A mother's close call with a sophisticated Australia Post SMS scam reveals how scammers exploit parental stress. Learn the warning signs and protection strategies to avoid falling victim to smishing attacks.
The Text That Almost Caught Me
As parents of teenage girls know all too well, life can be a delicate dance. A hoodie in the wrong size or colour is evidence of my lack of love for her. If it arrives late, well, I may as well just abandon her at a fire station. So my stomach dropped to my knees when I read this text seemingly from Australia Post in May, claiming there was an issue with something I'd ordered for her birthday.
When texting scams first began, they felt extremely intrusive. Now they are common, and most of us know to approach any texts requesting additional details with caution. Most Australians are well aware of consumer scams. Sadly, we've become used to them. I knew all of this when the text arrived on my phone. But I was awaiting delivery of my daughter's sixteenth birthday gifts, and I didn't even think it could be a scam.
The text read: "We regret to inform you that your parcel is currently being held due to an invalid postal code provided at the time of dispatch. In order to avoid return or disposal of the item, please verify and update your postal information within the next twenty-four hours." I was then directed to activate the link by replying with Y or cutting and pasting the web address into a browser.
The Moment I Almost Clicked
I am ashamed to admit, I almost did it. My immediate response was to activate the link and check on it. I initially trusted that it was from Australia Post Customer Service. But my mind was screaming at me this might be a scam. With every fibre of my being I found the strength to stop and think.
I have the Australia Post app that allows me to easily and legitimately track all of my orders, and they were all listed as being on track. I then went through my email orders for all of her gifts, and checked that they each had the full and correct postal details. They did. It was in fact all a well-designed scam, and one of the most dangerously real I had seen in a while.
I have never come so close to falling for a scam before or since, but it got me thinking. I can see how easily people can fall for them, not when they are calm and rested and in their right minds, but when they are tired or busy or stressed out.
Australia Post Warns of Scam Surge
Australia Post issued a warning in May urging Aussies to stay alert as a new wave of scam messages and emails impersonating Australia Post and preying on vulnerable customers sweeps the country. The fraudulent messages claim a delivery failed due to an invalid postal code, luring recipients into clicking malicious links to hand over personal information.
Their research shows nine out of ten Australians have reported they have received a scam text or call, with nearly three-quarters reporting being targeted by scams mimicking parcel delivery services. Andrew Reeves, Deputy Director of the Institute for Cyber Security at UNSW, has labelled these "smishing" scams, as in SMS-phishing scams; phishing is normally seen via email.
Understanding the Psychology Behind Smishing Scams
Scammers have long been effective at leveraging our own psychology against us, Reeves explains. He outlines the key tactics scams like this use to influence us: consistency and fear, as well as claiming authority. Consistency is when scammers try to align with our expectations. They know many people order gifts online, and it is expected that we receive SMS updates about our deliveries. This is why Australia Post scams ramp up towards the Christmas period here in Australia.
The fear part of the text tries to encourage us to act quickly without thinking. They can do this through pretending to be an authority, adding a time pressure, or using emotive language. My text nailed all three of these tactics, according to Reeves. They pretended to be Australia Post, they added an arbitrary time limit, and they used language like "failure to do so will". They want you to panic.
How Criminals Execute These Sophisticated Scams
A spokesperson for the ACCC's National Anti-Scam Centre explains that criminals impersonate well-known organisations like Australia Post to carry out phishing scams. The purpose is to steal personal information such as bank details, passwords and credit card numbers. Scammers use this information to withdraw money, open accounts or commit fraud.
These scams may arrive via email, social media, phone calls or SMS, often impersonating trusted organisations, such as banks, government agencies and other institutions. The messages and websites are designed to appear genuine, including by copying logos and branding, or by using web addresses that differ only slightly from the real ones.
They say to look out for warning signs which can include urgent demands, unfamiliar contact numbers, messages that do not address you by name, spelling and grammatical errors, or suspicious website addresses.
Practical Steps to Protect Yourself from Texting Scams
To protect yourself, avoid clicking on links or opening attachments from unexpected messages. Instead, type the organisation's website address directly into your browser or use their official app, Reeves advises. Always verify the legitimacy of messages by contacting the organisation through a trusted phone number found on their official website rather than the one provided in the message.
For those who feel they are vulnerable to scams such as this, Reeves advises connecting to a cyber buddy, someone you can trust, a friend, a family member, who you can send questionable messages to for a second opinion. Their distance from the situation can help to take the heat out of it if you are struggling to think objectively.
What to Do If You Click a Suspicious Link
The scammers seem to keep up the scale of their enterprise year-round, merely adapting the details of their attacks to the moment, Reeves says, adding that tax return time and Christmas are two such examples. For those who do click before catching themselves, he says don't despair. Normally, the attacker is wanting you to click the link and then take some action afterwards such as enter a password or download a file. If you did that second action, you will need to take action.
These actions include changing passwords on the services you shared details of and, if needed, contacting your bank. Australia Post has a number of resources educating Australians about these scams and has set up a hotline so scams can be reported. They explain they will never call, text or email you asking for personal or financial information including passwords, credit card details or account information. They will never call, text or email you to request payment or send messages via social media.
Australians are warned to look out for these scams ahead of the festive season. As my experience shows, even the most vigilant among us can be caught off guard when emotions run high and stress levels peak. The key is to pause, verify through official channels, and never let urgency override common sense.