Hacked or spammed? Ensure you understand your obligations

February 2019

Scams cost Australian businesses almost $30 million in 2018 and they are occurring with increasing regularity. But what are the 'reasonable' steps you have to take to protect your client data and meet the requirements of the Privacy Act?

We've all seen the headlines about scams and hacks hitting small and medium-sized businesses, and while data-driven crime is both sophisticated and highly challenging to address, the reality for many business owners is that simple human error and poor judgement are major contributors to the problem.

As data and cybersecurity are often challenging for SMEs, what steps do they need to take to protect both their business and meet their legal obligations around privacy?

OAIC Report: 37% of breaches are 'human error'

The most recent report from the Office of the Australian Information Commissioner (OAIC) points to a surprisingly simple cause: 37% of data breaches resulted from human error, not malicious attack. In over 20% of reported cases, personal information was simply sent to the wrong recipient. Another 6% of notifications were attributed to system faults.

If the business is of a certain size (more than $3 million in annual turnover), it has an obligation under the Data Breach Scheme to report unauthorised access to, disclosure of, or loss of personal information it holds.

The Data Breach Scheme also applies to businesses 'related to' another business covered by the Privacy Act, or to any business, regardless of size, that deals with health records (including gyms, child care centres, natural health providers, etc.), is a credit provider, or holds Tax File Number information (see the list).

What the statistics from the OAIC demonstrate is that procedural integrity in your business is paramount – train your team to not only be wary of scams but ingrain best practice for the day to day management of personal data.

Reasonable steps and privacy protection are not just 'an IT issue'

Organisations are required to take all reasonable steps to prevent a breach occurring, put in place the systems and procedures to identify and assess a breach, and issue a notification if a breach is likely to cause 'serious harm'.

While not the only factor, protecting your systems remains a priority, as Marriott Hotels discovered when the Starwood guest reservation database was breached. According to the latest announcement, up to 383 million records were potentially impacted. Of those, approximately 5.25 million were unique unencrypted passport numbers.

On 30 November 2018, the company announced that unauthorised access to the database may have been occurring since 2014. 

Similarly, Cathay Pacific released a statement notifying that up to 9.4 million Marco Polo Club members, Asia Miles members and Registered Account holders may have had their data breached, including passenger name, nationality, date of birth, phone number, email, address, passport number, identity card number, frequent flyer programme membership number, customer service remarks and historical travel information.

Remember, hackers can gain access to your business's data simply by a staff member clicking on a link.

Email security, spoofing, and phishing

While it does not necessarily involve personal data, according to ScamWatch a common scam is as simple as hackers gaining access to a business's email accounts, or 'spoofing' a business's email so their messages appear to come from the company.

The hacker then sends emails to customers claiming that the business's banking details have changed and that future invoices should be paid to a new account. These emails look legitimate as they come from one of the business's official email accounts. Payments then start to flow into the hacker's account. The average loss from these scams is around $30,000.

A variation is where the hacker sends an email internally to a business's accounts team, pretending to be the CEO, asking for funds to be urgently transferred to an off-shore account. Hackers can also request that salary or rental payments be directed to a new account.

In 2018, these scams cost Australian business $30 million.

What can you do to protect your business?

Simple measures you can take:

  • Have strong and enforced processes in place for the management of personal client information.
  • Put strong authorising procedures in place for payments, such as two-step authority.
  • Change passwords often and use two-step authentication where available.
  • If a client's bank details have changed, phone them and check the details.
  • Train your team on cybersecurity:
    • Check requests for payments that arrive electronically from other team members and management.
    • Check that email addresses are legitimate – look for slight variations.
    • Be suspicious of poorly written emails.
    • Don't click on links in emails – always log in to your own account with the supplier or Government department to check details.
  • If contacted by the ATO and you are concerned, contact the ATO or your accountant to verify the information.
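The "look for slight variations" check above can be partly automated. The following is an added example, not part of the original article: it classifies a From: header against a constructed list of domains a hypothetical business legitimately deals with, flagging typos, digit-for-letter substitutions and a real domain buried inside a longer fake one. It is a screening aid only; a flagged address still needs the phone call the list recommends.

```python
"""Flag sender addresses that imitate a business's known correspondents."""
from email.utils import parseaddr

# Constructed for this example: domains the hypothetical business trusts.
TRUSTED_DOMAINS = {"bluewidgets.com.au", "ato.gov.au"}

# Substitutions commonly seen in lookalike domains (digit or digraph -> letter).
_HOMOGLYPHS = {"0": "o", "1": "l", "3": "e", "5": "s", "rn": "m", "vv": "w"}


def normalise(domain: str) -> str:
    """Lowercase the domain and undo common lookalike substitutions."""
    d = domain.lower()
    for fake, real in _HOMOGLYPHS.items():
        d = d.replace(fake, real)
    return d


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one- or two-character typos."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(header: str, trusted=TRUSTED_DOMAINS) -> str:
    """Return 'trusted', 'lookalike' or 'unknown' for a From: header value."""
    _, addr = parseaddr(header)
    if "@" not in addr:
        return "lookalike"  # a malformed From: deserves a second look
    domain = addr.rsplit("@", 1)[1].lower()
    if domain in trusted or any(domain.endswith("." + t) for t in trusted):
        return "trusted"  # exact match or a genuine subdomain
    for t in trusted:
        # same after undoing substitutions, a short typo, or the real domain
        # buried inside a longer fake one (ato.gov.au.refund-portal.net)
        if normalise(domain) == normalise(t) or edit_distance(domain, t) <= 2 or t in domain:
            return "lookalike"
    return "unknown"


def scan_headers(headers):
    """Return the (header, verdict) pairs that are not from a trusted domain."""
    return [(h, classify_sender(h)) for h in headers if classify_sender(h) != "trusted"]
```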

What the latest scams look like


The Australian Taxation Office (ATO) has warned about the emergence of a scam where "…scammers are using an ATO number to send fraudulent SMS messages to taxpayers asking them to click on a link and hand over their personal details in order to obtain a refund."

The refund scam follows a more sinister four-phase scam claiming there is a warrant out for your arrest for unpaid taxes in prior years:

  • The scam starts with a text message purportedly from the Australian Federal Police (AFP).
  • Within minutes, your mobile rings and the caller identifies themselves as being from the AFP and working with the ATO.
  • They then ask for your accountant's details. You then receive a call purportedly from your 'accounting firm' asking you to verify the AFP/ATO claims.
  • Finally, you are provided with a way, if you act quickly, to make the AFP go away by paying a fee before your 'imminent arrest'.

The ATO states that it will not:

  • Send you an email or SMS asking you to click on a link to provide login, personal or financial information, or to download a file or open an attachment;
  • Use aggressive or rude behaviour, or threaten you with arrest, jail or deportation;
  • Request payment of a debt via iTunes or Google Play cards, pre-paid Visa cards, cryptocurrency or direct credit to a personal bank account; or
  • Request a fee in order to release a refund owed to you.

Medicare Scam

A new phishing scam sent text messages purportedly from Medicare advising the recipient that they are owed a $200 rebate from Medicare.

Once the person clicks on the reclaim link, they are asked to provide their personal details including bank account details for the 'rebate.'


Another phishing scam doing the rounds is a request from ASIC to renew your business name, sent via an "ASIC Messaging Service"; however, if you look at the sender's email address, you see very quickly that it is not a legitimate ASIC address. A sample of what it looks like is below.

This article is provided for information purposes only and correct at the time of publication. It should not be used in place of advice from your accountant. Please contact us on 02 9957 4033 to discuss your specific circumstances.
