The regulator reports that numerous Australian businesses have received bogus emails. Here’s what you need to know to avoid becoming a victim.
The Australian Competition and Consumer Commission (ACCC) has issued an urgent warning to businesses about fake emails from scammers which appear to come from the ACCC.
The regulator said it has become aware of numerous Australian businesses that received the bogus emails over recent weeks.
In some cases, the scammers ask business owners to respond to a fake complaint that has been made about their company, which can be accessed by either clicking on a particular link or downloading an attached zip file.
When the business owner clicks on the link or downloads the attachment, a piece of malware is downloaded that locks up their computer, and the scammer then demands that the user pay a ransom fee in order to use their computer again.
In other cases, business owners have received an email purporting to be from the ACCC demanding payment for a copyright infringement.
In a statement, ACCC deputy chair Michael Schaper said both of the scam emails circulating are simply addressed to a non-specific ‘business owner’ and may contain errors.
“Scammers commonly ask for bitcoins or ask you to transfer money by wire transfer but even if you pay the fee, there is no guarantee that your computer will be unlocked,” Schaper said.
“Fortunately, no money has been reported lost from these particular scams to Scamwatch yet. The emails are easy to spot as fakes and you can avoid falling victim by checking the email address of the sender before clicking on any links.”
FireEye’s Australia and New Zealand regional director Richard Metcalfe told BIT there has been an increase in ransomware attacks targeting Australian businesses over recent months.
“Ransomware can be the most disruptive in organisations which don't have effective backups in place, as is often the case with small businesses. Almost two-thirds of small businesses have no data security policy, so they make easy targets for attackers. Firms should consider how to fend off ransomware and minimise the damage if the attacks get through,” Metcalfe said.
Avoid being caught out
There are a number of steps businesses should take to avoid being caught out by this scam.
The ACCC advises that anyone who unexpectedly receives an email from the ACCC should not click on any links or respond to contact details provided in the email. Instead, get in touch with the agency directly using the contact details provided on its website.
The commission notes that all of its email addresses end in .gov.au and not govt.au. It does not use free email services such as Outlook or Gmail, and any message coming from these addresses is fake.
The commission also suggests hovering your mouse pointer over links, as this will generally display the real address or file name. Note that files ending in .Zip or .EXE can easily be disguised as PDF files, yet contain malware.
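For businesses that want to automate the sender and attachment checks described above, the following Python sketch applies them to a raw email. It is an added example, not ACCC code; the free-mail domain list, the finding labels and the sample message are constructed for illustration.

```python
from email import message_from_string
from email.utils import parseaddr
from pathlib import PurePosixPath

# Assumed domains for the free services the article names (Outlook, Gmail).
FREE_MAIL = {"gmail.com", "outlook.com"}
# Attachment types the article warns can be disguised as PDF files.
RISKY_EXT = {".zip", ".exe"}

def triage(raw):
    """Return (label, detail) findings for one raw RFC 5322 message."""
    msg = message_from_string(raw)
    findings = []
    # Use the real address, not the display name shown to the reader.
    _, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower().rstrip(".")
    if domain in FREE_MAIL:
        findings.append(("free_mail_sender", domain))
    elif not domain.endswith(".gov.au"):
        # Catches look-alikes such as "govt.au" as well as unrelated domains.
        findings.append(("sender_not_gov_au", domain))
    for part in msg.walk():
        name = part.get_filename()
        if not name:
            continue
        suffixes = [s.lower() for s in PurePosixPath(name).suffixes]
        if suffixes and suffixes[-1] in RISKY_EXT:
            findings.append(("risky_attachment", name))
            if len(suffixes) > 1:
                # e.g. "complaint.pdf.exe": looks like a PDF, runs as a program.
                findings.append(("double_extension", name))
    return findings

# Constructed sample message; the attachment carries no real payload.
SAMPLE = """From: "ACCC Complaints" <complaints@accc.govt.au>
To: owner@example.com
Subject: Complaint lodged against your business
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Dear business owner, a complaint has been made about your company.
--b1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="complaint.pdf.exe"

placeholder
--b1--
"""

if __name__ == "__main__":
    for label, detail in triage(SAMPLE):
        print(label, detail)
```

A From header can be forged, so an empty result is not proof that a message is genuine; the script only catches the tells the ACCC lists.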
Proofpoint Australian and New Zealand managing director Tim Bentley told BIT it is important to be sceptical when it comes to email messages — if it looks even remotely suspicious, don’t open it.
“Phishers are extremely good at what they do and are extremely fast and strategic in their attacks. By leveraging the trusted name of the ACCC they have exponentially increased the likelihood that email users will click through and compromise their credentials,” Bentley said.
Top tips from the ACCC
The ACCC’s main tips are as follows:
- Do not click on any suspicious links in emails and check the sender’s address very carefully. If you think it is a scam, delete the email.
- Ensure your business has up-to-date virus protection and firewall software installed.
- Regularly back up your computer’s data on a separate hard drive. (We recently covered this topic in depth in our guide to building a malware-proof backup system.)
- Do not respond to contact details provided in unsolicited emails. Independently verify contact details from the phone book or search online for official details.
- Keep your staff informed about security threats and provide them guidance on how to deal with scam emails.