Qantas Money Credit Cards Online Security Hub

Take care of yourself online and everywhere else, when using your credit card.

How to identify spam and phishing messages

Identifying and managing spam

Spam refers to unsolicited junk emails that are sent to large numbers of people at once. Spam emails are typically advertising fake products or get rich quick schemes. Don’t bother unsubscribing from spam emails; this just confirms to spammers that your email address works and that they should keep spamming you. The most effective way of managing spam emails is to use your email settings to send these emails to your junk folder.

What is phishing?

Phishing (pronounced fishing) emails are more sinister than spam. They're designed to convince you to provide personal information like:

• a mobile phone number

• usernames and passwords

• credit card details or bank details.

You’re in control with phishing emails

Criminals use email for the same reason legitimate business do, it’s a cheap way to get to a lot of people. The phishing email you receive was probably sent to several thousand other people as well. You can outsmart these criminals by taking a few seconds to look for the signs that something is up.

Phishing emails often pretend to be from legitimate companies such as banks, courier companies, or government departments, and can contain links to fake websites. These fake sites look very similar to the real ones, including ours, and are designed to convince people to provide their bank details.

Our Security team monitor the Internet for fake websites and request to have them removed from the Internet to protect our customers. Sometimes the emails will have an attachment that appears to be an invoice, or document. When you try to open the attachment, it installs malware on to your computer without your knowledge.

Here are a few signs the email you received may be a phishing email.

• Sender address this might be unusual, misspelled or slightly different from the correct address.

• Generic greetings and sign offs Phishing emails are sent out to hundreds of people at once so use generic greetings and sign-offs.

• Poor grammar and spelling This can be a tell-tale sign, but it isn’t always the case. Remember, criminals can use spell check too.

• Creating a sense of urgency Phishing emails will often encourage you to click a link or download an attachment to avoid a problem to create a sense of urgency. Always read an email carefully before taking any action.

• Suspicious links and fake websites If you receive an email with a suspicious link, hover over the link with your mouse to see the actual web address the link leads to – it could lead to a fake website. Make sure the website domain is qantasmoney.com. 

• Malicious attachment often an attachment will appear to be a PDF, image or Office file, but when you try to open the document, it tries to run a program or script intended to infect your computer with malicious software.

• QR code phishing (‘Quishing’) Criminals are increasingly using QR codes in phishing messages, as they may bypass email spam filters designed to detect malicious content. When scanned by a mobile phone, the QR code image will open a website which may contain malware, or a phishing site designed to encourage people to provide personal details.

SMS phishing

It’s not just email anymore. Cyber criminals are using other channels like SMS to conduct phishing. These fraudulent text messages use the same tactics as phishing emails, often pretending to come from a legitimate company.

Because text messages seem more personal, these messages are often not questioned in the same way as suspicious emails. Criminals can set the sender name of an SMS to anything they like. It’s the same as when you send a letter in the post; you can write whatever sender address you like on the back – it doesn’t have to be your real name or address. Sometimes criminals set the sender name as “Qantas Money”, meaning that malicious SMS messages can appear in the same message thread as legitimate SMS messages.

This can be confusing - but trust your gut. Qantas Money Credit Cards will never send you a link to “verify your identity” or ask you to log in directly from an email or SMS.

These messages are not a sign that systems have been breached in any way – it simply means a criminal is impersonating our brand.

File sharing phishing

Increased use of file-sharing services such as Dropbox, Google Drive and OneDrive has led to an increase in fake emails pretending to be links to documents.

In reality, these emails contain links to lookalike file-sharing websites designed to steal your credentials or download malicious software on to your computer.

What to do if you get 'phished'

If you suspect an email or text message, don't respond to requests for information and don’t click on any links or open attachments, even if there’s a sense of urgency. If you receive a suspicious email or text message pretending to be from us, report it immediately to us via Qantas Money Credit Cards Mobile App or Online Servicing.

Keep your mobile devices and apps secure

Your smartphone is a direct portal to your identity and your life. Your device is likely to hold more personal information about you, your family, friends and work than you would store in your home or office. You must protect it.

Why your mobile device must be secure

Your smartphone or tablet connects you to the internet so that you can carry out daily tasks from wherever you are. Your device is a key to access the information about yourself that you store online. That includes Online Servicing passwords, credit card details, personal and work connections, photos and videos and everything that identifies you, as you.

Getting access to this information is a lucrative business for cyber criminals. If they can find a weak spot they could:

• steal your identity

• steal your money

• use your credit card to go shopping

• infect your mobile device with malware.

Even if your mobile device is lost or stolen, and you haven’t backed up or secured your data, you could lose:

• treasured photos and videos

• all of your personal and work contacts’ details.

