Another year, another scam. While data driven crime is more sophisticated and difficult to address than ever, human error and judgement remains one of the major problems.
The latest data breach report from the Office of the Australian Information Commissioner (OAIC) is surprising for the simplicity of the problems – 37% of data beaches resulted from human error not malicious attack. In over 20% of reported cases, personal information was simply sent to the wrong recipient. Another 6% of complaints were attributed to system faults.
Remember, hackers can gain access to your business’s data simply by a staff member clicking on a link.
While not impacting personal data, according to the ScamWatch, a common scam is where hackers gain access to a business’ email accounts, or ‘spoof’ a business’ email so their emails appear to come from the company. The hacker then sends emails to customers claiming that the business’s banking details have changed and that future invoices should be paid to a new account. These emails look legitimate as they come from one of the business’s official email accounts. Payments then start to flow into the hacker’s account. The average loss from these scams is around $30,000.
A variation is where the hacker sends an email internally to a business’ accounts team, pretending to be the CEO, asking for funds to be urgently transferred to an off-shore account. Hackers can also request salary or rental payments be directed to a new account.
In 2018, these scams cost Australian business $30 million in 2018.
Simple measures you can take:
- Have strong and enforced processes in place for the management of personal client information.
- Strong authorising procedures for payments – two-step authority.
- Change passwords often and use two-step authentication where available.
- If a client’s bank details have changed, phone them and check the details.
- Train your team on cyber security:
- Check requests for payments that arrive electronically from other team members and management.
- Check email addresses are legitimate – look for slight variations.
- Be suspicious of poorly written emails.
- Don’t click on links from email – always use your account with the supplier or Government department to check details.
- If contacted by the ATO, contact us to verify the information if you are concerned.
The Australian Taxation Office (ATO) has warned about the emergence of a scam where “…scammers are using an ATO number to send fraudulent SMS messages to taxpayers asking them to click on a link and hand over their personal details in order to obtain a refund.”
The refund scam follows a more sinister four phase scam stating there is a warrant out for your arrest for unpaid taxes in prior years. The scam starts with a text message purportedly from the Australian Federal Police (AFP). Within minutes, your mobile rings and the caller identifies themselves as being from the AFP and working with the ATO. They then ask for your accountant’s details. You then receive a call purportedly from your ‘accounting firm’ asking you to verify the AFP/ATO claims. Finally, you are provided with a way, if you act quickly, to make the AFP go away by paying a fee before your ‘imminent arrest’.
The ATO states that it will not:
- send you an email or SMS asking you to click on a link to provide login, personal or financial information, or to download a file or open an attachment;
- use aggressive or rude behaviour, or threaten you with arrest, jail or deportation;
- request payment of a debt via iTunes or Google Play cards, pre-paid Visa cards, cryptocurrency or direct credit to a personal bank account; or
- request a fee in order to release a refund owed to you.
A new phishing scam sent text messages purportedly from Medicare advising the recipient that they are owed a $200 rebate from Medicare. Once the person clicks on the reclaim link, they are asked to provide their personal details including bank account details for the ‘rebate.’