Protect yourself from ID fraud

Nearly half a million Australians were victims of identity fraud last year.
Learn more

01 .ID fraud


In brief

  • ID fraud risks, particularly over the internet, are growing fast. 60% of people are worried they’ll be caught out.
  • There’s no way to completely protect your identity, but there are steps you can take to reduce the risks

It's estimated that there were 499,500 victims of identity fraud in Australia last year. There were 383,000 incidences of credit or bank card fraud, while 124,000 people had their identities stolen. Many don’t know how the criminals got their details or whether their names and personal information are still being used.

For fraudsters, internet identity theft provides high rewards at low risk, and this has proved attractive for organised crime, including syndicates from eastern Europe and Asia. Experts say the internet was designed perfectly for fraudsters, enabling identity theft on an industrial scale.

A thriving market for sensitive personal information allows criminals to trade credit card data through ‘carding’ sites that traffic this information around the world. The US Secret Service estimates that the current two largest carding sites are used by nearly 20,000 criminals.

‘Click-happy’ consumers opening email attachments, following links to fake websites and even visiting legitimate websites are unwittingly installing spyware and other malicious programs designed to steal their private details and pass them to criminals. The revenue generated by cyber-crime around the world is estimated to be higher than that of the illicit drug trade. Identity fraud in Australia is worth at least $1 billion annually.

A recent survey by the Office of the Privacy Commissioner found that 60% of people are worried about being a victim of ID theft. It can be a traumatic, expensive and time-consuming experience. Very little information is needed to steal your identity: your name, date of birth and address — hardly secret information — can get the ball rolling.

It’s not easy to restore your identity, once stolen, so prevention is better than cure. We tell you about 10 of the latest threats and what you can do to avoid them.

Please note: this information was current as of August 2008 but is still a useful guide to today's market.

Did you know?

The National Privacy Principles say governments and organisations must take reasonable steps to protect information they hold from misuse, loss, unauthorised access, modification and disclosure. Appropriate security requirements must be in place to ensure breaches don’t occur, and these organisations must be accountable when breaches do occur.

However, that accountability doesn’t extend to telling the individuals affected about the theft, or the authorities. The Australian Law Reform Commission (ALRC) proposed a change to the Privacy Act whereby agencies and organisations would be required to notify individuals of any intended or unauthorised disclosure of their personal information. “This alerts individuals to the possibility that they may be at risk of identity theft and may assist them to prevent the theft of their personal information,” the ALRC paper says.”

The ALRC’s final report for the Privacy Inquiry is expected to be tabled in Parliament soon. By the time legal amendments are discussed, reviewed and redrafted, law reform can take years. In the meantime, the Privacy Commissioner has proposed an opt-in system, whereby signatory organisations voluntarily agree to notify individuals of such security thefts and breaches. Go to for details.


Sign up to our free

Receive FREE email updates of our latest tests, consumer news and CHOICE marketing promotions.


Threat 1: Surfing the web

Google’s analysis of 4.5 million websites in 2007 found that 10%, or 450,000 websites, contained malicious code. While you'll often avoid this by having up to date anti-virus software and by being careful about which links and pop-ups you click on, in some cases just by visiting a site you could unwittingly install software that records your keystrokes or steals sensitive information.

Google calls this ‘drive-by downloading’ and says there’s no way for average computer users to protect themselves from this threat. “The victims are completely unaware of the ghost in their browsers and don’t know that their keystrokes and other confidential transactions are at risk of being observed by remote adversaries.”

What to do

Keep your anti-virus software up-to-date. Be judicious about the websites you visit — reputable companies are more likely to have good security systems that protect users. But there are no guarantees.

Threat 2: Company databases

Your details are likely to be on at least 100 databases — government agencies, financial institutions, employers, social clubs, retailers, loyalty schemes, video libraries, airlines … the list is endless. But how safe is that information? What’s to stop hackers stealing it, or unethical employees selling your details, for example?

Bulk theft of identities from large databases is attractive to hackers. In August 2008, the US Department of Justice charged 11 people from five different countries with the theft and sale of over 40 million credit and debit card numbers. The criminals had used ‘war driving’ –- cruising around in cars with laptops looking for accessible wireless networks to hack into and steal details from.

