Important Information

Security and fraud threats: How to protect yourself


Threats to Macquarie's clients and customers continue to evolve and impact users of financial services through various methods and in different ways. Being aware of the different threats that exist, and what you can do to prevent them, is the best way of avoiding them.

Online threats can refer to any type of fraud or scam generated through the internet or via email. Most online threats are designed to steal personal information such as credit card numbers, user names and passwords. These are typically executed through social engineering scams. The main intent is to gain a financial benefit via fraud.

Macquarie Group is committed to providing a secure online environment for our clients and partners. We encourage reporting of any suspected vulnerabilities in accordance with our Vulnerability Disclosure Program. We will validate and fix vulnerabilities in accordance with this program.


View latest threats in your region

ANZ

EMEA

Employment Scam Alert (Americas)​

An employment or job scam is where a scammer encourages you to apply for a vacancy that doesn’t exist. ​

Employment scams can take many forms including the scammer contacting you through encrypted messaging services or SMS that may either be fictitious or impersonating a legitimate Macquarie employee.

View article on employment scams.​

​Upon successful application for the non-existent position, you may be sent a cleared check as part of upfront fee/starter fee. You may then be directed to bank the check and use part of it for supplies and send or forward the remainder back to the scammers. By doing this you could unknowingly be helping criminals launder money. ​

View article on fake and fraudulent checks.​

​As part of the job scam you may be requested to send personal details including driver’s licensee and passport to the scammer.

Sending this information may also expose you to being a victim of identity fraud.

​Macquarie will never conduct job interviews over text message/SMS or through encrypted messaging services.​

Macquarie will never send you a check for upfront costs of employment. ​

If you have any suspicions about the employment process, please email the Macquarie Global Investigations team at globalinvestigations@macquarie.com.

Investment scams alert

Scammers have been reported impersonating Macquarie staff and promoting fraudulent documentation related to a range of financial investments. 

The use of phishing emails, cold calling, and fake websites scammers are seeking to entice people to invest in these false products that feature Macquarie branding.

To minimise the risk of being a victim, ensure you perform your due diligence by contacting Macquarie on the numbers listed from our website before you transfer any money.

  • Don’t rely solely on the contact numbers provided on email communications.
  • Be wary of entering your personal details into social media sites for investment opportunities.
  • Treat cold callers with suspicion related to any investment opportunities.
  • Check any documentation you receive for spelling and grammatical errors.
  • If the return on investment seems too good to be true it likely is.
  • If you think you may have been the victim of a scam that is connected to the Macquarie brand, contact us immediately at globalinvestigations@macquarie.com.

Common fraud and online threats

Cheque fraud may be committed by:

  • altering details such as the payee or the amount without authority
  • theft of legitimate cheques and altering details or forging signatures
  • duplication/counterfeit of cheques.

Protect yourself against cheque fraud:

  • Ensure your chequebook is secured in a safe place
  • Do not pre-sign cheques
  • Cheques should be endorsed not negotiable where possible
  • Don't leave any gaps in the completion of the payee name, amount in words or in figures
  • If cheques are lost or stolen contact your cheque book provider immediately and ask them to stop payment on the cheque.

Business e-mail compromise (BEC) is when a cybercriminal hacks into an email account and impersonates the real owner to defraud the company, its customers, partners, and/or employees into sending money or sensitive data to the attacker’s account.

BEC is also known as a “man-in-the-middle” attack where two parties think that they are talking to each other directly, but in reality, an attacker is listening in and possibly altering the communication.

While a BEC scam can target anyone in the company, high-level executives and people working in the finance department are the most likely targets. “Whaling” and “CEO Fraud” are two emerging terms used to describe the phenomenon of targeting high-level executives and are typically more difficult to detect than traditional phishing scams since they are so targeted.

