Helping you keep your business safe from scams


Scammers are stealing millions of dollars from Australian businesses every year. Their targets are often the busy people running day-to-day operations – the people who pay invoices and answer emails and calls.

Whether you’re running your own business, part of a large organisation, or working in a small business, taking the time to educate yourself and your team about scams is key to ensuring your business stays protected.

In 2022 alone, Australian businesses lost more than $23 million to scams, with nearly 4,000 reports filed with Scamwatch, the Australian Competition and Consumer Commission (ACCC) scam watchdog.1

Scammers are becoming increasingly sophisticated in their approaches, but there are still many red flags that can give their game away – and simple steps you and your team can take to protect your business.

It’s important for businesses to educate their team about what to look for and how to respond to suspicious activity, focusing on prevention and detection, and to promote cyber-safe behaviours within the business.

01 Business email compromise and payment redirection

Business email compromise (BEC) scams – sometimes referred to as payment redirection – have the largest impact on Australian businesses. This scam involves a criminal impersonating someone within your business or an external party, such as a vendor, asking you to make a payment.

BEC attacks will ask the email recipient to pay a fraudulent invoice or update banking details so that payments being made to a legitimate business are redirected to the scammer’s accounts instead.

These scams can be very sophisticated. Scammers may closely copy the email address and email layout of the person they’re impersonating. In most cases, they’ll use a legitimate email address they’ve gained access to and forward fraudulent account details to the recipient.

Red flags

  • Scammers will try to create a sense of urgency and ask that payments or account detail changes be made immediately.
  • Fraudulent emails are often written in a different tone of voice, and the spelling and grammar may not be consistent with legitimate emails.
  • ‘Spoofed’ email addresses are a common sign of a BEC scam. These addresses look like a genuine email address at first glance, but on closer inspection may include slight discrepancies, such as a misspelt name or a different domain.

Security tip

It’s important to always double-check any payment request, or any request to change payment details, before acting on it. You can do this by confirming the request over the phone using a number you have verified in the past, and by introducing a dual authorisation system for payments. Remember to only call numbers you have verified yourself, as scammers may include their own phone number in a scam email.
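As an added illustration of the ‘spoofed’ sender red flag above (example code written for this page, not part of the Macquarie article), the check below compares an inbound sender against a small vendor allow-list and flags near-identical addresses, look-alike characters, and a familiar display name on an unfamiliar address. The vendor addresses and sample senders are constructed.

```python
# Added example for this article (not Macquarie's code): flag inbound sender
# addresses that merely resemble a vendor you pay. Vendor list and sample
# senders are constructed for illustration.
from difflib import SequenceMatcher

# Constructed allow-list: address -> display name of the contact you actually pay.
TRUSTED_SENDERS = {
    "accounts@acme-supplies.example": "ACME Supplies Accounts",
    "billing@northwind.example": "Northwind Billing",
}

# Characters that read alike in many fonts (digit zero for o, one for l, ...).
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})


def normalise(addr: str) -> str:
    """Lower-case, trim, and fold look-alike characters ('rn' reads as 'm')."""
    return addr.strip().lower().replace("rn", "m").translate(HOMOGLYPHS)


def similarity(a: str, b: str) -> float:
    """Ratio in [0, 1]; two strings one character apart score about 0.95."""
    return SequenceMatcher(None, a, b).ratio()


def assess_sender(display_name: str, address: str) -> tuple[str, str]:
    """Return (verdict, reason); verdict is 'trusted', 'lookalike' or 'unknown'."""
    addr = address.strip().lower()
    if addr in TRUSTED_SENDERS:
        return "trusted", "exact match to vendor list"
    folded = normalise(addr)
    for trusted, name in TRUSTED_SENDERS.items():
        # Identical once look-alike characters are folded (acrne -> acme).
        if folded == normalise(trusted):
            return "lookalike", f"visually similar to {trusted}"
        # Near-identical address: one or two characters changed or added.
        if similarity(addr, trusted) >= 0.9:
            return "lookalike", f"one or two characters away from {trusted}"
        # A familiar display name on an address that is not the vendor's.
        if display_name.strip().lower() == name.lower():
            return "lookalike", f"display name of {trusted} on a different address"
    return "unknown", "not on vendor list; verify out of band before paying"


if __name__ == "__main__":
    for name, addr in [("ACME Supplies Accounts", "accounts@acrne-supplies.example"),
                       ("Northwind Billing", "nw.billing@freemail.example")]:
        print(addr, "->", *assess_sender(name, addr))
```

A ‘lookalike’ or ‘unknown’ verdict is a prompt to verify by phone on a known number, not a reason to reply to the email.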

02 Bank impersonation scams

Impersonating bank staff is a common tactic for scammers. Usually, bank impersonation scams involve an unexpected phone call from someone claiming to work for your business’s bank. They will say there’s some kind of problem with your account and you need to take urgent action to protect your money.

For example, the impersonator may claim there’s been a fraudulent transaction on your account that needs to be cancelled, or that someone is attempting to steal money from the account and your money needs to be placed into a new account.

Red flags

  • Scammers will call unexpectedly and create a sense of urgency or stress, exploiting your emotions to force a security error.
  • Bank impersonation scammers will often ask for login details or passwords, claiming they need this information to protect your account. Remember that Macquarie will never ask you for these details.
  • Scammers may also ask you for information about who in the business can authorise payments or coerce you to create and approve transfers for them.

Security tip

Never share your banking credentials or identification information with anyone. If you’re unsure about the legitimacy of a call from your bank, hang up and call the bank using a trusted phone number instead of the one you received the suspicious call from. You can also further enhance your account security by introducing dual authority on your accounts.

03 Remote access scams

Remote access scams work in a similar way to bank impersonation scams. The scammer will contact their target, often posing as a telecommunications or IT professional who has identified a problem with the target’s device.

Scammers may contact their target through a phone call or even using pop-ups that claim there’s a virus on the device or an issue with your IP address. Pop-ups may include a prompt to call a phone number to have the virus removed.

The scammer will claim they can fix the problem but will coerce their target to download and install remote access software and grant them access to the device. They may also ask the target to log into their online bank account or confirm security codes.

Throughout this process, scammers will often use complex phrases and technical jargon to both build trust with their target and create a sense of urgency.

The scammer may charge a fee to ‘fix’ the problem they claim to have found on their target’s device.

Red flags

  • Unsolicited calls or pop-ups telling you there’s a problem with your device, asking you to download remote access software. The caller may be from a company you don’t have any services with.
  • Remote access scammers can be pushy and may even become annoyed or angry if you don’t follow their instructions or act fast enough. A lack of professionalism can be an indicator of a scam.
  • Scammers will often make unexpected or unusual requests, such as asking you to log in to banking apps or make payments.

Security tip

Never give unsolicited callers remote access to your computer, phone, tablet or any other devices, even if they claim to be from a reputable business.

04 Malware and ransomware

Malicious software, also known as ‘malware’, can be used to spam users with ads, redirect hyperlinks to fraudulent websites, and steal a user’s personal details or credentials on a device.

Typically, malware is downloaded and installed accidentally by people clicking on links in phishing emails, or opening email attachments from untrustworthy sources or online ads.

Some of these programs can encrypt files and lock users out of their own devices until a ransom is paid. This subset of malware programs is referred to as ‘ransomware’.

Ransomware programs will commonly demand that the ransom be paid by a predetermined date, after which the target’s files will be deleted or leaked online.

Red flags

  • Free downloads from questionable sites can be a gateway for malware and ransomware to infect your computer. Avoid visiting unsafe websites, and you should never download anything from websites you don’t completely trust.
  • Unusual email attachments (or attachments from email addresses you don’t recognise) can contain malware and should never be opened. Malware can be attached to almost any file type including .pdf, .doc, .jpeg, and .exe.
  • Unfamiliar pop-up messages, files refusing to open (or requesting a password), documents and folders you don’t recognise appearing on your device, or files showing up in wrong locations.

Security tip

In addition to using good antivirus software, it’s important to check for vulnerabilities and apply patches regularly. This means deploying software updates and having all users update their devices regularly. Keep backups of files off the network so that they’re safe from ransomware.

05 Phishing, smishing and vishing

Phishing is a common tactic used by scammers to capture personal information over email. This is done by sending out legitimate-looking emails encouraging their target to click a link, and provide personal details such as banking credentials, credit card or ID numbers.

In doing so, the target is handing over the information a scammer needs to steal their identity or drain their bank accounts.

Scammers may also do this through SMS (smishing) and even phone calls (vishing – short for ‘voice phishing’).

Smishing attacks operate almost identically to phishing attacks, except via SMS.

Vishing attacks start with an unsolicited phone call – sometimes this will be from a pre-recorded voice, sometimes from someone using text-to-voice technology to disguise their identity, and other times from the scammer themselves.

Scammers go to great lengths to make their messages look legitimate, duplicating email and SMS layouts, using computers to spoof phone numbers, and sometimes recording phone calls with legitimate businesses to play back to their targets.

Red flags

  • Emails and SMS with an urgent call to action, prompting you to click a link to provide information.
  • Links or messages that look unusual. Watch out for small things like impersonal greetings that leave out your proper name, or unusual requests for information.
  • Vishing scammers may threaten their targets with police or regulatory action unless their instructions are followed.

Security tip

If you have any doubts about the authenticity of an email, SMS or phone call, don’t click on any links. If you find yourself on a suspicious phone call, just hang up.

It’s safer to ignore questionable communications and independently confirm they are legitimate than to take a chance on something that doesn’t feel right. Navigate to apps and websites directly via their known address, rather than through a link provided in an SMS or email.


Stay up to date with current scams

Scams are constantly evolving and the best way to protect yourself and your business is by staying up to date. Make sure you understand what the threats are and what to look out for.

You can find detailed information about scams and how to respond to them on the Australian Government’s Scamwatch website and via our dedicated business security hub.

Have good digital hygiene

Focus on prevention and promote cyber safety in the workplace. You may like to talk to your insurance provider about cyber insurance.

Keep your staff up to date with known threats, train them on the red flags to watch out for, and introduce phishing simulations to test them. 

Use long and strong passwords and introduce multi-factor authentication wherever possible.

Use reliable anti-virus software and firewalls and update them as required. These updates enable your software suite to identify and respond to threats more quickly.

Take time to pause, process, proceed

Your offline behaviour is also important. Trust your instincts. If something doesn’t feel right, pause for a moment, take time to process and double-check everything.

  • Are there any red flags?
  • Does this request make sense? Were you expecting it or has it come out of the blue?
  • Do the contact details, language, grammar, and spelling match those of past messages or phone calls?

If you’re being asked to make a payment, update banking details or provide sensitive information, try calling the other party using a phone number you trust before acting. 

Pause and process the information before deciding whether to proceed. 

Report scams to authorities

If you’ve been contacted by a scammer, through any communications channel, always report it to your bank and the police. You can also report it on the Scamwatch website.

Visit our business security hub to learn more about scams and find helpful information to help you stay protected.

Additional Information

Footnotes

1 Scamwatch, ‘Targeting scams 2022’, Australian Competition and Consumer Commission, April 2023, accessed 25 August 2023

Disclaimer

This article has been prepared by Macquarie Bank Limited ABN 46 008 583 542 AFSL and Australian Credit Licence 237502. It doesn’t take into account your objectives, financial situation or needs, nor is it intended as a substitute for any accounting, tax or other professional advice, consultation or service – please consider whether it’s right for you. Before making any financial investment decision or a decision about whether to acquire a product, a person should obtain and review the offer documents relating to that product and also seek independent financial, legal and taxation advice. We do not accept any liability whatsoever for any direct, indirect, consequential or other loss arising from any use of the information in this article. We make no guarantee concerning the accuracy of data and information contained on third party websites. The information in this article was finalised on 18 September 2023.