How to secure your mobile device

Set up your mobile device, your social media and other applications (or apps) so that it is tough for anyone to access it.

Set up device locking mechanisms Set up a password, PIN, passcode or fingerprint pattern to unlock your mobile device. You’ll need to set up a PIN to unlock your SIM card too as it is removable and its use is what your internet provider will bill you for, so you need to protect it. Check your device’s security settings and select automatic locking to make sure your phone locks itself after a defined period of time. Never share your passwords, PINs or passcodes with anyone. We also recommend that you do not allow others to setup their fingerprint or facial recognition on your devices either.

Keep software up to date and backup data

Set up automatic updates for applications and operating systems, so that your device is always up to date with the latest security features. Install virus protection software to protect you from malware. Always backup irreplaceable data such as photos or emails through reputable and secure Cloud storage solutions. ‘Cloud’ storage means you can get access to your information at any time through the internet. So if your mobile device is no longer in your possession, you can still access your data via the internet.

Stay invisible

When you’re not using Bluetooth, turn it off. Ignore offers of free (usually unsecured) public Wi-Fi access and ensure your mobile device is set up to only connect to secure networks you have approved. Get into the habit of regularly deleting your internet browsing history on your mobile device and closing multiple browsing tabs.

Lock out dishonest users remotely

Check if your mobile device supports remote locking or wiping functions. Provided that you regularly backup your data, if you lose your mobile device or it has been stolen, you can lock it remotely, or choose to completely wipe the data. If you don’t have these options, record the International Mobile Equipment Identifier (IMEI) of your handset. Ask your product retailer where to find this number. If your device is lost or stolen, you can report the IMEI number to your billing provider and they can block your device remotely.

Develop secure mobile device habits

Get into the habit of the following behaviours to keep your mobile device secure:

• Log out of websites, such as your Qantas Money Credit Cards Online account, when you’ve finished using them.

• Close multiple internet browsing tabs.

• Only download apps from trusted online stores such as Google Play or the iTunes Store.

• Review the privacy permissions carefully before you install a new app on your mobile device.

• Never store passwords anywhere other than through a reputable password keeper app downloaded from Google Play or iTunes Store.

• Don’t use a jailbroken /rooted device. This refers to an iOS/Android device which has bypassed the security settings in order to remove software restrictions (usually in order to install software not approved by the App Store or Google Play). This significantly decreases the security of the device.

What to do if someone gains unauthorised access to your mobile device

If your mobile device is lost, stolen or has been hacked (that is, someone has gained unauthorised access to your device and your data), there are ways to protect your identity and data:

• If you’re sure you can’t recover your mobile device and you’ve set up your remote locking or data wiping functions, activate these functions.

• Contact your telephone service provider immediately to report loss, theft or compromise of your mobile device. They will be able to block your service using your IMEI, or bar the service from using their network and then advise you of next steps.

If you’re concerned your identity may be at risk, check out How to keep your identity safe online for advice on where to go for help.

Six simple ways to protect your passwords

You use passwords to access your bank accounts, social media, email and more every Day.

Passwords are the keys to our online identity. That’s why protecting them is so Important.

Creating a strong password is the first step to protecting yourself online. This helps reduce the risk of unauthorised access by those willing to put in a bit of guesswork.

To help stay safe online, follow these password tips.

1. Make your passwords strong

Short and simple passwords might be easy for you to remember, but unfortunately they're also easier for cyber criminals to crack. Strong passwords have a minimum of 10 characters and a use mix of:

• uppercase and lowercase letters

• numbers

• special characters like !, &, and *.

Use passphrases

You may like to consider using a passphrase instead of a traditional password.

Passphrases are considered more secure than regular passwords, and easier to remember too.

A passphrase is used in the same way as a password but is a longer collection of words that is meaningful to you, but not to someone else. For example, the passphrase ‘CloudHandWashJump7’ is 17 characters long and contains a range of different characters. This is more complex than the average password.

Depending on the systems you access, you may be limited to a defined number of characters.

2. Make passwords hard to guess and don't re-use passwords

Could someone who knows you guess your passwords? For this reason, it’s best to avoid using personal information such as your children, partner or pets name, favourite football team or date of birth as your password.

When trying to hack into an online account, cyber criminals start with commonly found words and number combinations, or they use may use information exposed in data breaches. This could lead to a credential stuffing attack. 

So, it's best to avoid using:

• dictionary words

• a keyboard pattern like qwerty

• repeated characters like zzzz

• personal information like your date of birth or pet’s name. 