Example BEC’s include, but not limited to:

  • Fraudulent invoice scam - where a cybercriminal uses an employee's e-mail to send notifications to customers and suppliers asking for payment to the cybercriminal's account
  • Fake boss scam - where a fraudulent email is sent from a business executive’s account to employees instructing them to urgently transfer money from the corporate account to the criminal's account
  • Spoof an email account or website. Slight variations on legitimate addresses (john.kelly@examplecompany.com vs. john.kelley@examplecompany.com) fool victims into thinking fake accounts are authentic.
  • Send spearphishing emails. These messages look like they’re from a trusted sender to trick victims into revealing confidential information. That information lets criminals access company accounts, calendars, and data that gives them the details they need to carry out the BEC schemes.
  • Use malware. Malicious software can infiltrate company networks and gain access to legitimate email threads about billing and invoices. That information is used to time requests or send messages so accountants or financial officers don’t question payment requests. Malware also lets criminals gain undetected access to a victim’s data, including passwords and financial account information  

Common Red Flags

  • Emails requesting changes to bank account details for regular clients or suppliers
  • Emails requesting urgent payment
  • Email requests out of usual business hours
  • Emails with vague payment purpose
  • Unusually large sums of money
     

Protect yourself against business e-mail compromises

  • Ensure everyone in the business is aware of the fraud red flags outlined above and what your escalation points are
  • Segregate duties so that different people are responsible for requesting and authorising payments
  • Obtain verbal confirmation if:
  • payment instructions are received via email
  • there is a request to change payment details or
  • if payment is requested outside of usual business

Phishing scams are attempts by scammers to trick you into giving out personal information such as your bank account numbers, passwords and credit card numbers.

A scammer contacts you pretending to be from a legitimate business such a bank, telephone, or internet service provider. You may be contacted by email, social media, phone call, or text message.

The scammer asks you to provide or confirm your personal details. For example, the scammer may say that the bank or organisation is verifying customer records due to a technical error that wiped out customer data. Or, they may ask you to fill out a customer survey and offer a prize for participating.

Alternatively, the scammer may alert you to 'unauthorised or suspicious activity on your account'. You might be told that a large purchase has been made in a foreign country and asked if you authorised the payment. If you reply that you didn't, the scammer will ask you to confirm your credit card or bank details so the 'bank' can investigate. In some cases, the scammer may already have your credit card number and ask you to confirm your identity by quoting the 3 or 4 digit security code printed on the card.

 

  • Be on the lookout for poor spelling, grammar or other errors in the email that don’t match the organisation’s presentation.
  • Be suspicious of emails with offers that seem too good to be true or that threaten you to take an action they’ve proposed.
  • If you weren’t expecting a message from a person or business, don’t click on the links or open attachments to an email. You can always reach out to the person or business via another communication channel to verify the legitimacy of the message you’ve received.
  • Before you click a link, hover over it to see the actual web address it will take you to. If you don’t recognise or trust the address, you can always search for the article or site via a search engine with relevant key terms the page might use.
  • Utilise a spam filter to block suspicious messages from reaching your inbox.
  • Remember, Macquarie will never ask you for your passwords or secure codes via text or email.

Malware scammers send emails and social media messages at random with links purporting to be on something topical news, an event or something 'interesting'.

If you click on the link, you may be taken to a fake website that looks like the real deal, complete with logos and branding of legitimate sites. In order to view the video, you will be asked to install some software, such as a ‘codec’, to be able to access the video format. If you download the software, your computer will be infected with malware (malicious software).

Another way of delivering a malware scam is through websites and pop-ups that offer 'free' file downloads, including music, movies and games, or free access to content, such as adult sites.

Malware scams work by installing software on your computer that allows scammers to access your files or watch what you are doing on your computer. Scammers use this information to steal your personal details and commit fraudulent activities. They may make unauthorised purchases on your credit card or use your identity to open accounts such as banking, telephone or energy services. They might take out loans or carry out other illegal business under your name, or even sell your information to other scammers for further illegal use.

