

Gmail Gaff or Identity Theft? [podcast]

Imagine you receive confirmation of a booking for two business class seats to Paris in your name from Singapore Airlines...

But you didn’t book any flights.

In this episode, you’ll hear the mysterious story of one of our team, James.

Not only will the series of emails and odd circumstances cause you to question, ‘What would I do?’ but it also brings into question the seemingly low levels of security and scrutiny surrounding your airline frequent flyer accounts.

On the Cyber Heroes Podcast, we talk about how to protect your people and reputation, strengthen your cyber posture, create a culture of cyber savviness, and the many cybercrime lessons being learned around the world every day.

We tell these stories because statistics show that most people on the planet will, at some stage, become a victim of cybercrime and we don’t want you to be one of them.


If you like what you hear, feel free to share this episode and help us expand the world's community of Cyber Heroes.

Transcription of Episode

So I did my best to locate this person and have a conversation with them. But I was unable to actually find them, or get anybody to speak to me in a way that would actually allow me to confirm whether we had a case of mistaken identity or a case of stolen identity. I'm not the only person with my first and last name on the planet. I'm fairly sure of that. But it was a bit strange that my email address has been used for this.

So I spent a few days doing those investigations, and nothing more came out of it. So I decided to leave it there at that, and not do anything else about it. That was in April this year. I did notify my work at the time that I had some suspicions about having my identity taken and being used by somebody else. And it never really went further than that until in late August this year, I received another email for yet another series of flights. The dates were very similar, again, going to Paris, this time, it was a single seat, going to Paris on the same dates and returning on the same dates. But they were in economy. And the email was very strangely worded. It was the subject line, "If you do not change the seats, I am not going", which was just odd. And it was almost like I was being taunted into taking action, though. Again, I contacted the airline, the airline confirmed it was a legitimate booking, I'm even now still able to go online following the links in both of those emails and manage the bookings. Now, neither of the bookings had the full passenger details in them. So they had the first name, the last name, they had phone numbers, and they had email addresses. You could see the credit card number that had been used for both bookings ended in the same four digits. But the frequent flyer details had been entered, and they were different.

But there were no passport details. And there were no other identifying details that I could take to anybody that would actually help me identify who in fact was doing this or in fact, if it was being done in my name with the idea of creating some kind of liability in my name, and that was my main concern is that somebody set up a financial instrument in my name that I can then be billed for. So I'm still waiting for the credit card account to come to me. I'm still waiting for other financial instruments or loans or debts to arrive in my name that I am apparently liable for. So they're my primary concerns about this entire situation. So when the August email arrived, I was on holidays in Queensland. So I actually contacted Queensland Police. And they suggested that because I was a New South Wales resident, that I needed to go to New South Wales Police.

I was due to fly home the next day. So I did do that. And on the evening, I arrived home, I actually did toddle down to the local police station. And I went and had a conversation with them about it. Now this was after having spoken to the police assistance line in both Queensland and New South Wales police assistance line. And both of them said you need to go and present to your local police station and make a formal notification. Now the reason for doing that was so that should there be any untoward outcome about this, if I do have a debt in my name, I've got evidence that I was aware of it that I've taken the steps to try and resolve it or prevent it. Now on arriving, bearish, I assumed they would have wanted you to demonstrate your identity.

Crazily enough? Yes. So when I went to the police station, I in fact, took my passport. And I took a number of points of identification so that I could in fact, prove who I was. Unfortunately, the local police station was less than willing to assist. And their take on the situation was unless you've had something tangible, stolen, or you've actually suffered actual loss, there is nothing that they can do, which was really frustrating. And I went to pains to speak to the person and suggest to them that in fact, my identity is probably my most valuable asset. But there's no convincing them. They are, I'll be honest, ill-equipped from a knowledge perspective and an understanding perspective to be able to address these kinds of issues. And that's where I guess cyber security really falls into a grey area when it comes to the authorities and, and policing such matters. What they did do is they actually directed me to the cyber.gov.au website. And I did find there after going in quite a few circles that I was actually able to make a statement and create a case. And I went ahead and did that. It's something that appears to then be forwarded to the Australian Federal Police. And there's an option when you're doing that to actually say, Yes, you want it to be investigated by the police. And I have done quite a bit of my own investigation into this situation to make sure that I'm, you know, I'm satisfied that we're in a fraud scenario, or it's a genuine case of mistaken identity. But I don't, I haven't been able to come to any conclusions there. And certainly when I made the case on cyber.gov.au, that was literally the last I heard about it from the government. I've got a case number. And it's been radio silence