Security companies publish lists each year of the most common passwords exposed in data breaches, you can read the list here. Make sure you’re not using them, because it’s likely criminals will try these passwords first.

3. Create new, unique passwords

If you need to reset a password, don’t just change one part of it. Instead of changing a number at the beginning or end, create something completely new you’ve never used before.

If your original exposed password had a ‘1’ at the end, an attacker would likely try ‘2’ next. That’s why it’s important to change the whole password.

Get into the practice of changing your password often, ideally every few months.

4. You must take care of PINs and other Security Codes

Never share your password with someone, not even with someone you trust.

What about family and friends?

Regardless of whom you share it with, once you share your passwords you lose control of how it’s stored or how and when it’s used.

What if a business or company I know asks for my password?

Reputable companies won’t ask you to give them your password over the phone or via emails or SMS messages. This might be a warning sign of phishing or a scam.

Qantas Money Credit Cards will never ask you for your password or PIN, either by email, SMS, over the phone or at a branch. We may ask you to provide a one-time code to verify yourself when you contact us. These messages will clearly state that we will ask you for the code.

You may not be covered for unauthorised transactions

The security of your card and security codes, including your Qantas Money Credit Cards Mobile App and Online password, is very important. As a Qantas Money Credit Cards account owner, you must:

- Keep your password, PINs and any other security codes secret;

- Use care to prevent anyone else seeing your password and other security codes;

- Not let anyone else use your password or security codes; and

- Take reasonable steps to protect a security code from loss or theft.

Compromising the secrecy of your passwords, PINs or other security codes by voluntarily disclosing them may mean you are liable for unauthorised transactions performed on your account.

5. Use different passwords for each of your online accounts

Using different passwords means that if one of your accounts is breached, criminals won’t have access to other accounts that use the same password.

Make each of your passwords for online logins unique. This will help protect you from attacks like ‘credential stuffing’.

Credential stuffing

Credential stuffing is an automated technique used by criminals. They test a user's known username and password combinations across multiple online accounts. As many people use the same credentials for multiple sites, it can give criminals easy access to multiple accounts.

This gives criminals an opportunity to gather more information about you, which they might use to impersonate you online to access accounts under your name. For example, it’s not a good idea to use the same password for an online pizza delivery website and your business email. If the pizza delivery site is compromised, you don’t want someone to also have access to your business email account.

6. Store passwords safely

Writing passwords down is never recommended. You could lose them, or someone else could see them and use them.

Password management tools

There are programs and apps known as password managers that will store all your passwords in a secure vault.

A password manager only needs one strong password to access it and has extremely strong protection to make sure that only you can access it.

This means you only need to remember one password to have access to all your passwords.

Password safes can even generate and store new, complex passwords for you when you create new online accounts.

Don’t allow web browsers to store your password

Some web browsers may display a pop-up message, asking whether you want the browser to remember your login details.

For the protection of your personal information, we recommend that you select 'Never for this site' if you see this message when using Qantas Money Credit Cards Online Servicing.

For more information, check out the Australian Cyber Security Centre’s guide on creating secure passphrases.

Secure your accounts with Multi-Factor Authentication

What is MFA?

MFA is an added layer of security designed to confirm your identity when logging into an online service or account. This helps protect your accounts from being compromised by cyber criminals. MFA requires that you enter additional information to gain access to your account. It’s also referred to as ‘two-factor authentication’ or ‘2FA’.

Why MFA is important

Using MFA makes it harder for cyber criminals to break into your account than if you only use a password. With MFA turned on, if your account is compromised and the criminal has your password, they will need to enter additional information that only you can provide.

Online accounts such as banking, social media and email can contain a lot of valuable information about you. Information that could be accessed includes:

• Personal identifiable information

• Banking details

• Employment details

• Information from government agencies such as Medicare or myGov

• Personal photos and messages.

If a cyber criminal gained access to any of your accounts, they could:

• Sell your data on the black market. This could include credit card numbers, names, addresses, emails, date of birth and so on.

• Gain access to social media accounts by resetting your password.

• Send phishing emails to your contact list. These could convince your friends and family to give out personal information or install malware onto their devices.

• Send fraudulent email requests for payment. Learn how to avoid email scams.

Different types of authentication

One-factor authentication

One-factor authentication is something that only you know, like your password or PIN. Systems that use one-factor authentication only require a username (such as an email address) and a password to access them.

Two-factor Authentication

Two-factor authentication is something you know (password), plus something you have. Systems that use two-factor authentication require a username and a password, plus a one-time password or code (sent to your mobile phone, for example) to access them.