This follows US retailer TJ Stores (which includes the discount department store TJ Maxx) confirming in 2007 that account information for 45.7 million credit card and debit cards, and 450,000 records containing customers’ names, driver’s licence and social security numbers, were stolen from its systems by internet fraudsters. The perpetrators had access to the data over 17 months. US banks claim that 94 million accounts were accessed as a result of the theft. TJ Stores doesn’t know who the intruder was, or whether there was more than one. If your details were stolen from a database in this country, you might never know — until you were defrauded or your identity was hijacked. Australian organisations aren’t required to inform customers or a regulator of such data thefts.

What to do

Read companies’ privacy statements to check how your information will be used. Opt out of allowing your details to be passed to third parties and marketing companies, providing more opportunity for ID theft. Only give the information that companies really need to know.

Threat 3: Malware

A recent OECD report said that malware, or malicious software, is a security threat to the internet economy. It takes many forms, including:

  • Trojan A program that appears legitimate but can get around security measures to carry out attacks.
  • Virus A hidden program that spreads by infecting another program.
  • Keylogger Software that records the information you punch into your computer, and forwards it to fraudsters. Keyloggers aren’t detected by many anti-virus software programs.
  • Malvertising Ads, even on reputable and legitimate sites, can have a malicious purpose, hiding dangerous code that installs trojans, viruses and spyware if you click on them.
  • Spyware This sends information to a third-party computer without your permission or knowledge. As soon as you connect to the internet, you’re at risk from attack. A recent survey found that 23% of PCs are infected.

What to do

  • Keep your anti-virus software and firewall up-to-date.
  • Install spyware scanners.
  • Conduct regular scans of your computer; some security programs allow ‘real-time’ protection, a monitoring system that recommends actions against spyware when detected.
  • Don't click on pop-ups and banner ads unless you trust the source. One dangerous example is being prompted to click on a link to scan your PC for viruses, but when you do, a virus is installed.

Threat 4: Phishing

Victims are tricked into revealing personal details through ‘social engineering’, deceptive emails and fake websites that look just like the real thing. Major banks have been targeted, with fake emails leading consumers to websites that capture passwords and account details. Phishing has been around for at least five years but is still going strong. Criminals can even buy ‘Phishing attack kits’ over the internet. New types of phishing include:

  • Pharming The collection of personal information en masse via fake websites carefully crafted to appear genuine.
  • SMiShing Uses mobile phone SMS (text messages) to phish for information.
  • Vishing This uses voice over internet technology.
  • Spear-phishing Victims receive an email that seems to be from a trusted source, such as their employer’s IT department, asking for personal information or a password confirmation. One of the latest examples of this social engineering is where people receive an email saying they’ve been subpoenaedto attend court —when they open the attachment for more details, malware is installed.

What to do

Be wary of emails with links to websites such as banks, eBay, employment sites, PayPal –- really any site asking for personal or financial information. Banks don’t ask for personal details via email. Some links aren’t what they appear –- type the correct website address into your browser, rather than clicking on links.

Threat 5: Social networking sites

Consumer Affairs Victoria says the craze for social networking sites (like Facebook and MySpace) has led to a new generation of scams. Spammers are using Facebook to spread unwanted links to online shops, bogus lotteries and financial scams. The Privacy Commissioner sees social networking websites are one of the greatest challenges to online privacy.

“My office found that many people, particularly youth, tend to treat sites such as MySpace as a diary and think, for example, that only close friends are reading it, when this is often not the case,” the Privacy Commissioner says. “Identity theft may not necessarily involve the theft of your money, but others getting your details and logging into your social networking page and vandalising it or sending out messages in your name.”

What to do

Use settings that keep your details private, and restrict the details you post online. Recently, the dates of birth of Facebook members were published on the internet, after a programming flaw (which has since been fixed). The Australian Federal Police says such sites are a fertile ground for harvesting identity information. It warns of the risks of putting up details like your date of birth and photos and encourages members to ensure that people they’re interacting with are genuine ‘friends’.

Threat 6: Web 2.0

This term describes the internet’s evolution to a phase of increased information sharing and collaboration among participants. Its features include user-generated content, blogs, social networking and wikis. But Web 2.0 brings new risks. Some websites don’t have adequate security systems to prevent users from inserting malicious coding into web pages, exposing all site visitors to the risks.

Google says user-contributed content is one of the four most prevalent mechanisms used to inject malicious content into popular websites. Security experts are also concerned. “Blogs and wikis create the perfect environment for fraud attacks,” says Nick Ellsmore of IT security company SIFT. Graham Ingram of AusCERT agrees. “If we can’t secure what we have now, what will happen with Web 2.0?”

