How to spot a scam: tips for NDIS participants

Scammers are getting more sophisticated in their attempts to steal people’s private information and move their National Disability Insurance Scheme (NDIS) funding into their own pockets. This can be done using a variety of simple but increasingly common tactics, like a text message, email or phone call from a scammer masquerading as a disability provider.

You have to be careful to keep your funding secure, so we’re here to guide you on some of the most common scams reported.

Phishing attacks

Scammers use phishing to steal confidential information through fraudulent messages so they can commit a crime.

In phishing attacks, people typically receive a text message, email or phone call claiming to be from their bank, a company, or a person – and they’re usually asked to click a link to transfer funds or provide information, like a credit card number.

If you’re contacted in this way and asked to provide confidential information – like your NDIS participant number – it could be a scam. Be sure to report it to the National Disability Insurance Agency (NDIA) by calling the NDIS Fraud Reporting and Scams Helpline on 1800 650 717 or by emailing [email protected].

Watch out for:

• Unexpected requests for information – legitimate companies will never ask for private information, including passwords and PINs, in an unsolicited text message, email or phone call.
• Urgency – if the text message, email or phone call creates urgency to act, it’s likely to be a scam. Scammers create urgency because they want their target to act quickly and not think too much about what they’re being asked to do.
• Suspicious content – if you receive a text message or email that contains spelling errors or incorrect details, or if it doesn’t look quite right, it could be a scam.

Compromised email attacks, impersonation scams and accounting fraud

A compromised email attack is type of phishing attack that involves a scammer taking over the email account of a business and tricking a person into sending them money or providing confidential information. For example, a scammer may pretend to be a disability provider and send you an email to ask for your myGov password or your NDIS participant number.

When a scammer claims they’re someone they’re not to get hold of confidential information, money or funding, this is known as an impersonation scam.

Scammers are also known to set up fake email addresses that look legitimate but aren’t. Often, they include the name of a well-known company to help to convince a person to share private information.

Another type of cybercrime is email spoofing, which involves a scammer changing an email template to make it look the same as an email from a legitimate sender. They do this so they can get confidential information or money.

When a cybercriminal uses email spoofing to submit fake invoices to a plan manager, this is known as accounting fraud.

Watch out for:

• Emails claiming to be from legitimate companies, that request private information (like your NDIS participant number or credit card details), or that ask you to make a payment – these emails are usually written in a way that creates urgency to act.
• SMS notifications from My Plan Manager that alert you to an invoice you weren’t expecting, or which doesn’t seem quite right – if this happens, please call us on 1800 861 272 from 8am-6pm (SA time), Monday to Friday, so we can investigate. If you aren’t currently receiving SMS notifications from us, you can call and ask us to switch them on.

Remote access scams

When a scammer – claiming to be from a legitimate company – contacts a person and convinces them to hand over control of their electronic devices remotely (by installing malicious software or enabling remote login), that’s known as a remote access scam.

Remote access scams can be initiated via a phone call, email, or text message, or even through pop-up ads that claim the user has a virus and include a phone number to call to fix it.

Remote access scammers gain access to personal information of the person they contact – information like their NDIS participant number, bank account details or credit card number. Often, they try to intimidate the person or use technical words to confuse them and create a sense of urgency.

Watch out for:

• Unsolicited contact – remote access scams typically start with a text message, email or phone call to try to convince the person there’s a problem with their device or a payment.
• A pushy or agitated caller – if you receive a call from someone who becomes noticeably frustrated or forceful when you question what they ask you to do, there’s a good chance it’s a scam.
• Unusual requests – if you receive a call, email or text message asking you to log into a bank account, make a payment, or provide security codes or passwords, it’s likely it is a scam.

For more information on scams, click the links below.

• What are scams?’ from the National Disability Insurance Scheme
• Scamwatch
• Australian Cyber Security Centre
• Australian Competition and Consumer Commission

If you receive a text message, email or phone call that asks you to share your information, and it’s unexpected or doesn’t look quite right, be sure to stop and think before you do anything.

The NDIA explains how to report suspicious behaviour here. Alternatively, you may wish to contact the NDIS Quality and Safeguards Commission.