DFAT funding recipient fraud risk alert: Phishing attacks

Monday, August 6, 2018


DFAT has recently been advised of sophisticated phishing attacks, including on an aid supplier. The attacks have occurred in both Australia and overseas.

Phishing is a form of social engineering: an attempt to obtain financial or other confidential information by posing as a trustworthy entity or person, often through electronic communication.

Although the attacks could happen in a variety of ways, generally the perpetrator impersonates a legitimate person or company and seeks to change bank account details or asks for a fake invoice to be paid. As a result, sensitive information may be compromised, or funds may be lost if payments are made to unknown entities. Scamwatch provides more detail on how this scam works.

DFAT funding recipients are reminded of their obligations to prevent and detect fraud and to ensure that appropriate information security controls are in place. In light of this risk, DFAT funding recipients need to review fraud control strategies and IT security plans to ensure that appropriate controls are in place to minimise this risk. In addition, please ensure that your finance/payment teams and downstream contractors/grant recipients are aware of this risk and have procedures in place to mitigate it. Scamwatch includes some details on how to protect your organisation.

If your organisation has been subject to such an attack, please advise the Fraud Control Section at fraud@dfat.gov.au. If the attack could also be a breach of Australian law, organisations are encouraged to report it to the Australian Cybercrime Online Reporting Network (ACORN). ACORN is a secure reporting and referral service for cybercrime and online incidents which may be in breach of Australian law. These include hacking, scams, identity theft, attacks on computer systems and illegal or prohibited online content.

Please contact fraud@dfat.gov.au if you require further information.