Horror journey after Will Bottom had his identity stolen

When Will Bottom logged onto his bank account one weekend and realised $19,000 was missing, he knew something was wrong – but it was just the tip of the iceberg.

Mr Bottom, 23, discovered two separate large transactions in 2019, which were each described as a “miscellaneous withdrawal”.

“I called the bank to see if they could tell me what it was. Obviously, I was worried,” he told NCA NewsWire.

“They said: ‘No, you need to leave it a couple more days and see. In a few days, it’ll show up what it actually is.”

Despite his insistence he had not made any big purchases, Mr Bottom’s bank did not immediately help.

“I called them two or three days later … someone made a fake license, so that they had all my details, but their photo.

“They went into one bank and took out $10,000 and then went to another bank and took out $9000 – over the counter withdrawals.”

Will Bottom had his identity stolen. The saga lasted about one year. Supplied
Will Bottom had his identity stolen. The saga lasted about one year. Supplied Credit: Supplied

Mr Bottom said he was beside himself and went straight to the police.

“The detectives are also working on frauds of millions of dollars … so to them, $19,000 is nothing in the big scheme of things, but to a 20-year-old it’s a lot of money,” he said.

Mr Bottom later learnt the fraudster had accessed his details via a data breach at Service NSW.

“The scammer had gone to a bank and changed the signature, the phone number wasn’t my phone number anymore, the email wasn’t my email anymore,” he said.

“They’d gone through and changed all the details.”

Mr Bottom put a freeze on his account but the scammer took it off at a different bank – then the crime spree continued.

“They were committing frauds in my name … every second day I was getting a call from a different police station asking ‘did you just try to purchase a Mazda 3 or did you just buy a BMW?’” he said.

“For instance, say if you were selling a BMW for $20,000, the scammer would have a look at it, write you a cheque that was dodgy, or that they knew was going to bounce … then the next day you realise that the cheque bounces.”

Mr Bottom’s ordeal lasted more than one year, which he described as a very stressful time.

“It’s just like someone else is out to get you, really,” he said.

“Because you’re not sure what’s happened, you’re kind of on eggshells.”

Will Bottom said he felt like someone was out to get him. Supplied
Will Bottom said he felt like someone was out to get him. Supplied Credit: Supplied

Police were able to identify the scammer from security footage at the bank.

The offender was eventually caught via a traffic offence and they were sentenced to a prison term, Mr Bottom said.

“There was little he could do as far as preventing the data breach is concerned, because it rests with the organisations holding the information,” Dr Sonny Pham, from the School of Electrical Engineering, Computing and Mathematical Sciences at Curtin University, told NCA NewsWire.

Mr Bottom’s experience is just one of many reported in Australia every year.

Curtin University Associate Professor Nik Thompson told NCA NewsWire that while Mr Bottom’s difficulties were through no fault of his own, he suggested people in general should limit the amount of personal information they shared online.

“Once we share it with a third party, then we have to trust them to protect it indefinitely, and that’s quite a lot to expect,” he said.

“If we are dealing with a government service like Medicare or Service NSW, then of course we have to continue to share our information with them.

“These agencies have legal obligations to protect our data and they have ongoing compliance and security efforts.

“Furthermore, if a breach did occur, then these agencies are motivated and well equipped to resolve the matter and pursue anyone responsible.”

Experts agreed there was nothing Will Bottom could have done in his situation to better protect himself. Supplied
Experts agreed there was nothing Will Bottom could have done in his situation to better protect himself. Supplied Credit: Supplied

Assoc Prof Thompson said the bigger concern was smaller entities, like creators of apps or websites.

“These are the third parties that are less equipped to safeguard our data, so I suggest that this is the bigger risk factor, and the one to limit,” he said.

Assoc Prof Thompson said cyber attacks had been on the rise for several years – and anyone could be targeted.

“It is true that we might be better informed and aware of the dangers, but in reality, it seems that awareness of scams doesn’t always lead to more secure behaviour,” he said.

“Cyber criminals are opportunistic, which means that they won’t only go after big businesses, but will take any chance to target members of the general public.

“Scams involving fake goods or online shopping have been on the increase, and the greatest reported losses here come from the 25 to 34 year age bracket.

“Scammers are also very quick to act and create a new scam to play off current events.

“For example, within days of the start of the conflict in Ukraine, a number of fake websites appeared attempting to solicit donations for humanitarian aid.”

Man wearing hoody sweater with phone in hands. Crime and hacking concept
Cyber criminal are opportunistic, experts warn. Generic Credit: istock

Cyber security expert Lawrence Patrick, from Zirilio, said most people did not realise where their personal data ended up and how much money it was worth.

“Personal data is most commonly stolen through phishing – a process where hackers trick people into giving them access to a company’s customer database and then steal files containing the personal details of thousands of victims,” Mr Patrick said.

“Once the data is stolen, hackers sort the information found into what is most valuable, including details such as names, emails, passwords, personal identifiers, phone numbers and addresses.

“The data is then repackaged and sold to other hackers on the dark web on marketplace websites at a price of anywhere from $20 to $4500, depending on the type of personal details.”

Mr Patrick said healthcare records were the most prized, regularly fetching $400 or more per person.

“Most of the data appearing on the dark web appears to be from hacks of large companies, which shows how important it is that institutions and companies invest in their cybersecurity to protect their customers,” he said.

“On average, it takes companies 212 days to realise they have been hacked and 75 days to contain the data breach.

“This means your personal information is out in the wild being bought and sold and traded by hackers for almost a year before the problem is fixed, and for companies that do not have a cybersecurity partner, these numbers are going up every year.”

There are some things you can do to protect yourself from getting scammed out of money.
There are some things you can do to protect xjmtzywyourself from getting scammed out of money. Credit: News Regional Media

TIPS TO KEEP YOU SAFE:

  • Use strong passwords and change them regularly – and do not re-use the same password everywhere;
  • Turn on multi-factor authentication;
  • Be careful with how you share personal contents on social media – only share information with people you trust and not with the entire public; and
  • Do not follow any suspicious links, even if the message appears to be from a person you know, a bank, a government organisation. Instead, directly type in the web address or call them to double check.