in losses.

Scamwatch (which is run by the ACCC) has some tips for how to protect yourself:

  • Check the refunds or returns policies

  • Try to find out if it’s an Australian company (not just an Australian website), as you have a better chance of getting your money back

  • When making the online payment, look for “https” in the URL - and a closed padlock symbol

James: I’d add — Google the site and find if others have had issues. Also, if you think you’ve been scammed, call your bank right away and they may be able to stop the transaction.
