Could PayID Be Exposing Your Identity?
— payid, phishing, privacy, osint — 3 min read

PayID is designed to make banking easier by confirming the identity of the person you’re sending money to in real time. This can help reduce scams and prevent you from accidentally sending money to the wrong person if you mistype an account number.
A PayID is a unique identifier you can select that links to your bank account. Many people elect to use their email address or mobile number as this identifier. Others can send money to you using just your PayID, instead of your BSB and account number, which is more convenient. The PayID website states that it’s up to your bank to verify that you own the mobile number or email address you’re registering, but it doesn’t explain exactly how banks should do this (https://www.auspayplus.com.au/brands/payid-faqs). There appears to be no clear, publicly accessible standard, so verification processes might vary between banks.
While PayID helps reduce financial fraud, it also opens up new privacy risks through open-source intelligence (OSINT). OSINT uses publicly available information to build a profile of someone, and that profile can then be used to cause harm.
When you give out your mobile number or email address to a third party, you might expect some level of privacy. This could happen when signing up for a newsletter, entering a competition, looking at a property for sale, or buying and selling things online.
By using PayID through online banking, anyone can easily enter a mobile number or email address to check whether it’s linked to a real person. If it is, they’ll likely be shown the person’s full name, and from there they can cancel the payment and try again with more numbers or email addresses.
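As an added illustration of the lookup-and-abandon pattern just described (example code written for this page, not from the original post and not any bank's real system), here is a small check a bank could run over its own PayID lookup logs to spot sessions that query many PayIDs without ever paying. The log format, the event names and the threshold are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample of bank-side PayID lookup events (hypothetical format).
# Fields: timestamp, session id, event (LOOKUP or PAYMENT), PayID queried.
SAMPLE_LOG = """\
2024-05-01T09:00:01 sess-A LOOKUP 0412000001
2024-05-01T09:00:04 sess-A LOOKUP 0412000002
2024-05-01T09:00:07 sess-A LOOKUP 0412000003
2024-05-01T09:00:09 sess-A LOOKUP 0412000004
2024-05-01T09:00:12 sess-A LOOKUP 0412000005
2024-05-01T09:00:15 sess-A LOOKUP 0412000006
2024-05-01T09:05:00 sess-B LOOKUP jane@example.com
2024-05-01T09:05:20 sess-B PAYMENT jane@example.com
2024-05-01T09:10:00 sess-C LOOKUP 0412000009
2024-05-01T09:10:30 sess-C LOOKUP 0412000009
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (LOOKUP|PAYMENT) (\S+)$")


def parse_events(text):
    """Parse log lines into (timestamp, session, event, payid) tuples; skip malformed lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(m.groups())
    return events


def flag_enumeration(events, max_unresolved=5):
    """Return session ids that looked up more than max_unresolved distinct PayIDs
    without completing a payment to them. Repeated lookups of one PayID count once,
    so a user re-checking a single recipient is not flagged."""
    looked = defaultdict(set)
    paid = defaultdict(set)
    for _ts, sess, kind, payid in events:
        target = looked if kind == "LOOKUP" else paid
        target[sess].add(payid)
    return sorted(s for s, ids in looked.items() if len(ids - paid[s]) > max_unresolved)


if __name__ == "__main__":
    print(flag_enumeration(parse_events(SAMPLE_LOG)))  # ['sess-A']
```

A flagged session is a candidate for rate limiting or step-up verification, not proof of abuse on its own.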
How Could This Be Used to Attack You?
Here are a couple of scenarios:
- A marketer or salesperson could use PayID to gather information about potential customers (like you). Let’s say you gave your first name and mobile number when requesting a quote for a service, trying to keep your details private. But if someone uses PayID to look up your number, they might get your full name, which could then be linked to your social media profiles like LinkedIn. They could use that info for targeted marketing or even annoying sales tactics.
- Maybe you gave your number and first name to someone you met on a night out, but things took a weird turn, and you ended up blocking them. A few days later, they’ve used your mobile number to find your full name through PayID and tracked down your social media profiles, and are now pursuing you there.
Phishing and Spear Phishing
Phishing is when scammers pretend to be someone else to trick you into giving them sensitive information. Spear phishing is a more targeted version, where scammers use personal details to make their messages more convincing. A generic scam email or text isn’t as effective as one that includes your full name. Personalising a message makes it feel more legitimate and can increase the chance of the scam working. People usually spot a scam because the message is poorly written and lacks personal details, but if you receive an email or text that includes both your first and last name, you might second-guess yourself.
So, it’s reasonable to assume that exposing your identity through PayID can put you at risk, especially when you think your information is protected.
How Can You Protect Yourself?
Here are some ways to reduce the risk:
- First, avoid using your personal mobile number as your PayID if you can. Many banks let you use your email address as your PayID, which is a good option. For example, if your name is John Smith and your email is john.smith123@gmail.com, you’re not revealing much beyond what’s already in your email address. This way, you get the benefits of PayID without exposing any further personal details.
- If you’d prefer your email address to stay private, consider creating a separate email address just for PayID, one you’re happy to share.
PayID is a great tool for building trust in bank transactions. What seems like a harmless, useful feature can introduce risks. And unfortunately, cybercriminals are always looking for ways to exploit these types of situations.