Making Australia a harder target for scammers

Speakers: Ms Gina Cass-Gottlieb, Chair
Conference: Law Council of Australia's 2022 Consumer Rights Forum
19 July 2022

Ms Gina Cass-Gottlieb, ACCC Chair, delivered the keynote address at the Law Council of Australia's 2022 Consumer Rights Forum.

Transcript: 

Check against delivery

Introduction

Thank you very much for having me here today to speak to an issue of crucial importance to every Australian.

Earlier this month we at the ACCC published our annual Targeting Scams report. The report detailed the significant efforts the ACCC and other agencies, including ASIC, ACMA and the AFP, are taking to disrupt and prevent scams.

One of the most successful exercises of this kind was the takedown of the infamous Flubot scam. In August 2021 the ACCC received some of the first complaints of what would become the biggest phone malware campaign ever to hit Australia. The Flubot scam involved text messages with content about rescheduling your parcel delivery or having a missed voicemail. As I am sure many of you would recall, Flubot was relentless and disruptive as it sought to steal passwords, online banking details and other sensitive information from smartphones around the world.

The ACCC led a multi-pronged approach to minimise the impact of the Flubot scam. We engaged with banks and the telecommunications sector, we worked with the Australian Cyber Security Centre and their partners and we shared the scam reports about Flubot with the Australian Federal Police. In June 2022, the EU announced that international police cooperation, including the AFP, was successful in taking down the FluBot criminal infrastructure. The persistent texts ended as suddenly as they had arrived.

This is one of many success stories in the battle against scams. Yet despite all these successes, there continue to be record levels of scam activity in Australia. During 2021, almost $1.8 billion in combined losses were reported to Scamwatch, ReportCyber, 12 financial organisations and other government agencies. Once we consider the fact that about a third of scam victims don’t report their losses, the real figure lost to scams in 2021 was well more than $2 billion.

These figures are staggering, and represent a severe financial impost. What can never be calculated, however, is the emotional toll and the life changing consequences that can result from these scams and their impacts on individuals, families, and businesses.

The question we have come to discuss today is, who should be responsible for scam losses? It’s an important question, which we will get to in the panel session to come. But in advance of that I want to consider a slightly different question, if I may.

That is, how can we work together to better disrupt scammers, so the losses don’t occur in the first place? What do we need to do to prevent the financial and emotional damage being wrought every day?

How can we make Australia the world’s hardest target for scammers?

In the ACCC’s view it will require a three-pronged approach. First, we need to stop scammers reaching consumers by disrupting the means by which they contact would-be victims – whether through phone calls, SMS, email, social media. Second, we need to better educate consumers so that if a scam contact makes it through to them, they are able to recognise it as a scam. Finally, we need measures in place so that if a consumer is convinced to attempt to transfer funds to a scammer there is a safety net there to prevent this from happening.

Let me detail where, in our view, the work is needed on each of these.

Stop scammers reaching consumers

Enforcement is an important part of the fight against scammers, as we saw in the case of Flubot. At the ACCC, this year we instituted proceedings against Facebook’s parent company, Meta, for publishing scam advertisements promoting cryptocurrency and other money-making schemes that we allege amount to false, misleading or deceptive conduct. That case is before the courts, so I will be limited in my comments.

These actions are of course important, but enforcement action alone cannot solve this problem.

We need to use technology and intelligence to disrupt the scammers before they can get to consumers.

While progress has been made on this front, especially by the telecommunications sector, more must be done.

We are already seeing some success in the work of the ACMA, telecommunications industry and other agencies through the Reducing Scam Calls Code, which has led to a reduction in phone scam reports to the ACCC of more than 50% in 2022. Across Australia, we are aware of 357 million scam calls being blocked in the first year of the Code’s introduction.

I note though, that some carriers are responsible for a disproportionate amount of the scam traffic not being blocked. Scammers will always target the point of least resistance and so it is important that each carrier does its part to ensure all our international gateways are blocking known scam and spam traffic. We also encourage leaders in the telecommunications sector to share their approaches and successes with others in the industry to assist in making Australia the hardest target for scammers.

