It's , and CoinJar is . Today, we've jumped off the deep end straight into a live impersonation scam, so you don't have to. This blog post will help you spot and identify the common themes of these types of scams and understand the risks that these scams pose.
First, here's a quick primer on green and red flags. A green flag is a reassuring or positive sign that something is genuine. A red flag is the opposite - a concerning or negative sign that something is not genuine.
Everyone knows the trusty national delivery service, Australia Post, which is the postal service formerly known as the Australian Postal Corporation. Over the years, we've all shortened this household name into colloquialisms like 'AP' and 'AusPost'.
But have you heard about the lesser-known name of Australia Post: 'post.expressau.top'?
If you're thinking, "That's completely bonkers. I've never heard this name before in my life," then you'd be right.
Au contraire, here's a text message we received:
It's important to know that thousands upon thousands of these messages can be sent by computers daily: bad humans set the messages up, and unsuspecting robots send them out.
So – how can we catch out the scammers? Let's break down this text message and shine a light on the five immediate red flags:
It's a lot of information to glean from 135 characters – but even a fraudulent text message claiming to be a genuine business contains a wealth of information that can help you identify if it's accurate before you get involved further.
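The link check described above can also be done in code. This is an added example, not part of the original post: it pulls the links out of a message and compares each hostname with an allowlist. The allowlist entry (auspost.com.au), the hint words and the sample message are assumptions constructed for illustration; only the domain post.expressau.top comes from the post.

```python
import re
from urllib.parse import urlsplit

# Assumption: domains the genuine business uses (not listed in the post).
OFFICIAL_DOMAINS = {"auspost.com.au"}
# Assumption: words an impersonating hostname tends to borrow from the brand.
BRAND_HINTS = ("auspost", "post", "parcel")

# Matches links with or without a scheme, e.g. "post.expressau.top/x".
URL_RE = re.compile(r"(?:https?://)?(?:[a-z0-9-]+\.)+[a-z]{2,}(?:/\S*)?", re.I)


def is_official(host):
    """True only if host is an official domain or a subdomain of one.

    The comparison is on the END of the hostname: a name that merely
    starts with or contains the official domain is not official.
    """
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in OFFICIAL_DOMAINS)


def check_message(text):
    """Return (hostname, verdict) for every link found in a message."""
    findings = []
    for match in URL_RE.finditer(text):
        raw = match.group(0)
        # urlsplit only fills in hostname when the netloc marker is present.
        url = raw if "://" in raw else "//" + raw
        host = (urlsplit(url).hostname or "").lower()
        if not host:
            continue
        if is_official(host):
            verdict = "official"
        elif any(hint in host for hint in BRAND_HINTS):
            verdict = "lookalike"  # brand words on a domain the brand does not own
        else:
            verdict = "unknown"
        findings.append((host, verdict))
    return findings


# Constructed sample message; only the domain is taken from the post.
SAMPLE_SMS = ("AusPost: your parcel could not be delivered. "
              "Update your details at https://post.expressau.top/track")

if __name__ == "__main__":
    for host, verdict in check_message(SAMPLE_SMS):
        print(f"{host}: {verdict}")
```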
Since we're doing a deep dive, we'll open the link in the text message.
First, however, a word of caution – exploring scam websites is like poking a sleeping bear. It's risky and not a recommended pastime. Do not try this at home.
Unsurprisingly, after clicking the link in the text message, the website looks a lot like the Australia Post website. The font and logo are the same, and the favicon (the browser tab's little icon) also matches. So what are the red flags?
Let's focus on the problem areas.
Based on the text message, we already know that this website is impersonating the real Australia Post. Even without knowing that, there are a few things that stand out as red flags:
The one "green flag" is that the Australia Post logo is the genuine logo, but that's one green flag amongst four red flags – if the suspicious-looking domain name didn't already convince us, this is even more evidence to show that this website is not genuine.
In the running narrative of a failed delivery, we are asked to enter our personal details. We've filled in the form as an example with fake personal information.
Here are the red flags we can spot:
If we scroll down further into the footer section of the fake website (not included in the screenshots), the links go nowhere and are simply there for decoration.
Here's where this impersonation scam becomes the most significant threat to your personal and financial safety. This impersonation scam quickly morphs into identity theft when we are asked to provide our private identification documents:
You'll note the spelling and grammatical errors continue as we progress into the scam. Let's say we choose "Australian driver's licence", and click Continue. Here's what we see next:
While the fields look standard for providing an identity document, remember that this is a fake website impersonating a genuine brand. Note the checkbox at the bottom of the page. It mentions "ID Masuer", which is not a real business, and it also mentions "Vodafone's identification partners."... but isn't this an Australia Post scam?
For research purposes, we submitted fake details for a person and included no images (as the form didn't require these). In a bizarre turn of events, once the fake details were submitted, the fraudulent site redirected us back to the official Australia Post website.
Let's summarise
That's it. In four short steps, you go from getting a text message about a parcel to having your identity stolen and misused. Not only did our identity get stolen in this example, but we were redirected back to the official Australia Post website, making the scam seem legitimate. It can happen to anyone, and it's essential to be vigilant.
There's so much more we could say about what we've learned on our journey through an impersonation scam, but these are the key things to remember:
Australian businesses are working hard to protect you from scams every day, but bad actors are working just as hard to circumvent the protections designed to stop them.
In Australia Post's case, they diligently maintain a that you can visit anytime to get the most up-to-date information. Our research also shows that Australia Post identifies and purchases fraudulent domain names, which are then redirected to the official Australia Post site – you have to admit that's some top-notch 'Uno reverse cards' in the fight against scams, and we salute their hard work.
Scams can be stopped, but we need your help to do it. You can help prevent the scam and help warn others by .
By reporting scams to Scamwatch, you help protect others and disrupt and stop scammers. The reality is that 30% of scams currently go unreported.
The information you share with Scamwatch helps the National Anti-Scam Centre identify the scams causing the most harm to Australians.
Your scepticism and diligence are paramount in this digital masquerade ball, where scammers are constantly evolving their tactics. Always remember, in the face of impersonation, it's not just about spotting the scam; it's about outsmarting it. Stay alert, stay informed, and stay safe.
If you need clarification on something, contact . We're constantly monitoring suspicious wallets and websites and can help you determine whether something is a scam.
Stay safe,