
Thousands hit by fraudulent ASIC email, as SMEs warned of an EOFY scam rush

Dominic Powell

A malicious email impersonating the Australian Securities and Investments Commission and targeted at time-poor small business owners has been sent to tens of thousands of recipients, with experts warning these scams are likely to become more frequent as the end of financial year approaches.

The attack, uncovered by Mailguard, comes in the form of a fake company name renewal notice and appears to be sent by ASIC, with the email body including ASIC branding and the commission’s privacy policy.

When they click on the hyperlinked “Renewal letter”, users are directed to a website where a file containing malware is downloaded onto their computer. The type of malware is unknown, but it is likely to be either ransomware, a virus, or a keylogger designed to steal users’ login details.


A senior executive leader by the name of Ashley Hughes is listed as the sender of the email, but no staff member of that name exists at ASIC.

The attack actually originates from the domain “australiangovernments.com”, which was registered in Hong Kong the day before the attack went out. Cyber security expert at Sense of Security Michael McKinnon told SmartCompany these attacks are often successful because of how quickly the associated domain names can be registered.

“Hackers will set up the new domain and then the email infrastructure very quickly and then start spamming like crazy. Most email-blocking systems assess domains based on their reputation, so a brand new domain name with no reputation attached to it will often pass through,” he says.

This is why these attacks are also short-lived, says McKinnon, because once users start to report the email as spam, the associated domain name’s reputation “diminishes”.


A screenshot of the fake ASIC email. Source: Supplied

The file downloaded via the email is a .zip, a common file type used to compress multiple files into one to make them smaller and easier to transfer. However, receiving a .zip file in an email should be a red flag for business owners, says McKinnon, and businesses should be deleting any such files if they have not been sent by trusted sources.

“If you’re being sent a zip file or a link to download a zip file, you should be extremely careful,” McKinnon says.

“Though unopened zip files are harmless, the contents of them can contain executables which can then install malicious software on your computer.”
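The signals described above (a sender claiming to be ASIC from a non-ASIC domain, a domain too new to have a reputation, and a link to a .zip download) can be checked mechanically before a message reaches an inbox. The sketch below is an added example, not code from Mailguard or Sense of Security; the sample message, the registration date, the 30-day threshold and the use of asic.gov.au as the genuine sender domain are assumptions, and the `REGISTERED` table stands in for a live WHOIS/RDAP lookup.

```python
import re
from datetime import date
from email import message_from_string
from email.utils import parseaddr

# Constructed sample message; only the sender domain comes from the article.
SAMPLE = """\
From: "ASIC" <renewals@australiangovernments.com>
To: owner@example.com
Subject: Renewal notice

Your business name is due for renewal.
Renewal letter: http://files.example.net/renewal_letter.zip
"""

# Constructed registration date standing in for a WHOIS/RDAP lookup.
REGISTERED = {"australiangovernments.com": date(2020, 6, 1)}
# Assumption: the domain the impersonated brand genuinely sends from.
BRANDS = {"asic": "asic.gov.au"}
MIN_AGE_DAYS = 30  # assumed policy threshold

def triage(raw, received, registered=REGISTERED):
    """Return the list of warning signals found in one raw email."""
    msg = message_from_string(raw)
    display, addr = parseaddr(msg["From"])
    domain = addr.rsplit("@", 1)[-1].lower()
    claimed = f"{display} {msg['Subject']}".lower()
    findings = []
    # 1. Brand named in the display name or subject, sender outside its domain.
    for brand, real in BRANDS.items():
        inside = domain == real or domain.endswith("." + real)
        if re.search(rf"\b{brand}\b", claimed) and not inside:
            findings.append("brand-mismatch")
    # 2. Domain unknown or too new to have built any reputation.
    reg = registered.get(domain)
    if reg is None or (received - reg).days < MIN_AGE_DAYS:
        findings.append("new-domain")
    # 3. Body links straight to a .zip download.
    for url in re.findall(r"https?://\S+", msg.get_payload()):
        if url.lower().split("?", 1)[0].endswith(".zip"):
            findings.append("zip-link")
            break
    return findings

if __name__ == "__main__":
    print(triage(SAMPLE, date(2020, 6, 2)))
```

Any one signal alone produces false positives, so a filter would typically quarantine or add a warning banner when two or more appear together.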

With July 1 fast approaching, McKinnon warns there’s “no question” business owners will see an increase in these types of scams during the end of financial year rush.

There have been a number of recent scams impersonating organisations that SMEs deal with frequently, including Australia Post, ASIC and the Australian Taxation Office. These follow a similar pattern of a call to action, hoping to catch out time-poor business owners or employees with lots on their plate.

“It’s a busy time of year for Australian business owners, with many people trying to get bills paid and invoices sent before the end of financial year,” McKinnon says.

“All it takes is a busy finance team with one person who adds it to the piles of bills to be paid.”

“Business owners need to take a minute and think about what’s being sent, and see if there’s a way to verify what the email is requesting through ASIC’s website or a similar channel.”

ASIC provides guidelines for business owners targeted by scams on its website.


Dominic Powell is the lead reporter at StartupSmart.


  • haydn

    One has to ask what a Hong Kong-based domain name registration company was even doing registering such a domain. Given the domain name, which should have set alarm bells ringing, the domain registrant clearly wasn’t following ICANN’s (Internet Corporation for Assigned Names and Numbers) requirement for more strenuous checks on contact information to help reduce fraudulent use of domains. ICANN could stop a lot of this nonsense in its tracks by withdrawing registration ability for registrants that engage in this type of behaviour.

  • Peter

    And what the hell is the Australian government and ASIC doing sitting on their hands given this domain name should never have been allowed to be registered in the first place!