Second man charged over SMS phishing scam

The AFP has arrested a second man, 30, for his alleged role in a Sydney-based criminal syndicate accused of stealing banking and identification details from thousands of Australians in a bid to access their accounts.

The Sydney man is expected to face Sydney Central Local Court today (11 August, 2022) charged with seven offences as a result of an AFP cybercrime investigation, which is still assessing the scale of the fraud.

Operation Iasion began in September 2021 to identify the criminals responsible for sending hundreds of thousands of automated text messages that contained links to replica Australian banking and telecommunication websites.

The SMS phishing scam is alleged to have started in 2018 to target customers of the Commonwealth Bank of Australia, National Australia Bank and Telstra, among others.

Another Sydney man, 39, was arrested in November 2021 for his alleged role in the same scam – Sydney man charged over SMS phishing scam.

People who fell victim to this scam would click the link in the text message, which took them to a fake website where they were prompted to enter their password and credentials.

The information was then allegedly used by the syndicate to try to access the victims’ bank accounts and steal their identification.

Police have allegedly identified victims who had several thousand dollars stolen from their accounts and investigations are continuing.

The AFP allegedly identified the messages had been sent automatically through a SIMBOX, which was operated from the Sydney man’s home in Ryde and another property in St. Ives.

AFP Detective Superintendent Bradley Marden said police allege the SIMBOX controlled by the syndicate was regularly moved in an attempt to avoid detection by law enforcement.

“One SIMBOX can hold in excess of 100 sim cards and send hundreds of thousands of text messages a day, simultaneously, to Australian mobile users,” Det-Supt. Marden said.

“The damage this scam has cost Australians is still being determined, with our cybercrime investigators continuing to identify victims and piece together the extent of the fraud.”

“These scam messages are a great burden to Australians, who receive them on a daily basis. We encourage people not to click on any links in a text message or email purporting to be from a bank or telecommunications company. Instead, go to their website or contact them directly.”

“If you believe you are a victim of a phishing scam, or see any discrepancies in your bank account, please contact your bank and report the matter to Report Cyber.”

AFP Cybercrime investigators executed a search warrant at the man’s Ryde home yesterday (10 August, 2022) and seized in excess of $20,000 in cash, electronic storage devices allegedly containing more than 500 fraudulent identity documents in the names of numerous victims, multiple mobile phones, an encrypted desktop computer and a Huawei internet dongle.

Police will allege these electronic items enabled the man to exploit victim’s credentials and finances.

He was arrested and charged with seven offences:

  • Caused an unauthorised access to restricted data intending to cause that access and knowing that the access was unauthorised, contrary to section 478.1 of the Criminal Code 1995 (Cth). The maximum penalty for this offence is 2 years imprisonment;
  • Possessed data with the intention that the data be used, by him or another person, to commit or facilitate the commission of an offence against Division 477, contrary to section 478.3(1) of the Criminal Code 1995 (Cth), where the Division 477 offence is unauthorised access, modification or impairment with intent to commit a serious offence, contrary to section 477.1 of the Criminal Code 1995 (Cth). The maximum penalty for this offence is 3 years imprisonment;
  • Dishonestly obtained or dealt in personal financial information belonging to another, without the consent of that person, contrary to section 480.4 of the Criminal Code 1995 (Cth). The maximum penalty for this offence is 5 years imprisonment;
  • Controlled a thing, a web service database, with the intention that the thing be used by him or another person, to commit, or facilitate an offence against section 480.4 of the Criminal Code 1995 (Cth), contrary to section 480.5 of the Criminal Code 1995 (Cth) or to facilitate the commission of that offence. The maximum penalty for this offence is 3 years imprisonment;
  • Dealt with money or property that was proceeds of indictable crime and at the time of the dealing the value of the money or property was $1000 or more, contrary to section 400.7 of the Criminal Code 1995 (Cth). The maximum penalty for this offence is 5 years imprisonment;
  • Obtained identification information, namely victim credentials, using a carriage service and dealt in that identification information, with the intention that any person would use the identification information to pretend to be or to pass themselves off as another person for the purpose of committing an offence or facilitating the commission of an offence, contrary to section 372.1A(3) of the Criminal Code 1995 (Cth), where the offence is an indictable offence against a law of NSW, namely fraud contrary to section 192E Crimes Act 1900 (NSW). The maximum penalty for this offence is 10 years imprisonment; and
  • Failing to provide information and assistance that was reasonable and necessary to allow access to data held in accessible form from a computer that was on warrant premises, contrary to section 3LA (6) of the Crimes Act 1914 (Cth). The maximum penalty for this offence is 10 years imprisonment.

/Public Release. This material from the originating organization/author(s) may be of a point-in-time nature, edited for clarity, style and length. The views and opinions expressed are those of the author(s).View in full here.