It’s not often these days that bank transactions involve mere cents — and a tiny transaction could in fact be a cause for alarm.
When one Sydney-based ING customer spotted a “charge for $0.00” beside an unrecognised company name on their statement last week, they immediately sprang into action and cancelled their card.
They had stopped a payment authorisation scam in its tracks — but experts say thousands of Australians could be at risk of similar attacks.
Watch the latest news and stream for free on 7plus >>
“I was checking my ING account and saw a pending/holding charge for $0.00 from Jet Frog BR. (I had) never heard of them, nor had (I) ordered anything at the time of the charge,” the anonymous Sydney netizen wrote on Reddit.
“ING were really quick to cancel the card and are organising a new one, but it seems they’ve had a few calls like this recently.”
Mary fell in love with a man she met online. A video he sent her set off alarm bells
Powerball prize soars to $150 million – but how fair is the draw?
NordVPN cybersecurity expert Adrianus Warmenhoven told 7NEWS.com.au that if the customer hadn’t cancelled the card, the empty charge would likely have been followed by several larger debits.
“Jet Frog is associated with a scam, where criminals firstly use stolen payment card details to test the validity of your card by charging a very small amount of money or not charging the user at all, but kind of authorising validity of the card,” Warmenhoven said.
“If it’s successful, later on, they proceed to make unauthorised charges, usually charging a larger amount of money but often still relatively low so as not to attract a user’s attention to be able to suck money as long as possible.”
The scam is not new. Reports of Jet Frog payment authorisations surfaced internationally two years ago, with one netizen claiming an unauthorised charge for a $1000 necklace followed the initial $0.99 debit.
The Sydney-based ING customer shared a screenshot of the Jet Frog transaction from their bank statement. Credit: AAP Images/Reddit
The compromised ING customer said they usually use Apple Pay and clarified “the physical card has hardly even been used”.
“I still can’t figure out where the compromise has come from,” they said.
While it’s unclear how the card was compromised, Warmenhoven said fraudsters usually buy credit card numbers on the dark web.
He cited a NordVPN study which found 65,000 stolen Australian payment cards for sale — each for less than the price of a pint of beer.
“In the past, experts linked payment card fraud to brute force attacks — when a criminal tries to guess a payment card number and CVV in order to use their victim’s card,” he said.
“However, 58 per cent of the cards we found during our research were sold alongside the email and home addresses of their victims, which are impossible to brute force.
“We can therefore conclude they were stolen using more sophisticated methods, such as phishing and malware.”
ING told 7NEWS.com.au it was already in the process of reviewing the suspicious transaction when the customer flagged it.
“We continually monitor accounts for suspicious and fraudulent activity. As in this instance, we spotted the transaction, cancelled the customer’s card and reissued them with a new one,” it said.
“While we do everything we can to protect customers from fraud, we also encourage customers to diligently review their transaction records and contact us immediately on 133 464 if they ever spot anything that doesn’t seem right.”
The problem is not with ING alone — several of Australia’s big banks are aware of the Jet Frog scam and have reported dodgy authorisation transactions in customer bank accounts, 7NEWS.com.au understands.
It’s understood details of the scam have been communicated between the banks but no major losses have been reported from the Jet Frog scam in Australia.
Tips to protecting your card details
Other than keeping an eye on your transactions, Warmenhoven said: “People should take steps not to lose their bank card information in the first place.”
Here are some ways he advises people can remain vigilant:
Use impenetrable passwords: Different passwords for each account are the best, and store your passwords in an encrypted password manager. Make sure your passwords consist of at least 20 letters, numbers, and symbols.
Download your bank’s app: Use it to track your money, paying particular attention to any unusual deductions. Some apps will notify you of every transaction in real time — just make sure to look.
Respond to data breaches: Change your username and password immediately if a company says your details were involved in a data breach. If you’ve used the same one elsewhere, change it there too.
Use anti-malware software: Anti-malware software will ensure you do not download malicious files to your device and will protect you from information-stealing viruses.