Phishing emails have reportedly been sent to Australian businesses using accounting software, with business leaders warned to double check invoices and communications for legitimacy before taking any action.
On its website this week, Xero revealed that it had received complaints of scammers sending phishing emails that looked suspiciously like invoices from the accounting software provider.
These emails were sent to customers in different countries, and it is believed Australian customers are among those preyed upon.
Reckon has since revealed that while it has been the subject of similar phishing scams in the past, it has not been caught up in this latest round of attacks.
“Reckon has had a couple of instances of customers subject to phishing attacks in the past, but their customers haven't reported one for at least 12 months,” a spokesperson told My Business.
MYOB said that “from time to time unfortunately these situations do occur”, but it did not suggest that any of its customers have reported being targeted in this instance either.
SMEs are renowned for being targets of ransomware and phishing scams, because of their willingness to pay to recover stolen data, and the ease with which busy business leaders and their teams can overlook dodgy emails.
Research in March this year suggested that as many as one in three email attacks successfully steal money, data or personal information from their intended victim.
“A big concern for businesses when a phishing attack occurs is ensuring that core platforms and services can continue without interruption if a primary service becomes unavailable as a result of the attack,” said Garrett O’Hara from cyber security firm Mimecast.
“In light of recent legislation changes, we're also seeing much more importance being placed on having data assurance - ensuring company and customer data is safe and easily recoverable.”
As has been noted in other phishing scams, Mr O’Hara said this particular incident involved a large number of email addresses and individual names being used to send the bogus emails, in a bid to legitimise them as being from a big business.
“Email security can detect and protect against these types of emails getting into the network and block malicious links; however, users should always be checking that the domain they have received the email from matches the business content,” he said.
Mr O’Hara suggested that every email should be viewed through the lens of the following four questions:
- Is the email address of the sender valid, and does it make sense for the email received?
- What do your ‘spidey senses’ say? Is the email unexpected? Does it use an odd tone?
- If you hover over any links do they make sense (correct domain, etc)?
- Are you better off to double check with the security team first before clicking on a link or opening an attachment?
“Five minutes to ask could save a lot of time...and embarrassment,” Mr O’Hara concluded.
Adam Zuchetti is the editor of My Business, and has steered the publication’s editorial direction since early 2016.