
Cyber attacks and what to do

The following is a copy of email advice provided to a bowls club from Tasmania Police’s Cyber Report Management Team:

Further general information is below; some of this may not apply to your matter.

Business email compromise is when criminals use email to abuse trust in business processes to scam organisations out of money or goods. Criminals can impersonate business representatives using similar names, domains and/or fraudulent logos as a legitimate organisation or by using compromised email accounts and pretending to be a trusted co-worker. Common scams associated with business email compromise include:

  • Invoice fraud: Criminals compromise a vendor’s email account and through it have access to legitimate invoices. The criminals then edit contact and bank details on those invoices and send them to customers with the compromised email account. The customer pays the invoice, thinking they are paying the vendor, but instead sends that money to criminals’ bank accounts.
  • Employee impersonation: Criminals compromise a work email account and impersonate a co-worker via email. Criminals can use this identity to commit fraud in a number of ways. One common method is to impersonate a person in power (such as a Chief Executive Officer or Chief Financial Officer) and have a false invoice raised. Another method is to request a change to a worker’s banking details. The funds from the false invoice or the worker’s salary are then sent to criminals’ bank accounts.
  • Company impersonation: Criminals register a domain with a name very similar to a large, known and trusted organisation. Criminals then impersonate the organisation in an email to a vendor and request a quote for a quantity of expensive goods, like laptops. Criminals negotiate for the goods to be delivered to them prior to payment. The goods are delivered to a specified location, however, the invoice is sent to the legitimate organisation, who never ordered or received the goods.

Unfortunately, your computer or one you have been communicating with has more than likely been infected by a Trojan virus (possibly the Gozi Trojan).

The virus is very difficult to detect. It locates the email section of the computer and places a rule that seeks any emails that have words such as “invoice, purchase, money, etc.”; once these are located, they are forwarded to an email address that looks very similar to the email address they are trying to spoof. The criminals will then replace the banking details in the email with those of a third party and send this for payment. As the email address looks nearly exactly the same as the legitimate email address, they are very rarely questioned.

The third party who has received any funds is usually an unsuspecting money mule. These people are themselves often victims of Romance/Job scams and are directed to divert the funds overseas.

What you need to do:

  1. If you’ve sent money or banking details to a scammer, contact your bank immediately.
  2. If any of your email accounts have been compromised, change your password for your email account(s), notify anyone affected, and protect your stakeholders with a warning notice on your website (or phone them) informing people of the scam.
  3. Ensure that you have reviewed your ‘EMAIL RULES’ in the settings of your email program. It is common for these to have been changed to allow the offenders to divert and intercept your mail or your clients’ mail.
  4. Ensure your devices have been cleaned by an authorised technician and they are protected with the latest anti-virus, firewall and malware software. This should be done prior to connecting to any network or internet service.
  5. Ensure that you have changed, and regularly change all passwords that allow access to your data and accounts. They should be passwords not easily guessed.
  6. Contact your insurance provider as you may be able to lodge a claim for the Computer Intrusion and any losses incurred, depending on your policy.
  7. It is also recommended you visit the website below for further information regarding the compromise: https://www.cyber.gov.au/threats/business-email-compromise.
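
As an added illustration for point 3 (this is not part of the police advice or the original post), the following Python script audits an export of mailbox rules for the signs described above: a rule that matches finance words such as “invoice” or “purchase”, forwards mail to an address outside the organisation’s own domains, and then deletes or hides the message. The JSON rule format, the rule names, the domains and the addresses are all constructed for this example and are not a real mail client’s export format.

```python
import json
import re

# Constructed sample of a mailbox's inbox rules, shaped loosely like a simplified
# export of Outlook/Exchange rules. Names, domains and addresses are placeholders.
SAMPLE_RULES_JSON = """
[
  {"name": "Newsletter filing", "enabled": true,
   "conditions": {"from_contains": ["news@example.org"]},
   "actions": {"move_to_folder": "Newsletters"}},
  {"name": ".", "enabled": true,
   "conditions": {"subject_or_body_contains": ["Invoice", "purchase", "money"]},
   "actions": {"forward_to": ["accounts@exampIe-club.com"], "delete": true}},
  {"name": "Out of office", "enabled": false,
   "conditions": {},
   "actions": {"reply_with": "I am away"}}
]
"""

# Words the advice says intercept rules commonly match on.
FINANCE_KEYWORDS = {"invoice", "purchase", "money", "payment", "bank", "remittance"}

# Folders a diversion rule often files mail into so the owner never notices it.
HIDING_FOLDERS = {"deleted items", "rss feeds", "junk email", "archive"}


def audit_rules(rules_json, own_domains):
    """Return [(rule_name, [reason, ...]), ...] for enabled rules that look like
    mail interception. own_domains is the set of domains the organisation
    controls; forwarding to any other domain is treated as external."""
    own_domains = {d.lower() for d in own_domains}
    findings = []
    for rule in json.loads(rules_json):
        if not rule.get("enabled", True):
            continue  # a disabled rule cannot divert mail; still worth a manual look
        conds = rule.get("conditions", {})
        acts = rule.get("actions", {})
        reasons = []

        # Condition: does the rule key on invoice/payment wording?
        words = {w.lower() for w in conds.get("subject_or_body_contains", [])}
        hits = sorted(words & FINANCE_KEYWORDS)
        if hits:
            reasons.append("matches finance keywords: " + ", ".join(hits))

        # Action: does it forward or redirect outside our own domains?
        for addr in acts.get("forward_to", []) + acts.get("redirect_to", []):
            domain = addr.rsplit("@", 1)[-1].lower()
            if domain not in own_domains:
                reasons.append("forwards externally to " + addr)

        # Action: does it delete or bury the message so the owner never sees it?
        if acts.get("delete") or acts.get("move_to_folder", "").lower() in HIDING_FOLDERS:
            reasons.append("hides the message after acting on it")

        # Diversion rules are often given an empty or one-character name.
        if not re.search(r"[A-Za-z0-9]{3,}", rule.get("name", "")):
            reasons.append("nondescript rule name %r" % rule.get("name", ""))

        if reasons:
            findings.append((rule.get("name", ""), reasons))
    return findings


if __name__ == "__main__":
    for name, reasons in audit_rules(SAMPLE_RULES_JSON, {"example-club.com"}):
        print("Suspicious rule %r:" % name)
        for reason in reasons:
            print("  -", reason)
```

Run against the sample, the script flags only the second rule, on all four counts; the legitimate newsletter rule passes. In practice the same checks apply to whatever your mail provider exports (Outlook’s rule list or an Exchange/Microsoft 365 inbox-rule listing), and a rule that forwards to a domain that is one letter off your own, as the sample’s “exampIe-club.com” is, deserves the same scrutiny as the password change in point 2.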

As part of our investigations to assist in our investigation we would appreciate any evidence your IT examination team may locate in particular:

  • The ‘email header’ from any of the compromised emails that will assist us with the IP address. (A guide on how to retrieve email headers is available at: https://mxtoolbox.com/Public/Content/EmailHeaders/)
  • Details of any remote logins to your email account. Any details from your network logs or other indicators to reveal the intrusion IPs that accessed your email account. Include details such as suspicious IP addresses, date, time and the time zone.
  • Any details as to how your email account was accessed such as the type of malware/trojan.
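
To show what the requested email header actually yields, here is an added Python example (not part of the police advice or the original post) that walks the Received chain of a message to recover the IP address that first submitted it, and compares the From and Reply-To domains against the domains you trust to catch a look-alike such as “exarnple” standing in for “example”. The sample message, its domains and its Message-ID are constructed; the IP addresses come from the RFC 5737 documentation ranges and belong to no one.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample message (headers plus a one-line body). The IP addresses
# are from the RFC 5737 documentation ranges and the domains are placeholders.
SAMPLE_RAW = """\
Received: from mail.example-club.com (mail.example-club.com [203.0.113.5])
 by mx.example.net with ESMTPS; Mon, 1 May 2023 09:12:01 +1000
Received: from [198.51.100.23] (unknown [198.51.100.23])
 by mail.example-club.com with ESMTPA; Mon, 1 May 2023 09:11:58 +1000
From: Treasurer <treasurer@example-club.com>
Reply-To: treasurer@exarnple-club.com
To: secretary@example.net
Subject: Updated invoice - new bank details
Message-ID: <placeholder-id@example-club.com>

Please pay the attached invoice to the new account.
"""

# A bracketed IPv4 literal, as mail servers write it in Received headers.
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def received_ips(raw):
    """IP addresses from the Received chain, top (nearest the recipient) to
    bottom (the host that first handed the message in). The bottom entry is
    the one an investigator asks for; entries above it were added by relays."""
    msg = message_from_string(raw)
    ips = []
    for hdr in msg.get_all("Received", []):
        m = IP_RE.search(hdr)
        if m:
            ips.append(m.group(1))
    return ips


def edit_distance(a, b):
    """Levenshtein distance, used to spot look-alike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain, trusted_domains, max_distance=2):
    """Return the trusted domain this one imitates, or None if it is either
    exactly a trusted domain or not close to any of them."""
    domain = domain.lower()
    for t in trusted_domains:
        t = t.lower()
        if domain != t and edit_distance(domain, t) <= max_distance:
            return t
    return None


def analyse(raw, trusted_domains):
    """Summarise the header facts worth putting in a report to police."""
    msg = message_from_string(raw)
    from_domain = parseaddr(msg.get("From", ""))[1].rsplit("@", 1)[-1].lower()
    reply_domain = parseaddr(msg.get("Reply-To", ""))[1].rsplit("@", 1)[-1].lower()
    ips = received_ips(raw)
    return {
        "from_domain": from_domain,
        "reply_to_domain": reply_domain,
        # Replies to a genuine From address would go to the real treasurer, so a
        # diverting Reply-To on a different domain is the give-away.
        "reply_to_mismatch": bool(reply_domain) and reply_domain != from_domain,
        "lookalike_of": lookalike_of(reply_domain or from_domain, trusted_domains),
        "origin_ip": ips[-1] if ips else None,
        "received_chain": ips,
    }


if __name__ == "__main__":
    for key, value in analyse(SAMPLE_RAW, {"example-club.com"}).items():
        print("%-18s %s" % (key + ":", value))
```

For the sample the origin is 198.51.100.23 (the host that authenticated to the club’s mail server, which is exactly the “remote login” detail the police ask for), and the Reply-To domain is flagged as a look-alike of example-club.com. Note that only the bottom-most Received line reflects the submitting client; anything above it was written by relays, and the top lines are the ones most worth trusting because your own provider added them.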

The above information is used in an effort to identify the cyber-crime offenders and is also collated by the AFP for intelligence purposes and ongoing investigations.

It is recommended that you contact the Office of the Australian Information Commissioner (OAIC) which will be able to advise you in relation to your obligations under this scheme. General information about the scheme is available at: www.oaic.gov.au/privacy-law/privacy-act/notifiable-data-breaches-scheme.

Advice on managing a cyber security incident is available at: https://www.cyber.gov.au/acsc/view-all-content/guidance/managing-cyber-security-incidents.

Strategies to mitigate future risk to your organisation/business can be found at: https://www.cyber.gov.au/acsc/view-all-content/publications/essential-eight-explained

The following sites provide advice pertaining to scam and identity protection: