Two Sydney men have been arrested over their alleged involvement in a large-scale SMS phishing scam that targeted the personal and financial information of tens of thousands of Australians.
The Australian Federal Police arrested the men on Tuesday following a year-long investigation, codenamed Operation Genmaicha, by its cybercrime operations teams and NSW Police.
The investigation began after reports that an Australian-based fraud syndicate was allegedly sharing information about conducting fraud and phishing attacks on Australian banks and their customers.
Police allege the pair controlled several SIM boxes, which were used to send messages that imitated banks and telcos to dupe victims into providing personal or financial information.
SIM boxes, or SIM banks, are devices capable of sending bulk text messages to tens of thousands of recipients in one go using multiple SIM cards.
Over a recent two-week period, the SIM boxes are said to have been used to send more than 10,000 SMS phishing – or ‘smishing’ – messages.
At least 45 customers from one bank are known to have been impacted, with $30,000 stolen in one instance.
The AFP is continuing to investigate the full extent of the scam with Westpac, the Commonwealth Bank and ANZ, as well as TPG Telecom, and a number of other unnamed private sector partners.
Working with NSW Police, investigators executed search warrants on Tuesday at addresses in Macquarie Park and Burwood, seizing nine SIM boxes and hundred of SIM cards in the process.
Multiple electronic devices, including mobile phones, laptops and hard drives, as well as fake ID documents, more than $50,000 in cash and drug paraphernalia were also seized in the raids.
A 50-year-old man has been charged with multiple offences, including eight counts of false or misleading information and one count each of using a telecommunications network with intent to commit a serious offence and dealing in identification information using a carriage service.
He was denied bail and will next appear in Sydney Central Local Court on November 18.
The second man, a 36-year-old from Burwood, has not yet been formally charged by police, but is expected to face similar charges.
Commenting on the sophistication of the scam, AFP cybercrime operations commander Chris Goldsmid said one telco provider identified that more than 49,000 messages sent to its customers in just one week.
“This fraud syndicate had absolutely no regard for the hardworking Australians they stole from, victims who may be struggling since the bushfires and COVID-19 hit the nation,” he said.
“The success of Operation Genmaicha has prevented further Australians from seeing their hard-earned savings siphoned off to criminal entities.”
NSW Police cybercrime squad commander, detective superintendent Matthew Craft, said law enforcement was increasingly pooling resources to shut down offenders that work across state boundaries.
“The ability of offenders to adapt technology for all the wrong reasons is a growing issue; however, police are equally up to the task of detecting and investigating these criminal syndicates,” he said.
“This technology, while not frequently encountered by law enforcement, was on this occasion successfully deployed against victims as part of this SMS phishing scam.”
Craft added that phishing “scams become somewhat redundant when the community heeds the advice to never provide confidential personal information to people you don’t know”.
“Legitimate businesses will never call or SMS customers seeking confidential information. Always be suspicious when you receive such requests,” he said.
In a bid to stop phishing messages from reaching customers, Telstra last week revealed it had recently piloted a blocking service on its network to identify and reject unofficial messages.
While the service is currently limited to messages that appear to be sent from Services Australia, including myGov and Centrelink, it could be rolled out more broadly in the future.