Scam Alert! - Watch out for unusual email requests for membership lists

14 May 2015 11:03 AM | Louise Stokes

A number of non-profit membership organisations, including unions and professional bodies, are being targeted by phishing attacks directed at junior-level administrative employees. Scammers are sending employees fake emails that claim to be requests for copies of organisations' membership lists.


The emails look genuine. The ‘from’ field in each email lists the address of the organisation’s boss, and the email ends with an authentic-looking signature block.


The email asks the employee to send a copy of the organisation’s membership lists to a work email address and a 'home' email address, which is a web mail account (such as Yahoo or Gmail).


However, the 'home' email accounts are fake.


A sample email is set out below.


From: [Organisation CEO]
To: [Staff member]
Subject: Membership list (All members)

Hi [name],

I need a copy of our membership list, just name and email contact. Please compile all membership type in Microsoft-word or Excel, attach and send to me as your reply.

Please send to the 2 email addresses below:

[Authentic email address of the organisation CEO]
[CEO’s name]@yahoo.com

Kind regards,

[CEO’s signature block]


It is not known how the scammers intend to use the information they obtain. However, the people whose details are exposed might become the target for future scams.


Staying safe


Query unusual requests for information received by phone or email. Before complying with a request that seems odd or out of character, double-check with the person making the request, even if it appears to come from your boss.


If you are asked to transmit valuable or personal information to a webmail account that you do not know, think twice before doing so.


Organisations should limit how many people have access to valuable and personal information. Fewer employees with access to that information means fewer targets for these types of attacks.


If you receive a request that purports to be from an organisation that you are a member of, and that asks for personal information such as credit card details, be cautious in responding.
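As an added illustration (not part of the original alert), a small Python mail-filter check that applies the two warning signs described above to an inbound message: does it ask for membership data, and does it ask for that data to be sent to a consumer webmail address while the sender appears to be internal? The organisation domain, the webmail domain list and the sample message are constructed assumptions for the example.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumptions for this example: the organisation's own mail domain, and the
# consumer webmail domains the alert warns about ("such as Yahoo or Gmail").
ORG_DOMAIN = "example.org"
WEBMAIL_DOMAINS = {"yahoo.com", "gmail.com", "hotmail.com", "outlook.com"}
SENSITIVE_TERMS = ("membership list", "member list", "all members")
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")

# Constructed message modelled on the alert's sample; names and addresses are placeholders.
SAMPLE_PHISH = """From: Chief Executive <ceo@example.org>
To: admin@example.org
Subject: Membership list (All members)

Hi Sam,
I need a copy of our membership list, just name and email contact.
Please send to the 2 email addresses below:
ceo@example.org
chief.executive@yahoo.com
Kind regards,
Chief Executive
"""

def plain_text_body(msg):
    """Text of a single-part message, or the text/plain parts of a multipart one."""
    if not msg.is_multipart():
        return msg.get_payload()
    return "\n".join(p.get_payload() for p in msg.walk()
                     if p.get_content_type() == "text/plain")

def review_request(raw):
    """Return the reasons a message should be held for a manual check with the
    apparent sender; an empty list means neither warning sign was found."""
    msg = message_from_string(raw)
    _, sender = parseaddr(msg.get("From", ""))
    body = plain_text_body(msg)
    text = (msg.get("Subject", "") + "\n" + body).lower()
    reasons = []
    if any(term in text for term in SENSITIVE_TERMS):
        reasons.append("asks for membership data")
    # Addresses in the body on a consumer webmail service (the scam's 'home' address).
    webmail = sorted({a for a in EMAIL_RE.findall(body)
                      if a.rsplit("@", 1)[1].lower() in WEBMAIL_DOMAINS})
    if webmail:
        reasons.append("asks for delivery to webmail: " + ", ".join(webmail))
    if webmail and sender.lower().endswith("@" + ORG_DOMAIN):
        reasons.append("sender appears internal but wants data sent outside the organisation")
    return reasons
```

A hit from this check is a prompt to confirm the request with the apparent sender by a channel you already trust, not proof of fraud on its own.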


Responding appropriately if information is unintentionally disclosed


If an organisation experiences an incident in which personal information is unintentionally disclosed to a third party (a ‘data breach incident’), it should consider notifying affected individuals and the Office of the Australian Information Commissioner (OAIC). If there is a real risk of serious harm as a result of a data breach, the affected individuals should be notified.


Notifying people whose personal information has been unintentionally disclosed can often help those people guard against the risks that come from this type of incident. 


The OAIC publishes a guide entitled Data Breach Notification Guide: A Guide to Handling Personal Information Security. This guide provides details of how to respond to a data breach incident that may involve personal information.


More information


Stay Smart Online has more information here about avoiding scams and hoaxes.


Information for this Alert has been provided by the OAIC.


The information provided here is of a general nature. Everyone's circumstances are different. If you require specific advice you should contact your local technical support provider.




The Australasian Society of Association Executives (AuSAE)
