A Brisbane dad is warning others what to look out for after a cyber-criminal stole 288,000 of his hard-earned frequent flyer points, tried to go on a holiday in his name – and then took a further $13,500 from his bank account.
Daniel Tsui, 47, thought something was strange in March when he checked his Virgin Australia account and saw just 10,000 frequent flyer points left on his profile.
Tsui accrued more travel points than most Australians during the pandemic because he must fly between Brisbane and Cairns every week for work.
Puzzled, he looked into his Virgin account more closely and realised that 288,000 of his points had been redeemed and spent on a hotel stay in Bali.
The problem was, he had no plans to travel to the popular tourist destination and certainly hadn't made the booking.
Tsui told news.com.au it was lucky that he is "constantly booking flights", otherwise he might not have noticed he had been hacked until it was too late.
The hackers transferred $13,500 out of his account.
But in the months since then, he's been plagued by other security breaches, including from his bank, PayPal and even a defunct Netflix account.
Now he's worried the hackers will launch a "fresh attack" that will see his finances compromised even further.
Tsui believes the fraudsters broke into his various accounts after obtaining his data illegally.
"I think somehow my passwords got compromised, as Chrome gave me an alert saying, 'You have been involved in a data breach,'" he said.
His Virgin account was hacked on a Sunday and staff warned him they wouldn't be able to do anything about it until the Monday.
He could see that the hacker had redeemed a stay in a Balinese hotel, called the Hamsa Bali resort, just five hours earlier.
"It was a really dingy hotel – if you paid for it in Australian dollars, it would be $30 a night," he said.
288,000 points were taken out in one day.
He's unsure why the hacker tried to use his points in this way, especially as they would need ID to confirm the hotel booking.
The Brisbane resident suspects they were "trying to cause havoc" and potentially even test out his password.
Virgin staff froze the account to stop points from being redeemed. It is still frozen, although his points were recovered.
But a month later, the nightmare continued, with the cyber criminals then stealing thousands of dollars from his Commonwealth Bank account.
In April, Tsui received a strange email from the Commonwealth Bank saying someone had logged into his account.
Daniel Tsui has been enduring three months of cyber breaches.
At the time he was getting his home loan refinanced and thought it had to be something to do with that.
"I thought maybe the bank manager had set up a new account," he said.
As it was a public holiday, he waited for 24 hours then contacted the bank.
"The next day I just forwarded the message about the new account and asked the person if she had opened the account in preparation for the home loan.
"She said, 'No that wasn't me.'"
With his concern growing, Tsui combed through his bank accounts and discovered that $13,500 had been transferred out of his offset account.
Luckily, he caught it in time, notifying his bank, changing his password and blocking the transaction.
But later that month, the hackers struck again.
At the end of last month, Tsui noticed some strange payments to his bank account.
PayPal had sent him payments of 10c and 20c.
"When I saw those transactions, I thought they had hacked into my account again," he said.
It turned out the small payments are how PayPal authorises a new trusted bank account to be added to a profile.
"There must have been a delay from PayPal otherwise they [the hackers] could have quickly established the verification of the account and started cycling money out," he said.
Although Tsui has changed all his passwords, the hackers continue to plague him.
Just last week, a Netflix account he shut down years ago was reinstated.
"I don't have an active subscription, they were able to reinstate the account," he said.
"They'll probably just by chance try common things that people sign up to."
He is now on high alert for any other accounts the hackers might try their luck on.
- by Alex Turner-Cohen, news.com.au