ever since you help us. Nothing more really. Yeah,

basically. And look, I'm all for, you know, helping the government maintain statistics on this sort of stuff. So that's all well and good. So the next step that I have then taken is to go and start talking to the credit reporting agencies. So I went to a third party agency and downloaded my current credit rating. In fact, I'd already done this a few months ago, and my credit rating was very good. When I downloaded my credit rating, again, I was actually a little concerned to see that it had changed. But it hadn't gotten worse, it had in fact gotten better. Now, I don't understand the mysteries of the financial construct of Australian credit ratings. But my understanding is that if you want your credit rating to be better, you need to take out more loans, you need to have more financial instruments in your name. So to see that my credit rating had actually gotten better, was a genuine concern.

When nothing had really changed.

I've taken no credit cards or paid, I've taken no extra loans in life as usual for me. So what I've been able to do this week, and it has been a pretty drawn-out process. But obviously on the back of the Optus hack. I am a victim there as well. I've decided to jump into three of the three credit agencies in Australia. So there are three primary agencies in Australia that are responsible for managing credit. And I was able to get my credit report from a company called illion. And that was a free service, I was able to log in create an account and immediately they gave me a digital version of my credit report. And it quite clearly showed much to my satisfaction that there are no unexpected financial instruments there in my name. So what I was able to do in that scenario was to put a ban on my credit account as well. So that if anybody does make a query or tries to make a change to my credit rating in the next month or so, there is a ban across those three agencies that prevents any changes from occurring. And theoretically, I should be alerted if somebody does try and make a change to my credit rating. So if there's a new credit card taken out with my name on it, then I would expect that I will get notified about that. And that they won't be able to take that credit card out because there's a ban. But that's only a short-term measure, you can't keep a ban on your credit rating for so the

at this stage, there has not been any financial loss to

it know, and this is really a case of concern and vigilance. Yeah,

Absolutely. Yeah. So you're on high alert. Yes. What are the steps have you taken or could you take?

Well, so one of the concerns was that my email account that I have with Gmail is one of the very, very early email accounts. So it's my first name last name@gmail.com. So it is quite conceivable that somebody who does share my name, could invariably accidentally use my email address instead of one that might be prefixed with a 01, or, or some other variation. What I have done is I've been right back through my emails in that account. And I have noticed that there has been a pattern of other people sending me emails from other organisations around the world, that now when I look more closely at them aren't spam. They are, in fact, legitimate purchases in my name. And so it seems to me that this may have very well been going on for a very long time. I think one of the things that concerns me the most about all of this is that there's actually very little I can do about it until something untoward happens. And at that point in time, it is effectively going to be too late.

Yeah, sure. I mean, when you contacted your employer, what was their process in place? There we go right on by default, let's change all the passwords, that's change, that updates and stuff. In case anything has been compromised, advising the Bank of concerns and all those things?

Again, because there's nothing in my name that's been taken out, there's really no impact on my bank. So there's no, no one's got access to my bank accounts. Nobody. That's one other thing I did do was I actually rang Visa, because I could see the credit card being used was a Visa. And they told me that unless I could actually provide the full credit card number, they weren't able to give me any information about that. So fair enough. Fair enough. Yeah, you know, I've tried to do my own identity investigation. And there's certain levels of information you just simply can't get access to. So in terms of my employer, and what they were able to do, it was actually again, very limited, we assessed the situation for what it was, it appeared to be related to my name, and my email address. And at that point in time, nothing further. So it doesn't affect anything from a work product perspective, that doesn't affect any accounts that I've got, it doesn't appear that there were any email addresses, or passwords, anything like that compromised, it was all about the use of that email address, and my, my identity or my name, and that's really, as far as it's gone.

When you say you logged in and looked at the flight details, I'm going to police mode. Yeah. Where are you logging into?

So the email that came from Singapore Airlines for both bookings actually has a link in it, that if I was to send you the email, you will be able to access those details online yourself. So it's not a secured system. It doesn't require a username and password to go and review that booking and see those flights and in fact, make changes to the details that are there, which I find quite incredible, to be honest. But you know, having spoken to Singapore I wonder if he can, from there, try and log in, reset your password, because it's got your email address? Well, there's no account, and there's no password to reset. Anybody, there's no way on that when you go onto that page is nowhere or login. And try and log in us your details on Forgot Password. It's going to send the password reset to your email address because that's what it's got.

And this was the amazing thing about it was there was actually no requirement to authenticate in there at all. I could have gone or made any changes in there because I've got the booking details. I've got the booking number, and I've got the reference number. And therein lies the information that's required to access and manage the booking. And it was amazing when speaking to Singapore Airlines, they were quite happy for me to take ownership of their booking. In fact, they said to me, if you wanted to cancel the booking, you can ask for a refund.

But my concern about doing that is then of course, if I do cancel somebody else's booking and it is a mistake, a genuine mistake, and it still potentially is. Then I'm basically privy to fraud myself. And, you know, I obviously don't want to be a party to that.

I've ended, I'm not sure it would be fraud if you didn't receive any financial benefit from it, or any benefit at all. In fact, if you offer a refund and got the money shield, yeah, yeah. Yeah. I mean, you'd be ruining someone's day when you get a rocket later this year. And there's no flights for them. Yes, yeah. But it is also odd that they booked and paid for two business-class seats. Now there's an economy first, but it could be a kid right? They could have decided to now take a kid but I'm not going to.

And that's exactly what I thought is they've taken a kid they've taken a stepchild with them and the stepchild's got antsy, because he's not flying business class with mom or dad, or mom or dad. So he's written to them and said, unless you actually change my seat, I'm not coming with you. And that is quite possibly the situation.

With Singapore Airlines, given the situation, given what you're able to tell them, surely, they can phone the person on that account. They can do it, you know, ask him for anything. I find the person on the account and ask them if they're getting the emails. Yeah. So they,

they said to me, I could find the person. Yeah, the phone numbers are there. They gave me the phone numbers,

because they're worse. Yeah. So I've got all the phone numbers. My difficulty is I don't want to ring these people. Because if it is a scam, all of a sudden, fantastic. Yeah, right.

After this, if you ring them. Fantastic. Yeah. I get scammed and hacked to pieces. It's my own fault.

Absolutely. Yeah. I understand your reluctance? Absolutely. Absolutely disappointing to hear that Singapore

Airlines weren't like, yeah, looking very cool.

I think the most amazing thing there is the lack of security around that kind of situation. It's just very, very strange. And I haven't been into either of those bookings for a couple of a few weeks now. Maybe they are as they're getting close to flight time filling it out with more information about who they are and what they're going to do.

Yeah, but they don't get an email. So they're logging in somewhere.

Yes. Well, that's right. So how are they doing that? Yeah, I don't know. I don't know. So you can feel it? Obviously.

It makes you feel a little afraid, I suppose. You know, it made me feel quite anxious. Especially when I got the April emails, but then certainly that last email from the second booking, you know, desperately anxious, you know, really, what's next, what's going on here? What's waiting for me when I get home from my holiday? You know, the last thing I need is a credit agency ringing me again, you know, we're after you for money, which may very well occur, and it would be the first thing I'd know about it.

No, all you can do is take steps to be able to document the journey. So when if that day comes, you can go yep, here we go. And that's exactly right. And that's the whole purpose behind hitting up the credit agencies and putting bans on, downloading that latest credit report and keeping an eye on it, making the police reports. There's an evidence trail now that I have actually got concerns about this situation. So should the worst come to bear, I have got evidence that I've been proactive in trying to resolve the issue.