I am pleased to say that is the direction that the sector is moving in. Last week, the industry finalised the expansion of the Code to place obligations on telcos to monitor and block scam SMS, which have filled the gap left by phone scams. Similarly, new rules have commenced to require better identification for high-risk telco transactions.

We hope to see the results of these initiatives in 2022 and 2023.

Phishing website takedowns

The next thing I’m going to talk about is the most common scam Australians will experience. In the first half of 2022, Scamwatch has received 32,000 reports of phishing scams but these reports pale in comparison to the reality. Everyone in this room will have a junk email folder full of phishing links, social media contacts full of requests from strangers, and these days, a spam folder on your phone full of the same, though if you’re like me, you’ve never actually checked this one.

The most financially devastating bulk phishing scams are those impersonating large organisations, leading to passwords and personal identification information including passports and driver’s licences falling into the hands of scammers.

I’m aware of an impression that nothing can be done here, or views from some that scam victims are somehow to blame for their own losses. I disagree. There are many measures that can and are being taken. I’m going to talk about what the government is doing about phishing scams and what we expect from private sector organisations.

Netcraft takedown trial

The ACCC together with ASIC is undertaking an automated website takedown trial with United Kingdom company Netcraft to remove scam websites reported to the ACCC’s Scamwatch reporting website and to ASIC. This is the same service utilised for more than 4 years by the United Kingdom’s National Cyber Security Centre.

Over the past 3 weeks we have submitted more than 300 malicious websites targeting Australians to the service, resulting in dozens of takedowns to date with dozens more pending. Many of these are phishing sites impersonating Australian businesses and government authorities, though others relate to puppy scams, shoe scams, cryptocurrency investment scams and tech support scams.

Direct protection of consumers through disrupting scam websites at their source is a powerful addition to arming consumers with knowledge about scams. I am very pleased the ACCC is conducting this work. We are also pleased to acknowledge there are some private sector organisations that are effectively identifying and disrupting scams. However, many organisations can and should do more themselves.

We note Industry Codes are still being developed in many areas, but in any event organisations should already be taking the following steps in relation to phishing scam prevention.

Organisations know when they are a regular target of impersonation by scammers. Organisations should actively monitor for, warn about, and request the removal of websites impersonating their brand. Complaining of a branding or copyright violation to a website hosting provider is fast and easily proven relative to, for example, the ACCC requesting a website’s removal for not delivering goods after customer payment.

We also expect organisations to be monitoring their own platforms, services, and transactions for scams. The ACCC engages with many private sector organisations about their scams, including sharing our own data about scams relating to the organisation, but this is an aid to help organisations meet the basic consumer protection they should be doing, not a substitute for best practice independent action.

Educate consumers to stop scams and avoid becoming victims

Some time ago, while still in my previous role, I was busily working my way through my inbox when I came across an email from a friend who had sent me a link. The email had a familiar format and the correct signature, and I came very close to clicking that link. But something about it looked not quite right, and I paused.

Of course, the email had not been sent by a friend, but by scammers. I admit I was slightly shaken that I had come so close to clicking that link. Had I been a little more rushed, or just a little more distracted, there is no doubt in my mind that I would have clicked.

The fact is that anyone, and I mean anyone, can fall victim to a scam.

It is important to recognise, however, that the toll of scams falls disproportionately on older Australians, on culturally and linguistically diverse Australians, and increasingly on Indigenous Australians. As our Targeting Scams report revealed, last year Scamwatch received 4,958 reports from Indigenous reporters with $4.8 million reported lost. This represents a 43% increase in reports and 142% increase in losses. The median loss for people from CALD communities was higher than for the overall median across all reporters - $1,200 vs $845. People aged 65 and over made the most reports (46,286) to Scamwatch and lost more money than any other age group.

It’s on this point that I want to thank the many community action groups involved in scams awareness. The single most powerful protection for an individual consumer to avoid falling victim to a scam is specific prior knowledge about that exact scam. Scammers are increasingly sophisticated and cunning in the ways they trick consumers and businesses, so this is a key challenge to address. We rely on a huge range of intermediary groups to keep their communities informed about current scams both through amplifying existing ACCC media and by organising presentations to their communities from scams experts.