What to do

Think twice before following the links from blogs and user-generated content. Sites that allow anonymous posts are often riskier. CHOICE Online allows anonymous posts, but not links embedded in the text.

Threat 7: Credit card skimming

Staff at some retailers, restaurants and petrol stations may use small devices to illegally copy information from a card’s magnetic strip. This information can be transferred to a blank card and taken on a spending spree.

What to do

  • Don’t let your card out of your sight.
  • Make sure it’s not scanned twice, or by a suspicious looking terminal.
  • Go through your statements with a fine-toothed comb, and report strange transactions immediately; if you weren’t at fault, the financial institution should reimburse you after it investigates.

Threat 8: Your mail and waste

Fraudsters pay people to go through bins looking for letters, bills, pre-approved credit card offers and bank statements. Cheques and credit cards are often stolen from letterboxes too. Mail theft is still a very prevalent way to steal identities, according to the Australian Federal Police.

What to do

  • Get a lock for your letterbox, and use it.
  • A good personal paper shredder costs $50–$150; a pair of scissors costs less.

Threat 9: Spam

Only one in 28 emails is legitimate, according to IT security company Sophos. The rest are spam, and may include dangerous code, links and attachments. Once installed, this code could steal details or even turn your computer into a ‘bot’ that attacks other computers, passing the stolen details to the original fraudster.

“Email spam is almost always sent from innocent third-party computers which have been hijacked by hackers,” says Sophos. “These botnet computers are owned by innocent parties, who are unaware that cybercriminals are using them for financial gain. Typically they are home users who haven’t been properly protected with up-to-date anti-virus software, firewalls and security patches.”

What to do

  • Install spam filtering software.
  • Don’t open attachments or click on links unless you know and trust the source of the email. Attachments with the following file extensions should set alarm bells ringing: .exe, .com, .pif, .scr, .vbs, .js, .ocx, .shs, .reg and .bat.

Threat 10: E-Commerce

64% of Australians use e-commerce — to buy books, gifts, travel, accommodation, tickets and groceries. But the conveniences mask a serious vulnerability to fraud, as criminals obtain credit card numbers en masse from merchants’ databases, without customers knowing. And ‘card not present’ fraud – where merchants are duped by criminals presenting stolen customer details online – accounts for most of the 380,000 card fraud victims in Australia each year.

What to do

  • Always look for the security padlock symbol at the bottom of e-commerce and internet banking sites. Don’t enter credit card details unless you see the padlock.
  • Never provide card details in reply to an email – you’re probably being ‘phished’.
  • Never provide your ATM PIN over the internet – it’s only valid in ATM and EFTPOS terminals.

A UK government report found that clearing your name after an identity theft can take months of work –- you could need to spend close to 50 hours. Where a total ‘identity hijack’ has occurred, involving 20 to 30 organisations, the victim could need to spend over 200 hours and ₤8000 (over $16,000) before things are back to normal. In Australia, there’s no single place you can go — you’ll need to devote a lot of time to fixing the problem.

  • Contact your bank and other financial institutions. You may need to change passwords and PINs, stop payment on lost and stolen cheques, and even close your accounts.
  • Report the identity theft to the police.
  • Notify credit reporting agencies (see Useful contacts), put a fraud alert on your credit file and check the file is accurate.
  • Contact agencies such as your local post office (to ask whether mail has been diverted), Centrelink and the Australian Passport Office.
    Taking these steps won’t guarantee your problems are over — once your details are stolen, you’ve no way of knowing whose hands they’re in, or how they’re being used. The Privacy Commissioner says, “With a piece of jewellery, the thief may try to sell the item. End of story.

With a stolen identity, the consequences can be far less obvious, with the thief using the information to perpetuate further crimes, sometimes over months or years. The virtual footprints one leaves are often difficult to erase and it is impossible to know who will have access to your information down the track.”

How to protect your ID

According to a survey by Veda Advantage (one of the Australian companies that holds consumers’ credit records), most people don’t take the necessary steps to protect their identity from theft, even after they’ve been victims. We could probably fill a magazine with the tips for protecting your identity, but briefly, here are some important ones:

  • Practise safe computing.
  • Check your credit file regularly. It’s free if you’re prepared to wait ten days; there’s a fee if you’re in a hurry.
  • Safeguard documents — make sure your postbox is locked, and shred bank statements and letters.
  • Make sure your credit card and bank statements are received, and check they’re correct.
  • Report problems to the authorities.

