New scam relies on our lazy online habits

Credit stuffing is a new online scam

It’s a new year and another scam has been unearthed.

Thousands of Australians have been hit by a wave of ‘credit stuffing’, and some customers are out of pocket to the tune of $1000.

The wave of online attacks has targeted popular brands such as Dan Murphy’s, Binge, TVSN, Event Cinemas and The Iconic.

Popular online clothing retailer The Iconic is facing heavy criticism as thousands of its customers’ accounts were accessed by unauthorised users who then went on to buy products using other people’s details.

The retailer defended itself by saying it had not ‘technically’ suffered a data breach, though that would be cold comfort to its customers.

The Iconic has promised to refund all affected customers.

What is credit stuffing?

Credit stuffing is an online attack where hackers use lists of compromised data such as email and password combinations from previous data breaches to breach other systems.

The issue with credit stuffing is that hackers don’t need your credit card details; they simply take passwords stolen from one website and try them elsewhere, relying on the fact that people often use the same password for different online retailers.

A founder of cybersecurity company Kasada told The Age the recent attacks exposed flaws in online retail security.

“This is a concerted, targeted effort to hit Australian businesses who haven’t had to deal with this before,” Sam Crowther said. “In the past few weeks, the level of activity has gone mental, and it is still going on. While we remain a soft target the problem will get worse.”

Mr Crowther said his company found more than 15,000 Australian online accounts were accessed in November alone.

Buy up big

“The modus operandi of these guys is to purchase the biggest amount you can as quickly as possible before it can be noticed or stopped,” said Mr Crowther, whose firm counts Hyatt, Sportsbet and Flybuys among its clients.

In the case of The Iconic incident, customers received notifications that their accounts had been charged, their password changed or an order was being dispatched to a postal address unknown to them.
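From the retailer's side, this kind of attack shows up in login logs as one source trying many different accounts and mostly failing, followed on the accounts it does get into by the password changes and orders to unfamiliar addresses described above. The sketch below is an added example, not from the article or from any company named in it; the event names, thresholds and sample log are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample events: (time in seconds, source IP, account, event type).
EVENTS = [
    (0,   "203.0.113.7",  "ann@example.com", "login_fail"),
    (2,   "203.0.113.7",  "bob@example.com", "login_fail"),
    (4,   "203.0.113.7",  "cat@example.com", "login_ok"),
    (6,   "203.0.113.7",  "dan@example.com", "login_fail"),
    (8,   "203.0.113.7",  "eve@example.com", "login_fail"),
    (9,   "198.51.100.4", "fay@example.com", "login_fail"),  # owner mistypes
    (15,  "198.51.100.4", "fay@example.com", "login_ok"),
    (40,  "203.0.113.7",  "cat@example.com", "password_change"),
    (95,  "203.0.113.7",  "cat@example.com", "order_new_address"),
    (300, "198.51.100.4", "fay@example.com", "order_new_address"),
]

LOGIN = {"login_ok", "login_fail"}
TAKEOVER_SIGNS = {"password_change", "order_new_address"}

def stuffing_sources(events, min_accounts=5, max_success_rate=0.5):
    """Return IPs that tried many different accounts and mostly failed."""
    accounts, ok, total = defaultdict(set), defaultdict(int), defaultdict(int)
    for _, ip, account, kind in events:
        if kind in LOGIN:
            accounts[ip].add(account)
            total[ip] += 1
            ok[ip] += kind == "login_ok"
    return {ip for ip in total
            if len(accounts[ip]) >= min_accounts
            and ok[ip] / total[ip] <= max_success_rate}

def accounts_to_lock(events, window=600):
    """Map each account a stuffing source logged in to -> takeover signs seen
    within `window` seconds of that login."""
    bad = stuffing_sources(events)
    breached = {}                 # account -> time of the suspicious login
    signs = defaultdict(list)
    for t, ip, account, kind in sorted(events):
        if ip in bad and kind == "login_ok":
            breached.setdefault(account, t)
        elif (kind in TAKEOVER_SIGNS and account in breached
              and t - breached[account] <= window):
            signs[account].append(kind)
    return {account: signs[account] for account in breached}
```

An account returned with an empty list was still logged in to by the flagged source, so it warrants a forced password reset even though no order or password change followed.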

As well as full refunds, The Iconic has promised to attempt to cancel any unauthorised order prior to shipping.

Swinburne University marketing lecturer Jessica Pallant told SBS that while the retailer was not directly hacked, organisations had a duty of care to protect any data they stored.

“Organisations need to understand that customer data is a borrowed asset,” she said.

“Customers own their data and have a right for their data to be protected.”

Scams for the year ahead

And it’s not just credit stuffing: the NAB has released a list of the top six scams to watch out for in 2024. They are:

  1. AI voice impersonation scams
  2. Term deposit investment scams
  3. Remote access scams using chat
  4. Romance scams
  5. Ticket scams
  6. QR code phishing scams.

NAB manager advisory awareness Laura Hartley said the ‘scamscape’ was constantly changing and the use of AI was expected to take scams to another level in 2024.

“Criminals are targeting Aussies by using sophisticated technology to manipulate victims when and where they least suspect it,” Ms Hartley said.

“These are scams every Australian needs to know about so they can recognise the red flags and protect themselves.”

Take a breath

Ms Hartley said one simple step to protect yourself was to take a step back and take some time to think clearly about what was happening.

“Scammers create a sense of urgency to encourage you to act quickly. It could be a phone call from your ‘son’ or ‘daughter’ in distress and needing money, a fantastic term deposit rate that’s only available for a limited time or cheap concert tickets going quickly,” she said.

“AI voice scams are one of the six we are closely watching in 2024. They can be created with as little as three seconds of audio taken from a social media post, voicemail or video on a website.

“We know they are happening in the UK and US, in particular, and anticipate it’s just a matter of time before these scams head Down Under.

“We will always do what we can but it’s often very hard to recover money once it’s in a criminal’s account.”

Ms Hartley said NAB customers reported an average of 1500 scam cases every month.

To avoid credit stuffing, consumers are advised to use a unique password for each online retailer they visit and regularly change that password or use a password manager.

Always report any scam activity to Scamwatch.


Written by Jan Fisher

Accomplished journalist, feature writer and sub-editor with impressive knowledge of the retirement landscape, including retirement income, issues that affect Australians planning and living in retirement, and answering YLC members' Age Pension and Centrelink questions. She has also developed a passion for travel and lifestyle writing and is fast becoming a supermarket savings 'guru'.
