How much does it cost for a scammer to hack your email? The answer is probably less than you think

How much does it cost for a scammer to hack your email? The answer is probably less than you think
  • PublishedMarch 25, 2024

Inflation is hitting everyone hard it seems — even scammers.

New data reveals the cost of fake or stolen documents like passports and driver’s licenses on the dark web has gone up significantly, as demand increases and the number of people being scammed decreases.

According to a report from accounting firm BDO, the average cost of buying a fake or stolen passport on the dark web is now $2,372 (up from $1,399 in the previous quarter), while a driver’s license will set you back $844 (up from $465).

But it’s a competitive market and in some cases prices have dropped. The average cost to hack into someone’s email is now just $262 (down from $668), according to BDO.

An image of what the seller purports to be a fake Australian passport for sale on the dark web. The price is in US dollars.(supplied)

“It’s quite commercial”, explained former undercover police officer and forensic investigator Stan Gallo, describing the criminal shopfronts on the dark web where such fraudulent items are sold.

“People are making it easy to buy what it is that they’re selling. And there is a significant demand.”

Mr Gallo is now forensic services partner with BDO, where he monitors activity on the dark web and helps clients who have been affected by fraud, scams, theft and data breaches.

BDO’s Stan Gallo said the dark web is “like any other market environment where there’s supply and demand”.(ABC: Nadia Daly)

He believes increased awareness of scams over the past year, high profile crackdowns and more embedded security measures in some ID documents has made it harder for criminals to get away with obtaining, selling and using fraudulent documents and has therefore pushed the price up.

“It’s like any other market environment where there’s supply and demand,” he told the ABC.

“And if there’s a restricted supply and the demand is still there, then the price goes up. If things are easier to get, then the price will come down because it will drive competition.”

He notes anyone who tries to buy fake passports or conduct other illegal activities on the dark web must accept a significant risk and face repercussions including possible imprisonment.

‘Are you sure you’re not falling for a scam?’

Melbourne resident Andy (not his real name) knows all too well the feelings that come up when you realised you’ve been scammed.

man behind dog
‘Andy’ (pictured behind his dog Hunter) was scammed around $9,000 when he clicked on a fake ‘Kochie’ crypto scam.(Billy  Draper)

In June of 2022 he was scrolling Facebook when an advertisement caught his eye, featuring what appeared to be a photo of a prominent Australian.

“It was about Kochie being interviewed. And during that interview he mentioned that he has made a lot of money through this investment. And I became interested reading that, and there’s a link, and then I clicked on the link,” he told the ABC.

Almost immediately after registering his interest, Andy received a call from a man claiming to be from the investment company — a cryptocurrency trading platform — and he signed up and transferred money to the account where he soon watched his investment grow.

It was a few months later when he tried to withdraw the money that he realised the whole thing was a scam: the crypto platform was fake as was the article quoting Kochie that had endorsed it.

Australian TV presenter David ‘Kochie’ Koch had no part in it and certainly did not endorse the fraudulent scheme or the use of his photo in the scam.

Scams using Mr Koch’s photo and fake quotes by him to promote the fraudulent investment schemes have caused huge headaches for the presenter who has warned his social media followers not to fall for it.

The ACCC even took Meta (the owner of Facebook) to court over the scams, which often involve Kochie and other celebrities, saying Meta has not done enough to prevent the false and misleading ads being published on its platform.

The case is still before the Federal Court.

Unfortunately when Andy realised he had fallen for the scam it was too late and he had lost $9,000.

He is also concerned about all of the personal data he handed over in the process of signing up for the ‘investment platform’: his driver’s license, credit card and full name and address.

“I don’t feel safe now,” he said.

“I feel really stupid. Because when I told my wife about this investment, she [said] ‘are you sure you’re not falling for a scam?’ And I said, ‘No’.”

When Andy contacted his bank, ME Bank, to report the scam and try to recover the money he had lost, he was told they would not be able to get the money back as it had long been withdrawn from the scammer’s account and they would not compensate him as Andy had chosen to transfer the money into the scammer’s account.

In a statement ME Bank said “We acknowledge the impact that investment scams are having on customers and the community broadly. We continue to encourage our customers to remain cautious and question their investment in digital currency platforms.  Unfortunately, it is often too late for banks to recover funds once they are sent to a digital currency scam.”