Three-factor Authentication

Three-factor authentication is something you know, plus something you have, plus something you are (a biometric input, such as a fingerprint scan to unlock your phone). Systems that use three-factor authentication require a username and a password, a one- time password or code, and some other unique biometric that identifies you.

How to set up MFA on your accounts

Below are some of the common ways to set up MFA on your accounts.

Set up MFA on Office 365

You can set up MFA on your Office 365 in the Admin centre. This will generate a phone call, text message or an in-app notification to verify your identity. Find out how to set one up on Microsoft’s step-by-step guide.

Set up MFA on Apple devices

You can enable MFA on your iOS and macOS devices. For more information and instructions, visit Apple’s guide on MFA.

Set up MFA for other accounts

To help you set up MFA for other accounts such as social media or Gmail, the Australian Cyber Security Centre has a list of helpful guides to assist you in improving your online protection.

Handy tips for using your Card securely online

You can enjoy the benefits of living life online, by simply staying in control of who can access your information when you’re connected to the internet.

Set up the basic computer security

• Choose a reputable Internet Service Provider (ISP) to provide your internet access.

• Keep your operating system up-to-date by switching on automatic updates and install them as soon as they become available. Check out Microsoft Download Centre or Apple security updates pages.

• Always type the address of the site (the URL) you want to visit in the browser’s address bar, especially when you want to shop and bank online.

• Keep your computer’s security software up-to-date, including anti-virus, anti- spyware, anti-spam and firewall products.

Review your browser settings

It’s best to use the latest version of a web browser, as these will have the latest security features.

If you’re using your Card online, it’s worth checking if the site supports the browser you’re using to make sure you’re getting the highest level of security encryption.

Get warnings when accessing secure and unsecure web pages

Only access secure sites when shopping or banking online. You can set up your browser settings to prompt you every time you leave a secure site. Go to your browser’s Help menu to find out how.

Clear your history, cache and cookies

To help your browser work better (and for security) you should clear your cache periodically. Also, for privacy reasons, you might want to clear your cache, cookies and history manually. This is always recommended if you’re using a computer in a shared public space like internet cafes, hotels or airport lounges. Go to your internet browser’s security or safety settings to choose options to clear your cache.

Make sure you’re in the right place

The safest way to access a site is to type the address into your browser. Following a link may lead you to a fake website designed to convince you to entering personal details.

Look for the green padlock and https (the s is for secure) next to the URL in the address bar of your web browser when using your Card online.

If you’re visiting a new website for the first time, and have received the website address via email or SMS, search for the website on Google, to check that the website is legitimate.

Check the spelling

Fake websites often have slight spelling errors in the address. For example, having the number 1 instead of the letter I.

Use good password management

Disable the option on your web browser to automatically remember user names and passwords. You can check your browser’s help menu for instructions.

Never share or write down a password, and make sure the password you choose is strong and would be difficult to guess. Read our comprehensive list of tips on good password Management.

Take care in public spaces

If you can, avoid using shared computers in libraries, airports, cafes or hotels if you want to work, bank or shop online.

Never leave your computer unattended or unlocked and make sure you’re not observed entering passwords and personal data.

People may peer over your shoulder to read information on your laptop or other device. This is called shoulder surfing and this is how they can steal confidential or personal information while you work or bank online.

Avoid using public Wi-Fi networks

These networks can pose a risk as data can be intercepted by criminals on unsecured networks.

Avoid logging into networks with generic names (for example Netgear) or networks with the same name as you’d log into at home and use VPN (Virtual Private Network) software to protect your activity.

If a wireless network asks you to install software in order to connect, don’t accept.

Cancel these requests even if they look legitimate.

Look for potential signs of malicious activity when connected to public WiFi like prompts

to:

• accept new digital certificates

• install new software of updates.

A great way for older Australians to stay safe

Older Australians can find all the skills and knowledge they need to stay safe online with Be Connected. It is an award-winning Australian Government initiative empowering older Australians to thrive in a digital world. The Be Connected website is a one-stop shop with more than 150 online learning modules and 350 learning activities - and it’s all free. Visit www.beconnected.esafety.gov.au to find out more.

How to spot scam phone calls

What are scam calls?

Criminals may call you, impersonating a government agency such as the Australian Tax Office (ATO), an energy or telecommunications provider, Australia Post, a bank, an online marketplace or the police.

The call may also appear in your phone as coming from a contact number you may recognise, possibly even your bank. Criminals can use technology to change the way their number appears in your phone. This is called spoofing and can also happen via SMS.

What is ‘spoofing’?

These scam calls aim to pressure you into providing your personal information. The caller may threaten you with expensive fines or tax bills, arrest or deportation, to take you to court or disconnect your Internet service.

