It's Scam Awareness Week, and CoinJar is an official partner. Today, we've jumped off the deep end straight into a live impersonation scam, so you don't have to. This blog post will help you spot and identify the common themes of these types of scams and understand the risks that these scams pose.
First, here's a quick primer on green and red flags. A green flag is a reassuring or positive sign that something is genuine. A red flag is the opposite - a concerning or negative sign that something is not genuine.
Everyone knows the trusty national delivery service, Australia Post, which is the postal service formerly known as the Australian Postal Corporation. Over the years, we've all shortened this household name into colloquialisms like 'AP' and 'AusPost'.
But have you heard about the lesser-known name of Australia Post: 'post.expressau.top'?
If you're thinking, "That's completely bonkers. I've never heard this name before in my life," then you'd be right.
Au contraire, here's a text message we received:
Catch Me If You Scam: Digital Disguises
It's important to know that thousands upon thousands of these messages can be sent by computers daily: bad humans set the messages up, and unsuspecting robots send them out.
So – how can we catch out the scammers? Let's break down this text message and shine a light on the five immediate red flags:
- The message comes from a number as random as a cat walking on a keyboard. We haven't included the number in the screenshot above as it could be a genuine number owned by an innocent person who has nothing to do with the impersonation scam. Alphanumeric sender IDs (where the number is replaced with the sender ID "Aus Post", for example) can add a touch of legitimacy; however, sender IDs are easily spoofed.
- Random capitalisation in the text message? Your spidey sense should be tingling! Legitimate messages from companies are like a well-tailored suit – neat, fitting, and without odd bumps. This message, however, looks like it got dressed in the dark.
- Received at 6:16 AM? Unless your delivery driver is a vampire or an insomniac owl, that timing is as odd (and controversial) as pineapple on pizza. The timing of this message screams 'scam!' louder than a rooster at dawn.
- The domain in the text message is as official as a superhero in a bath towel cape. Since it doesn't match Australia Post's web address (https://www.auspost.com), it's a gigantic neon sign saying 'Scam Ahead!'. Always scrutinise the URL like a detective examining a crucial clue – every detail matters.
- Lastly, and most importantly – we weren't waiting on any deliveries when this message came through. It's not likely that we would get a text message about a failed delivery if nothing is being delivered.
It's a lot of information to glean from 135 characters – but even a fraudulent text message claiming to be a genuine business contains a wealth of information that can help you identify if it's accurate before you get involved further.
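The domain check from the fourth red flag can be automated. The following is an added example, not code from CoinJar or Australia Post: it pulls each link out of a message body and tests whether the host is an allowlisted domain or a subdomain of one. The allowlist entry is the address this article gives; the sample message and the look-alike URLs are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Assumption: the allowlist holds the address the article gives for Australia Post.
OFFICIAL_DOMAINS = {"auspost.com"}
# Links with an explicit scheme; bare domains are out of scope for this sketch.
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def link_host(url):
    """Host the browser would connect to, ignoring any 'user@' prefix and port."""
    try:
        host = urlsplit(url).hostname or ""
    except ValueError:  # malformed authority, e.g. a broken IPv6 literal
        return ""
    return host.rstrip(".")


def is_official(host, official=OFFICIAL_DOMAINS):
    """True only for an official domain itself or a subdomain of it."""
    return any(host == d or host.endswith("." + d) for d in official)


def check_message(text, official=OFFICIAL_DOMAINS):
    """Return (url, host, is_official) for each link found in a message body."""
    findings = []
    for raw in URL_RE.findall(text):
        url = raw.rstrip(".,;:!?)")  # drop sentence punctuation after the link
        host = link_host(url)
        findings.append((url, host, is_official(host, official)))
    return findings


# Constructed sample message; only the host name comes from the article.
SAMPLE_SMS = ("AusPost: Your Parcel could not be Delivered. "
              "Update your address at https://post.expressau.top/redelivery.")

# Constructed look-alike forms that a plain substring test would accept.
LOOKALIKES = [
    "https://www.auspost.com/track",                 # genuine subdomain
    "https://auspost.com.post.expressau.top/track",  # official name as a prefix
    "https://auspost.com@post.expressau.top/track",  # official name as userinfo
    "https://notauspost.com/track",                  # official name as a suffix
]

if __name__ == "__main__":
    for url, host, ok in check_message(SAMPLE_SMS + " " + " ".join(LOOKALIKES)):
        print(f"{'official' if ok else 'NOT official':13} {host:32} {url}")
```

Matching on the parsed host rather than on the raw text is what rejects the look-alikes: the official name appearing somewhere in the link proves nothing.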
Since we're doing a deep dive, we'll open the link in the text message.
First, however, a word of caution – exploring scam websites is like poking a sleeping bear. It's risky and not a recommended pastime. Do not try this at home.
Unsurprisingly, after clicking the link in the text message, the website looks a lot like the Australia Post website. The font and logo are the same, and the favicon (the browser tab's little icon) also matches. So what are the red flags?
Let's focus on the problem areas.
Section 1 – Parcel details
Based on the text message, we already know that this website is impersonating the real Australia Post. Even without knowing that, there are a few things that stand out as red flags:
- The menu and search functions are just decorative, leading nowhere. It's a maze without an exit, a clear sign of a façade rather than a functional site.
- The tracking number doesn't look like a standard Australia Post tracking number.
- There is unusual capitalisation throughout the section explaining that the parcel must be redelivered.
- The details section mentions there is no tracking history for the parcel.
The one "green flag" is that the Australia Post logo is the genuine logo, but that's one green flag amongst four red flags – if the suspicious-looking domain name didn't already convince us, this is even more evidence to show that this website is not genuine.
Section 2 – Verify address
In the running narrative of a failed delivery, we are asked to enter our personal details. We've filled in the form as an example with fake personal information.
Here are the red flags we can spot:
- The address field lacks autocomplete, a common convenience feature in legitimate forms.
- The contact name field is spelled 'Contacte.' This typo is a massive red flag. In the world of online scams, spelling errors are like leaving footprints at a crime scene.
- None of the fields has the small red asterisk that marks a field as required. If my details are necessary to resolve issues with the delivery, why are the fields not mandatory on the website?
If we scroll down further into the footer section of the fake website (not included in the screenshots), the links go nowhere and are simply there for decoration.
What happens if we click 'Continue'?
Here's where this impersonation scam becomes the most significant threat to your personal and financial safety. This impersonation scam quickly morphs into identity theft when we are asked to provide our private identification documents:
You'll note the spelling and grammatical errors continue as we progress into the scam. Let's say we choose "Australian driver's licence", and click Continue. Here's what we see next:
While the fields look standard for providing an identity document, remember that this is a fake website impersonating a genuine brand. Note the checkbox at the bottom of the page. It mentions "ID Masuer", which is not a real business, and it also mentions "Vodafone's identification partners."... but isn't this an Australia Post scam?
For research purposes, we submitted fake details for a person and included no images (as the form didn't require these). In a bizarre turn of events, once the fake details were submitted, the fraudulent site redirected us back to the official Australia Post website.
- We received a text message about a failed delivery.
- We visited a website and provided our details online.
- We provided our identity details.
- We were redirected by the original website to the official Australia Post website.
That's it. In four short steps, you go from getting a text message about a parcel to having your identity stolen and misused. Not only did our identity get stolen in this example, but we were redirected back to the official Australia Post website, making the scam seem legitimate. It can happen to anyone, and it's essential to be vigilant.
Key lessons from our digital expedition
There's so much more we could say about what we've learned on our journey through an impersonation scam, but these are the key things to remember:
- Spelling and grammatical errors are often strong indicators of a scam. However, bad actors are getting better.
- Scams can have multiple layers and cause significant devastation. In this case, a "failed delivery" impersonation scam resulted in identity theft.
- Even if an official logo is used, or you end up on the official website, it's never guaranteed that the site you initially visited is genuine.
- You should always be diligent and verify if a message is genuine by contacting the organisation through official communication channels and verifying that the domain you're visiting is the official domain of the service.
Australian businesses are working hard to protect you from scams every day, but bad actors are working just as hard to circumvent the protections put in place to stop them.
In Australia Post's case, they diligently maintain a scam alerts page that you can visit anytime to get the most up-to-date information. Our research also shows that Australia Post identifies and purchases fraudulent domain names, which are then redirected to the official Australia Post site – you have to admit that's some top-notch 'Uno reverse cards' in the fight against scams, and we salute their hard work.
Making a Report
Scams can be stopped, but we need your help to do it. You can help prevent the scam and help warn others by reporting it to the National Anti-Scam Centre via Scamwatch.gov.au.
By reporting scams to Scamwatch, you help protect others and disrupt and stop scammers. The reality is that 30% of scams currently go unreported.
The information you share with Scamwatch helps the National Anti-Scam Centre identify the scams causing the most harm to Australians.
Your scepticism and diligence are paramount in this digital masquerade ball, where scammers are constantly evolving their tactics. Always remember, in the face of impersonation, it's not just about spotting the scam; it's about outsmarting it. Stay alert, stay informed, and stay safe.
If in doubt...
If you need clarification on something, contact CoinJar Support. We're constantly monitoring suspicious wallets and websites and can help you determine whether something is a scam.