Realising the 2030 Vision: A Roadmap for Tackling Scams in Australia

By Eric Pinkerton

I recently had the privilege of addressing the Australian Network Operators Group (AUSNOG) Annual Conference, sharing my insights on the pervasive issue of SMS scams. These scams, also known as "smishing," continue to plague Australians, despite concerted efforts to combat them.

The backdrop to this is that last year the Government unveiled the 2023-2030 Australian Cyber Security Strategy, which outlined its vision that by 2030 Australia will be a world leader in cyber security.

Now I have a soft spot for our former Cyber Security Minister, and genuinely felt optimistic that we could move the needle on this. So, when she became Minister for Housing and Homelessness in July, I thought while there is now much less chance we will all be homeless by 2030, our cyber security ambitions may fall short.

So, what can we do to become the world’s most cyber secure country in under six years? Well, I did some research, and it turns out that the most cyber secure country in the world today is Denmark.

This is based on something called the ITU’s Global Cybersecurity Index or GCI. The ITU maps 82 countries on cyber security commitments across five pillars: legal, technical, organisational, capacity development, and cooperation.

This is not a level playing field however - because the thing about the Danes is, they tend to speak Danish.

That means that when a scammer hits up Karl Kristensen, pretending to be from Danske Bank, if his Danish is not perfect, Herre Kristensen will quickly know something is amiss.

While this point may seem trivial, it is a good example of how factors that are well and truly outside of our control can actually be critical to understanding our overall threat environment. Take for example scam reporting by age group:

[Graph: scam reporting by age group. Source: ACCC National Anti-Scam Centre]

In 2023, Australia lost $2.74 billion to scammers according to the Australian Competition and Consumer Commission (ACCC), down from $3.15 billion in 2022. It is thought that 30% of victims do not report scams, so to put that number in perspective, with a current population just shy of 27 million, it is the equivalent of every single person in Australia losing $125 per year.

By far the most reported attack vector from 2023 was text messages: more than 47% of Australians reported exposure to fake or deceiving text messages in the last year. To me, this means that 53% of people are not even bothering to report them.

If you look at the graph above, it is clear that the older you are, the more likely you are to get scammed. However, the volume and dollar value of scams reported is clearly not the same as the severity of scams, and therefore does not tell the whole story.

For example, there is a common misconception that it is boomers that are most at risk due to the number of scams reported. In reality, sextortion scams are quite literally killing our kids at the moment, and they are getting worse.

So, with more nuance than simply trying to reduce the total number of reported scams (which itself may be an indicator of scam awareness), what are the ways in which the Government can potentially make a difference? After all, there are only so many levers available to the Government to try and move the bar.

One of those is education, and anyone who has been tasked with implementing a cyber education program knows how difficult that can be. If you look at how successive Australian governments have tried to educate the general population, you will see that it skews towards boiling a message down into a single snappy rhyming sentence.

Think “Slip, Slop, Slap”, or “don’t drink and drive”. “Decide to survive”.

Scams did not escape this fate, and in about 2019, someone in Canberra came up with this banger:

[Image: ScamWatch anti-scam slogan. Source: ScamWatch]

While the ScamWatch Website has since changed this to “Stop, Check, Report”, the number and depth of resources available is undoubtedly much better than it once was.

This truly kicked off in July 2023, when the ACCC established a taskforce called the National Anti Scam Centre (NASC), which set out a three-year plan to “bring government, industry, other regulators, law enforcement bodies and community organisations together with the goal of making it more difficult to scam Australians”.

The tail end of August 2024 saw Scams Awareness Week, the theme of which was ‘#ShareAScamStory’, in which the public were asked to share their stories of being scammed or nearly scammed with friends and family, to destigmatise being a scam victim and help promote awareness of common scams.

I thought this was a really great idea.

Out of interest, I asked the delegates of the conference how many of them had been aware of this initiative, and disappointingly only 2 in a room of 400 people admitted to knowing about it.

I think an area where the government could actually move the needle is what I would call Media Outreach. Whilst I often see stories about scams on TV shows like The Project or A Current Affair, the advice given is sometimes a bit cringe, and it is often apparent that the journalists covering the story do not really understand the topic. Worse is when they interview an expert, and then cut the interview down to a single snappy soundbite that misrepresents the message.

I think coaching journalists about how to provide timely and effective guidance for cyber security and preventing scams could really go a long way towards lifting the general awareness of the population for relatively little investment. It is also a good opportunity to target key demographics that are disproportionately represented in scam data with tailored messaging, rather than simply casting the net wide with generic slogans.

Next up we have collaboration; after all, nothing impactful happens in a vacuum. Whilst there have been efforts to improve information sharing between banks, telecommunications providers, technology companies and government agencies like ASIC, ACMA, ACCC, ACSC, and law enforcement, there are ample opportunities for improvement.

Conceptually, a telco that detects an SMS message with a phishing link should be able to not only detect and stop those messages, but also block traffic to that site, inform other carriers, and coordinate with the government so that traffic to that site is stopped, the site is taken down, and banks can be notified of potential victims.

In my experience, the level to which this happens today is sadly lacking.

Next is law enforcement, which itself is split between state policing, the AFP, and international partners. To be fair, our law enforcement agencies have been doing a pretty good job both domestically and in collaboration with our overseas partners. For example, in July 2024 the AFP impounded up to 30 SIM boxes alongside the arrest of 6 people across Australia linked to smishing campaigns. The challenge is that scammers are adept at falling between the cracks of state and federal jurisdictions, and exploiting the inevitable challenge of coordinating between different agencies in different countries.

Finally, we have legislation. Between 13 September 2024 and 04 October 2024, the Government released a proposed scams prevention framework for industry discussion. This was intended to apply to telecommunications providers, banks, and digital platform service providers, beginning with social media, paid search engine advertising and direct messaging services.

While regulation remains an ongoing challenge for platform service providers (many of whom are headquartered internationally with varying levels of interest in the Australian scam landscape), the telcos have seen a fair bit of regulation already, from Industry Code C661:2022 through to the proposed ACMA SMS Sender ID Registry.

Telecommunications providers in Australia have generally been amenable to regulation; however, I believe the next logical step is to force the implementation of SHAKEN/STIR, a standard that uses digital certificates to validate a sender, making it far easier to trace scammers back to the source of their messages.

In response to a robocalling epidemic, the US Federal Communications Commission (FCC) mandated all carriers in the US to implement SHAKEN/STIR, and since June 2023 SMS spam in the US has seen a marked decline. However, scammers subsequently (and predictably) moved to Over the Top (OTT) services such as iMessage, WhatsApp, Signal, Telegram, Facebook, Snapchat, Instagram, and the like.

Because these OTT services are encrypted, the push towards SHAKEN/STIR has had the unintended consequence of making those communications completely opaque to the carriers, and places the entire burden for detection and blocking in the hands of technology companies who often use end-to-end encryption as a get out of jail free card for any form of responsible disclosure of scam activity.

The Australian Government has also had variable success in its attempts to regulate technology companies. For example, the News Media Bargaining Code resulted in Facebook briefly blocking news content in Australia, and attempts to get Twitter (now X) to block a video depicting a terrorist attack resulted in the platform simply geoblocking the content for Australian users.

The other option is to regulate banks to make it harder for the scammers to get paid; but Australian banks have traditionally proven far more adept at negotiating compromises to regulatory controls than telecommunications providers. As a case in point, in 2022 the ACCC called on the banking sector to establish an ‘industry-wide account name checking system’. In response, in July 2023 the Australian Banking Association (ABA) announced the Scam-Safe Accord, a series of initiatives aimed at combating scams.

One of the key measures was the introduction of PayID name matching. In simple terms, if you are about to make a payment to an account and the name on the account differs from the one you have been given (as is common in many scams), it will alert you that something looks suspicious.

Many are horrified to learn that banks do not routinely check account names when transferring funds. Unfortunately, it is more complex than it may seem at first glance to implement well, and for fairly innocuous reasons. People routinely get account names wrong (leaving out a middle initial, for example), and if banks simply blocked all transactions where the account name was not a perfect match, millions of transactions would need to be resubmitted, which would be painful for banks and customers alike.

The solution is to crowdsource the decision, effectively asking the person making the payment to make the comparison. But to do this, the bank needs to know not only the account names of its own customers, but also the account details of all of its peer institutions, which requires some sort of lookup to return an account name for a given account number.
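As an added example that is not part of the original article and is not any bank’s NameCheck, Verify or Payment Prompts code, the Python below sketches the tolerant comparison described above: exact match, a close match that survives a dropped middle initial, case, punctuation or a small typo, and a no match. The registry is a constructed stand-in for the cross-institution lookup, the three outcomes are borrowed from the UK Confirmation of Payee scheme discussed later in the article, and the similarity threshold is an assumption.

```python
"""Illustrative account name check (added example, not any bank's code).

Registered names are revealed only on a close match, so that a no-match
response cannot be used to enumerate who holds a given account.
"""
import re
from difflib import SequenceMatcher

# Constructed sample data standing in for the industry-wide lookup:
# (BSB, account number) -> registered account name.
ACCOUNT_REGISTRY = {
    ("062-000", "12345678"): "Karl Kristensen",
    ("062-000", "87654321"): "Ashley J. Nguyen",
    ("033-001", "11112222"): "Phronesis Security Pty Ltd",
    ("062-000", "99990000"): "Quick Crypto Investments Pty Ltd",  # mule-style account
}

COMPANY_SUFFIXES = {"pty", "ltd", "limited", "plc", "inc"}
CLOSE_MATCH_RATIO = 0.85  # assumed threshold for tolerating a small typo


def normalise(name: str) -> list:
    """Lower-case, drop punctuation and company suffixes, split into tokens."""
    tokens = re.sub(r"[^a-z0-9 ]", " ", name.lower()).split()
    return [t for t in tokens if t not in COMPANY_SUFFIXES]


def name_check(bsb: str, account: str, entered_name: str):
    """Return (outcome, registered_name_or_None) for a proposed payment."""
    registered = ACCOUNT_REGISTRY.get((bsb, account))
    if registered is None:
        return "account_not_found", None
    reg, ent = normalise(registered), normalise(entered_name)
    if reg == ent:
        return "match", registered
    # Dropped or added middle name/initial: first and last tokens still agree.
    if len(reg) >= 2 and len(ent) >= 2 and reg[0] == ent[0] and reg[-1] == ent[-1]:
        return "close_match", registered
    # Small typo: overall character similarity of the normalised names.
    ratio = SequenceMatcher(None, " ".join(reg), " ".join(ent)).ratio()
    if ratio >= CLOSE_MATCH_RATIO:
        return "close_match", registered
    # Different person or entity: do not disclose the registered name.
    return "no_match", None


if __name__ == "__main__":
    # A scam victim given a mule account number but a trusted person's name.
    print(name_check("062-000", "99990000", "Karl Kristensen"))  # no_match
```

On a close match the payer is shown the registered name and asked to confirm; on a no match they are warned without the real name being disclosed.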

Instead of working together on an industry-wide account name checking system, they appear to have all set about inventing their own wheels. CommBank were first over the line with ‘Namecheck’ in February 2023, followed by Westpac with ‘Verify’ in March, and NAB with ‘Payment Prompts’ in April. ANZ is presumably still in the process of releasing their solution, likely because all the good names were already taken.

“Why did this happen?” you may ask – well, a clue is that in May, CommBank offered NameCheck to government organisations, payment processors, and other companies, with Bendigo Bank being one of the first to sign up. So, in two years since being told to tackle this issue, to my knowledge only 4 out of a total of 97 banks have managed to do it.

An interesting statistic from NAB is that around 12% of payments (or approximately $290,000 worth of payments) were ultimately cancelled every day as a result of the payment prompts message questioning the validity of the transaction.

The UK banks in contrast started implementing an account name checking service, known as Confirmation of Payee (CoP), in a phased approach starting in 2020. There were 32 banks involved in the initial phase, with around 140 banks in the UK now using it. Why? Because it was ‘an industry-wide account name checking system’.

I think it’s highly likely that fraudsters and romance scammers are well aware of this disparity, and have switched from targeting UK victims to Australian victims as a direct result.

Off the back of this, the UK’s Payment Systems Regulator (PSR) has said that banks and other payment firms in the UK must reimburse defrauded customers to a maximum of GBP £415,000 (AUD $529,000) from October 2024. Under the requirements, the costs of reimbursement will be split 50:50 between the firm behind the customer’s account sending the funds and the company receiving them.

The ABA have pushed back strongly on this approach, ironically saying it will create a honeypot and make Aussies more at risk.

So, if we want to be the most secure country in the world by 2030, and we are not game enough to all try our hands at speaking Danish, our best plan will be to increase government spending on education, with professional ad campaigns targeting specific age groups on the threats relevant to them, including sextortion, crypto, invoice, and romance scams, rather than simply Healthy Harold the Giraffe reciting a three-word rhyming slogan.

We should double down on the great work we have seen amongst law enforcement agencies, where ambitious operations combined with international coordination, communication and cooperation have enabled Australia to punch well above its weight, as evident in the great success of Operation Ironside.

We should try our best to drive greater cooperation with technology companies, but temper our expectations for organisations with complex geopolitical drivers and financial incentives to do nothing above the bare minimum.

Finally, we need to acknowledge that for too long, the focus on profit within the Australian banking industry may have overshadowed the pursuit of truly effective solutions in this area.

We now have an opportunity to re-evaluate priorities and foster a more balanced approach – making the 2030 vision more than just another slogan.

Gail Jackman

Cyber Security Awareness Change Analyst. Diversity, Equity, Inclusion, Workplace Belonging Advocate. Client centric, partnerships, engagement specialist. Training and Event Management specialist. Social Entrepreneur.

4 months

Fantastic article Eric Pinkerton, a great read.

Arjen Lentz

InfoSec, privacy, connectivity, open source

4 months

Indeed, I think that the attitude of the banking sector leaves much to be desired. The telcos could also improve, but are a bit ahead of the banks right now.

Anthony Canning

Cyber Security Strategy, Risk and Education Leader | Deputy CISO

4 months

I couldn't take this seriously as it had hallmarks of not being written by AI. Legitimately writing content? Very disappointing, Pinky...

Gabriela Guiu-Sorsa

Cyber Security Adviser | GRC | ISO27001| Incident Response | Crisis Management | Mentor | DEI Advocate | Loving wife | Cat aficionado

4 months

Great read, including the well educated sense of humour
