ABC News

Coles and Telstra loyalty point phishing scams are circulating. Here's how to spot one

By Hanan Dervisevic
This is just one variation of a recent Coles loyalty point scam text. (Supplied)

Ever received a text asking you to click on a link to stop your loyalty or reward points expiring?

It's likely to be a scam.

The Australian Communications and Media Authority (ACMA) has reported a sharp rise in shopping points and rewards-based SMS scams, and is warning customers to be vigilant.

Here are some of the brands that have been impersonated, and the steps to follow when trying to spot a scam.

Which companies have been impersonated?

The ACMA said scammers had been impersonating well-known brands including:

  • Coles
  • Telstra
  • Optus
  • Woolworths

Data analysts at Australia and New Zealand's national identity and cyber support service IDCARE detected a spike in these scams in May.

"This was particularly evident with IDCARE clients engaging with Coles impersonation loyalty messages," IDCARE's Kathy Sundstrom says.

"Where we normally see a few, there was a sharp increase. But it's still relatively smaller volumes when compared to other scams."

Last year, the Australian Competition and Consumer Commission (ACCC) also warned customers holding loyalty points with major businesses to beware of a new phishing scam.

Telstra, like other well-known brands, is often impersonated through loyalty point scams. (Supplied)

How does a loyalty point phishing scam work?

Scammers send victims a message, telling them to click on a link to redeem their points before they expire.

The link then takes you to a website designed to look just like the company you have points with — or not. Some people have reported receiving the messages even though they aren't signed up with the loyalty program.

Here, you're prompted to enter your login or financial details.

From there, the cyber-criminal will use this information — such as passwords, credit card or banking details — to carry out fraudulent activities.

The companies named in the ACMA's warning have a list of active or recent scams on their websites. You can find them here:

In 2023, Australians lost almost $26 million to phishing scams. (Pixabay: Mohammed Hossan)

Why do scammers use loyalty point programs to target customers?

Tyler McGee, from online protection company McAfee, says psychology plays a large role in why scams work.

"Scammers can appeal to your sense of trust by using well-known names, or your fear of missing out by creating a sense of urgency," Mr McGee says.

"Loyalty programs can embody both those emotions.

"By using them as a tactic, they can gather your personal and credit card information, both of which are valuable."

Ms Sundstrom says scammers are known for investing time in studying what makes Australians "tick".

"They research what we like, how organisations communicate with us, and they are masters at trying to mimic the kind of messaging we would expect to see," she says.

"They send messages out en masse because there is a strong likelihood it will connect with someone who may be interested or concerned enough about their loyalty program to not look too closely for the red flags in the messaging and click on a link."

Scammers are trying to target Australians who are experiencing cost-of-living pressures. (Supplied)

According to Finder, 91 per cent of Australians are members of at least one loyalty program.

And this popularity hasn't escaped the attention of scammers.

How can I spot a scam text message?

The Australian Cyber Security Centre says there are a few dead giveaways.

Suspicious links

Scam text messages with links are a very common tool used in phishing scams.

Any text asking you to follow a link should be treated with caution.

Incorrect website addresses

While the link leads to a web address that may contain the name of the impersonated company, the URL will likely have some inaccuracies such as:

  • Misspellings
  • Unusual words
  • Random letters or numbers
  • A different domain, e.g. ".net" instead of ".com" or "Am0z0n.com" vs "amazon.com".
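A link check built on the giveaways listed above, as an added example that is not part of the original article: only an allow-listed domain or its genuine subdomains count as official, and any other host that contains or nearly spells a brand name is flagged. The allow-list, the function names and the sample links are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Assumed allow-list for this sketch; build yours from each brand's official site.
LEGIT = {"amazon.com", "coles.com.au", "telstra.com.au"}
# Digit-for-letter swaps of the "Am0z0n" kind: 0->o, 1->l, 3->e, 4->a, 5->s.
SWAPS = str.maketrans("01345", "oleas")


def edit_distance(a, b):
    """Levenshtein distance: single-character edits needed to turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_link(url, legit=LEGIT):
    """Return (verdict, matched_domain) for a link taken from a text message."""
    # urlsplit only finds the host after "//", so add it for bare "host/path" links.
    host = (urlsplit(url if "//" in url else "//" + url).hostname or "").rstrip(".")
    if not host:
        return ("no-host", None)
    # Official: the allow-listed domain itself or a genuine subdomain of it.
    for domain in sorted(legit):
        if host == domain or host.endswith("." + domain):
            return ("official", domain)
    # Otherwise compare every label (split on dots and hyphens) with each brand name.
    labels = host.translate(SWAPS).replace("-", ".").split(".")
    for domain in sorted(legit):
        brand = domain.split(".")[0]
        limit = 1 if len(brand) <= 6 else 2  # tolerate fewer typos in short names
        if any(edit_distance(label, brand) <= limit for label in labels):
            return ("lookalike", domain)
    return ("unrelated", None)


if __name__ == "__main__":
    # Constructed sample links, not taken from any real message.
    for link in ["https://www.coles.com.au/rewards", "Am0z0n.com",
                 "http://amazon.net/deal", "telstra-rewards.example", "example.org"]:
        print(link, "->", classify_link(link))
```

A "lookalike" verdict means the link borrows a brand name without living on that brand's domain; "unrelated" is not a clean bill of health, only the absence of a brand match.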

A sense of urgency and scarcity

Are you told you have a limited time to respond?

Scammers will try to rush you by saying that points are about to expire, and you need to act urgently by clicking on a link before time runs out.

You may also be driven to click on a link due to a fear of missing out on a good deal.

Authority

Is the message claiming to be from someone official, like your bank, a government department, a utility company, your doctor or a solicitor?

Criminals pretend to be important people or organisations to trick you into doing what they want.

Last month, Coles confirmed the "3022 points" text message was a phishing scam and was not sent by the supermarket giant.

"Coles will never request personal or banking details in unsolicited communications, and legitimate businesses or government agencies will never request payment in gift cards," the statement read.

How can I protect myself from loyalty point scams?

Here's what Scamwatch recommends you do:

  • Delete or ignore any message regarding a loyalty program that contains a link
  • Don't click on a link included in a text message
  • Never provide any personal or financial details if the sender is unknown or suspicious
  • Use the reward program's app or website to independently check on the status of your points

Mr McGee says if it's too good to be true, it probably is.

"Don't let what seems like a good deal turn into a disaster," he says.

Essentially, the best way to protect yourself is to be a cautious customer.

"Expect that every message you receive out of the blue is a scam, until you've checked that it isn't," Ms Sundstrom says.

"It's not too hard to verify messages by checking if the organisation is offering the promotion on their website.

"You can even do a quick Google search, using the wording in the text and asking 'Is this a scam?'"

What should I do if I've been scammed?

If you think you've been scammed, contact your bank immediately and report it to Scamwatch and ReportCyber.

You should also report the event to the specific organisation involved. For example, Telstra customers are able to dob in scam texts via an online form or by forwarding the scam text to 7226.

If it looks like a scammer is impersonating an Australian business, contact the fair trading organisation in your state or territory.

Visit IDCARE for advice on securing your accounts online.

How many scams have been reported in Australia?

According to Scamwatch, over 95,000 scams have been reported in 2024 so far.

Of those, 39,380 reports were to do with phishing scams, leading to the loss of more than $4.6 million.
