How to spot scam text messages

Text messaging offers a convenient way to connect with loved ones, but it's also a channel often used by scammers to mislead people.

Written by Medibank
February 2024

In the 21st century, text messaging has become an important tool for communication, enabling us to stay connected with loved ones, colleagues, and healthcare providers. However, this convenient mode of communication has also emerged as a breeding ground for scammers, who employ deceptive tactics to trick us into revealing personal information or clicking on malicious links.

Scammers are masters of disguise, often posing as legitimate organisations or individuals we trust. They may send text messages claiming to be from your bank, healthcare provider, or even government agencies, often containing urgent warnings, enticing offers, or requests for personal information. These deceptive messages are designed to gain your trust and compromise your security.

The growing threat of "smishing" scams

Did you know that text message scams, also known as "smishing", are one of the fastest-growing types of fraud in Australia? In fact, in 2022, Australians lost over $3 billion to scams, with smishing scams accounting for a significant portion of that total.

What is "smishing"?

The term "smishing" combines the words "SMS" and "phishing". It describes a type of cyber-attack that targets individuals through SMS or text messages.

In a smishing attack, cybercriminals send deceptive text messages to lure victims into sharing personal or financial information, clicking on malicious links, or downloading harmful software or applications.

Smishing scams are particularly dangerous because they can be very difficult to spot. By using sophisticated software, scammers can steal the identity of a real business or organisation and make messages look genuine.

Identifying and protecting against smishing scams

Protecting yourself against text message scams is easy and doesn’t have to prevent you from engaging in digital activities.

1. Platform protocol: sticking to the proper channels

How have you been contacted? We’ll only contact you via phone, SMS, email, post or My Medibank push notifications (depending on your communication preferences). For external apps, we will only send you messages from our official Messenger accounts if you contact us on those platforms first. Some of these platforms include WhatsApp, Messenger, iMessage, WeChat, X (Twitter), Product Review and Xiaohongshu* (“Little Red Book”). If you’re concerned about a message, you can contact us directly on 132 331.

*Xiaohongshu communication is currently only available to OSHC customers.

2. Suspicious numbers or address alert: dodge deceptive disguises

Does the sender's name include “From Medibank”? We don’t use “From” as a first name. One of the first signs of a potential phishing scam is an unusual or long phone number from the sender. Scammers often use phone numbers from other countries or employ spoofing techniques to disguise their true identity, making it difficult to track them down. Scammers might also spoof Medibank’s common phone numbers to try to convince you that you’re receiving a legitimate call or message from us. If you’re ever unsure about a message you’ve received from us, call us on 132 331.

3. Spelling slips: spot the fake

Do you notice poor grammar? Genuine communications from us will have correct spelling, grammar and formatting.

4. Message content: beware of unsolicited attachments and links

Are there any unsolicited links, photos or files? What is the message about? Scammers can embed malware (malicious software) in attachments, which can be downloaded onto your device as soon as you open them. Our text messages will always relate to your relationship with us. This can include your health insurance policy, other types of insurance, claims, account matters, health-related services, Medibank partner offers or Live Better rewards.

5. Tone twister: recognising scammer tactics

Is the message threatening? Is there a sense of urgency? Or are you being offered something that seems too good to be true? We’ll never contact you to demand money, ask for your password or sensitive information, or call you outside our business hours unless we’ve previously arranged it with you. (Keep in mind though that if you have previously placed a security question or PIN on your Medibank account, we’ll use this to confirm your identity every time you contact us.)

6. Beware of unrealistic discounts

Another common tactic that scammers use is offering attractive discounts on health insurance or other health services. Scammers know that people are always looking for ways to save money, and they use this knowledge to lure individuals into their schemes. If you’re unsure about a message, you can contact us directly on 132 331.

7. Impersonation and urgency: gaining trust and creating haste

Scammers can go to great lengths to gain trust by impersonating legitimate companies or people you may know. They may even insert themselves into your existing chat history so that it looks like the text actually came from us. This can happen when a scammer uses the sender name “Medibank” and spoofs our number so that your phone groups the spoofed SMS with legitimate messages you previously received from us.

Scammers also often create a sense of urgency by pressuring you to act quickly. They want you to make decisions without thinking clearly, increasing the likelihood of you falling for their scam.


Spotting a smishing attempt: a Medibank scam example

Here’s an example of a smishing message. How many red flags can you spot?

[Image: a close-up of a mobile phone showing a scam text message]

The person who received this message has been asked to click on a link to “verify Medicare” for a rebate. The message with the verification code is a legitimate message from us, so at first glance it looks like the following message could be too. Looking closer at the second message though, you start to spot the red flags:

Grammar and punctuation: this message has grammar and punctuation errors throughout. Genuine communications from us will have correct spelling, grammar and formatting. 

Addressing the receiver: we don’t begin our communications with “From Medibank” or have “From Medibank” as our sender name.

Suspicious link: the message contains an unsolicited link that does not go to our website. This could lead to a fraudulent website designed to steal your information. 

If you receive a message from us that looks suspicious, log into My Medibank either online or on the app to check your profile or call us directly on 132 331. Do not click on any suspicious or unsolicited links via text.


Similar smishing scams to look out for

1. Expiring insurance policy scam

"Your healthcare insurance policy is about to expire. Click here to renew."

The aim of this message is to create a sense of urgency and fear, prompting you to click on the suspicious link without thinking. Scammers often use phrases like "urgent action required" or "your policy will be terminated" to manipulate your emotions and rush you into making a mistake.

2. Refund scam

"You are eligible for a refund on your healthcare insurance premiums. Click here to claim your refund."

The aim of this message is to appeal to a common desire: saving or getting money. Scammers often entice you with the promise of a substantial refund, hoping you'll overlook the red flags and click on the malicious link. Remember, if something sounds too good to be true, it probably is.

3. Identity verification trap

“We need to update your healthcare insurance information. Please reply with your date of birth and credit card number to confirm your identity.”

The aim of this message is to trick you into revealing sensitive personal and financial information by posing as a legitimate healthcare provider. 

If you have any concerns about the legitimacy of a message from us, contact us directly on 132 331.
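The red flags described in this article can also be checked automatically, for example by a help desk triaging messages that customers forward. The following is an added example, not Medibank code: the domain list, the flag names and the sample messages are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlparse

# Assumption: the organisation's official domains; replace with the real list.
OFFICIAL_DOMAINS = {"medibank.com.au"}
# Phrases quoted in this article's examples.
URGENCY = ("urgent action required", "will be terminated", "about to expire")
SENSITIVE_RE = re.compile(r"\b(password|pin|date of birth|credit card)\b", re.I)
URL_RE = re.compile(r"(?:https?://)?(?:[a-z0-9-]+\.)+[a-z]{2,}(?:/\S*)?", re.I)


def is_official(url: str) -> bool:
    """True only if the host is an official domain or a subdomain of one."""
    host = urlparse(url if "://" in url else "//" + url).hostname or ""
    return any(host == d or host.endswith("." + d) for d in OFFICIAL_DOMAINS)


def red_flags(sender: str, body: str) -> list[str]:
    """Return the article's red flags found in one SMS (heuristic triage only)."""
    flags, text = [], body.lower()
    if sender.lower().startswith("from ") or text.lstrip().startswith("from medibank"):
        flags.append("from-prefix")
    if sender.startswith("+") and not sender.startswith("+61"):
        flags.append("overseas-number")  # assumption: recipient is in Australia
    if any(not is_official(m.group()) for m in URL_RE.finditer(body)):
        flags.append("unofficial-link")
    if any(p in text for p in URGENCY):
        flags.append("urgency")
    if SENSITIVE_RE.search(body):
        flags.append("asks-for-sensitive-info")
    return flags


# Constructed samples modelled on the messages described in this article.
SAMPLES = [
    ("Medibank", "Your Medibank verification code is 123456."),
    ("From Medibank", "From Medibank: verify Medicare for rebate ,click "
                      "http://medibank-rebate.example/verify"),
    ("Medibank", "Your policy will be terminated. Renew at "
                 "https://medibank.com.au.renew.example/pay"),
    ("+61400000000", "Please reply with your date of birth and credit card "
                     "number to confirm your identity."),
]

if __name__ == "__main__":
    for sender, body in SAMPLES:
        print(sender, "->", red_flags(sender, body) or "no flags")
```

The third sample shows why the link check compares the end of the host name rather than searching for the brand name: a look-alike address can contain the real domain as a prefix. An empty result does not prove a message is genuine, because a spoofed sender name passes the sender check.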

Your best defence: vigilance

Staying vigilant is your strongest defence against scam text messages. By staying alert, analysing the sender's information, and refraining from clicking on suspicious links, you can safeguard yourself from smishing scams and navigate the online world with confidence.

If you ever feel unsafe online, file a report at ReportCyber.

To help inform others about new and emerging scams, report to Scamwatch.