Andy wants Australian banks to do more due diligence before allowing customers to transfer to a new bank account and to check that names match those on the account.

Some Australian banks now have features where customers will receive a prompt to confirm that they want to transfer to a new account and alert them to the possibility of scams.

Person holding out a credit card card against their laptop
Some Australian banks are rolling out features to prevent customers from falling victim to scams online.(Pexels: Karolina Grabowska)

Andy almost got scammed a second time when someone purporting to be from an Australian government department investigating scams called him out of the blue.

“He knew the exact story that had happened to me … so initially I believed him,” Andy said.

“OK, that’s good, I thought, finally I found someone that can help me. I was very excited.”

But when the man on the phone said that in order to help Andy he would need to hand over his crypto wallet details (details for a legitimate cryptocurrency account Andy held) the pin dropped.

“And I said, ‘No way. I think this is another scam’.”

To this day Andy is still regularly phoned by the scammers who are trying to convince him to deposit more funds in order to get his money back, so he no longer answers calls from unknown phone numbers.

“They told me that in order for them to release the money I need to pay some more money because of the need to pay tax and I said no, I don’t think that’s how it works.”

Minister wants social media sites to compensate victims

Reports of scams to government agency Scamwatch have been on a sharp rise since 2020 but seem to have peaked in 2022, with scams via phone and social media incurring the biggest losses for Australians.

There was a decline of 24 per cent in the total dollars lost to scams in the last quarter of 2023 compared to the three months before, but despite that, Australians reported over $82 million in losses to scams in that period.

Because the data only captures those who reported their scams to the agency, the real figure is likely to be much higher.

The Minister for Financial Services Stephen Jones is keen to bring those numbers down, and he has social media giants in his sights.

Stephen Jones 2 photo by Mark Moore
The Financial Services Minister Stephen Jones wants social media sites like Facebook (owned by Meta) to compensate victims who lose money through scams advertised on their platform.(ABC News: Mark Moore)

“The problem at the moment is nobody’s doing enough,” he told the ABC.

“There’s a lot of grey area there, we want to remove the grey area, [and have] clear responsibility.”

To do so, he is proposing a raft of changes in a new mandatory code of practice for social media companies that he said would include a requirement that they verify advertisers on their platforms, ensure ads comply with local laws and remove illegal content more quickly.

Mr Jones also said he intends to compel social media sites like Facebook (owned by Meta), through the new code, to compensate victims who lose money through a scam advertised on their platform.

“These social media platforms, they’re some of the biggest and most profitable companies in the world, and they have an obligation to keep their networks safe as well. And if they don’t, and people are losing money, then liability should follow,” he said.

“They’ve got to do a better job of compensating victims who lose money because they haven’t kept the network safe.”

In a statement Meta told the ABC: “Scammers present a challenge in many environments, including social media, and they are constantly finding new ways to deceive people. Meta adopts a multi-faceted approach to tackle scams” and encouraged users to use in-app reporting tools to report suspicious activity.

“In the final quarter of 2023, we removed 691 million fake accounts globally,” Meta said.

While in countries like Great Britain banks are generally required to pay customers money back if they have been scammed, Mr Jones said he didn’t think the same needed to be in place in Australia and instead intends to focus on social media platforms where scams are often advertised and reach victims.

Online security a joint responsibility

Stan Gallo said consumers and business can take a few basic steps to reduce security risks such as ensuring passwords on accounts and emails are strong and changed regularly, training staff to spot phishing emails “or to question sudden directions from the CEO to make a large overseas payment”.

“The human firewall is one of the best defences you’ll have,” he said.

He also recommended all businesses have a plan for what happens if they experience a data breach or scam.

“So, when they are breached, what do we do in response? What are our legal obligations? What are our compliance obligations? How do we get the business back up and running as quickly as possible? Do we pay the ransom or don’t we? If that’s the case? How do we find out where the data was accessed?

“And all of that’s got to be addressed while you’re still trying to make your day to day budgetary activities, which makes life very stressful for those organisations.”


Leave a Reply

Your email address will not be published. Required fields are marked *