For more information, check out the government’s ID theft toolkit on Attorney-General Department's website (type ‘identity fraud’ in the search box).

Jim's story

Criminals assumed Jim’s identity, told his bank he’d emigrated and redirected his credit card statements to a false address. Then they took his card on a spending spree.

When Jim emigrated from England to WA, he held on to his English credit card for use during trips back to the UK and some internet purchases. Some time later, he received a letter from the provider, Barclaycard, about suspected fraud on the card. “Barclaycard wouldn’t give me any details at first. It was only with probing that they admitted it involved an online flower company,” Jim says. “I'd sent flowers to my Mum through a company that I'd used a few times successfully.

Then another flower company with a different name contacted me by email asking for my full credit card details, including the three-digit security code, to process the transaction. I became suspicious and cancelled the order.” Later, the bank confirmed that Jim’s credit card details had been stolen. It identified that transactions on the card didn’t fit his usual spending pattern, including several items costing over ₤1000 and the purchase of dozens of ₤10 and ₤30 telephone calling cards.

"The crooks had advised Barclaycard that I'd moved back to the UK, and they provided Barclaycard with an address for me in East London. They then increased my credit card limit and proceeded to spend about $15,000 in computer shops around the UK. I was totally unaware of this, of course, because the statements were not coming to my address.”

Although Jim wasn't liable for these fraudulent transactions, he was surprised and annoyed that Barclaycard had allowed the change of address without his signature. He'll also think twice about buying flowers over the internet in the future. " Barclaycard told me that it's relatively easy for crooks to get hold of personal information such as address, date of birth and mother's maiden name.”

Anne's story

When Anne (not her real name) tried to renew her passport recently, she found that someone else had already obtained one in her name. “I had to go through the process of proving that I was the real Anne,” she says. “I needed to produce documents going back to school.

After about three weeks the new passport was issued. But the Department of Foreign Affairs and the Australian Federal Police couldn’t tell me who had stolen my identity or where they’d been [while using my passport]. It still hangs over me — I don’t know who this person is that’s been using my name.”

Most of us probably don’t take the possibility or the consequences of identity fraud very seriously — but the experts CHOICE spoke to for this article certainly do.

  • “Treat your identity like cash, because if you don’t, your identity will be turned into cash.” Warren Gray, National Manager, Economic Operations, Australian Federal Police.
  • “Credit card fraud results in an immediate, but temporary, financial loss. Identity theft is much more serious as the effects may be long-term and go beyond pure financial loss. When somebody has stolen your identity, they can take out a mortgage, have credit cards issued and commit crimes, all in your name.” Dan Svantesson, Associate Professor of Law at Bond University, and Australian Privacy Foundation board member.
  • “Hacking of databases containing personal information is definitely a big threat to privacy. But there are also other ways to steal somebody's identity. With the amount of sensitive personal information people voluntarily make available on online networking websites, such as MySpace and Facebook, they may become vulnerable to identity theft." Dan Svantesson.
  • “E-commerce spending is growing at three to four times the rate of offline spending, and this is very attractive to organised crime.” Nick Ellsmore, CEO of IT security company SIFT.
  • "If the malicious code has installed a back door, gained administrator level access or changed system files, then the integrity (not to mention confidentiality or availability) of your system has been fundamentally damaged. This means you can no longer trust the operating system, applications or data files.” AusCERT, Australia’s national ‘Computer Emergency Response Team’, a not-for-profit team of IT security professionals based out of the University of Queensland.
  • “It’s a very sophisticated full-service economy.” Graham Ingram of AusCERT, talking about trafficking of credit card and other personal data over the internet.
  • “The time has come to treat our identities as seriously as our car keys or house keys.” Stephen Wilson, Lockstep Consulting, a company that helps organisations with ‘identity management’, including combating identity fraud.
  • “Old-style fraud requires more effort and greater risk. In a connected world, fraud is easier, faster and has fewer barriers to entry,” says Benn Dullard of Eunexus, a consultant specialising in online banking fraud prevention. “Fraud occurs across multiple products. It can be very difficult to identify the original point of compromise.”

Useful contacts

To check your credit file (contact all the relevant organisations):

Your say - Choice voice

Make a Comment

Members – Sign in on the top right to contribute to comments