Frequent flyers could soon be frequently scammed, or a little more than normal, as Qantas reports a breach on a platform with the records of roughly six million customers.
Another day, another breach, and this time, it’s happening to Australia’s biggest airline: Qantas has been hacked with a breach possibly affecting millions of customers.
It’s a different type of travel hack, as distinct from a points hack, though perhaps the potentially positive news is that the damage doesn’t include credit card details or passport information.
What was taken, however, suggests cybercriminals potentially still have plenty to work with: names, email addresses, phone numbers, birth dates, and frequent flyer numbers.
The damage isn’t quite as severe as the medical information lost in Genea’s hack earlier this year, but the release of frequent flyer numbers is a little new, and could see a different approach in scams opened up.
According to Qantas, the breach occurred at a call centre level, with a third-party customer service platform affected on Monday. The system was contained, but the airline is still investigating what was stolen, noting that it expects the amount will be “significant”.
“We sincerely apologise to our customers and we recognise the uncertainty this will cause. Our customers trust us with their personal information and we take that responsibility seriously,” said Vanessa Hudson, CEO of the Qantas Group.
“We are contacting our customers today and our focus is on providing them with the necessary support,” she said. “We are working closely with the Federal Government’s National Cyber Security Coordinator, the Australian Cyber Security Centre and independent specialised cyber security experts.”
With that sort of news out in the world, what can customers expect on the scam front?
What sort of scam fallout will follow the Qantas hack?
While the airline still clearly needs to investigate how this happened and how many records have been breached, citing what was lost early gives an indication as to what scammers could potentially do with the data.
Much of what’s been noted isn’t dramatically new for a leaked data haul. Names, email addresses, and phone numbers aren’t necessarily new, and you’ve probably received a scam attempt or two based on this type of data in the past year as it is.
But frequent flyer numbers are relatively new, and that could see scammers setting up fake Qantas emails targeted to specific users complete with fake versions of a Qantas login, likely with a credit or debit card scam attached.
Frequent flyer accounts tend to be associated with the cost of travel, and it wouldn’t be a huge leap to see scammers attempting to pull a fast one over customers with phishing.
In short, Qantas customers should expect fraudulent Qantas emails and phishing sites built with the Qantas logo and colours.
How to stay on alert in the wake of the Qantas breach?
There are countless other ways scammers could use this information. They could:
- Set up a fake call centre and use the combination of name, phone number, birth date, and frequent flyer information to lie about someone using your credit or debit cards in order to gain the real cards (like with Amazon scams)
- Send out fake PayPal notifications from a real PayPal invoicing system encouraging people with a specific Qantas frequent flyer number to call to cancel an order (like with PayPal invoicing scams), and
- Impersonate government departments and use the frequent flyer information to convince you to hand over other data (like with myGov scams).
These are just examples based on current scams as it is. They’re not even all that imaginative.
However, to stay on alert, Qantas customers should heed the advice that applies to pretty much any scam attempt: look out for signs of urgency and make sure you know what you’re looking at.
Scams are typically run with a sense of immediacy and urgency so you don’t have time to think. Scammers are more in the business of “act now, ask questions later”, and so being told to act on a matter of importance is often a dead giveaway that you’re talking to a scammer.
Customers should also pay close attention to the sender email address of any email they get, particularly those featuring the “Qantas” name.
Official emails will come from the qantas.com domain, but unofficial emails won’t. Simply put, scammers can’t just use a domain because they want to. Only emails from Qantas can actually come from Qantas.
Instead, scammers will typically attempt a similar word or name — such as “qaantas” or “qantasau” — or opt for something outlandish and filled with a bunch of extraneous numbers and letters in the hopes that you don’t check.
It’s a similar picture when it comes to clicking on a fake website because, again, scammers can’t use the real Qantas site. They can only use something different and designed for phishing.
Making a website that looks the same and yet is deceptive is a very different matter, and blindingly easy. Setting up a fake Qantas site with a fake login would be quick for scammers, but falling for it could see you throwing in a bunch of passwords only to have them used against you.
Instead, use the advice for email address checks on your web browser, and check the www dot whatever in the bar of your browser. It works on mobile and it works on desktop (and tablet, too).
Simply glance at the www dot wherever, and check you’re at the real site.
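The sender and address-bar checks described above can also be automated, for example in a mail filter or a help-desk triage script. The following is an added example, not code from Qantas or from this article: the function names, the one-character edit-distance threshold and the sample domains (all on the reserved `.example` suffix) are assumptions made for illustration.

```python
from email.utils import parseaddr
from urllib.parse import urlsplit

OFFICIAL = "qantas.com"  # the official domain named in the article
BRAND = "qantas"

def edit_distance(a, b):
    """Levenshtein distance between two short strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                # delete from a
                           cur[j - 1] + 1,             # insert into a
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]

def host_of(value):
    """Pull the host out of a From header or a URL."""
    if "://" in value:
        # urlsplit ignores any "user@" part, so a link written as
        # https://qantas.com@other.example/ resolves to other.example.
        host = urlsplit(value).hostname or ""
    else:
        # parseaddr drops the display name, which the sender controls.
        host = parseaddr(value)[1].rpartition("@")[2]
    return host.lower().rstrip(".")

def classify(value):
    """Return 'official', 'lookalike' or 'unrelated' for a sender or link."""
    host = host_of(value)
    if host == OFFICIAL or host.endswith("." + OFFICIAL):
        return "official"
    # Heuristic (assumption): a label that contains the brand name or is
    # one edit away from it is imitating it, e.g. "qantasau" or "qaantas".
    for label in host.split("."):
        for part in label.split("-"):
            if BRAND in part or (len(part) >= 5
                                 and edit_distance(part, BRAND) <= 1):
                return "lookalike"
    return "unrelated"

# Constructed samples, not real messages or sites.
SAMPLES = [
    "Qantas <noreply@qantas.com>",
    "Qantas Frequent Flyer <points@qaantas.example>",
    "https://qantas.com.account-check.example/login",
    '"Qantas" <rewards@x7k2-mail9.example>',
]
if __name__ == "__main__":
    for sample in SAMPLES:
        print(classify(sample), sample)
```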
We expect criminals will be using whatever data they’ve gleaned shortly, so pay attention and stay aware. It’s likely we’re about to see some frequent flyer focused fakes in the future.