How to spot a scam

Published date: November 7, 2023
Last updated: December 1, 2025
Author: My Plan Manager

Scammers are getting more sophisticated in their attempts to steal your private information and divert National Disability Insurance Scheme (NDIS) payments into their own pockets.

This is done through a variety of tricks and techniques that are common in today’s technology-based world, where fraudulent activity is easily cloaked in a text message, email or phone call claiming to be from an NDIS participant or a legitimate company.

According to the Australian Government, the average cost incurred by a business from a single cybercrime breach in this country is more than $276,000.

And that’s why getting scam savvy is vital for your business and your cashflow!

In this article, we outline a few of the more common tactics used by scammers today.

Phishing attacks

Phishing is a type of attack that uses fraudulent messages to steal private information, which is then used to commit crime. It’s where a person receives a text message, email or phone call claiming to be from their bank, a company or an individual, asking them to click a link to transfer funds or provide information, like credit card numbers.

If you receive a text message, email or phone call from a person who claims to be a client, vendor or plan manager asking you to provide or confirm private information – like a client’s NDIS participant number – or make a payment, it could be a scam.

If you suspect it is, be sure to report it to the National Disability Insurance Agency (NDIA) by calling the NDIS Fraud Reporting and Scams Helpline on 1800 650 717 or by emailing fraudreporting@ndis.gov.au.

What to watch out for

  • Unexpected requests for information: Legitimate companies will never ask for private information, including passwords and PINs, in an unsolicited text message, email or phone call.
  • Urgency: If the text message, email or phone call creates urgency to act, it’s likely a scam. Scammers create urgency because they want their target to act quickly and not think too much about what they’re asking.
  • Suspicious content: If a text message or email you receive contains spelling errors or incorrect details, or if it doesn’t look quite right, it could be a scam.

Compromised email attacks, impersonation scams, and accounting fraud

A compromised email attack is a cybercrime that involves a scammer taking over the email account of a business and tricking a person into sending money or providing confidential information. This is a type of phishing attack that targets individuals, with the goal of stealing money or information.

For example, a vendor your company regularly works with may send you an invoice with updated bank account details – but they may have been hacked and the email may be from a scammer trying to get your payment diverted to their bank account. Or a scammer might hack your email account and email your client’s plan manager to say your banking details have changed, so any outstanding payments are diverted to them.

Note: If My Plan Manager receives an email or phone call requesting to add or change account information, including bank account details, we first send an email to the address we have on file for you, to confirm the request came from you. We don’t ask you to divulge private information in this email.

When a scammer claims they’re someone they’re not to extract private information, money or funding, this is known as an impersonation scam.

Scammers are also known to set up fake email addresses that can look legitimate but aren’t (and they can include the name of a well-known company), to convince a person to divulge information.

Email spoofing is when a scammer modifies an email template to make it appear the same as one from a legitimate sender, so they can extract private information or money.

When a criminal submits fake invoices to a client’s plan manager on their behalf, this is known as accounting fraud.

What to watch out for

  • Emails claiming to be from legitimate businesses (like a plan manager or vendor) that request private information or ask you to make a payment. These emails usually create urgency to act.
  • An email from My Plan Manager that confirms you’ve requested to add or change bank account information and asks you to call us on 1800 608 298. Let us know immediately if the request wasn’t made by you.

Remote access scams

This is where a scammer contacts a person via a text message, email or phone call, claims to be from a legitimate company, and convinces them to hand over control of their computer or devices remotely by installing malicious software or enabling remote login.

Remote access scams give the scammer access to the target’s personal information, like their NDIS participant or provider number, bank account details or a credit card number.

Frequently, the scammer will use intimidation tactics and technical words to confuse their target and create urgency. Remote access scams can be initiated via a phone call, an email or pop-up ads that claim the user has a virus and include a phone number to call to fix it.

What to watch out for

  • Unsolicited contact: Remote access scams typically start with a text message, email or phone call to let the target know there’s a problem with their device or a payment.
  • A forceful or agitated caller: If the caller becomes noticeably frustrated or forceful when their target doesn’t do what they ask, it’s likely a scam.
  • Unusual requests: If the caller, email or SMS message asks you to log into a bank account, make a payment or disclose security codes, it’s likely a scam.

More information about scams

If you receive a text message, email or phone call that asks you to share your information – and it’s unexpected or doesn’t look quite right – be sure to stop and think before you do anything.

The NDIA explains how to report suspicious behaviour here. Alternatively, you may wish to contact the NDIS Quality and Safeguards Commission.

You can also find further information on the websites listed below:
