A road trip holiday that should have left Heidi Landford feeling relaxed has instead seen her fall victim to a toll road scam that is affecting hundreds of Australians weekly.
Two weeks after a Fraser Island getaway with her fiance, the Gold Coast ballet teacher received a text message that said she had an outstanding toll.
“I thought it was legitimate because it was the date that we travelled and I thought I must have forgotten to pay it,” Ms Landford said.
After following a link embedded in the message, Ms Landford filled out her details on what she described as a “perfect copy” of the toll operator’s website.
“It had the colours, the logo — everything about it looked exactly like the Linkt website that I’ve paid tolls on before,” she said.
“I just didn’t think anything of it.”
Unfortunately, Ms Landford had been lured in by a phishing scam.
The Australian Competition and Consumer Commission (ACCC) said money lost to phishing jumped from $4.3 million in 2021 to $24.6 million in 2022 — an increase of 469 per cent.
“Scamwatch is aware of a significant increase in phishing scams via text, email and social media [and] received over 74,500 reports of phishing scams in 2022,” an ACCC spokesperson said.
ACCC data shows that of those who report a phishing attempt, one-fifth, or 14,500 people, report being a victim of a toll road scam, with losses totalling more than $664,000.
Ms Landford, who realised the scam and cancelled her credit card before any money was accessed, said the experience made her question texts and emails from nearly all organisations.
“It just makes you second guess everything, even legitimate things that come through,” she said.
Numbers blocked, websites shut down
Griffith University cyber security senior lecturer David Tuffley said scammers phishing for information with websites that “spoofed” those of legitimate businesses had become increasingly slick in recent times.
“A few years ago it was pretty amateurish websites that were put up to fool people,” Dr Tuffley said.
“Now scammers are realising that the more professional the website looks, the more likely they are for people to be taken in by it.”
Transurban, the company that manages Linkt toll roads in Queensland, Victoria and New South Wales, has worked with telcos to block more than 12,000 unique mobile numbers used in the scam.
“We’ve also been able to stop over 1,500 fraudulent websites that these scams link through to, to really mitigate the impact on the community,” Transurban customer experience and operations general manager Chris Jackson said.
“We recognise that some scams will get through, so we’re really focused on education and have emailed over five million customers about the scams.”
A ‘concerning phenomenon’
Mr Jackson said the time between using toll roads and receiving scam texts, which can range from hours to days or weeks, is coincidental, and a result of scammers sending thousands of text messages every day.
“What the scammers are really banking on is that one or two people will have travelled on the road recently and the message will resonate,” he said.
“It’s like throwing mud at a wall and seeing what sticks.”
But Dr Tuffley said toll road users receiving scam messages within hours or days of their travel was a “very concerning phenomenon”.
“If it’s happening a lot then it certainly would bear a lot of scrutiny on the systems that maintain a link between a person’s identity and the number plate of the car that they drive,” he said.
“I’d be wary of suggesting any impropriety on behalf of the company itself, but data leaks can occur and it would certainly bear a very close inspection of their security.”
‘Millions’ of numbers on dark web
Dr Tuffley said the proliferation of text message scams was likely to continue in the wake of the well-publicised Optus and Medibank data breaches, and other breaches that received less publicity.
“That has released literally millions of people’s phone numbers onto the dark web,” he said.
“That can be purchased by bad actors, by cyber hackers to work their scams.
“I don’t think it’s a coincidence that we’ve seen a big surge in this sort of thing in the months following those really large-scale data breaches.”
Mr Jackson said Transurban had no evidence of any data breach in its system.
“In fact, we get quite a large number of calls from the general public who don’t have accounts with us enquiring in relation to those texts,” he said.