Nick Bruining: The cunning tricks hackers used to steal Perth man Jeff Pollard’s Centrelink age pension
Retired University of Western Australia employee Jeff Pollard is no fool when it comes to online safety. But even the security-savvy can get caught.
It started with an email purportedly from myGov, with a message that he had a notification from Centrelink.
“I had been providing some requested information, so thought it was a follow-up to that and I simply clicked the link in the email,” Mr Pollard said.
The link opened a perfect replica of the myGov website and he entered his login details, including his password. As expected, he received an SMS message with a six-digit security code.
Codes sent via SMS are an extra level of security as part of “two-factor authentication” protocols which attempt to provide greater protection against scammers.
It’s likely that as Mr Pollard was entering the legitimate number on the fake site, the scammers were entering it on the actual myGov site, and logging in using his details.
The site then asked him to set up some security questions and also to send a scanned copy of the front and back of his driver’s licence.
“At this point, it seems they had everything they needed to hijack my identity completely,” Mr Pollard said.
“I remember seeing messages about a new device and passkeys being set up, but just thought this was in response to my earlier exchanges with Centrelink.”
Fortunately, the next series of text messages raised his suspicions.
“After doing this I received a notification telling me that I was due a tax refund and it would be paid into my bank account, which they had. I was suspicious and contacted the Australian Taxation Office, which put my tax details on a security watch,” he said.
But his report of the suspicious activity does not seem to have been passed on to other government agencies connected to Mr Pollard’s myGov account. Things only got worse from there.
“I did not receive my age pension on the normal date,” he said.
“I looked at my payment history and found out that some payments had gone to suspicious bank accounts, including an advance of $1200.”
Mr Pollard contacted Centrelink again, and it locked the account. Within a few days, his missed payment had been made, and Centrelink is now investigating the fraud.
He said most of the ordeal could have been avoided if he had followed the golden rule for avoiding scams.
“Never click on a link unless you genuinely know it is legitimate and have spoken to someone first,” he said.
“From now on, I will always type in the name of the website on my computer. That, really, is the only way I know the website is the real thing.”
Nick Bruining is an independent financial adviser and a member of the Certified Independent Financial Advisers Association.