Top 5 Cyber Scams Targeting Australian Businesses
Australian organisations face a steady stream of financially motivated scams. The Australian Cyber Security Centre (ACSC), part of the Australian Signals Directorate (ASD), highlights strong email, identity and backup controls as the measures that most reduce their impact. Here are the top five scams to watch, and the practical steps that make a real difference.
1) Business Email Compromise (BEC) / Invoice Fraud
Attackers compromise or convincingly spoof business mailboxes, then insert themselves into payment threads to change bank details. Because messages appear legitimate, payments are often misdirected.
Spot it: Treat any request to change bank details as high-risk, even when it arrives inside an existing thread. Verify via a phone number you already hold for the supplier (not one taken from the email signature) or through the vendor portal, never by replying to the email. Check that the sender's domain is exactly the supplier's known domain and not a lookalike.
Reduce risk: Enforce MFA and Conditional Access, enable the Defender for Office 365 anti-phishing policy with user and domain impersonation protection, and require dual control (a second approver) for supplier detail changes and payments.
2) Remote Access Scams
Callers claiming to be from Microsoft, your telco or the NBN pressure staff to install “support” tools (e.g., AnyDesk/TeamViewer), gaining full control to steal credentials or deploy malware.
Spot it: Legitimate providers don’t cold-call to fix “viruses”. Hang up; contact the provider via their official channels.
Reduce risk: Application control so that unapproved remote-access tools cannot run, endpoint protection, blocking of risky downloads, and user awareness training that rehearses "refuse and report".
3) “Account Deactivation” Phishing
Fake notices claim your Microsoft 365/Google account is expiring or over quota. Links lead to credential-stealing pages that mimic the real login.
Spot it: Hover (or long-press on a phone) to inspect the real URL before clicking. For Microsoft the host must be exactly login.microsoftonline.com; a host such as login.microsoftonline.com.<anything else> is a different site, as is any address that only carries the trusted name in the path or before an @ sign. Note that Safe Links rewrites links to safelinks.protection.outlook.com, so hover text may show the wrapped URL rather than the final destination. Be wary of urgency and spelling errors.
Reduce risk: Defender Safe Links with time-of-click scanning, passwordless or phishing-resistant MFA (e.g., FIDO2 security keys or passkeys), and Conditional Access sign-in risk policies.
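The hover check above is easy to get wrong by eye, so here is the same test written out as an added example (not code from the original article). It treats only login.microsoftonline.com as genuine, which is an assumption; the constructed message body and the brand tokens are likewise illustrative. It catches the lookalike-subdomain, userinfo (`name@realhost`), plain-http and punycode tricks that make a phishing link look like the real sign-in page.

```python
"""Classify links against the Microsoft sign-in host named in the article.

Added example, not code from the original page. Assumption: only
login.microsoftonline.com is treated as genuine; extend TRUSTED_LOGIN_HOSTS
for any other host your tenant legitimately uses for sign-in.
"""
import re
from urllib.parse import urlsplit

TRUSTED_LOGIN_HOSTS = {"login.microsoftonline.com"}          # assumption, see above
BRAND_TOKENS = ("microsoftonline", "office365", "o365")        # strings phishers imitate
URL_RE = re.compile(r"https?://[^\s<>\"')]+")


def classify_login_url(url: str) -> str:
    """Return 'ok' for the genuine host, otherwise a short reason to treat it as phishing."""
    parts = urlsplit(url.strip())
    if parts.scheme != "https":                 # urlsplit lower-cases the scheme
        return "not https"
    host = parts.hostname                       # lower-cased; userinfo and port removed
    if not host:
        return "no host"
    host = host.rstrip(".")
    if parts.username is not None:
        # https://login.microsoftonline.com@evil.example/ -> the real host is evil.example
        return f"userinfo trick: real host is {host}"
    if any(label.startswith("xn--") for label in host.split(".")):
        # Internationalised label: may be a homoglyph of a trusted name
        return "punycode host"
    if host in TRUSTED_LOGIN_HOSTS:
        return "ok"
    if any(t in host for t in TRUSTED_LOGIN_HOSTS) or any(tok in host for tok in BRAND_TOKENS):
        # login.microsoftonline.com.<anything>, microsoftonline-login.<anything>, ...
        return f"lookalike host: {host}"
    return f"untrusted host: {host}"


def triage_message(body: str):
    """Extract every http(s) link from a message body and classify each one."""
    return [(url, classify_login_url(url)) for url in URL_RE.findall(body)]


# Constructed sample of an "account deactivation" lure; both links are illustrative.
SAMPLE_BODY = (
    "Your mailbox is over quota. Sign in at "
    "https://login.microsoftonline.com.quota-reset.example/auth within 24 hours, "
    "or use https://login.microsoftonline.com/ as usual."
)

if __name__ == "__main__":
    for url, verdict in triage_message(SAMPLE_BODY):
        print(f"{verdict:45} {url}")
```

Run it over a suspect message and anything other than `ok` goes to the "refuse and report" path; the first link in the constructed sample is flagged as a lookalike host, the second is the genuine portal.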
4) “Fake Boss” Gift Card / Urgent Payment Scam
Staff receive texts/emails impersonating executives requesting urgent gift cards or unusual payments while “in a meeting”.
Spot it: It’s always urgent, off-channel, and asks for gift cards or crypto.
Reduce risk: Payment policies that require second-person verification over a known channel (a call-back to the executive's known number, not a reply to the text), and mail authentication (SPF, DKIM and a DMARC policy of p=quarantine or p=reject) so that mail spoofing your own domain is rejected. Mail authentication does nothing for the SMS variant; only the verification policy stops that.
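Whether a spoofed "From: ceo@yourdomain" message is actually rejected depends on what is published in DNS, so the following added example (not the page's own tooling) grades a domain's SPF and DMARC records the way a DMARC-enforcing receiver would apply them. The TXT answers for the three domains are constructed for illustration, and `lookup_txt` is a stand-in for a real resolver. DKIM is not assessed because its selector records cannot be enumerated from outside; the point the check makes is that SPF alone, even with `-all`, does not get spoofed mail rejected until DMARC is at `p=reject`.

```python
"""Grade SPF and DMARC records to see whether a spoofed 'From: ceo@<domain>'
message would be rejected by a DMARC-enforcing receiver.

Added example for this article, not the page's own tooling. DNS_TXT holds
constructed records for hypothetical domains (assumption: stands in for a
real resolver). DKIM is out of scope: selectors are not discoverable.
"""
import re

DNS_TXT = {
    "weak.example.au": ["v=spf1 include:spf.protection.outlook.com ~all"],
    "_dmarc.weak.example.au": ["v=DMARC1; p=none; rua=mailto:dmarc@weak.example.au"],
    "hardened.example.au": ["v=spf1 include:spf.protection.outlook.com -all"],
    "_dmarc.hardened.example.au": [
        "v=DMARC1; p=reject; pct=100; rua=mailto:dmarc@hardened.example.au; adkim=s; aspf=s"
    ],
    "open.example.au": ["v=spf1 include:spf.protection.outlook.com +all"],   # no DMARC at all
}

SPF_LOOKUP_TERM = re.compile(r"^[+\-~?]?(include|a|mx|ptr|exists)(:|$)|^redirect=", re.I)
SPF_ALL_TERM = re.compile(r"^([+\-~?]?)all$", re.I)


def lookup_txt(name):
    return DNS_TXT.get(name.lower(), [])


def parse_tags(record):
    """'v=DMARC1; p=reject; pct=100' -> {'v': 'DMARC1', 'p': 'reject', 'pct': '100'}"""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def assess_spf(domain, findings):
    records = [r for r in lookup_txt(domain) if r.lower().startswith("v=spf1")]
    if not records:
        findings.append("SPF: no record published")
        return
    if len(records) > 1:
        findings.append("SPF: multiple v=spf1 records (permerror; receivers treat as no SPF)")
        return
    terms = records[0].split()[1:]
    lookups = sum(1 for t in terms if SPF_LOOKUP_TERM.match(t))
    if lookups > 10:
        findings.append(f"SPF: {lookups} DNS-lookup terms (limit is 10; evaluates to permerror)")
    qualifier = None
    for t in terms:
        m = SPF_ALL_TERM.match(t)
        if m:
            qualifier = m.group(1) or "+"       # bare 'all' means '+all'
    if qualifier is None:
        findings.append("SPF: no 'all' term (unlisted senders get neutral, not fail)")
    elif qualifier == "~":
        findings.append("SPF: ~all softfail; many receivers still deliver, so DMARC must enforce")
    elif qualifier in "+?":
        findings.append(f"SPF: {qualifier}all authorises any server to send as {domain}")
    # '-all' is the hard fail the control intends; nothing to report


def assess_dmarc(domain, findings):
    """Return (policy, pct) as a receiver would apply them; (None, 0) when there is no usable record."""
    records = [r for r in lookup_txt("_dmarc." + domain) if r.lower().startswith("v=dmarc1")]
    if not records:
        findings.append("DMARC: no record; spoofed mail is delivered even when SPF fails")
        return None, 0
    tags = parse_tags(records[0])
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        findings.append("DMARC: missing or invalid p= tag (record is ignored)")
        return None, 0
    pct_raw = tags.get("pct", "100")
    pct = int(pct_raw) if pct_raw.isdigit() else 100
    if policy == "none":
        findings.append("DMARC: p=none is monitor-only; spoofed mail is still delivered")
    if pct < 100:
        findings.append(f"DMARC: pct={pct} applies the policy to only {pct}% of failing mail")
    if "rua" not in tags:
        findings.append("DMARC: no rua= address, so you never see who is spoofing the domain")
    return policy, pct


def spoof_verdict(domain):
    """What happens to a message that spoofs the domain and fails both SPF and DKIM alignment."""
    findings = []
    assess_spf(domain, findings)
    policy, pct = assess_dmarc(domain, findings)
    if policy == "reject" and pct == 100:
        verdict = "rejected"
    elif policy == "quarantine" and pct == 100:
        verdict = "quarantined"
    elif policy in ("reject", "quarantine"):
        verdict = "partially enforced"
    else:
        verdict = "delivered"
    return {"domain": domain, "verdict": verdict, "findings": findings}


if __name__ == "__main__":
    for d in ("weak.example.au", "hardened.example.au", "open.example.au"):
        r = spoof_verdict(d)
        print(f"{d}: spoofed From would be {r['verdict']}")
        for f in r["findings"]:
            print("  -", f)
```

The weak domain is the common Microsoft 365 default state (SPF `~all`, DMARC `p=none`): the records exist, but a spoofed executive email is still delivered. Only the hardened domain's `p=reject` turns the control into an actual block.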
5) Malicious Job Applicant / Recruitment Scams
“Applicants” send malicious attachments (e.g., macro Word files, HTML pages or zipped executables) that install malware when opened.
Spot it: Be suspicious of non-standard resume formats (.zip, .html, .exe, macro-enabled docs).
Reduce risk: Block macro-enabled attachments from unknown senders, detonate attachments in a sandbox before delivery (Safe Attachments in Defender for Office 365), and enforce application control on endpoints.
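The "non-standard resume format" rule above needs to look further than the last extension, so here is an added example (not the page's own tooling) of an attachment triage that applies it. The policy it encodes is an assumption: only .pdf and .docx are accepted from unknown senders, .zip archives are unpacked one level and every member must pass the same rules, and any OOXML file carrying a VBA project is treated as a macro document whatever its extension. Double extensions such as resume.pdf.exe, renamed .docm files, nested or password-protected archives and oversized archive members are all handled; the sample files are built in memory.

```python
"""Triage an inbound 'resume' attachment before a user opens it.

Added example for this article, not the page's own tooling. Policy assumptions:
only .pdf/.docx are accepted from unknown senders, archives are unpacked one
level deep, and an OOXML file containing a VBA project is a macro document no
matter what it is called. Samples are constructed in memory.
"""
import io
import zipfile

BLOCKED_EXT = {".exe", ".scr", ".dll", ".js", ".jse", ".vbs", ".wsf", ".hta", ".html",
               ".htm", ".lnk", ".iso", ".img", ".bat", ".cmd", ".ps1", ".msi"}
MACRO_EXT = {".docm", ".dotm", ".xlsm", ".xltm", ".xlam", ".pptm", ".ppam"}
OOXML_EXT = {".docx", ".dotx", ".xlsx", ".pptx"} | MACRO_EXT
ALLOWED_RESUME = {".pdf", ".docx"}
MAX_MEMBER_BYTES = 25 * 1024 * 1024      # refuse archive members that expand past this


def suffixes(name):
    """'dir/cv.pdf.exe' -> ['.pdf', '.exe']; every suffix is inspected, not just the last."""
    base = name.lower().replace("\\", "/").rsplit("/", 1)[-1]
    return ["." + p for p in base.split(".")[1:]]


def ooxml_has_vba(data):
    """OOXML documents are zips; a macro project lives at word/vbaProject.bin (or xl/, ppt/)."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            return any(n.lower().endswith("vbaproject.bin") for n in z.namelist())
    except zipfile.BadZipFile:
        return False


def triage_attachment(name, data, depth=0):
    """Return ('allow' | 'block', reason)."""
    exts = suffixes(name)
    if not exts:
        return "block", "no file extension"
    last = exts[-1]
    for ext in exts:
        if ext in BLOCKED_EXT:
            return "block", f"{ext} is an executable, script or web-page type ({name})"
    if last in MACRO_EXT:
        return "block", f"macro-enabled Office format {last}"
    if last == ".zip":
        return triage_archive(data, depth)
    if last in OOXML_EXT and ooxml_has_vba(data):
        return "block", f"VBA project inside {last} (macro document renamed)"
    if last in ALLOWED_RESUME:
        return "allow", f"{last} accepted"
    return "block", f"{last} is not an accepted resume format"


def triage_archive(data, depth):
    if depth >= 1:
        return "block", "nested archive"
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            members = [i for i in z.infolist() if not i.is_dir()]
            if not members:
                return "block", "empty archive"
            for info in members:
                if info.file_size > MAX_MEMBER_BYTES:
                    return "block", f"{info.filename} expands to {info.file_size} bytes"
                try:
                    content = z.read(info)
                except RuntimeError:            # encrypted member: cannot be inspected
                    return "block", f"{info.filename} is password-protected"
                verdict, reason = triage_attachment(info.filename, content, depth + 1)
                if verdict == "block":
                    return "block", f"archive member {info.filename}: {reason}"
    except zipfile.BadZipFile:
        return "block", "unreadable archive"
    return "allow", "all archive members accepted"


# Constructed samples (assumption: a minimal OOXML-shaped zip is enough for triage)
def make_ooxml(with_vba):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        if with_vba:
            z.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0fake-ole")
    return buf.getvalue()


def make_zip(members):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for member_name, content in members.items():
            z.writestr(member_name, content)
    return buf.getvalue()


if __name__ == "__main__":
    samples = [
        ("resume.pdf", b"%PDF-1.7"),
        ("resume.pdf.exe", b"MZ"),
        ("resume.docx", make_ooxml(True)),
        ("resume.zip", make_zip({"resume.html": b"<html>"})),
    ]
    for n, d in samples:
        print(n, "->", triage_attachment(n, d))
```

This is the logic a mail-flow rule or a sandboxing step applies before the file reaches a recruiter; it complements, rather than replaces, detonation, which is what catches a genuinely malicious PDF.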
Mapping Controls to ACSC/ASD Guidance
Many of the controls that stop these scams map directly to ACSC guidance, especially the ASD Essential Eight (application control, patching applications, configuring Microsoft Office macro settings, user application hardening, restricting administrative privileges, patching operating systems, multi-factor authentication and regular backups) and email-security hardening on Microsoft 365.
- MFA + Conditional Access → reduce credential-stuffing/BEC risk.
- Safe Links / Anti-phishing → neutralise link-based credential theft.
- Macro controls & application control → stop malicious attachments from executing.
- Regular, tested backups → resilience if ransomware lands.
How huebloom Can Help
Our Microsoft 365 Security Assessment benchmarks your tenant against the ASD Essential Eight, the ISM, Microsoft Secure Score and platform best practice across Entra ID, Defender for Office 365 and Intune. You get a prioritised remediation plan with 30/60/90-day actions that directly address the scams above.
Are Your Defences Ready?
Speak with a senior consultant about tightening your controls in line with ACSC/ASD guidance.
Book Your Security Check-Up