Some of the ways to reduce your risk of being affected by malware include:

  • Do not open attachments or click on links in emails or social media messages you’ve received from strangers – just press delete.
  • If you want to access footage or information about major or breaking news, use a reliable news source rather than an unknown web link.
  • Be wary of free downloads and website access, such as music, games, movies and adult sites, they may install harmful programs without you knowing.
  • Always keep your computer security up to date with anti-virus and anti-spyware software, and a good firewall. Only buy computer and anti-virus software from a reputable source.
  • Use your security software to run a virus check if you think your computer’s security has been compromised. If you still have doubts, contact your anti-virus software provider or a computer specialist.
  • Keep your office networks, computers, and mobile devices secure. Update your security software, change passwords and back up your data regularly. Store your backups offsite and offline

 

 

Ransomware is a type of malware that locks your device and its files down so you can’t use them without paying a fee.

Ransomware can be very costly to recover from. It commonly uses encryption techniques to lock your files, making them unreadable, and some go one step further and make your computer unusable.

Ransomware infects users’ devices through the same techniques as malware and can include:

  • opening a suspicious file sent to you
  • clicking on a link to a malicious website
  • installing modified software that’s been shared for free on the internet
  • opening a Microsoft Office document with macros embedded in them.

It is not recommended to pay the ransom if you’re affected by ransomware. There is no guarantee that paying the ransom will see you get your files back and your computer fixed. You should engage a technical resource for assistance if affected.

Some of the ways to reduce your risk of being affected by ransomware include:

  • use anti-virus software and keep it updated
  • make sure your applications and operating systems are up to date
  • regularly back up your files
  • use strong passwords
  • disable Microsoft Office macros by default and only use macros you know and trust
  • regularly run anti-virus scans of your machine and review installed applications for unusual items
  • don’t download applications from third-party download sites or peer-to-peer networks
  • don’t click on online ads to download applications.

Identity theft happens when a criminal steals personal information and uses it to commit a crime such as opening fraudulent loans or stealing money from your bank accounts.

Cybercriminals can steal information including contact details, tax file numbers, credit card details, online account usernames and passwords.

Some of the signs of possible identity theft include:

  • your bank transaction history shows purchases or withdrawals you haven’t made
  • you stop receiving mail or stop receiving regular, expected mail like your utility bills
  • you start receiving communications related to a credit facility you didn’t open
  • a government agency gets in touch regarding a benefit that you haven’t applied for
  • you start receiving calls from debt collectors without being behind in loan repayments.

Some of the ways you can minimise the likelihood of having your identity stolen include:

  • limit what you share online
  • set your social media privacy settings to ‘private’
  • don’t accept new connections on social media from people you don’t know
  • be suspicious of communications asking you to confirm sensitive personal information
  • use strong, unique passwords for each online account
  • keep your devices, applications and operating system patched and up to date.

Scams have existed for centuries, however the internet allows scammers to reach a much larger audience.

A scam might come in the form of an email, contact from an unknown person through websites such as dating sites, online forums or social networking sites. Scams are usually designed to either steal your money or trick you into revealing personal information. They use techniques to manipulate you and appeal to your good nature, and are constantly evolving.

'Cold calling' scams are an unexpected or unsolicited telephone call offering investments or financial advice. The investments they offer usually guarantee high returns or encourage you to invest in overseas companies. The scams sound professional and may have other resources to support their claims. Cold callers often claim to be stock brokers or portfolio managers.
 

Technical support scams

Technical support scams involve cybercriminals getting in contact with users and pretending to have identified a serious problem with the user’s computer or internet connection and offer to help.

They’ll ask for remote access to the user’s computer but in doing so, will access files, intercept bank account logins and other sensitive information on the machine. They may also ask the user to pay a fee to fix the machine.

This scam works on intimidating the user, often using technical words and phrases to confuse the victim and employing techniques to build urgency. The scams can be initiated via a cold call, mass-messaged emails to users or via pop-up ads suggesting you’ve got a virus and to call a 1800 number for help.

