If you’ve ever wondered how scammers time their fake Australia Post texts to land just as you are expecting a parcel, the online ad industry might be to blame.
As David Niven learned in November 2022, timing is everything when it comes to an effective scam.
“My phone pinged and there was a text message … it said, ‘Your E-Tag didn’t work, you have an outstanding toll … hit the following link to avoid getting a fine’,” he recalled.
Millions of Australians have likely received a similar message in recent years, but the timing was uncanny for Mr Niven.
“I had travelled on a CityLink toll road within about a week or so of that date … in fact, my E-Tag hadn’t beeped properly,” the 66-year-old Melbourne resident said.
“That particular trip was the first time we travelled on CityLink for three to four years.
“So, I was half expecting to get a contact from CityLink to say there was something wrong.”
Mr Niven may be more suspicious than most, having worked as a consumer rights lawyer for almost 40 years.
He’s even helped clients claw back money lost to scams.
But the timing of the text message checked out, and he decided to follow the link.
It drew him into a sophisticated fraud that convincingly mimicked a multi-factor authentication process, dispelling the last of his doubts.
“At that stage, my suspicions had gone away … this had all gone exactly as it should go,” he said.
Finally, the scam sent him to a replica Commonwealth Bank page, which requested his bank details.
Mr Niven still did not suspect the truth, but the consumer lawyer in him was incensed at what seemed an inappropriately cosy relationship between the bank and the road toll company, and he called the bank to complain.
“I eventually got through to a person, very helpful, who said, ‘Oh no, that wasn’t us. It’s a link scam’,” he said.
The bank cancelled the fraudulent transaction, and his understandable, if somewhat misplaced, outrage had saved him from becoming a victim of fraud.
“Who would have thought there’d be a benefit in being an angry old man?” he joked.
A new report from policy advocates Reset Tech said a little-known corner of the online advertising industry, known as Real Time Bidding (RTB), may be to blame for the precise timing in David’s case, and many others like it.
“RTB probably wasn’t intended to become a surveillance behemoth,” executive director Alice Dawkins said.
“It’s a mechanism to sell ads, but as a consequence, you can build very detailed profiles about people’s preferences, habits, where they are across the day, their movements.”
That data might indicate whether you are expecting a parcel in the post, or if you have recently used a toll road.
As the ABC reported this week, a recent investigation by the Irish Council of Civil Liberties (ICCL) found the RTB system sends information about an individual Australian 449 times a day on average.
The RTB ecosystem produces detailed psychographic profiles on individual internet users, containing an often disturbing level of personal information, such as whether a person has depression, whether they are a survivor of sexual abuse, their financial circumstances, and how much alcohol they drink.
“We were looking in the report at some kind of funny ones, like whether you prefer Fanta or Sprite,” Ms Dawkins said.
“But then there’s information about whether you’ve been purchasing sexual health goods, and maybe that’s great if you’re selling condoms, but that little piece of data could quite obviously be misused.”
The federal opposition described the RTB system as a “serious national security risk” after the ICCL’s investigation found the data could expose senior officials to blackmail attempts by foreign actors.
“There’s a whole chunk of data that’s freely available [where] I can’t think of a legitimate use … other than something nefarious,” Ms Dawkins said.
A July poll by Reset Tech and YouGov found that 70 per cent of Australian adults had been targeted by a road toll scam and 80 per cent had been on the receiving end of an Australia Post parcel scam.
Ms Dawkins pointed out that the sharp increase in scams has coincided with the growth of RTB in online advertising, and while there was no way to confirm that’s how David Niven was targeted, the overall pattern is a major concern.
“You’re going to have to go to a scammer to find out precisely what they’re doing … but we’ve looked at this logically,” she said.
“There’s this narrative that all of your scam approaches are coming from an [illegal] data breach … [but] why would you be trying to buy that data when the RTB system is much more accessible, and it’s currently legal?
“There’s certainly an argument that RTB represents the biggest data breach ever.”
The federal government is in the process of updating the Privacy Act, with a bill currently before parliament.
But changes to data privacy rules, which would rein in the RTB system, have been deferred until a later date, with no timeline announced.
“What we need to see are proactive obligations put on industry that set really clear expectations for the limits for data collecting and trading,” Ms Dawkins said.
She called on the major parties to make commitments to address the issue ahead of the next election.
In the meantime, she said it was “good practice” to use whatever legitimate privacy tools are available, such as free widgets like Privacy Badger or uBlock Origin.
“Privacy Badger, as I understand it, is great for insulating against [the collection of] browser-based data,” she said, but warned those measures would only ever offer partial solutions.
“Changes to the Privacy Act could limit unauthorised collection, sharing, sale and use of our personal data,” she said.
“It’s completely within reach for Australia to be one of the safest and most secure jurisdictions for internet users.”