
QR Quishing Scams

Banks warn of Christmas QR code scams

Financial institutions and consumer advocates are warning of a surge in Christmas-related scams, including a newer tactic: criminals are abusing the QR codes that people became used to scanning during COVID to steal personal information.

What is Quishing?

Quishing is a form of phishing attack that uses QR codes instead of text-based links in emails, digital platforms or on physical items. Quishing is a social engineering technique used by scammers and cybercriminals to trick you into providing personal information or downloading malware onto your device — cyber.gov.au

A recent Westpac report found that over half of the scams reported in November and December last year related to purchases and sales, and noted that scammers capitalise on the increased spending and distraction of the holiday season.

To illustrate the heightened risk, Westpac experienced a 5 per cent uptick in fraud-related calls following the facilitation of over 31 million point-of-sale transactions during the recent Black Friday and Cyber Monday sales.

Westpac’s research uncovered that 38 per cent of Australians fell victim to scams originating from fake websites, online retailers and marketplaces.

QR codes, once considered outdated by 2019, regained popularity during the COVID-19 pandemic due to the demand for contactless services. However, the Federal Trade Commission (FTC) in the United States has cautioned that scammers are now concealing harmful links in QR codes found at locations such as parking meters, cafes and bars.

The FTC described the lures scammers use, including false claims of undelivered packages, account problems and supposed suspicious activity that requires an immediate password change. Young stressed the importance of verifying payment details before transferring funds and warned against clicking on links in SMS or email messages.

Anyone who follows such a link risks having their information stolen or malware installed on their device.
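A QR code is only a container; what it carries is almost always a plain URL, so it can be decoded and inspected before anyone taps it. The following is an added example, not code from the original post or from Westpac or the FTC: it takes decoded QR payloads and applies the checks a practitioner would run on any untrusted link (scheme, credentials before an "@", punycode hosts, link shorteners, brand lookalikes, credential-harvesting paths). The KNOWN_HOSTS allowlist, the sample payloads and the hypothetical domains are constructed for illustration.

```python
"""Triage the URL hidden in a QR code before anyone taps it.

Added example, not code from the original post. A QR code is only a
container: what it usually carries is a plain URL, so the same checks that
apply to a link in an email apply here. KNOWN_HOSTS and the payloads in
main() are constructed for illustration; the domains are hypothetical.
"""
from urllib.parse import urlparse

# Assumption: a maintained list of the registrable domains the business uses.
KNOWN_HOSTS = {"westpac.com.au", "auspost.com.au"}

# Public link shorteners hide the real destination until the link is followed.
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "is.gd", "ow.ly"}

SECOND_LEVEL = {"com", "net", "org", "gov", "edu", "co"}   # e.g. example.com.au


def registrable_domain(host: str) -> str:
    """Crude owner-level domain: last two labels, or three for com.au-style suffixes."""
    parts = host.lower().rstrip(".").split(".")
    if len(parts) >= 3 and parts[-2] in SECOND_LEVEL and len(parts[-1]) == 2:
        return ".".join(parts[-3:])
    return ".".join(parts[-2:])


def triage(payload: str) -> dict:
    """Return a verdict ('allow', 'review', 'block') and the reasons for one decoded payload."""
    reasons = []
    u = urlparse(payload.strip())
    scheme = u.scheme.lower()
    host = (u.hostname or "").lower()

    if scheme not in ("http", "https"):
        # tel:, sms:, mailto: or app-specific schemes launch actions, not pages;
        # block unless the business deliberately publishes them.
        reasons.append(f"non-web scheme '{scheme or '(none)'}'")
        return {"verdict": "block", "host": host, "reasons": reasons}
    if scheme == "http":
        reasons.append("plain http, no transport protection")
    if u.username or u.password:
        reasons.append("text before '@' disguises the real host")
    if host.startswith("xn--") or ".xn--" in host:
        reasons.append("punycode host, possible homograph of a known brand")
    if host in SHORTENERS:
        reasons.append("link shortener hides the destination")

    domain = registrable_domain(host)
    if domain in KNOWN_HOSTS:
        return {"verdict": "allow" if not reasons else "review", "host": host, "reasons": reasons}

    for known in KNOWN_HOSTS:
        brand = known.split(".")[0]
        if brand in host:                      # westpac-secure.com, westpac.com.au.evil.example
            reasons.append(f"lookalike of {known}")
    if any(k in u.path.lower() for k in ("login", "verify", "secure", "update")):
        reasons.append("credential-harvesting keywords in path")
    return {"verdict": "block" if reasons else "review", "host": host, "reasons": reasons}


if __name__ == "__main__":
    for p in ["https://www.westpac.com.au/pay", "http://westpac-secure.com/login",
              "https://bit.ly/3x", "https://westpac.com.au@evil.example/",
              "sms:+61400000000", "https://parking-meter.example/pay"]:
        print(p, triage(p))
```

The "review" verdict is deliberate: an unknown host with nothing obviously wrong is not proof of safety, only the absence of the cheap signals. For a payment QR code at a parking meter or cafe, the practical check remains the one Westpac gives above: confirm the payee with the business before transferring money, rather than trusting the code on the sticker.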

Westpac identified several other prevalent Christmas scams, including enticing individuals to fake websites through social media advertisements, exploiting parcel-related anxieties with fake updates via SMS or email, and promoting seemingly lucrative fake investments.

Westpac also highlighted that investment scams pose a significant challenge, constituting half of all reported losses. These scams often promise substantial returns and involve scammers investing considerable time in grooming victims, making them difficult to identify.

In Australia, reported losses to Scamwatch on social media platforms have surged to over $66 million in 2023, marking a 40 per cent increase from the previous year. Consumer group Choice, along with 20 other organisations globally, is urging governments to mandate social media and technology companies to implement measures protecting consumers from scams.

Choice criticised tech giants such as Facebook, Instagram and Google for their failure to prevent scammers from exploiting their platforms, arguing that these companies possess the resources and technology to enhance consumer protection but are reluctant to do so without legal requirements.

The Notch Above Bookkeeping Team would like to wish you and your family a wonderful festive season and a prosperous 2024. This year we’re taking a break over Christmas / New Year and will be closed from 2PM on Friday 22 December, reopening on Monday 8 January 2024.

Source: cyber.gov.au


7 Ways Businesses can avoid Cyber Fraud

What is cyber fraud?

In a world of digital financial networks and online commerce, the risks of cyber fraud are greatly increased.

Cyber fraud is criminal activity that either targets or uses a computer, a computer network or a networked device. Usually cybercriminals or hackers set out to make money… but some have political or personal motivations.

Businesses face increased financial risk as criminals get more sophisticated. Criminals often target the finance team, especially the accounts payable function, because it controls how money leaves the business.

What can businesses do to protect themselves against this financial fraud? Here are some guidelines.

1. Consider this a people and process challenge, not an IT challenge

It’s important to acknowledge that people, not the technology, are generally the weakest point in any process. A firewall that nobody monitors or maintains provides far less protection than it should, and antivirus software on its own cannot prevent infection.

2. Update authentication and review processes

Robust payment processes help team members act wisely and consistently. An example is setting rules on how payments are approved to prevent unauthorized, fraudulent payments as well as mistakes. This may involve designating an ‘approver’ for certain types of transactions AND requiring them to follow a validation process. For example, perhaps they should match an invoice with a purchase order. Or – even safer – perhaps they should match the invoice and purchase order with the received goods or services.

3. Review password policies

Longer, complex passwords increase security BUT can also lead to password reuse and to people writing passwords down and storing them in vulnerable places. The best policies mandate long, unique passwords AND the use of a reputable password manager that keeps them in an encrypted vault. Multi-factor authentication should also be used for all applications, including email.

4. Spam filters and anti-virus software

These tools have an important role but, remember, they cannot protect against insider scams or social engineering scams.

5. Segregation of Duties

Segregation of duties means that no single employee can control multiple stages of any accounting process such as reconciliation, custody of assets, authorisation and record-keeping or bookkeeping. Acknowledge that EVEN long-term, trusted employees can be perpetrators of fraud.

6. Create awareness of social engineering scams

A common example of fraud involves criminals impersonating trusted parties to create fraudulent payments. For example, a Finance Director may be impersonated to request certain actions, like initiating a payment or altering banking information. Some of these scams lack credibility… but their prevalence shows that they work in a disturbingly high number of cases.
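The controls in points 2, 5 and 6 above (an approver who is not the person who keyed the payment, matching the invoice to a purchase order and to goods received, and treating a change of bank details as a red flag) can be written down as rules and applied to every payment before release. The following is an added example, not code from the original post or from any accounting product; the Payment records, the DUAL_APPROVAL_ABOVE threshold and the staff names are constructed assumptions.

```python
"""Maker-checker and segregation-of-duties checks on an outgoing payment.

Added example, not from the original post. It encodes the rules from
points 2, 5 and 6 above (independent approver, PO and receipt matching,
no self-approval, verified bank-detail changes). The payment records and
the DUAL_APPROVAL_ABOVE threshold are constructed assumptions.
"""
from dataclasses import dataclass, field
from typing import List, Optional

DUAL_APPROVAL_ABOVE = 10_000.00  # assumption: second approver required above this


@dataclass
class Payment:
    payee: str
    amount: float
    created_by: str                       # the 'maker' who keyed the payment
    approvers: List[str] = field(default_factory=list)
    po_number: Optional[str] = None
    po_amount: Optional[float] = None
    goods_received: bool = False          # receipt confirmed by someone other than the maker
    bank_details_changed: bool = False    # payee account differs from the one on file
    change_verified_by_callback: bool = False  # confirmed by phone on a known number


def check_payment(p: Payment) -> List[str]:
    """Return every control failure; an empty list means the payment may be released."""
    problems = []
    independent = set(p.approvers) - {p.created_by}
    if not p.approvers:
        problems.append("no approver recorded")
    if p.created_by in p.approvers:
        problems.append("maker approved their own payment")
    if p.amount > DUAL_APPROVAL_ABOVE and len(independent) < 2:
        problems.append(f"amount over {DUAL_APPROVAL_ABOVE:,.0f} needs two independent approvers")
    if p.po_number is None:
        problems.append("no purchase order matched")
    elif p.po_amount is not None and abs(p.po_amount - p.amount) > 0.005:
        problems.append("invoice amount does not match the purchase order")
    if not p.goods_received:
        problems.append("goods or services not confirmed as received")
    if p.bank_details_changed and not p.change_verified_by_callback:
        # the 'Finance Director asks you to update the account number' scam lands here
        problems.append("payee bank details changed without call-back verification")
    return problems


if __name__ == "__main__":
    ok = Payment("Acme Supplies", 4_000.0, "alice", ["bob"], "PO-1042", 4_000.0, True)
    rushed = Payment("Acme Supplies", 12_000.0, "alice", ["alice"],
                     bank_details_changed=True)
    print("ok:", check_payment(ok) or "release")
    print("rushed:", check_payment(rushed))
```

The call-back rule is the one that defeats the impersonation scam described above: the verification must use a phone number already on file for the supplier, never one supplied in the email that requested the change.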

7. Develop a counter-fraud culture

You cannot completely eliminate human error (or criminal behaviour), but raising the profile of the conversation and providing continuing education is a start. Management buy-in will help cyber fraud get the attention it requires. Keep in mind that the absence of detected fraud doesn’t mean it isn’t happening, because there is usually a lag between fraudulent actions and their impact. Ideally, the culture should encourage people to report suspicious incidents. There should be a commitment to ongoing fraud awareness, social engineering training, and implementing proper policies and procedures.

Notch Above Bookkeeping are Xero business bookkeepers and Certified Xero Platinum Partners Australia-wide, specialising in cloud bookkeeping setup, training and ongoing support. Contact us on 1300 015 130.


QLD Digital Solutions Program

Helping Small Businesses take the Digital Leap

In today’s rapidly evolving digital landscape, it is crucial for businesses of all sizes to adapt to stay competitive.

Get up to four hours of mentoring support, including the development of a tailored Digital Action Plan for your business, for just $110 inc. GST, subsidised through the Digital Solutions program to receive one-on-one support in up to five key areas:

  1. Intro to Digitising Your Business
  2. Using Small Business Software
  3. Online Security and Data Privacy
  4. Websites and Selling Online
  5. Social Media and Digital Marketing


Cybersecurity strategy — patching operating systems

Why it’s risky to delay system updates

Imagine coming home from a long day at work to find that the lock on your front door is broken.

Your house is now vulnerable to intruders, and you have a choice to make: do you ignore the issue and hope for the best, remind yourself to fix it later, or get it fixed right away?

Most of us would choose to get it fixed immediately, as leaving it broken could lead to serious consequences. The same principle applies to your device’s operating system. It is responsible for managing your apps, software, and hardware and it is crucial that you keep it up to date and secure.

In a previous blog post, we discussed the importance of patching apps downloaded to your device. It’s equally important to patch your operating system. Cybercriminals constantly scan for outdated systems, and once a flaw is public, working exploits for it can appear within days; this is why the ACSC recommends applying patches within 48 hours when a working exploit exists. By neglecting to update your operating system, you put your own information and that of your clients at risk.

To ensure that your systems remain secure, here are three ways to keep them updated:

  1. Turn on automatic updates: This takes the stress out of manually updating your systems and ensures that the patch is applied as soon as it becomes available.
  2. Replace unsupported software: If your operating system is no longer being updated by the vendor, your data is more vulnerable to a cyber attack. It’s important to replace unsupported software with a more secure option.
  3. Apply vulnerability scanning software: This can help identify holes in your system that need patching, making it easier to stay on top of updates and keep your systems secure.

By implementing these strategies alongside the previous strategies we’ve shared, you can keep your systems secure and protected from cybercriminals who are constantly looking for unlocked doors. Remember, just like fixing a broken lock, updating your operating system is a small but critical step in keeping your digital environment secure.


Cybersafety and configuring macro settings

Macros can be useful for streamlining day-to-day tasks…

But they can pose a security risk if they are not properly controlled.

The Australian Cyber Security Centre (ACSC) has observed an increase in attempts to compromise businesses by embedding malware in macros.

Microsoft Office macros are small programs (written in VBA) embedded in a document. They are often created by recording a series of actions, such as mouse clicks and keystrokes, as a shortcut for repetitive tasks, but a macro can do anything the person opening the document can do.

Cybercriminals distribute documents containing malicious macros and, if a recipient enables them, the macro runs with that user’s privileges and can install malware or give the attacker access to the device.

To minimise risks, it is recommended to ask three questions before using a macro:

  1. Is there a business requirement for the macro?
  2. Has the macro been developed or provided by a trusted party?
  3. Has it been validated by a trustworthy and technically skilled party?

To further safeguard your business systems and customer data, disable macros entirely for users who do not need them, allow macros only from trusted locations that users cannot write to, and permit only digitally signed macros from trusted publishers, approved case by case. Office now blocks macros in files that came from the internet by default; leave that protection in place.
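Whether an Office document carries macros at all can be checked before it reaches a user, for example at a mail gateway or in a file-upload handler, without opening it in Office. The following is an added example, not code from the ATO material: modern Office files are zip packages, and a VBA project is stored as a part named vbaProject.bin, so the presence of that part is the reliable signal; an extension check alone is easy to defeat by renaming. The two sample documents are constructed in memory with only the parts the check needs, so no real files are involved, and the legacy binary (OLE) formats are simply flagged because cheaply proving them macro-free is not possible here.

```python
"""Flag Office files that carry VBA macros before they reach users.

Added example, not from the ATO material. The two documents are
constructed in memory with the minimal structure needed for the check,
so no real files are involved.
"""
import io
import zipfile
from typing import List

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # legacy .doc/.xls/.ppt container
MACRO_EXTENSIONS = {".docm", ".dotm", ".xlsm", ".xltm", ".xlam", ".pptm", ".potm", ".ppam"}


def vba_parts(data: bytes) -> List[str]:
    """Names of VBA project parts inside an OOXML (zip) document, if any."""
    if not data.startswith(b"PK\x03\x04"):
        return []
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            return [n for n in z.namelist() if n.lower().endswith("vbaproject.bin")]
    except zipfile.BadZipFile:
        return []


def classify(filename: str, data: bytes) -> str:
    """'clean', 'macro', or 'legacy' (binary format; macro presence not ruled out here)."""
    ext = ("." + filename.lower().rsplit(".", 1)[-1]) if "." in filename else ""
    if data.startswith(OLE_MAGIC):
        return "legacy"
    # Content first: a renamed .docm still contains vbaProject.bin.
    if vba_parts(data) or ext in MACRO_EXTENSIONS:
        return "macro"
    return "clean"


def build_docx(with_macro: bool) -> bytes:
    """Constructed minimal OOXML package; real Word files have many more parts."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            z.writestr("word/vbaProject.bin", b"\x00" * 16)
    return buf.getvalue()


if __name__ == "__main__":
    for name, blob in [("invoice.docx", build_docx(False)),
                       ("invoice.docx", build_docx(True)),
                       ("old-invoice.doc", OLE_MAGIC + b"\x00" * 8)]:
        print(name, classify(name, blob))
```

A gateway would quarantine "macro" and "legacy" results for the case-by-case review the three questions above describe, and let "clean" through. This does not replace the Office settings: it stops unexpected macros arriving, while the settings stop a user enabling one that does.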

Source: ATO


Cybersafety strategy for user application hardening

9 steps to hardening your apps and operating system

Protecting your operating system from cyber-attacks involves hardening it and testing its security.

As the backbone of a device, the operating system manages apps, hardware and software to ensure the proper functioning of the device.

One way to harden the operating system and its apps is to add layers of security that make it harder for cybercriminals to breach the system. This can be achieved by following these steps:

  1. Installing all software updates: Using outdated software versions can make the system vulnerable to cyber-attacks
  2. Using a standard operating environment: building every computer from the same approved image, so that configurations are consistent and users cannot make unapproved changes to their own machines
  3. Controlling the types of apps that are installed and used in the operating system
  4. Reviewing the apps and functions enabled on the system to ensure that they are all necessary and removing any that are no longer used or required
  5. Managing who can make system changes like installing or uninstalling software
  6. Using software firewalls to limit inbound and outbound network connections to approved apps and services
  7. Having anti-virus software in place
  8. Considering the need for software that can prevent particular devices from being connected to workstations and servers
  9. Logging events that the device’s software can record, such as an app being updated or a login failing, and storing those logs where they can be reviewed later.

By implementing these extra steps, users can harden their operating system and apps, making it more difficult for cybercriminals to exploit vulnerabilities and launch attacks.

Source: ATO


CSIRO aids SMEs in advancing cybersecurity and digital tech R&D

CSIRO program to help SMEs advance cybersecurity and digital technology R&D

The CSIRO is helping small to medium enterprises (SMEs) enhance their research and development (R&D) knowledge with a free 10-week online program focused on cybersecurity and digital technologies.

Eligible companies can be working directly in cybersecurity, digital technologies or adjacent industries and want to improve the cybersecurity and digital technologies aspect of their offering.

The CSIRO’s Innovate to Grow: Cyber Security and Digital Technologies program commences 8 June 2023 and is available for 20-25 SMEs.

Expressions of interest to participate close 15 May.

Source: CSIRO


ATO Make cyber security a priority for 2023

It’s critical to safeguard your business and client information from cyber incidents.

Recent cyber attacks have shown how important it is to have robust cyber security practices in place to protect both your business and customer information.

Business owners hold the keys to their customers’ lives on their devices and are responsible for keeping that information safe from cybercriminals.

Application control

Put simply, application control means putting together a list of the computer apps and/or downloadable programs that are authorised as legitimate and safe to use, and loading that list into your computer’s application control feature. That feature acts as your computer’s security guard: only programs on the approved list are allowed to run.

Doing this can minimise the risk of malicious code (also known as malware) being downloaded onto your systems, which can then disrupt, damage, or even gain unauthorised access to your computer systems.

It’s important that you regularly review the list of approved apps and remove any you no longer need. It’s also crucial to test that application control actually works: try to run a harmless program that isn’t on your authorised list and confirm that your system blocks it. Note that application control blocks programs from running rather than from being downloaded, so the download itself succeeding is not a failure of the control.
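The decision an application control feature makes is a default-deny lookup: a program runs only if some rule approves it. The following is an added example, not code from the ATO material or from any product, showing the two common rule kinds (a hash of the exact binary, and a trusted directory) and why the test recommended above matters. The "programs" are constructed byte strings standing in for executables and the rule set is illustrative.

```python
"""Default-deny application control: the decision made before a program runs.

Added example, not from the ATO material. The 'programs' are constructed
byte strings standing in for executables, and the rules are illustrative.
"""
import hashlib
from typing import Dict, List, Tuple


class AppControl:
    def __init__(self) -> None:
        self.hash_rules: Dict[str, str] = {}   # sha256 hex digest -> approved program name
        self.path_rules: List[str] = []        # directory prefixes treated as trusted install locations

    def approve_hash(self, name: str, content: bytes) -> None:
        """Pin one exact binary. Every vendor update changes the hash and needs re-approval."""
        self.hash_rules[hashlib.sha256(content).hexdigest()] = name

    def revoke(self, name: str) -> None:
        """Drop a program from the list (the regular review recommended above)."""
        self.hash_rules = {h: n for h, n in self.hash_rules.items() if n != name}

    def trust_path(self, directory: str) -> None:
        """Only safe for directories ordinary users cannot write to."""
        self.path_rules.append(directory.rstrip("/") + "/")

    def decide(self, path: str, content: bytes) -> Tuple[str, str]:
        """Return ('allow' | 'block', reason). Anything no rule matches is blocked."""
        digest = hashlib.sha256(content).hexdigest()
        if digest in self.hash_rules:
            return "allow", f"hash rule: {self.hash_rules[digest]}"
        if any(path.startswith(d) for d in self.path_rules):
            return "allow", "path rule: trusted directory"
        return "block", f"no rule matches sha256 {digest[:12]}..."


def demo() -> Dict[str, str]:
    """Constructed scenario: an approved tool, a tampered copy, a download, and a revocation."""
    ac = AppControl()
    tool = b"\x7fELF...constructed approved binary"
    tampered = tool + b"\x90"                 # one byte added: a different hash
    ac.approve_hash("xero-sync", tool)
    ac.trust_path("/opt/approved")
    results = {
        "approved": ac.decide("/opt/approved/xero-sync", tool)[0],
        "tampered_in_trusted_dir": ac.decide("/opt/approved/xero-sync", tampered)[0],
        "download": ac.decide("/home/user/Downloads/xero-sync", tampered)[0],
    }
    ac.revoke("xero-sync")
    results["revoked_from_downloads"] = ac.decide("/home/user/Downloads/xero-sync", tool)[0]
    return results


if __name__ == "__main__":
    for scenario, verdict in demo().items():
        print(f"{scenario}: {verdict}")
```

The "tampered_in_trusted_dir" case is the one to notice: the path rule allows a modified binary simply because of where it sits, which is why a trusted directory must be one users cannot write to, and why the test (try to run something unapproved) should be repeated from every location a user can write to, not just the Downloads folder.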

Source: ATO


Do you think you can spot a cyber threat?

Cyber security is more important than ever

Protecting your customers and your data from cybercriminals should be one of your top business priorities.

Ensure that you know how to identify and respond to cyber threats. Increasing your knowledge and awareness is the best way to protect your business.

Luckily, you don’t have to be an IT expert to step up your cybersecurity. Protect your business now with these five ways to increase your online account security:

1. Make Two-Factor Authentication Mandatory

Two-factor authentication (2FA) helps stop an attacker getting into your account even if they have stolen your password, because a second proof (something you have) is required as well.

Alongside the traditional password, 2FA-enabled users enter a one-time code. Codes sent by text message are the weakest form: they can be intercepted through SIM-swap fraud and are routinely captured by phishing pages. Prefer an authenticator app that generates the code on the device, or better still a hardware security key, and fall back to SMS only where nothing else is offered.

You don’t have to make 2FA mandatory in your business, but we strongly recommend it, as do most good cloud computing platforms.

2. Close shared login accounts

Shared logins mean multiple people in your business know a password and can make it harder to track any work or issues you may have.

3. Remove risky access to your data

Consider removing account access for any staff who are no longer with you.

4. Update your software

If your browser, operating system or apps are out of date, they may no longer be safe from attackers. Keep your software updated to help protect your accounts.

5. Use unique, strong passwords

It’s risky to use the same password on multiple sites. If your password for one site is hacked, it could be used to access your accounts on multiple sites. Instead, consider using a password manager.

If you’re ever unsure about a phone caller, SMS, voicemail or email claiming to be genuine but seems suss, do not reply. You can also follow the latest scams and advice on how to protect yourself on the ATO website or via Scamwatch.

Looking for a Xero Certified Bookkeeper for your business? Are you drowning in paperwork? Cash flow keeping you awake at night? Learn how Notch Above Bookkeeping can solve all these problems, and more. Contact our team on 1300 015 130 Australia-wide.