They may ask you to buy gift cards, iTunes vouchers, Bitcoin or pre-paid credit cards to pay your fine or debt. In other cases, they may request remote access to your computer and bank accounts to investigate an ‘issue’ or stop a transfer.

Legitimate businesses will never threaten to arrest you or demand immediate payment of a tax debt or fine with unusual payment methods like gift cards or Bitcoin or request remote access to your computer.

Bank impersonation scams

Bank impersonation scams involve criminals pretending to be a trusted bank representative to steal your money or personal information. They may create a sense of urgency by pretending to be from the ‘fraud’ team.

How to spot an impersonation scam?

•The caller may say they’re from Qantas Money Credit Cards and there’s an issue with your accounts or devices.

•They may ask you to move money to another account for safe keeping.

•They may ask you to download a program to give them access to your device.

•There’s a sense of urgency and they pressure you to act quickly.

Qantas Money Credit Cards may genuinely need to contact you

Our fraud team may need to get in touch with you if we’re concerned about your account, so it’s important to understand what we will and won’t ask.

We’ll never ask you to:

• provide your one-time code for authorising transactions

• transfer money to another account to keep it safe (it’s safe where it is)

• give us remote access to your devices

• provide personal information such as driver’s licence details.

We may ask you to:

• provide your full legal name

• explain or confirm the details of a payment

• provide more details about the person you’re sending funds to and how you communicate with them.

These questions are designed to help us understand the likelihood of you being involved in a scam or fraud, so that we can protect your account.

How big is the problem?

The Australian Competition and Consumer Commission (ACCC) Targeting Scams report advises there were 63,821 phone scam calls reported in 2022. Of these phone scam calls, Scamwatch reported bank impersonation scams cost Australians $20 million.

Download the Targeting scams: report of the National Anti-Scam Centre on scams data and activity 2024.

Keeping your SMS security codes safe

We may SMS you one-time passcodes for Qantas Money Credit Cards Mobile App and Online registration, transactions and password resets. In the SMS, we’ll let you know that this is a secret code which should not be shared with anyone, not even Qantas Money Credit Cards. These codes provide an extra layer of security for your accounts, so it’s important to keep them and your phone secure.

Important: while Qantas Money Credit Cards does everything it can to recover funds transferred as part of a scam, it is not guaranteed.

Simple tips to help prevent phone phishing

• Treat any unsolicited phone calls with caution. If you’re unsure about the legitimacy of a call, hang up and call back on an official phone number.

• Never provide personal or credit card information during an unsolicited call.

• Ensure you carefully read any SMS codes you receive. Never share any SMS codes you receive with anyone else, including Qantas Money Credit Cards.

• Never give an unsolicited caller remote access to your computer or online bank Accounts.

Contact us for help

If you’re a Qantas Money Credit Cards customer and believe you may have fallen victim to a scam, please immediately contact us to reach the Fraud and Scams team.

Other helpful resources

• Australian Government | Australian Cyber Security Centre (ACSC) The Australian Cyber Security Centre (ACSC) brings cyber security capabilities from across the Australian Government together in a single location. It’s the hub for private and public sector collaboration and information sharing to combat cyber security threats. ACSC provides topical, relevant and timely information on how home internet users and small businesses can protect themselves from, and reduce the risk of, cyber security threats such as software vulnerabilities, online scams, malicious activities and risky online behaviours. Learn more about the Australian Cyber Security Centre.

• Australian Government | ReportCyber is a secure reporting and referral service for cybercrime and online incidents which may be in breach of Australian law. The ReportCyber website provides a cybercrime reporting mechanism as well as helpful information about cybercrime. Learn more about ReportCyber.

• Australian Competition and Consumer Commission | Scamwatch provides information to consumers and small businesses about how to recognise, avoid and report scams using publications, videos and other online resources. Learn more about Scamwatch.

• Australian Government | Office of the eSafety Commissioner The Office of the eSafety Commissioner provides online safety education for Australian children and young people, a complaints service for young Australians who experience serious cyberbullying, and address illegal online content. Learn more about the Office of the

eSafety Commissioner.

• Australian Government | Attorney-General’s Department The Attorney-General’s Department website provides helpful information and resources about your rights and protections in regards to identity security, freedom of information and cyber security. The Department has developed a range of resources to assist people protect their identity and recover from the effects of identity crime. Learn more about the Attorney-General’s Department.

• IDCARE is Australia and New Zealand's not-for-profit counselling and support service set up to assist Australians impacted by identity theft and cyber-related crimes. IDCARE can assist customers to navigate through the process when identity details or credentials have been compromised through fraud or scams. IDCARE is a free service for all Australians. Learn more about IDCARE.