Scams

Scam alert - Ghost stores EOFY

Too good to be true? Stay alert for ‘ghost stores’ this EOFY sales season

As the end of the financial year approaches, many shoppers will be eagerly looking out for EOFY sales. However, as ‘ghost’ or ‘phantom’ stores become more common online, the Customer Owned Banking Association (COBA) is urging shoppers to remain vigilant.

According to ACCC’s Scamwatch, more than 12,000 Australians reported losing money to shopping scams in 2025, with total losses reaching $10.8 million.

“These websites are designed to trick even the savviest shopper, and scammers are experts in making fake websites look convincingly like legitimate retailers,” explained Martin Latimer, COBA Head of Financial Crimes and Cyber Resilience.

To help shoppers stay safe this sales season, COBA’s financial crimes team share their expert tips on how to spot, and avoid, such scams.

How do ‘ghost’ or ‘phantom’ stores work?

Typically, ghost stores can only be found online and do not have a physical presence. Consumers may be targeted through social media ads for these stores.

Ghost stores don’t often have registered Australian Business Numbers (ABN), and the websites may not have a privacy policy, terms and conditions, or contact details for the business. Many ghost store websites may have AI-generated images of fake founders or customers, or stolen product images. They may resemble legitimate brands or websites in their name or logo.

These fake shopping websites tend to use tactics like creating a sense of urgency to get customers to make immediate decisions and payments. This could look like fake countdown timers on products, or limited stock warnings (such as ‘only 2 items left!’) to pressure shoppers into making quick decisions.

“Ghost stores often offer expensive goods at dramatically discounted prices up to 90% off. If it's too good to be true, it normally is,” Latimer warned.

Beyond the financial damage of such scams - where these fake stores may provide inferior quality goods or no goods at all once shoppers place an order - they also pose serious privacy and security risks. Ghost stores harvest personal information, login credentials, and payment details through phishing-style tactics that seem like legitimate online shopping experiences.

Latimer explained: “The prices on these websites can be quite tempting, and many shoppers may be keen to jump on what looks like a bargain. But ghost stores are designed to mimic legitimate retailers so convincingly that shoppers don’t realise they’re handing over more than their money, but sensitive personal and financial data as well.”

How to spot a shopping scam

When it comes to shopping scams, it’s important to watch for poor website design and spelling or grammatical errors. Another indicator the store may not be what it seems is a lack of customer feedback or reviews for the seller or product.

“When in doubt, it’s useful to double-check the website URL. Often, ghost stores may be using a ‘.com’ and not ‘.com.au’ website domain,” Latimer said.

If you are shopping on an Australian website, you can use the Australian Domain Authority’s website register to see which company or trademark registered it.

Latimer added: “Additionally, scam websites may encourage you to use untraceable payment methods like cryptocurrency or wire transfers. It’s best to stick to trusted and secure payment methods, which often have built-in buyer protection and fraud prevention features to help safeguard your purchases.”

What to do if you suspect a scam

To help yourself and others stay scam-safe, keep in mind the simple, three-step “Stop. Check. Protect” (Scamwatch) method - take a moment before giving your money or personal information to anyone, make sure the person or organisation you’re dealing with is real, and act quickly if something feels wrong.

If you suspect a scam, report the suspicious sellers or websites to the National Anti-Scam Centre (NASC) – Scamwatch and Cyber.gov.au. If you think you’ve been scammed, it’s important to contact your financial institution or card provider immediately. They can help stop further transactions and explore options to recover funds.

Security

How to manage & protect your passwords

How to manage and protect your passwords to keep you safe online

Passwords form the foundation of our online safety, whether that’s banking, healthcare, or even our social connections. If they’re weak or reused, they can make you vulnerable to criminals.

“When your data is leaked in a breach, scammers can use it to impersonate you, trick you into clicking malicious links, or try your passwords on other websites. They might even use that stolen information to lock your files and demand a ransom,” COBA Head of Financial Crimes and Cyber Resilience Martin Latimer said.

Strong passwords are our first line of defence against cybercriminals, and amid rising data breaches across Australia, there’s never been a greater need for good password hygiene. To help you figure out the best way to strengthen your passwords - and why this matters - COBA’s Financial Crimes and Cyber Resilience team have put together some simple tips.

Why does password hygiene matter?

Data breaches can be a goldmine for scammers, providing them with a trove of personal and payment information that can then be exploited. In the first six months of 2025, over 10,000 individuals were affected by cyber incidents, with malicious or criminal attacks comprising the largest source of data breaches, according to the Office of the Australian Information Commissioner.

“Having strong passwords is crucial to ensure cybercriminals can’t access your banking, government or healthcare accounts or target you with malware,” Latimer explained.

How to build stronger passwords

Strengthening your passwords doesn’t mean making them harder to remember — it means making them harder to crack. Longer, word-based phrases (known as passphrases) are usually a strong choice. Consider a string of random words that only you can stitch together to create a unique phrase (for example: “train hall idea work” or “television table bottle snack”). Avoid using personal information or common, predictable words.

“Safe passwords typically have 10 or more characters - the longer, the better! You should further strengthen your password by combining uppercase letters, lowercase letters, numbers and special symbols, including swaps like ! for 1 or @ for A,” Latimer said.

Managing your passwords

It’s important not to share your passwords with anyone - including loved ones - and to ensure you are using different passwords for your various accounts.

Always enable multi-factor authentication (MFA) wherever it’s available. This adds two or more verification methods to create an extra layer of safety on your accounts. MFA may involve passkeys, one-time passwords (OTPs), or biometric verification.

Additionally, pay attention to where your passwords are being saved. “While many may do this for convenience, blindly saving your passwords in your browser to be auto-filled can put your cybersecurity at risk,” Latimer cautioned.

Instead, opt for a reputable password manager with a strong master password. Ensure it offers strong privacy and security features such as encryption, MFA, and alerts if your passwords have been exposed in a breach.

What to do if your passwords have been compromised

It’s important to be aware of the signs of a data breach so you know if your password has been compromised. Look out for suspicious activity such as unauthorised transactions, unfamiliar log-ins, unsolicited password resets, or alerts from financial institutions or service providers (even those you don’t normally use). You can also check if you were affected by a data breach using platforms such as Have I Been Pwned.

If you believe your passwords may have been compromised, take immediate action to secure your accounts. Update your passwords across important accounts and run anti-virus software on your devices (including your phone) to check for ransomware. If you are contacted by someone you suspect is a scammer, report the scam to the National Anti-Scam Centre – Scamwatch to help protect others.

For more information on how you can strengthen your online safety and keep your personal information secure, visit Cyber.gov.au.