When Your Identity Is Under Attack: A Practical Playbook for Aussies

25 September 2025 4 min read By markus

We use online services for everything from banking and shopping to health and government interactions. But when someone starts abusing your Personally Identifiable Data (PID) by trying to open accounts, reset passwords or take out loans in your name, it can quickly turn into a nightmare. With plenty of data available on both the public internet and the dark web, including PID stolen in data breaches at some of Australia's biggest corporate names, this is a real threat to most Australians. This playbook will help you recognise the warning signs, show you how to lock down your accounts, and put robust protections in place.

1. Spot the Warning Flags

  Keep an eye out for any of these signs that someone may be using or abusing your identity:
  • Unsolicited login alerts (e.g. “New device signed in to myGov”)
  • Verification or activation codes you didn’t request—from BNPL services (Afterpay, Zip, Klarna, Humm, LatitudePay), utilities, Google, Apple, Microsoft, etc.
  • “Welcome” or password-reset emails for accounts you never opened (Etsy, Amazon, Gumtree, Airbnb, Woolworths Rewards, Coles Flybuys, Qantas FF, Myer One, David Jones)
  • SMS or emails about missed payments or new credit-check requests (ATO, banks, telcos)
  • Notices of new credit cards, loans or store accounts in your name
  • Post being redirected or “no-longer-at-this-address” letters you didn’t authorise
  • Social-media friend requests or calls from strangers claiming to know you
  • Calls or letters from debt collection agencies for purchases you never made
 

2. Immediate Response

 
  1. Stop. Don’t reply to or enter any unsolicited codes or messages. NEVER CLICK LINKS.
  2. If messages come from a specific service, attempt to log in from a well-protected computer or your mobile phone. If you can, change your password immediately.
  3. If locked out, use the service’s “I’ve been locked out” or account-recovery process—and alert their fraud/security team.
  4. Document everything: Dates, times, screenshots of messages or emails.
 

3. Lock Down Your Accounts

 
  • Adopt a password manager (1Password, Bitwarden, LastPass) to generate and store unique, strong passwords.
  • Enable multi-factor authentication (MFA) on every account that holds payment details or sensitive data. Prioritise and work through in this order:
    ◦ Financial & shopping: Bank apps, PayPal, Afterpay, Zip, Klarna, Humm, LatitudePay, Amazon, Etsy
    ◦ Government & utilities: myGov/Centrelink, ATO, electricity/gas portals
    ◦ Telcos: Telstra, Optus, Vodafone
    ◦ Loyalty & rewards: Woolworths Rewards, Coles Flybuys, Qantas Frequent Flyer, Myer One
    ◦ Identity hubs: Apple ID, Google Account, Microsoft 365, iCloud, Dropbox
  • Review and update all recovery options—secondary email, mobile number, security questions—and make sure they are up to date and private to you only.

4. Notify & Harden Critical Services

myGov/ATO
  • Log in, go to “Manage your sign-in devices” and remove unfamiliar sessions.
  • Call the ATO’s fraud line on 1800 467 033. Ask to add extra security flags to your file.
Banks & Credit Cards
  • Ring your bank’s 24-hour fraud hotline. Request card freezes or replacements and ask them to place a fraud alert on your file.
Telcos
  • Contact Telstra, Optus or Vodafone customer service and request a “port-out freeze” or “SIM-swap block.” This prevents anyone from transferring your number without your consent.
BNPL & Utilities
  • Reach out to each provider’s fraud team. Ask them to mark your account as “high-risk” and require extra verification for any changes.

5. Credit Monitoring & Loan-Block (Credit Ban)

  Australia’s three credit bureaus let you lock your file so no new credit can be opened. During a ban, lenders can’t access your credit file, so no one can take out a loan in your name unless you lift it.

  Also, check your free credit report from each bureau once every 12 months to spot unauthorised enquiries.

6. Ongoing Monitoring & Prevention

 
  • Review bank, credit-card and utility statements weekly.
  • Subscribe to dark-web monitoring for your email addresses (e.g. HaveIBeenPwned.com).
  • Turn on automated activity alerts wherever possible (many banks and apps offer push or SMS notifications).
  • Keep your devices patched, use reputable antivirus/anti-malware, and avoid public Wi-Fi for sensitive transactions.
 

7. Additional Resources & Support

Safeguarding your identity takes effort and requires strong credentials and proactive monitoring. By following this playbook, you’ll greatly reduce the chances of a criminal exploiting your personal details, and you’ll be ready to act if they try.