💸 Behind the Headlines: Understanding How One Couple Lost $800,000 to a Scam

Imagine you're closing on a dream home or finalising a big project for your business.

You receive an invoice, make the payment, and think all is settled.

But then, you get a call about an unpaid bill.

Suddenly, you realise that the payment went not to your real estate agent or supplier but straight into a scammer’s pocket.

That's exactly what's happening more frequently across Australia, as fake invoice scams gain traction.

Last year, Australians reported a staggering $16.2 million lost to these cunning payment redirection scams. The scale of the losses is eye-opening, with one couple alone losing over $800,000 during a property settlement.

📑 What's the Deal with Invoice Scams?

Here's how it works: scammers impersonate real businesses by sending fake invoices to customers they've recently dealt with.

These invoices might look legit at first glance, but they've got one crucial difference—the payment details have been changed to redirect the money straight into the scammers' pockets.

Sometimes, they use compromised email accounts from the business, or they set up email addresses that look eerily similar to the real thing.

The worst part? Victims often don't realise they've been scammed until the actual business contacts them to say, "Hey, where's our money?"

🎯 Who's at Risk?

The ACCC (Australian Competition and Consumer Commission) reports that these scams typically target customers of businesses that send out big invoices regularly—think real estate, legal firms, and construction companies.

But scammers are branching out. Even customers of travel companies and car dealerships are getting hit.

There's a case where a couple lost over $800,000 while finalising a property settlement because they trusted a fraudulent email from their solicitor's email address.

Another Australian man lost more than $35,000 after scammers compromised the email account of the car dealership he was buying from. He paid the deposit through the dealership's official website, but the follow-up invoice he received was fake.

🛡️ Safeguarding Your Business

To dodge this trap, one simple rule is golden: verify, then pay.

Before making substantial payments, take a moment to confirm the invoice details directly with the business. And always use contact information you've sourced independently, not what’s on the suspicious invoice.
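As an added example that is not part of the original post, here is what "verify, then pay" looks like as a pre-payment check: it flags the two tell-tale signs described above, a sender address that merely resembles the supplier's and bank details that differ from what was confirmed independently. The vendor register and invoices are constructed sample data, and the two-character edit-distance threshold is an assumption.

```python
"""Pre-payment invoice check: compares an incoming invoice against vendor
details that were confirmed out-of-band (e.g. by phone), never against the
invoice itself. Constructed example data throughout."""
import re
import unicodedata

# Constructed vendor register: domain and bank details verified independently.
VENDORS = {
    "solicitor": {"domain": "smithconveyancing.com.au", "bsb": "062-000", "account": "12345678"},
    "dealer": {"domain": "citymotors.com.au", "bsb": "013-200", "account": "98765432"},
}
LOOKALIKE_MAX_DISTANCE = 2  # assumption: 1-2 character changes mean a look-alike domain


def normalise_domain(addr: str) -> str:
    """Lower-case the domain part, fold compatibility look-alikes (e.g. fullwidth
    letters) to ASCII and drop anything that is still non-ASCII."""
    domain = addr.rsplit("@", 1)[-1].strip().lower()
    return unicodedata.normalize("NFKD", domain).encode("ascii", "ignore").decode()


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance between two strings (standard dynamic programming)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_invoice(vendor_key: str, sender: str, bsb: str, account: str) -> list[str]:
    """Return reason codes for holding the payment; an empty list means the
    sender and bank details both match the independently verified register."""
    vendor = VENDORS[vendor_key]
    reasons = []
    domain = normalise_domain(sender)
    if domain != vendor["domain"]:
        if edit_distance(domain, vendor["domain"]) <= LOOKALIKE_MAX_DISTANCE:
            reasons.append("lookalike-domain")
        else:
            reasons.append("foreign-domain")
    digits = lambda s: re.sub(r"\D", "", s)  # compare BSBs without hyphens or spaces
    if digits(bsb) != digits(vendor["bsb"]) or account.strip() != vendor["account"]:
        # A genuine (compromised) mailbox still gets caught here: the changed
        # payment details are what actually redirects the money.
        reasons.append("bank-details-changed")
    return reasons
```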

If the worst does happen and you suspect a scam, acting swiftly is crucial. Contact your bank and Scamwatch immediately to report the incident and seek help.

🔒 Reflection for Your Business

This surge in invoice scams is a jolting reminder of the vulnerabilities in digital transactions.

How secure are your current practices?

When did you last review your transaction security protocols?

Discussing these questions with a tech partner can not only reinforce your defences but also transform your approach from reactive to proactive, ensuring your business remains secure and trusted.

It's not just about safeguarding assets—it's about fostering trust and credibility in every transaction you make.

Let's take this as a call to action to review, refine, and reinforce our business practices against such deceptive threats.

Optus Data Breach – The Latest Advice on What You Should do if You’ve Been a Victim

What data was stolen?

According to Optus, the stolen data includes:

  • names

  • email addresses

  • postal addresses

  • phone numbers

  • dates of birth

  • passport numbers

  • driver’s licence numbers

  • Medicare numbers

Contrary to some reports, passwords and financial information were not stolen.

However, this is a great opportunity for you to do some “spring cleaning” and improve your password and cybersecurity hygiene.

Firstly, get yourself a password manager, such as LastPass, so that you can not only store all your passwords securely but also use the manager to:

  • Check how secure your passwords are

  • Ensure you’re using unique passwords for every site or service you’re subscribed to

  • Check to see if your email address(es) or commonly used passwords have ever been involved in a known breach. You can also check this at Have I Been Pwned.

DON’T make up your own passwords.

Password managers create random, unique passwords, and let you set the complexity and length.

We recommend:

  • Upper and lowercase characters

  • Numbers

  • Symbols (not all sites allow this)

  • 20 characters (not all sites allow passwords this long)

Set a complex but easy-to-remember master password for your password manager.

We recommend a sentence with upper and lowercase, numbers and a symbol. E.g. ILoveParisInSpring2022! is a strong password.
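As an added example (not code from the original post), the generator below produces passwords meeting the recommendations above (upper and lowercase, numbers, symbols, 20 characters) from the operating system's CSPRNG, the way a password manager does, and the checker reports which recommendations a given password misses, including the sample master password above. The symbol set and the switches for sites that reject symbols or long passwords are assumptions.

```python
"""Policy-driven password generation and checking. The symbol set is an
assumption: a conservative selection that most sites accept."""
import secrets
import string

SYMBOLS = "!@#$%^&*()-_=+[]{};:,.?"


def policy_gaps(password: str, min_length: int = 20, require_symbol: bool = True) -> list[str]:
    """Return the recommendations the password fails; empty means it meets all of them.
    require_symbol=False models sites that do not allow symbols."""
    gaps = []
    if not any(c.isupper() for c in password):
        gaps.append("no uppercase")
    if not any(c.islower() for c in password):
        gaps.append("no lowercase")
    if not any(c.isdigit() for c in password):
        gaps.append("no number")
    if require_symbol and not any(c in SYMBOLS for c in password):
        gaps.append("no symbol")
    if len(password) < min_length:
        gaps.append(f"shorter than {min_length}")
    return gaps


def generate_password(length: int = 20, allow_symbols: bool = True) -> str:
    """Random password containing at least one character from every allowed class.
    One character is drawn from each class to guarantee coverage, the remainder
    from the combined pool, and the result is shuffled with the same CSPRNG so
    the guaranteed characters do not sit in predictable positions."""
    classes = [string.ascii_uppercase, string.ascii_lowercase, string.digits]
    if allow_symbols:
        classes.append(SYMBOLS)
    if length < len(classes):
        raise ValueError("length too short to include every character class")
    pool = "".join(classes)
    chars = [secrets.choice(cls) for cls in classes]
    chars += [secrets.choice(pool) for _ in range(length - len(chars))]
    secrets.SystemRandom().shuffle(chars)  # CSPRNG-backed shuffle, unlike random.shuffle
    return "".join(chars)
```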

For any sites or services you’ve subscribed to that offer multi-factor authentication for your online accounts, turning this on is a must. Only certain sites force multi-factor authentication on you, such as financial accounting packages like Xero and MYOB.

For any others, the best thing to do is to Google “How to turn on multifactor for %INSERT SERVICE HERE%” and you should be able to find an FAQ page for that service explaining how to enable it.

This is your first line of defence!

Now, not all multi-factor authentication is created equal. Some methods are more secure than others: for example, getting a code sent to your email or an SMS to your mobile is not recommended. This is worth a separate post. Watch this space!

However, some sort of MFA is better than nothing.  

What Else Should You Do?

Contact your local Road and Traffic Authority

The New South Wales, Victoria, Queensland, and South Australia governments have started clearing bureaucratic hurdles for anyone who can prove they are victims of the hack.

Each state has different laws and processes, so be sure to check out your local Road and Traffic Authority website for more information.

VIC - Information regarding Optus breach (VicRoads)

NSW - https://www.service.nsw.gov.au/optus-breach

QLD - https://www.qld.gov.au/transport/licensing/update/change-your-customer-reference-number

SA - https://service.sa.gov.au/news?a=1112633

ACT - https://www.accesscanberra.act.gov.au/s/article/Information-about-the-Optus-data-breach

WA - https://www.transport.wa.gov.au/aboutus/37546_48564.asp

TAS - https://www.service.tas.gov.au/services/me-and-my-identity/personal-information-card/impacted-by-the-recent-optus-cyberattack

Medicare

All the customers who have an unexpired Medicare card will be contacted by Optus. There are a further 22,000 expired Medicare card numbers that were exposed, and the holders of those cards will also be contacted directly. It's worth noting that Optus says personal information cannot be accessed using just a Medicare number.

Credit Reporting

Optus is providing one year of Equifax’s free credit reporting, identity and credit monitoring tool. Contact Optus for a code, then go to https://www.equifax.com.au/optus

Put a temporary ban on your credit reporting; this will block anyone from applying for credit in your name. Extensions to the ban are possible under certain circumstances, especially if you suspect you’ve been the target of identity theft or cybercrime. https://www.equifax.com.au/eform/submit/credit-ban

Banking

Make sure all your financial systems have multi-factor authentication. Surprisingly, and perhaps even shockingly, some banks and financial institutions don't force MFA on you, and some don't even offer it.

Contact your bank and notify them your data has been breached in the Optus breach and ask them to put a note on your file.

How do I replace my passport?

You can replace your passport by:

  • going through the Passport replacement portal

  • picking up a form at a participating Australia Post outlet

  • contacting an Australian diplomatic or consular mission

Further Information

If you think you may be affected by the recent Optus data breach, contact Optus Customer Service on 133 937 or see the Optus Media Centre.

If you need assistance with taking these steps, please visit cyber.gov.au or call the 1300 CYBER1 hotline.

Be alert for scams referencing the Optus data breach. Learn how to protect yourself from scams by visiting www.scamwatch.gov.au.

If you are concerned that your identity has been compromised or you have been a victim of a scam, contact your bank immediately and call IDCARE on 1800 595 160. 

If your identity has been stolen, you can apply for a Commonwealth Victims’ Certificate.

The following websites can help you protect yourself and stay informed:

  • Identity theft | Moneysmart

  • Identity fraud | OAIC

  • Report cybercrime | https://www.cyber.gov.au/acsc/report

  • Australian Cyber Security Centre Homepage | ACSC

  • Office of the Australian Information Commissioner

Complaints

If you have been affected by the data breach and wish to make a privacy complaint, you can raise this with Optus.

If you are unable to resolve your complaint with Optus, you may wish to lodge a complaint with the Telecommunications Industry Ombudsman. If you are unsatisfied with the outcome, you can lodge a privacy complaint with the Office of the Australian Information Commissioner.

Credit:

The Guardian: Optus data breach: everything we know so far about what happened

Malwarebytes: Optus data breach “attacker” says sorry, it was a mistake

ABC News: Impacted by the Optus data breach? Here’s how to replace your passport, driver’s licence and Medicare card

Australian Government: Optus Data Breach (Australian Passport Office, passports.gov.au)

Cyber Security Is Easier Than You Think...

What sensitive client data are you keeping on your computers or devices?

Recently, we performed one of our complimentary security health checks on a new client, and we found that 40 credit card details were being kept in a spreadsheet on the reception computer. The potential liability cost listed is probably too modest.

The computer was also missing critical software updates and didn't have current anti-virus/security software installed.

This is a common scenario for many businesses. People just don't know what they don't know.

What sensitive data are you keeping that you don't need, or that exposes you to risk?

It's never too late to start. Don't be ashamed if you have no idea about your security.

Cybersecurity is easier than you think. Just start with one thing.

Still not sure what to start with? Here are some of our recent posts that could be places to start:

Password Behaviour and Management

Multi-Factor Authentication

Or head on over to our FREE Resources page to see some of our Guides and helpful Checklists!

Network Detective EXCERPT

Have You Been Breached? 10 Data Breaches in the Last 10 Years

Data Breaches are unfortunately fairly common and will not be a thing of the past for a long while.

Check for yourself at https://haveibeenpwned.com to see if you have been impacted by any reported data breaches.

Were you impacted by any of these breaches? What are some of the breaches we don’t have listed here that you were impacted by? See more websites/services that have been breached at https://haveibeenpwned.com/PwnedWebsites.


What's your password?

Do you use easy-to-remember passwords because, let's face it, there are so many to remember? How are you supposed to remember them all? This week we go into some of the password behaviours found in Australians and a simple step you can take to combat them and make your credentials more secure.
