How to identify spam and phishing messages

  • Identifying and managing spam

    Spam refers to unsolicited junk emails that are sent to large numbers of people at once. Spam emails typically advertise fake products or get-rich-quick schemes.

    Don’t bother unsubscribing from spam emails; this just confirms to spammers that your email address works and that they should keep spamming you.

    The most effective way of managing spam emails is to use your email settings to send these emails to your junk folder.

  • What is phishing?

    Phishing (pronounced fishing) emails are more sinister than spam. They're designed to convince you to provide personal information like:

    • a mobile phone number

    • usernames and passwords

    • credit card details or bank details.

  • You’re in control with phishing emails

    Criminals use email for the same reason legitimate businesses do: it’s a cheap way to reach a lot of people.

    The phishing email you receive was probably sent to several thousand other people as well. You can outsmart these criminals by taking a few seconds to look for the signs that something is up.

    Phishing emails often pretend to be from legitimate companies such as banks, courier companies, or government departments, and can contain links to fake websites.

    These fake sites look very similar to the real ones, including ours, and are designed to convince people to provide their bank details.

    Our Security team monitors the Internet for fake websites and requests that they be taken down to protect our customers.

    Sometimes the email will have an attachment that appears to be an invoice or document. When you try to open the attachment, it installs malware onto your computer without your knowledge.

    Here are a few signs the email you received may be a phishing email.

    • Sender address: this might be unusual, misspelled or slightly different from the correct address.
    • Generic greetings and sign-offs: phishing emails are sent to hundreds of people at once, so they use generic greetings and sign-offs.
    • Poor grammar and spelling: this can be a tell-tale sign, but it isn’t always the case. Remember, criminals can use spell check too.
    • Creating a sense of urgency: phishing emails often pressure you to click a link or download an attachment to avoid a problem. Always read an email carefully before taking any action.
    • Suspicious links and fake websites: if you receive an email with a suspicious link, hover over the link with your mouse to see the actual web address it leads to – it could lead to a fake website. Make sure the website domain is BOQ.com.au.
    • Malicious attachment: often an attachment will appear to be a PDF, image or Office file, but when you try to open it, it runs a program or script intended to infect your computer with malicious software.
    • QR code phishing (‘Quishing’): criminals are increasingly using QR codes in phishing messages, as they may bypass email spam filters designed to detect malicious content. When scanned by a mobile phone, the QR code opens a website which may contain malware, or a phishing site designed to encourage people to provide personal details.
  • SMS phishing

    It’s not just email anymore. Cyber criminals are using other channels like SMS to conduct phishing. These fraudulent text messages use the same tactics as phishing emails, often pretending to come from a legitimate company.

    Because text messages seem more personal, these messages are often not questioned in the same way as suspicious emails. Criminals can set the sender name of an SMS to anything they like. It’s the same as when you send a letter in the post; you can write whatever sender address you like on the back – it doesn’t have to be your real name or address. Sometimes criminals set the sender name as “BOQ Credit Cards”, meaning that malicious SMS messages can appear in the same message thread as legitimate SMS messages.

    This can be confusing - but trust your gut. BOQ Credit Cards will never send you a link to “verify your identity” or ask you to log in directly from an email or SMS. These messages are not a sign that systems have been breached in any way – it simply means a criminal is impersonating our brand.

  • File sharing phishing

    Increased use of file-sharing services such as Dropbox, Google Drive and OneDrive has led to an increase in fake emails pretending to be links to documents.

    In reality, these emails contain links to lookalike file-sharing websites designed to steal your credentials or download malicious software onto your computer.

  • What to do if you get 'phished'

    If you’re suspicious of an email or text message, don’t respond to requests for information and don’t click on any links or open attachments, even if there’s a sense of urgency.

    If you receive a suspicious email or text message pretending to be from us, report it immediately to us by calling 1300 55 72 72.

Keep your mobile devices and apps secure

Your smartphone is a direct portal to your identity and your life. Your device is likely to hold more personal information about you, your family, friends and work than you would store in your home or office. You must protect it.

  • Why your mobile device must be secure

    Your smartphone or tablet connects you to the internet so that you can carry out daily tasks from wherever you are. Your device is a key to access the information about yourself that you store online. That includes online banking passwords, credit card details, personal and work connections, photos and videos and everything that identifies you, as you.

    Getting access to this information is a lucrative business for cyber criminals. If they can find a weak spot, they could:

    • steal your identity
    • steal your money
    • use your credit card to go shopping
    • infect your mobile device with malware.

    If your mobile device is lost or stolen and you haven’t backed up or secured your data, you could also lose:

    • treasured photos and videos
    • all of your personal and work contacts’ details.

  • How to secure your mobile device

    Set up your mobile device, your social media and other applications (or apps) so that it is tough for anyone else to access them.

  • Set up device locking mechanisms

    Set up a password, PIN, passcode, pattern or fingerprint to unlock your mobile device. You’ll need to set up a PIN for your SIM card too: it is removable, and your provider bills you for its use, so you need to protect it. Check your device’s security settings and select automatic locking so that your phone locks itself after a defined period of time.

    Never share your passwords, PINs or passcodes with anyone. We also recommend that you do not allow others to set up their fingerprint or facial recognition on your devices either.

  • Keep software up to date and back up data

    Set up automatic updates for applications and operating systems, so that your device is always up to date with the latest security features. Install virus protection software to protect you from malware. Always back up irreplaceable data such as photos or emails through reputable and secure cloud storage solutions. ‘Cloud’ storage means you can access your information at any time through the internet, so if your mobile device is no longer in your possession, you can still access your data.

  • Stay invisible

    When you’re not using Bluetooth, turn it off. Ignore offers of free (usually unsecured) public Wi-Fi access and ensure your mobile device is set up to only connect to secure networks you have approved. Get into the habit of regularly deleting your internet browsing history on your mobile device and closing multiple browsing tabs.

  • Lock out dishonest users remotely

    Check if your mobile device supports remote locking or wiping functions. Provided that you regularly back up your data, if you lose your mobile device or it has been stolen, you can lock it remotely, or choose to completely wipe the data. If you don’t have these options, record the International Mobile Equipment Identity (IMEI) of your handset. Ask your product retailer where to find this number. If your device is lost or stolen, you can report the IMEI number to your billing provider and they can block your device remotely.

  • Develop secure mobile device habits

    Get into the habit of the following behaviours to keep your mobile device secure:

    • Log out of websites, such as your online banking account, when you’ve finished using them.
    • Close multiple internet browsing tabs.
    • Only download apps from trusted online stores such as Google Play or the iTunes Store.
    • Review the privacy permissions carefully before you install a new app on your mobile device.
    • Never store passwords anywhere other than through a reputable password keeper app downloaded from Google Play or iTunes Store.
    • Don’t use a jailbroken/rooted device. This refers to an iOS/Android device whose security settings have been bypassed in order to remove software restrictions (usually to install software not approved by the App Store or Google Play). This significantly decreases the security of the device.

  • What to do if someone gains unauthorised access to your mobile device

    If your mobile device is lost, stolen or has been hacked (that is, someone has gained unauthorised access to your device and your data), there are ways to protect your identity and data:

    • If you’re sure you can’t recover your mobile device and you’ve set up your remote locking or data wiping functions, activate these functions.
    • Contact your telephone service provider immediately to report loss, theft or compromise of your mobile device. They will be able to block your service using your IMEI, or bar the service from using their network and then advise you of next steps.

    If you’re concerned your identity may be at risk, check out How to keep your identity safe online for advice on where to go for help.

Six simple ways to protect your passwords

You use passwords to access your bank accounts, social media, email and more every day.

Passwords are the keys to our online identity. That’s why protecting them is so important.

Creating a strong password is the first step to protecting yourself online. This helps reduce the risk of unauthorised access by those willing to put in a bit of guesswork.

To help stay safe online, follow these password tips.

  • 1. Make your passwords strong

    Short and simple passwords might be easy for you to remember, but unfortunately they're also easier for cyber criminals to crack.

    Strong passwords have a minimum of 8 characters and use a mix of:

    • uppercase and lowercase letters
    • numbers
    • special characters like !, &, and *.

    Additionally, you must not use a password that contains your date of birth, or any recognisable part of your name. If you do, this may result in fraud and loss of funds.

    Use passphrases

    You may like to consider using a passphrase instead of a traditional password.

    Passphrases are considered more secure than regular passwords, and easier to remember too.

    A passphrase is used in the same way as a password but is a longer collection of words that is meaningful to you, but not to someone else.

    For example, the passphrase ‘CloudHandWashJump7’ is 17 characters long and contains a range of different characters. This is more complex than the average password.

    Depending on the systems you access, you may be limited to a defined number of characters.

  • 2. Make passwords hard to guess and don't re-use passwords

    Could someone who knows you guess your passwords? It’s best to avoid using personal information such as your children’s, partner’s or pet’s name, your favourite football team or your date of birth as your password.

    When trying to break into an online account, cyber criminals start with commonly used words and number combinations, or they may use information exposed in data breaches. This can lead to a credential stuffing attack.

    So, it's best to avoid using:

    • dictionary words
    • a keyboard pattern like qwerty
    • repeated characters like zzzz
    • personal information like your date of birth or pet’s name.

    Security companies publish lists each year of the most common passwords exposed in data breaches; you can read the list here. Make sure you’re not using any of them, because criminals will likely try these passwords first.

  • 3. Create new, unique passwords

    If you need to reset a password, don’t just change one part of it.

    Instead of changing a number at the beginning or end, create something completely new you’ve never used before.

    If your original exposed password had a ‘1’ at the end, an attacker would likely try ‘2’ next. That’s why it’s important to change the whole password.

    Get into the practice of changing your password often, ideally every few months.
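Tips 1 to 3 above combined into a single password acceptance check, added here as an example rather than anything BOQ’s systems do. The user’s name, date of birth and previous password are constructed, and the rule that at least three of the four character classes must be present is this example’s own assumption (the page’s passphrase example has no special character).

```python
import re
from datetime import date

MIN_LENGTH = 8  # minimum length stated on the page
CLASS_PATTERNS = {"uppercase": r"[A-Z]", "lowercase": r"[a-z]", "number": r"\d", "special": r"[^A-Za-z0-9]"}
# Short constructed lists; a real check would use a published breached-password list.
COMMON_PASSWORDS = {"password", "123456", "letmein", "welcome"}
KEYBOARD_RUNS = ("qwerty", "asdfgh", "zxcvbn", "12345", "abcdef")
# Ways a date of birth typically appears inside a password (assumed formats for this example).
DOB_FORMATS = ("%d%m%Y", "%d%m%y", "%Y%m%d", "%d/%m/%Y", "%d-%m-%Y", "%Y")


def character_classes(password: str) -> set:
    """Which of the four character classes the password contains."""
    return {name for name, pattern in CLASS_PATTERNS.items() if re.search(pattern, password)}


def _core(password: str) -> str:
    """Strip digits/symbols from both ends: 'Summer2023!' and '1Summer2' share the core 'summer'."""
    return re.sub(r"^[^A-Za-z]+|[^A-Za-z]+$", "", password).lower()


def trivially_derived(new: str, previous: str) -> bool:
    """True when the new password only changes a leading or trailing number/symbol (tip 3)."""
    return bool(previous) and _core(new) != "" and _core(new) == _core(previous)


def check_password(password, names=(), dob_iso=None, previous=None):
    """Return a list of problems; an empty list means the password meets the page's rules.
    names: recognisable parts of the user's name; dob_iso: date of birth as 'YYYY-MM-DD'."""
    problems = []
    lowered = password.lower()
    if len(password) < MIN_LENGTH:
        problems.append(f"fewer than {MIN_LENGTH} characters")
    # Assumption: at least three of the four classes counts as "a mix".
    if len(character_classes(password)) < 3:
        problems.append("needs a wider mix of uppercase, lowercase, numbers and special characters")
    if lowered in COMMON_PASSWORDS:
        problems.append("appears on common-password lists")
    if any(run in lowered for run in KEYBOARD_RUNS):
        problems.append("contains a keyboard pattern")
    if re.search(r"(.)\1{3,}", password):
        problems.append("contains repeated characters")
    for part in names:
        if len(part) >= 3 and part.lower() in lowered:
            problems.append(f"contains part of your name ({part})")
    if dob_iso:
        dob = date.fromisoformat(dob_iso)
        if any(dob.strftime(fmt) in password for fmt in DOB_FORMATS):
            problems.append("contains your date of birth")
    if previous and trivially_derived(password, previous):
        problems.append("only a number or symbol was changed from the previous password")
    return problems


if __name__ == "__main__":
    # Constructed user: Alice Smith, born 5 March 1985, previous password 'Summer2023!'.
    for candidate in ("Summer2024!", "alice1985", "CloudHandWashJump7"):
        result = check_password(candidate, names=("Alice", "Smith"), dob_iso="1985-03-05", previous="Summer2023!")
        print(f"{candidate:22} {'OK' if not result else '; '.join(result)}")
```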

  • 4. You must take care of PINs and other Security Codes

    Never share your password with someone, not even with someone you trust.

    What about family and friends?

    Regardless of whom you share them with, once you share your passwords you lose control of how they’re stored and how and when they’re used.

    What if a business or company I know asks for my password?

    Reputable companies won’t ask you to give them your password over the phone or via emails or SMS messages. This might be a warning sign of phishing or a scam.

    BOQ Credit Cards will never ask you for your password or PIN, either by email, SMS or over the phone. We may ask you to provide a one-time code to verify yourself when you contact us. These messages will clearly state that we will ask you for the code.

    You may not be covered for unauthorised transactions

    The security of your card and security codes, including your BOQ Credit Cards App and Online Service Centre password, is very important. As a BOQ Credit Cards account owner, you must:

    • Keep your password, PINs and any other security codes secret;
    • Use care to prevent anyone else seeing your password and other security codes;
    • Not let anyone else use your password or security codes; and
    • Take reasonable steps to protect a security code from loss or theft.

    Compromising the secrecy of your passwords, PINs or other security codes by voluntarily disclosing them may mean you are liable for unauthorised transactions performed on your account.

  • 5. Use different passwords for each of your online accounts

    Using different passwords means that if one of your accounts is breached, criminals won’t have access to other accounts that use the same password.

    Make each of your passwords for online logins unique. This will help protect you from attacks like ‘credential stuffing’.

    Credential stuffing

    Credential stuffing is an automated technique used by criminals. They test a user's known username and password combinations across multiple online accounts.

    As many people use the same credentials for multiple sites, it can give criminals easy access to multiple accounts.

    This gives criminals an opportunity to gather more information about you, which they might use to impersonate you online to access accounts under your name.

    For example, it’s not a good idea to use the same password for an online pizza delivery website and your business email. If the pizza delivery site is compromised, you don’t want someone to also have access to your business email account.

  • 6. Store passwords safely

    Writing passwords down is never recommended. You could lose them, or someone else could see them and use them.

    Password management tools

    There are programs and apps known as password managers that will store all your passwords in a secure vault.

    A password manager only needs one strong password to access it and has extremely strong protection to make sure that only you can access it.

    This means you only need to remember one password to have access to all your passwords.

    Password managers can even generate and store new, complex passwords for you when you create new online accounts.

    Don’t allow web browsers to store your password

    Some web browsers may display a pop-up message, asking whether you want the browser to remember your login details.

    For the protection of your personal information, we recommend that you select 'Never for this site' if you see this message when using myBOQ Internet Banking.

    For more information, check out the Australian Cyber Security Centre’s guide on creating secure passphrases.

Secure your accounts with Multi-Factor Authentication

  • What is MFA?

    MFA is an added layer of security designed to confirm your identity when logging into an online service or account. This helps protect your accounts from being compromised by cyber criminals. MFA requires that you enter additional information to gain access to your account. It’s also referred to as ‘two-factor authentication’ or ‘2FA’.

  • Why MFA is important

    Using MFA makes it harder for cyber criminals to break into your account than if you only use a password. With MFA turned on, if your account is compromised and the criminal has your password, they will need to enter additional information that only you can provide.

    Online accounts such as banking, social media and email can contain a lot of valuable information about you. Information that could be accessed includes:

    • Personal identifiable information
    • Banking details
    • Employment details
    • Information from government agencies such as Medicare or myGov
    • Personal photos and messages.

    If a cyber criminal gained access to any of your accounts, they could:

    • Sell your data on the black market. This could include credit card numbers, names, addresses, emails, date of birth and so on.
    • Gain access to social media accounts by resetting your password.
    • Send phishing emails to your contact list. These could convince your friends and family to give out personal information or install malware onto their devices.
    • Send fraudulent email requests for payment. Learn how to avoid email scams.

  • Different types of authentication

    One-factor authentication

    One-factor authentication is something that only you know, like your password or PIN. Systems that use one-factor authentication only require a username (such as an email address) and a password to access them.

    Two-factor Authentication

    Two-factor authentication is something you know (password), plus something you have. Systems that use two-factor authentication require a username and a password, plus a one-time password or code (sent to your mobile phone, for example) to access them.

    Three-factor Authentication

    Three-factor authentication is something you know, plus something you have, plus something you are (a biometric input, such as a fingerprint scan to unlock your phone). Systems that use three-factor authentication require a username and a password, a one-time password or code, and some other unique biometric that identifies you.

  • How to set up MFA on your accounts

    Below are some of the common ways to set up MFA on your accounts.

    Set up MFA on Office 365

    You can set up MFA on your Office 365 in the Admin centre. This will generate a phone call, text message or an in-app notification to verify your identity. Find out how to set one up on Microsoft’s step-by-step guide.

    Set up MFA on Apple devices

    You can enable MFA on your iOS and macOS devices. For more information and instructions, visit Apple’s guide on MFA.

    Set up MFA for other accounts

    To help you set up MFA for other accounts such as social media or Gmail, the Australian Cyber Security Centre has a list of helpful guides to assist you in improving your online protection.

Handy tips for secure online shopping and banking

You can enjoy the benefits of living life online, by simply staying in control of who can access your information when you’re connected to the internet.

  • Set up basic computer security
    • Choose a reputable Internet Service Provider (ISP) to provide your internet access.
    • Keep your operating system up to date by switching on automatic updates and installing them as soon as they become available. Check out the Microsoft Download Centre or Apple security updates pages.
    • Always type the address of the site (the URL) you want to visit in the browser’s address bar, especially when you want to shop and bank online.
    • Keep your computer’s security software up to date, including anti-virus, anti-spyware, anti-spam and firewall products.

  • Review your browser settings

    It’s best to use the latest version of a web browser, as these will have the latest security features.

    If you’re banking or shopping online, it’s worth checking if the site supports the browser you’re using to make sure you’re getting the highest level of security encryption.

  • Get warnings when accessing secure and unsecure web pages

    Only access secure sites when shopping or banking online. You can set up your browser settings to prompt you every time you leave a secure site. Go to your browser’s Help menu to find out how.

  • Clear your history, cache and cookies

    To help your browser work better (and for security) you should clear your cache periodically. Also, for privacy reasons, you might want to clear your cache, cookies and history manually. This is always recommended if you’re using a computer in a shared public space like internet cafes, hotels or airport lounges. Go to your internet browser’s security or safety settings to choose options to clear your cache.

  • Make sure you’re in the right place

    The safest way to access a site is to type the address into your browser. Following a link may lead you to a fake website designed to trick you into entering personal details.

    Look for the green padlock and https (the s is for secure) next to the URL in the address bar of your web browser when using shopping or banking sites.

    If you’re visiting a new website for the first time, and have received the website address via email or SMS, search for the website on Google, to check that the website is legitimate.

  • Check the spelling

    Fake websites often have slight spelling errors in the address. For example, having the number 1 instead of the letter I.
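The checks described in the phishing signs earlier on this page (hover to see the real destination, and make sure the domain is BOQ.com.au) and in this section (a 1 swapped for a letter) as one worked example in Python. This is an added illustration, not code from BOQ’s page; the sample links are constructed, and the confusable-character list and the one-character-typo rule are this example’s own assumptions.

```python
from urllib.parse import urlparse

# The domain the page tells readers to look for.
LEGITIMATE_DOMAIN = "boq.com.au"

# Characters commonly swapped for look-alikes (assumed list for this example, not from the page).
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "|": "l", "3": "e", "5": "s", "7": "t", "8": "b"})


def actual_host(url: str) -> str:
    """Hostname the browser would really connect to: what hovering over a link reveals."""
    parsed = urlparse(url.strip())
    if parsed.scheme not in ("http", "https"):
        return ""  # mailto:, tel: and similar schemes are never a banking site
    return (parsed.hostname or "").lower().rstrip(".")


def on_expected_domain(host: str, expected: str = LEGITIMATE_DOMAIN) -> bool:
    """True only when host is the expected domain or a genuine subdomain of it.
    'boq.com.au.example.net' fails: the real domain must be the suffix, not a prefix."""
    return host == expected or host.endswith("." + expected)


def _edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance, used to catch one-character typos of the real domain."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(host: str, expected: str = LEGITIMATE_DOMAIN) -> bool:
    """Flag hosts that turn into the real domain once confusable characters are undone
    (b0q.com.au, boq.corn.au) or that differ from it by a single character (boqq.com.au)."""
    if on_expected_domain(host, expected):
        return False
    labels = host.split(".")
    # Compare only the registrable part: the last three labels of a .com.au name.
    registrable = ".".join(labels[-3:]) if len(labels) >= 3 else host
    normalised = registrable.translate(CONFUSABLES).replace("rn", "m").replace("vv", "w")
    return normalised == expected or _edit_distance(registrable, expected) == 1


def classify_link(display_text: str, href: str) -> str:
    """Judge a link the way the page advises: compare what is shown with where it really goes."""
    host = actual_host(href)
    if not host:
        return "not a web link"
    if on_expected_domain(host):
        return "ok"
    if is_lookalike(host):
        return f"LOOKALIKE domain {host}"
    if LEGITIMATE_DOMAIN in display_text.lower():
        return f"MISMATCH: text shows {LEGITIMATE_DOMAIN} but link goes to {host}"
    return f"external site {host}"


# Constructed sample links as a reader might see them in an email: (display text, real href).
SAMPLE_LINKS = [
    ("https://www.boq.com.au/login", "https://www.boq.com.au/login"),
    ("Verify your account", "https://b0q.com.au/verify"),
    ("https://boq.com.au/secure", "https://boq.com.au.example.net/secure"),
    ("Click here", "https://boqq.com.au/"),
    ("Contact us", "mailto:help@example.com"),
]

if __name__ == "__main__":
    for text, href in SAMPLE_LINKS:
        print(f"{text!r:40} -> {classify_link(text, href)}")
```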

  • Use good password management

    Disable the option on your web browser to automatically remember user names and passwords. You can check your browser’s help menu for instructions.

    Never share or write down a password, and make sure the password you choose is strong and would be difficult to guess. Read our comprehensive list of tips on good password management.

  • Take care in public spaces

    If you can, avoid using shared computers in libraries, airports, cafes or hotels if you want to work, bank or shop online.

    Never leave your computer unattended or unlocked and make sure you’re not observed entering passwords and personal data.

    People may peer over your shoulder to read information on your laptop or other device. This is called shoulder surfing and this is how they can steal confidential or personal information while you work or bank online.

  • Avoid using public Wi-Fi networks

    These networks can pose a risk as data can be intercepted by criminals on unsecured networks.

    Avoid logging into networks with generic names (for example Netgear) or networks with the same name as you’d log into at home and use VPN (Virtual Private Network) software to protect your activity.

    If a wireless network asks you to install software in order to connect, don’t accept. Cancel these requests even if they look legitimate.

    Look for potential signs of malicious activity when connected to public Wi-Fi, such as prompts to:

    • accept new digital certificates
    • install new software or updates.

  • A great way for older Australians to stay safe

    Older Australians can find all the skills and knowledge they need to stay safe online with Be Connected. It is an award-winning Australian Government initiative empowering older Australians to thrive in a digital world. The Be Connected website is a one-stop shop with more than 150 online learning modules and 350 learning activities - and it’s all free. Visit www.beconnected.esafety.gov.au to find out more.

How to spot scam phone calls

  • What are scam calls?

    Criminals may call you, impersonating a government agency such as the Australian Tax Office (ATO), an energy or telecommunications provider, Australia Post, a bank, an online marketplace or the police.

    The call may also appear in your phone as coming from a contact number you may recognise, possibly even your bank. Criminals can use technology to change the way their number appears in your phone. This is called spoofing and can also happen via SMS. Learn more about SMS phishing.

  • What is ‘spoofing’?

    These scam calls aim to pressure you into providing your personal or banking information. The caller may threaten you with expensive fines or tax bills, arrest or deportation, to take you to court or disconnect your Internet service.

    They may ask you to buy gift cards, iTunes vouchers, Bitcoin or pre-paid credit cards to pay your fine or debt. In other cases, they may request remote access to your computer and bank accounts to investigate an ‘issue’ or stop a transfer.

    Legitimate businesses will never threaten to arrest you or demand immediate payment of a tax debt or fine with unusual payment methods like gift cards or Bitcoin or request remote access to your computer.

  • Bank impersonation scams

    Bank impersonation scams involve criminals pretending to be a trusted bank representative to steal your money or personal information. They may create a sense of urgency by pretending to be from the ‘fraud’ team.

  • How to spot an impersonation scam
    • The caller may say they’re from BOQ Credit Cards and there’s an issue with your accounts or devices.
    • They may ask you to move money to another account for safe keeping.
    • They may ask you to download a program to give them access to your device.
    • There’s a sense of urgency and they pressure you to act quickly.

  • BOQ Credit Cards may genuinely need to contact you

    Our fraud team may need to get in touch with you if we’re concerned about your account, so it’s important to understand what we will and won’t ask.

    We’ll never ask you to:

    • provide your one-time code for authorising transactions, but please note, we may still request a one-time code for verifying your identity from time-to-time.
    • transfer money to another account to keep it safe (it’s safe where it is)
    • give us remote access to your devices
    • provide personal information such as Driver Licence details.

    We may ask you to:

    • provide your full legal name
    • explain or confirm the details of a payment
    • provide more details about the person you’re sending funds to and how you communicate with them.

    These questions are designed to help us understand the likelihood of you being involved in a scam or fraud, so that we can protect your account.

  • How big is the problem?

    The Australian Competition and Consumer Commission (ACCC) Targeting Scams report records 55,418 scam phone calls of all kinds, with reported losses of $116 million.

    Download the report here.

  • Keeping your SMS security codes safe

    We may SMS you one-time passcodes for myBOQ app and myBOQ Internet Banking registration, transactions and password resets. In the SMS, we’ll let you know that this is a secret code which should not be shared with anyone, not even BOQ Credit Cards. These codes provide an extra layer of security for your accounts, so it’s important to keep them and your phone secure.

    Important: while BOQ Credit Cards does everything it can to recover funds transferred as part of a scam, it is not guaranteed.

  • Simple tips to help prevent phone phishing
    • Treat any unsolicited phone calls with caution. If you’re unsure about the legitimacy of a call, hang up and call back on an official phone number.
    • Never provide personal or credit card information during an unsolicited call.
    • Ensure you carefully read any SMS codes you receive. For example, never share any SMS codes to authorise a transaction with anyone else, not even BOQ Credit Cards. Please note though that we may still request a one-time code for verifying your identity from time-to-time.
    • Never give an unsolicited caller remote access to your computer or online bank accounts.

  • Contact us for help

    If you’re a BOQ Credit Cards customer and believe you may have fallen victim to a scam, please immediately contact us to reach the Fraud and Scams team.

Other helpful resources

  • Australian Government | Australian Cyber Security Centre (ACSC): the Australian Cyber Security Centre (ACSC) brings cyber security capabilities from across the Australian Government together in a single location. It’s the hub for private and public sector collaboration and information sharing to combat cyber security threats. ACSC provides topical, relevant and timely information on how home internet users and small businesses can protect themselves from, and reduce the risk of, cyber security threats such as software vulnerabilities, online scams, malicious activities and risky online behaviours. Learn more about the Australian Cyber Security Centre.
  • Australian Government | ReportCyber: a secure reporting and referral service for cybercrime and online incidents which may be in breach of Australian law. The ReportCyber website provides a cybercrime reporting mechanism as well as helpful information about cybercrime. Learn more about ReportCyber.
  • Australian Competition and Consumer Commission | Scamwatch: provides information to consumers and small businesses about how to recognise, avoid and report scams using publications, videos and other online resources. Learn more about Scamwatch.
  • Australian Government | Office of the eSafety Commissioner: the Office of the eSafety Commissioner provides online safety education for Australian children and young people, a complaints service for young Australians who experience serious cyberbullying, and addresses illegal online content. Learn more about the Office of the eSafety Commissioner.
  • IDCARE: Australia and New Zealand’s not-for-profit counselling and support service set up to assist Australians impacted by identity theft and cyber-related crimes.

    IDCARE can assist customers to navigate through the process when identity details or credentials have been compromised through fraud or scams. IDCARE is a free service for all Australians. Learn more about IDCARE.