Scams Awareness Week took place in November last year, with the campaign theme Stop scams. Speak up. The potential audience reached by the campaign was 15.2 million, thanks to the 353 partners from across government, the private sector and community organisations. We’re hopeful this year’s November campaign will have an even greater impact, assisting in making Australia a hard target and I encourage any organisations here today to contribute to this limb of the strategy by running your own scam awareness activities throughout the year.

It’s also important that organisations inform customers of their official channels of communication. If a company exclusively communicates by email and would never cold call or text, this should be clear and prominent on their website and in their communications.

Stop funds from reaching scammers

The third plank of the effort against scams needs to involve efforts to prevent funds reaching scammers.

Financial firms are in a unique position to assist with these efforts. This is because, despite the rise in cryptocurrency scams, most payments to scammers take place via traditional bank transfer. In 2021 $129 million was reported to Scamwatch as paid via bank transfer.

We think the time has come for Australia to adopt an approach similar to that of the UK’s Confirmation of Payee measure, which matches an account number to the intended recipient.

With the recent revision of the E-Payments Code to specifically exclude scams, we see an opportunity to create a new more focused framework to improve consumer protections from scams across the sector.

Earlier this year I urged the financial sector to take six steps to make a difference in the fight against scams. These are:

  1. prevent scammers from opening accounts at your institutions
  2. make sure you have rigorous identity verification processes informed by knowledge of the risks of scams
  3. ensure your systems can flag and block suspicious transactions
  4. intervene to warn your customers when you identify suspicious transactions
  5. introduce confirmation of payees to reduce the losses to scams that we are seeing, especially through payment redirection scams (otherwise known as Business Email Compromise scams)
  6. stay on top of scam trends and educate your employees about scams – they are on the front line and often the last line of protection.

Cryptocurrency scams and exchange licensing

In the financial services sector, we are seeing a sharp rise in the number of people losing money through cryptocurrency both as a form of investment scams, as well as a payment method for scams more broadly. So far this year, more than $100 million has been reported lost to crypto investment scams.

As with the telecommunications sector, we are seeing industry leaders emerge, creating best practices with a range of impressive scam-prevention initiatives.

We’ve seen implementation of live-video verification that customers match the photo identification documents, such as licences or passports, that they’re providing as part of know your customer checks. We’re seeing mandatory phone calls from company representatives to senior Australians opening accounts on cryptocurrency exchanges to ensure they are not being coached or scammed into transferring money to the exchange.

On the other hand, we are seeing cryptocurrency exchanges that do not have measures like these and strongly encourage them to adopt these significantly more effective best practices.

Role of the banks in crypto scams

We remain concerned at the traditional banking sector’s role in cryptocurrency scams. In the United Kingdom we are aware of at least one bank that outright blocks transfers to cryptocurrency exchanges. Outright blocking of money transfers to any cryptocurrency exchange is not a path we are considering but that example is illustrative of the key role banks play in approving that first transfer of money to a cryptocurrency exchange during a scam. Banks often have a lifetime of data on their customers’ usual habits and have responsibility commensurate with that constructive knowledge of whether a customer is likely to be investing in cryptocurrency.

We will continue to liaise with the financial sector on these issues and want to see banks and cryptocurrency exchanges placing consumers’ welfare at the forefront of their policies. This is a challenging area, largely due to the sound but complicated definition of a ‘financial product’.

We are working closely with ASIC, the Treasury and other stakeholders to ensure there are mechanisms in place that allow ASIC and the ACCC to take action under the Australian Consumer Law, or the ASIC Act and Corporations Act.

Conclusion

It is very clear that the fight against scams is never-ending and ever-evolving. No sooner do we succeed in shutting down one scam than another springs up in its place.

But I firmly believe that by bringing together government, consumer groups, the financial services sector and the telco sector we can make Australia a much harder target for scammers and prevent not only the billions of losses that we have seen to date, but also the emotional devastation.

Take this as a call to action to make Australia the world’s hardest scam target.