How Telstra gave my details to crypto scammers


At 11.42 am on a pleasant Monday, hackers gained access to my Telstra account.

They instantly removed my email address and mobile number, and added theirs to my account. This removed my opportunity to get the standard SMS or email from Telstra, warning of "account changes" - instead, this was sent to the crooks.

Having control over my account gave them access to all my emails. They started trawling over these, seeking personal information, banking and credit card details, and searching for any opportunities to defraud me, my family, friends and colleagues.


With the "account change" warning going to the scammers, not me, the first clue that something was amiss was an "account error" warning when I tried to send an email. We've all seen these, and I figured there was a poor connection to our wifi, as the error message said "no connection to the server".

This was my first mistake - the failure to act quickly.

Fortunately though, I was saved by a phone call. A financial services company phoned to ask about our instructions to sell $35,000 of shares we hold and to purchase Bitcoin. This woke me from my relaxed Monday morning!

Our advisor sent me the email they had received. I was really concerned.

The crooks had used our personal information to construct a very convincing email. It read like it was from us.

Obviously it did not succeed, because of the two-factor authentication used by any reputable financial services company. In this case, they will also not do a transfer without verbal confirmation, a third security factor.

My heart rate was still very high though. Think about what your email inbox and sent items contain. It will be a whole stack of personal, business and financial information. What were the crooks planning next?

Stopping a scam in action

Breathing deeply, I remembered the lessons of scams and fraud I have written about for decades.

First up, I had to regain control of my Telstra account to stop the bleeding.

I tried calling the customer line. A recorded message said, "extensive delays, go to the Telstra app". I tried calling the fraud line - same message.

As the crooks had applied their password, I had no access to my account.

I needed to take urgent action. So, I cancelled all my appointments and raced to a Telstra store with phone bills and proof of ID.

A staff member checked my ID, opened my account and provided me with a new password. They helped me to remove the crooks' phone number and reinstate my mobile as my contact number.

I felt things were looking up. Wrong.

The scam isn't over

I raced home and started contacting my banks and financial services providers. A couple of hours later all our accounts were frozen. I was starting to breathe a little more calmly and my heart rate was down.

But hang on - I could send emails but not receive them.

I thought this was just a Telstra glitch that would soon be sorted now my new password had been installed. Wrong again. I have quite a few services from Telstra - mobile phone, internet, Foxtel and a couple of prepaid SMS cards.

When I downloaded the Telstra app some time ago, I remember that the number of services I was paying for gave me "gold customer service". The Telstra phones still had "extensive queues", so I opened an online chat with a Telstra representative.

Then I nearly had a heart attack. The last chat regarding my account, a few hours earlier, was between Telstra customer service and the crooks!

11.39 am - Crooks: "I have several emails" (sic)

11.39 am - Telstra: "What email account your trying to get the passwords?" (sic)

11.39 am - Crooks: supply my email. 

11.42 am - Telstra "Here's the temporary password" (to my account)

The scammers immediately left the chat to take over my account with the replacement password provided.

I do not need to point out the complete, absolute, breach of even the most basic security.

From here my Telstra chat goes on, with pauses as I talk to banks and credit card providers, plus two more visits to Telstra stores. This continues until finally, a breakthrough some 32 hours later at 7.24 pm on Tuesday night.

Blamed for being scammed

Telstra, like many institutions, seems to work on a cascading urgency system. So you start with representatives who may be quite junior, or quite frankly, know next to nothing.

I'd need quite a few pages to go over the entire chat transcript, but I was pretty sure that escalation to a more senior person would happen as I used certain key words. Wrong again.

I requested to be passed to a supervisor. That was ignored, as was my description of the fraud.

Stating the obvious, that Telstra had given a replacement password with no customer verification, was also ignored.

One representative suggested I must have provided my Telstra ID to the crooks.

So I just plugged away, repeatedly asking why I could not get emails.

A clear breach

Some 32 hours after the crooks got control of my account, I was transferred on Tuesday evening to a Telstra representative in the Townsville team. He was fantastic. No more nonsense about it being my fault.

Telstra, he agreed, had, very clearly, breached their verification process. He went into my account and instantly found the problem. The crooks had put their email in the "forward email" setting.

No wonder I was getting no emails. Even though I had control of my account, emails were redirected to them, allowing them to follow my attempts to control the fraud. He noted the email address they were using and passed this to the Telstra fraud team.

I will keep the next steps to the bare minimum and move on to tips on how you can protect yourself, and the actions you should take. But the Telstra fraud team rang me and followed up with an email. This gave me a contact I could speak to directly.

Protecting customers

As I felt it valuable for all Money followers to read about this, I emailed the Telstra media team seeking to understand more about customer protection. This led to further emails and an opportunity to speak to a senior Telstra executive.

She was very straight with me, explaining how the breach of customer verification occurred and the actions taken, and wanted a complete conversation about my experience to assist with steps to more broadly protect all customers.

I was also able to pass on the details of two colleagues who had very similar issues leading to fraud and, in one case, very serious identity theft.

I reported this fraud to the Telecommunications Ombudsman. A combination of this complaint and my direct complaint to Telstra led to an offer of compensation, with no fees on my account for a period of time.

I was pleased to see how the customer compensation scheme worked, and the offer was fair.

However, I do not want compensation apart from better security for all of us. (Unless the breach of my security by Telstra leads to the total theft of my identity - in that case I will need all the help I can get.)

What I want is an explanation of how this happened - a password reset by a crook with no verification or ID - and if it's likely to happen again.

'Inexcusable'

Telstra has thousands of customer-facing staff. I accept mistakes will happen.

But how can these be minimised? How can we customers be safer? How can we report fraud very quickly and have it acted on? Finally, what access do impacted customers have to assistance and compensation?

Here I will give Telstra some credit.

The handing of a replacement password to a crook with no ID verification is inexcusable. Telstra accepts that.

It also took me far too long to get to a Telstra employee who could help me stop the fraud. Once my persistence elevated the fraud to a more senior level, the help and explanations were open and frank. But goodness, it took far too long to get there.

Cautiously moving forward

We have cautiously lifted the freeze on our bank accounts, but they are flagged for all transactions.

I am using one existing credit card which I can freeze and unfreeze securely in an app. It also sends an instant SMS for every transaction, so I have gone from checking the card, when it is unlocked, a few times an hour to a few times a day. I am monitoring my Telstra account very regularly.

Telstra has worked hard to resolve the error. My account has been flagged and I am notified if anyone opens my app or directly contacts Telstra. Recently, I received a message saying Telstra had frozen my account because my app had been opened. In fact, it was my app updating, but given the recent fraud, this level of security made sense.

One thing I did learn may help many of us. Our ultimate security is our "secret" PIN. If you approach Telstra through the telco's app, a high-security transaction such as a password reset will require you to enter your secret PIN. By contrast, a direct approach to Telstra will (or should) result in you being asked the usual verification questions, but also being sent a six-digit code to your registered email or SMS.

My discussions with Telstra also answered more of my questions. I have a very strong bias towards a secret PIN, not known to the telco or anyone but us. So I'll be using the app. But Telstra tells me it is also introducing an account lock. This was a ripper with one of my credit cards; I could instantly freeze it in their app. Instantly freezing my Telstra account would have helped me enormously.

The telco is also bringing in a digital ID scanning product, which I presume will allow facial recognition.

The crooks will know enough from my emails to have a crack at identity fraud. But I am hoping I have moved quickly enough to make access to our money, credit cards and information to apply for loans in our names pretty hard. Mind you, I am monitoring my credit report daily and will be for a very long period of time.

The starting point for this fiasco was not of my making, it was Telstra's error. All institutions are cranking up their security, in particular around customer verification, and so they must. But I have learnt a lot about what I should be doing to protect myself. Here are my key tips.

How to spot a telco scam

1. You cannot get phone calls, SMS or emails.

2. Your email system says "account error".

3. You can't access your telco account with your password.

4. A service provider rings to say they are getting requests for fund transfers. Remember - if anyone emails you, the crook may get that, not you.

5. A family member or anyone in your email list says they have had an email asking for money to be transferred, or other strange emails from you.

If any of these happen, do not walk, run to your telco store with full ID.

Stopping the scam

1. Regain control of your account by presenting full ID to your telco and having a new password set.

2. Check your emails are sending and receiving by emailing yourself a test.

3. Check that your phone and email have not been set to "call forwarded" or "email forwarded".

4. Check your "sent" emails. You may find emails the crooks have sent.

5. Check all your credit cards. With some you can do a temporary freeze in their app.

6. If the crooks have discovered any credit card information in your emails (you may have sent credit card details by email to make a purchase), cancelling the card and getting a new one is the safest course of action.

7. Alert your bank. If any attempted fraud is taking place, freezing your accounts is necessary.

8. Advise any other financial service providers, such as an advisory firm or broker.
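Step 2 above is the one check you can automate. The script below is an added example, not from the article or from Telstra: it sends you a message whose subject carries a random token and then polls your inbox over IMAP for that token. "Can send but cannot receive" is exactly the symptom a redirect-without-copy rule produces. The hostnames, port and folder name are assumptions; set them for your own provider.

```python
"""Mailbox round-trip self-test (added example; hostnames are assumptions)."""
import email
import imaplib
import secrets
import smtplib
import time
from email.message import EmailMessage
from typing import Iterable, Optional

SMTP_HOST, SMTP_PORT = "smtp.example.invalid", 465   # assumed: set for your provider
IMAP_HOST = "imap.example.invalid"                   # assumed: set for your provider
SUBJECT_TAG = "mailbox-selftest"


def make_probe(address: str, token: Optional[str] = None):
    """Build the test message addressed to yourself; the random token makes it unmistakable."""
    token = token or secrets.token_hex(8)
    msg = EmailMessage()
    msg["From"] = address
    msg["To"] = address
    msg["Subject"] = f"{SUBJECT_TAG} {token}"
    msg.set_content("If you can read this, the mailbox still delivers to you.")
    return token, msg


def probe_arrived(raw_messages: Iterable[bytes], token: str) -> bool:
    """True if one of the raw RFC 822 messages is our probe.

    The match is on the parsed Subject header, not a substring of the body,
    so an unrelated message that merely mentions the token does not count.
    """
    for raw in raw_messages:
        parsed = email.message_from_bytes(raw)
        subject = parsed.get("Subject", "")
        if subject.startswith(SUBJECT_TAG) and subject.split()[-1] == token:
            return True
    return False


def verdict(sent_ok: bool, arrived: bool) -> str:
    """Map the two observations to the action the steps above call for."""
    if not sent_ok:
        return "cannot send: password or account problem, regain control of the account first"
    if not arrived:
        return "can send but not receive: inspect forwarding/redirect settings at the provider"
    return "round trip ok; a forward that keeps a copy is invisible to this test, so check settings anyway"


def run_selftest(address: str, password: str, wait_seconds: int = 120) -> str:
    """Send the probe, then poll INBOX until it shows up or the wait expires."""
    token, msg = make_probe(address)
    try:
        with smtplib.SMTP_SSL(SMTP_HOST, SMTP_PORT) as smtp:
            smtp.login(address, password)
            smtp.send_message(msg)
        sent_ok = True
    except smtplib.SMTPException:
        sent_ok = False
    arrived = False
    deadline = time.time() + wait_seconds
    if sent_ok:
        with imaplib.IMAP4_SSL(IMAP_HOST) as imap:
            imap.login(address, password)
            while time.time() < deadline and not arrived:
                imap.select("INBOX", readonly=True)
                typ, data = imap.search(None, "SUBJECT", f'"{SUBJECT_TAG} {token}"')
                ids = data[0].split() if typ == "OK" else []
                if ids:
                    _, fetched = imap.fetch(ids[-1], "(RFC822)")
                    raws = [part[1] for part in fetched if isinstance(part, tuple)]
                    arrived = probe_arrived(raws, token)
                else:
                    time.sleep(10)
    return verdict(sent_ok, arrived)


if __name__ == "__main__":
    import getpass
    addr = input("Your email address: ")
    print(run_selftest(addr, getpass.getpass("Password: ")))
```

The caveat in the last verdict matters: a forwarding rule that keeps a copy in your inbox passes this test, so the test complements, and does not replace, looking at the forwarding settings in the provider's own portal.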

What's next

1. Once the initial panic has passed, you have control of your telco account and you have taken the steps above, you need to have a frank conversation with your telco provider. This will probably be a slow and painful process to speak to someone who understands what has happened. Someone in the fraud team would be best.

2. If like me, this takes some time, lodge a complaint with the Telecommunications Ombudsman. They will ensure the telco responds to your complaint.

3. When your telco gets in touch, make sure you state that part of your complaint is more secure customer verification in future. This helps all telco customers.

4. Demand compensation. This should reflect the time you have had to put into getting your fraud stopped, any losses, your costs, loss of salary and the stress this causes. Fraud is a low-cost item for a telco. The truth is we bear the risk, costs and time to fix their errors. Customer compensation will elevate the seriousness of fraud to telcos.

5. Don't be shy. Telcos value their reputation. Tell your family, friends, work colleagues about your fraud and what caused it. This herd behaviour also protects all of us in the herd. The more we hear about fraud from people we trust, the more action we and institutions take. This leads to better security for all of us.

6. Bad things can still happen to us as the crooks go over our emails they have downloaded. Be prepared for potential identity theft.

Preventing identity theft

My colleague Ron Hodge, CEO of InvestSMART, was also impacted by a Telstra customer verification failure. He is a lot more tech-savvy than me and put me onto these very valuable resources to help with where the crooks may go next with my personal data: identity theft.

You should contact IDCare, a not-for-profit that Ron tells me was "amazing and very helpful". You can lodge official reports with these organisations.

Hodge also had other tips.

"If you think the hackers have access to copies or physical identification documents such as passport, driver's licence, and Medicare card you should look to cancel and renew these documents. It is very hard to cancel a driver's licence but cancelling and reissuing my passport and Medicare card was very easy.

"Place a ban on your credit report with all credit agencies so hackers cannot apply for new credit cards in your name. Equifax was the best, who also reported to other credit agencies and I also signed up to their ID Basic plan of $4.95 per month to alert me of anyone who attempts to use my details to apply for any sort of credit in Australia and elsewhere."

If you suffer a basic breach of security by a telco, this is the path you have to go down.

It is hugely time-intensive, which can impact your job and your life. It is also highly stressful.

We consumers deserve and need to demand better. The very obvious solution is right back at the start. A telco needs to recognise that something as critical as a 'password replacement' is a very high-risk transaction.

Sure, we consumers also need to play our part and insist on two- or three-factor authentication for these high-risk transactions. And it needs to be real verification.

As with our banks, one of the strongest parts of verification is the secret PIN or password that is known only to us. Fraud is best stopped before it begins; once a telco opens a door to our emails and mobile phones to crooks, the horse has bolted.
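The verification rules this article argues for (a secret PIN the agent never sees, a code sent to the contact details that were on file before the crooks changed them, a warning to the old contact on every change, and a customer-set account lock) can be written down as a small policy model. The code below is an added illustration, not Telstra's system; the account fields, thresholds and message texts are assumptions, and the outbox list stands in for real SMS and email delivery.

```python
"""Account-recovery policy model (added example; all names and thresholds are assumptions)."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

PBKDF2_ROUNDS = 100_000           # assumed work factor for the PIN hash
OTP_TTL = 10 * 60                 # seconds a one-time code stays valid
CONTACT_COOLING_OFF = 7 * 86400   # a freshly changed contact cannot receive recovery codes for 7 days
MAX_PIN_FAILURES = 5              # wrong PINs before the account locks itself


def hash_pin(pin: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2: the support system stores a hash, so staff never learn the PIN."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    return salt, hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, PBKDF2_ROUNDS)


@dataclass
class Account:
    username: str
    pin_salt: bytes
    pin_hash: bytes
    password: str = ""
    locked: bool = False
    pin_failures: int = 0
    contacts: Dict[str, Tuple[str, int]] = field(default_factory=dict)   # channel -> (destination, set at)
    previous: Dict[str, Tuple[str, int]] = field(default_factory=dict)   # channel -> (old destination, replaced at)
    outbox: List[Tuple[str, str, str]] = field(default_factory=list)     # (channel, destination, text)
    pending_code: Optional[Tuple[str, int]] = None                       # (code, expiry timestamp)


def new_account(username: str, pin: str, email: str, sms: str, now: int) -> Account:
    salt, digest = hash_pin(pin)
    aged = now - CONTACT_COOLING_OFF   # contacts given at sign-up are trusted immediately
    return Account(username, salt, digest, contacts={"email": (email, aged), "sms": (sms, aged)})


def verify_pin(acct: Account, pin: str) -> bool:
    _, digest = hash_pin(pin, acct.pin_salt)
    if hmac.compare_digest(digest, acct.pin_hash):
        acct.pin_failures = 0
        return True
    acct.pin_failures += 1
    if acct.pin_failures >= MAX_PIN_FAILURES:
        acct.locked = True
    return False


def trusted_contacts(acct: Account, now: int) -> Dict[str, str]:
    """Recovery codes go to contacts older than the cooling-off period; for a
    channel changed more recently, they go to the contact that was replaced."""
    trusted = {}
    for channel, (dest, since) in acct.contacts.items():
        if now - since >= CONTACT_COOLING_OFF:
            trusted[channel] = dest
        elif channel in acct.previous and now - acct.previous[channel][1] < CONTACT_COOLING_OFF:
            trusted[channel] = acct.previous[channel][0]
    return trusted


def change_contact(acct: Account, channel: str, new_dest: str, now: int) -> None:
    old = acct.contacts.get(channel)
    if old is not None:
        # the "account changes" warning goes to the OLD contact, not the one just added
        acct.previous[channel] = (old[0], now)
        acct.outbox.append((channel, old[0],
                            f"Your {channel} contact was changed to {new_dest}. If this was not you, lock your account."))
    acct.contacts[channel] = (new_dest, now)


def start_reset(acct: Account, pin_entered: str, now: int) -> str:
    """Password replacement, whether via app or agent: no PIN, no reset."""
    if acct.locked:
        return "denied: locked"
    if not verify_pin(acct, pin_entered):
        return "denied: pin"
    targets = trusted_contacts(acct, now)
    if not targets:
        return "denied: no trusted contact, in-store ID check required"
    code = f"{secrets.randbelow(10**6):06d}"
    acct.pending_code = (code, now + OTP_TTL)
    for channel, dest in targets.items():
        acct.outbox.append((channel, dest, f"Your password reset code is {code}"))
    return "otp sent"


def complete_reset(acct: Account, code_entered: str, new_password: str, now: int) -> str:
    if acct.locked or acct.pending_code is None:
        return "denied: no reset in progress"
    code, expires = acct.pending_code
    acct.pending_code = None            # one attempt per code, whatever the outcome
    if now > expires:
        return "denied: code expired"
    if not hmac.compare_digest(code, code_entered):
        return "denied: code"
    acct.password = new_password
    return "reset ok"
```

Under these rules the chat transcript quoted earlier cannot happen: the agent has no "temporary password" to hand out, and an attacker who first swaps in their own email still sees the six-digit code delivered to the customer's original address and phone.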




Paul Clitheroe AM is founder and editorial adviser of Money magazine. He is one of Australia's leading financial voices, responsible for bringing financial insight to Australians through personal finance books, the Money TV show, and this publication, which he established in 1999. Paul is the chair of the Australian Government Financial Literacy Board and is chairman of InvestSMART Financial Services. He is the chair of Financial Literacy at Macquarie University where he is also a Professor with the School of Business and Economics.
Comments
Cathleen Timbs
June 4, 2022 11.15am

I'm flabbergasted that this could happen Paul! Hope there are no further repercussions from this invasion. Thanks for all the advice which I've copied just in case. I'm glad I'm not with Telstra!

Rams Gounder
June 4, 2022 2.49pm

Really a painful experience Paul. Thank you for sharing your bitter experience with us so that all readers will be very careful.

Kate Williams
June 4, 2022 2.54pm

Just reading your story made me stressed. I hope like crazy that nothing further happens and also, that I don't become a victim. Not sure that I would cope as well as you did.

Peter Biggs
June 4, 2022 3.24pm

I agree with you Kate. I feel Paul's stress! Paul, would you consider a follow up story explaining any improvements committed to by Telstra? Real time access (in a non-queued way) directly to a Telstra Fraud representative must be considered. As you have indicated, without this, stress dramatically escalates, along with potential financial and reputational loss.

Gillian Brent
June 4, 2022 5.12pm

A small side note - as an ex-Optus call centre worker, one thing that was *insisted* upon was that if you request to speak to a supervisor, it *must* be done. The call centre worker can reasonably ask for your ID so that they can have the account up ready for the supervisor, and also for a reason (again, so that they can brief the supervisor, but also they honestly might be able to fix the issue), but the option to escalate is always there. If the Team Leader doesn't satisfy, the Centre Manager is the next step. (And the Ombudsman will not accept a complaint, if I remember correctly, unless you *have* tried to escalate the issue).

Steve D
June 4, 2022 5.19pm

I don't understand how someone can access your emails just by having access to your phone.

Richard Jordan
June 4, 2022 7.07pm

Sad to hear of this scam and thank you for sharing.

My wife was a victim of ID fraud after her handbag was stolen during the 2019-20 fires when I took one day off from fighting fires to spend a day with my wife at the beach.

My experience of Equifax was very different, with them being totally unhelpful and even failing to report new false credit applications due to their system failings. They just want to encourage fraud so that you pay them more to monitor it.

We had multiple phone and credit card applications and it is all left for you to contact the credit providers yourself. Equifax refuse to give you any contact info on credit providers that you have never heard of so the scammers get away with it.

One other thing I learnt was that when you get a new licence the card number changes but never the licence number and when people apply for credit they are only asked the licence number never the card number ensuring an easy ride for the scammers.

Bing Lee
June 4, 2022 11.50pm

I'm glad I am not a Telstra customer !

Sharon Barrett
June 5, 2022 8.52am

I too have experienced this, with our phones being PORTED or simply put into SOS mode. After several phone calls and visits to the Telstra shop Saturday to Monday, they finally took some responsibility. But the major banks were even harder to get through to; even when we went into a branch they would phone and we would be on hold 25 mins in the branch. It took 5 weeks to get our funds returned. They took access to all our bank accounts, Afterpay, PayPal, Zip Pay, email. We have security on our phones and emails!!!! It was stressful and we felt like the criminals the way we were treated by the banks, while they let the criminal change our details and contacts without identification.

Anthony F
June 5, 2022 10.39am

The email issue Paul had is quite easy to implement. I used to use Bigpond email and in the online portal, you could select to forward emails to another email address and not save a copy to the inbox of the account.

This would mean Paul can send emails from his account but all replies would automatically be forwarded to the scammers email address.

Bit of a worry how easy it was for the scammers to take over everything and how hard it is to stop it.

Leonie Dee
June 7, 2022 10.52am

In my experience the only prompt response you get from any Telco is when you threaten them with the Ombudsman. Appalling service.

Rhett Kipps
June 7, 2022 11.42am

Telstra used date of birth as a method to verify customer identity for many, many years, and completely disregarded for a very long time how public that information was - let alone how stupid it was to use it for customer identification. Whatever Telstra implements by way of two factor authentication comes exceptionally late. It's horrendous it has come to this for this organisation to start listening.

Antony P
June 7, 2022 8.23pm

The fact that you could see their messages to Telstra when you got back into your app means they had your username and password before they messaged Telstra. How did that happen? Had you already been hacked by malware on a device, or was a site that you use the same username and password on compromised, and your account info also, because you used the same password? Also, the Telstra site has had 2FA for quite some time. If you had enabled it, no one could have done anything without you being notified first.

Steve Phisher
June 9, 2022 7.03am

Welcome to the finance world Paul. Hackers have been using this method for a number of years now and the telcos should be held accountable.

Jessica Plant
June 9, 2022 8.01am

My telco doesn't have a store like Telstra that I can go to. That would make troubles like this even harder.

Jarrah Man
June 9, 2022 9.00pm

The problem is you used Big Pond email. You need to segregate your online life, so security failure in one place (Telstra) doesn't give keys to the kingdom. Your main email is your most valuable possession, don't trust a telco with its password.

One email for work. One for Netflix, Qantas, Facebook, and other low quality interactions. One for personal email and banking that you guard with your life.

Andrew Jsena
June 14, 2022 10.38pm

G'day Paul

First off, I'd like to say I have no empathy for your plight; however, I have no ill will against you either. In your article you never once acknowledge your part in the whole drama of being defrauded, but simply blame Telstra for the whole debacle and their lack of interest. Is Telstra fully to blame? No.

Telstra can do better; however, facial recognition is not the answer. Apple quietly dropped facial recognition when hackers proved Apple wrong about it being secure in less than 12 hrs. 2FA is the way to go, without using SMS as the sender, as SMS is easily hackable as well.

Telstra would not be in this predicament if you had practised what you preach. Telstra is not alone in how best to secure user data and identity, but so is the end user. It's the user's responsibility to be proactive in their own security when sharing personal info across the net.

Don't be lazy in handing off responsibility to others, since others have a minimal view of your security. What is the bet the crooks got into your account because, being human as you are, like millions of other people, you have taken the shortcut to problem-solving?

For example, same password and email across 2 or more accounts across the internet, giving personal info on social media sites that you wouldn't tell your neighbour etc. I could go on and on, but the takeaway should be, never ever use the same password for any account you have or will create in the future.

Create multiple email accounts for different things: one for money matters, for family and for personal friends etc. Use complex passwords; the longer the better, nothing less than 20-25 characters. Use a passphrase when possible, 6-7 words at minimum. Using a good password manager would be best. You're never too old to learn; educate yourself with the likes of YouTube and others on personal security.

All the Best.

john phillips
June 20, 2022 6.39pm

Great info from Paul. Credit cards are the biggest issue with all of this, so do not give any credit card info via the internet. There will always be a new and novel way hackers will find the info they are after.

I have on occasion turned away from the screen for 2 seconds to grab some paperwork, then turned back to see that the screen had changed slightly but still looked very much the same afterwards. So the link I was using had changed by itself. I do not know what that trick is called that the hackers use??