Second man charged with text phishing scam

Editor’s note: Audio captures of AFP Detective Superintendent Brad Marden are available via hightail.

AFP has arrested a second man, 30, for his alleged role in a Sydney-based criminal syndicate accused of stealing the bank and ID details of thousands of Australians in an attempt to gain access to their accounts.

The Sydney man is due to appear in Sydney Central Local Court today (11 August 2022) charged with seven offenses following an AFP cybercrime investigation, which is still assessing the scale of the fraud.

Operation Iasion began in September 2021 to identify criminals responsible for sending hundreds of thousands of automated text messages containing links to replica Australian banking and telecom websites.

The SMS phishing scam reportedly began in 2018 to target customers of Commonwealth Bank of Australia, National Australia Bank and Telstra, among others.

Another Sydney man, 39, was arrested in November 2021 for his alleged role in the same scam (see "Sydney man charged with text phishing scam").

People who fell victim to this scam clicked on the link in the text message, which took them to a fake website where they were asked to enter their password and credentials.

The information was then allegedly used by the syndicate to attempt to access the victims’ bank accounts and steal their identities.

Police have reportedly identified victims who had several thousand dollars stolen from their accounts and investigations are ongoing.

AFP reportedly identified that the messages were sent automatically through a SIMBOX, which operated from the Sydney man’s home in Ryde and another property in St. Ives.

AFP Detective Superintendent Bradley Marden said police allege the syndicate-controlled SIMBOX was regularly moved in an attempt to avoid detection by law enforcement.

“A SIMBOX can hold over 100 SIM cards and send hundreds of thousands of text messages a day, simultaneously, to Australian mobile users,” Det-Supt Marden said.

“The damage this scam has cost Australians is still being determined as our cybercrime investigators continue to identify victims and piece together the extent of the fraud.”

“These scam messages are a heavy burden on Australians, who receive them daily. We encourage users not to click on any links in a text message or email claiming to be from a bank or telecommunications company. Instead, go to their website or contact them directly.

“If you believe you have been the victim of a phishing scam or if you see any discrepancies in your bank account, please contact your bank and report the issue to Report Cyber.”

AFP cybercrime investigators executed a search warrant at the man’s home in Ryde yesterday (August 10, 2022) and seized more than $20,000 in cash, electronic storage devices containing more than 500 identity documents in the names of numerous victims, several mobile phones, an encrypted desktop computer and a Huawei Internet dongle.

Police will allege that these electronic items allowed the man to exploit victims’ credentials and finances.

He was arrested and charged with seven offences:

  • Caused unauthorized access to restricted data by intending to cause such access and knowing that the access was not authorized, contrary to section 478.1 of the Penal Code 1995 (Cth). The maximum penalty for this offense is 2 years imprisonment;
  • Possessed data with the intent that the data be used, by him or another person, to commit or facilitate the commission of an offense under Division 477 contrary to section 478.3(1) of the Penal Code 1995 (Cth), where the violation of Section 477 is unauthorized access, modification, or alteration with intent to commit a serious offense contrary to Section 477.1 of the Penal Code 1995 (Cth). The maximum penalty for this offense is 3 years imprisonment;
  • Obtaining or dishonestly handling personal financial information belonging to another, without that person’s consent, contrary to section 480.4 of the Penal Code 1995 (Cth). The maximum penalty for this offense is 5 years imprisonment;
  • Controlled a thing, a web service database, with the intent that the thing be used by him or another person, to commit or facilitate an offense under section 480.4 of the Penal Code 1995 (Cth), contrary to section 480.5 of the Penal Code 1995 (Cth) or to facilitate the commission of this offence. The maximum penalty for this offense is 3 years imprisonment;
  • Dealt with money or property that was the proceeds of crime and, at the time of the act, the value of the money or property was $1,000 or more contrary to section 400.7 of the Penal Code 1995 (Cth). The maximum penalty for this offense is 5 years imprisonment;
  • Obtained identifying information, namely the identifying information of the victim, by using a transportation service and exchanged such identifying information, with the intention that anyone use the identifying information to pretend to be or to impersonate another person for the purpose of committing an offense or facilitating the commission of an offense contrary to section 372.1A(3) of the Penal Code 1995 (Cth), where the offense is an indictable offense against a law of NSW, namely fraud contrary to section 192E Crimes Act 1900 (NSW). The maximum penalty for this offense is 10 years imprisonment; and
  • Failing to provide reasonable and necessary information and assistance to enable access to data held in a form accessible from a computer that was on the premises of the mandate, contrary to Article 3LA (6) of the Crimes Act 1914 (Cth). The maximum penalty for this offense is 10 years imprisonment.

Media inquiries

AFP media: (02) 5126 9297