Some of the ways you can protect yourself from scams such as these include:

  • always keep your computer up to date with the latest software updates, antivirus software and a good firewall
  • never disclose your personal information, financial account or online account details over the phone unless you made the call and got the number from a reliable source
  • if a stranger asks for remote access to your computer, say no, even if they claim to be from a reputable business.

 

Investment scams

There are three main types of investment scams:

  • The investment offer is completely fake.
  • The investment exists, but the money you give the scammer doesn't go towards that investment.
  • The scammer says they represent a well-known company – but they're lying.

In any case, the money you 'invest' goes straight into the scammer's bank account and not towards any real investment. It is extremely hard to recover your money if it goes to a scammer based overseas.

Anyone can be scammed and every scam is different. Scams are often very hard to spot and can feel legitimate in the moment. Scammers can use professional-looking websites and apps, and impersonate legitimate companies.

 

How scammers get you to invest

Scammers can come from anywhere. The most common approaches are:

  • Unexpected contact – they may contact you by phone, social media, email or text message. They might pretend to be someone you know, such as your fund manager, financial adviser, bank, or even a friend. They’ll offer guaranteed or unrealistic high returns on an investment.
  • Fake investment trading – they use real investment trading platforms to set up fake accounts. Then they offer to trade on your behalf. Once you deposit your money it’s gone for good.
  • Fake investment comparison websites – scammers will get you to enter your personal information into their fake website, then contact you to sell their scam investment.
  • Websites with fake ASIC endorsements – slick websites with fake investing information and performance figures. They may claim to be endorsed or approved by ASIC by showing the ASIC logo.
  • Dating apps – using romance to form a relationship with you, then offering you an investment opportunity.
  • Paid advertising – scammers often pay big money for advertisements, to appear high in online search results. They also advertise through social media. Advertising a scam is illegal.
  • Fake news articles – scammers will promote fake articles on social media, impersonating other news outlets and linking to their scam websites.

 

How do I know if I’m being scammed?

The most common scams share some key characteristics. When it comes to protecting yourself from scams, it’s important to be vigilant around providing personal information or making payments to an account.

Characteristics of a scam:

  • you’re contacted out of the blue
  • there’s a sense of urgency to act quickly
  • it sounds too good to be true.

If you’re being offered a product or investment at a much lower price than normal or promised a return much larger than what you might get from the bank, you may be falling for a scam. If it seems too good to be true, it probably is.

Scammers rely on building trust with their victims before exploiting this relationship for financial gain. Ask yourself if you really know the person you’re talking to. It’s important to seek independent advice around investments.

Tips to stay safe online

Protect yourself from online threats

Passwords

Use strong, unique passwords and change them if you believe they may have been compromised at any point.

Be vigilant

Be aware of phishing emails and avoid opening them.

Back up devices

Regularly back up your computer and devices.

Multi-factor Authentication

Using another layer of authentication in addition to your username and password, is preferable if your data is sensitive. If your account offers multi-factor authentication, you should enable it.

Keep personal information safe

Always take caution when sharing personal information on social media. For example, if you upload a photo of your new house, check to make sure the address isn't visible. 

Anti-virus software

Install an anti-virus software and keep it updated to reduce the likelihood of being impacted by malware.

Reporting fraud and online threats

If you have experienced an online threat or have fallen victim to phishing or any other type of online fraud/scam that may involve the Macquarie brand please notify us by email at globalinvestigations@macquarie.com. If possible, please send your contact phone number and the suspicious email as an attachment, rather than forwarding the email. This helps to identify the author and source and will be used to help reduce online fraud.

Global fraud and security resource matrix

The accordion below outlines the regions and countries that Macquarie operate in and the regulators, reporting authorities and consumer assistance services available to the local population to report instances of fraud and scams etc.

Reporting security threats

Urgent and high-risk security threats or incidents, such as extortion attempts, violence towards staff, bomb threats and suspicious packages and any life safety incident can be reported immediately to the Macquarie 24/7 Global Security Operations Centre (GSOC): GSOC@macquarie.com.