Important information

Security threats and how to protect yourself

Threats to Macquarie's clients and customers continue to evolve and impact users of financial services through various methods, and in different ways. Being aware of the different threats that exist, and what you can do to prevent them, is the best way of avoiding them.

Online threats can refer to any type of fraud or scam generated through the internet or via email. Most online threats are designed to steal personal information such as credit card numbers, user names and passwords. These are typically executed through social engineering scams. The main intent is to gain a financial benefit via fraud.

Common fraud and online threats

Cheque fraud may be committed by:

  • altering details such as the payee or the amount without authority
  • theft of legitimate cheques and altering details or forging signatures
  • duplication/counterfeit of cheques.

Protect yourself against cheque fraud:

  • Ensure your chequebook is secured in a safe place
  • Do not pre-sign cheques
  • Cheques should be endorsed not negotiable where possible
  • Don't leave any gaps in the completion of the payee name, amount in words or in figures
  • If cheques are lost or stolen contact your cheque book provider immediately and ask them to stop payment on the cheque.

Protect yourself against card fraud:

  • Always keep your card in sight during a transaction
  • Never keep your PIN and card together
  • Ensure that your PIN is kept secure, do not disclose to anyone
  • Always sign your card as soon as you receive it
  • Never let anyone else use your card.

If you believe that you may be a victim of card fraud, or your card has been lost or stolen, contact your card provider.

Protect yourself from ATM and EFTPOS scams:

  • Always ensure that no one can observe you whilst entering your PIN, you can do this by covering your hand when entering the PIN
  • Always be discreet when withdrawing large amounts at an ATM
  • If you believe that an ATM looks suspicious or may have been tampered with, do not use it and contact the relevant bank to advise them of your suspicions
  • Never let your card out of your sight whilst performing a transaction
  • Always insert the chip where possible, as this helps mitigate risk of card skimming.

Business e-mail compromise (BEC) is when a cybercriminal hacks into an email account and impersonates the real owner to defraud the company, its customers, partners, and/or employees into sending money or sensitive data to the attacker’s account.

BEC is also known as a “man-in-the-middle” attack where two parties think that they are talking to each other directly, but in reality, an attacker is listening in and possibly altering the communication.

While a BEC scam can target anyone in the company, high-level executives and people working in the finance department are the most likely targets. “Whaling” and “CEO Fraud” are two emerging terms used to describe the phenomenon of targeting high-level executives and are typically more difficult to detect than traditional phishing scams since they are so targeted.

Example BEC’s include, but not limited to:

  • Fraudulent invoice scam - where a cybercriminal uses an employee's e-mail to send notifications to customers and suppliers asking for payment to the cybercriminal's account
  • Fake boss scam - where a fraudulent email is sent from a business executive’s account to employees instructing them to urgently transfer money from the corporate account to the criminal's account
     

Common Red Flags

  • Emails requesting changes to bank account details for regular clients or suppliers
  • Emails requesting urgent payment
  • Email requests out of usual business hours
  • Emails with vague payment purpose
  • Unusually large sums of money
     

Protect yourself against business e-mail compromises

  • Ensure everyone in the business is aware of the fraud red flags outlined above and what your escalation points are
  • Segregate duties so that different people are responsible for requesting and authorising payments
  • Obtain verbal confirmation if:
  • payment instructions are received via email
  • there is a request to change payment details or
  • if payment is requested outside of usual business

Phishing emails often impersonate large, trustworthy organisations or government agencies. They may contain a link asking you to enter your information or to respond quickly to their request via email.

  • Be on the lookout for poor spelling, grammar or other errors in the email that don’t match the organisation’s presentation.
  • Be suspicious of emails with offers that seem too good to be true or that threaten you to take an action they’ve proposed.
  • If you weren’t expecting a message from a person or business, don’t click on the links or open attachments to an email. You can always reach out to the person or business via another communication channel to verify the legitimacy of the message you’ve received.
  • Before you click a link, hover over it to see the actual web address it will take you to. If you don’t recognise or trust the address, you can always search for the article or site via a search engine with relevant key terms the page might use.
  • Utilise a spam filter to block suspicious messages from reaching your inbox.
  • Remember, Macquarie will never ask you for your passwords or secure codes via text or email.

Malicious software, often shortened to malware, can be used by cybercriminals to:

  • remotely access your computer or smart device
  • use your computer to attack a third party
  • install additional software on your software including ransomware
  • attempt to log keystrokes and capture sensitive information while the user is typing
  • access the microphone and/or webcam on a user’s device.

Malware can infect your device through a variety of methods such as:

  • opening a suspicious file
  • clicking on a link to a malicious website
  • installing modified software that’s been shared for free on the internet
  • opening a Microsoft Office document with macros embedded in them.

If you’ve been affected by malware, you might notice your device is running slower than usual, ads popping up on your machine you didn’t expect or notice websites asking for more details than they normally do to do something like logging in. You may also notice alerts from your anti-virus software telling you about an infection.

Some of the ways to reduce your risk of being affected by malware include:

  • use anti-virus software and keep it updated
  • make sure your applications and operating systems are up to date
  • regularly back up your files
  • use strong passwords
  • disable Microsoft Office macros by default and only use macros you know and trust
  • regularly run anti-virus scans of your machine and review installed applications for unusual items
  • don’t download applications from third-party download sites or peer-to-peer networks
  • don’t click on online ads to download applications.

Ransomware is a type of malware that locks your device and its files down so you can’t use them without paying a fee.

Ransomware can be very costly to recover from. It commonly uses encryption techniques to lock your files, making them unreadable, and some go one step further and make your computer unusable.

Ransomware infects users’ devices through the same techniques as malware and can include:

  • opening a suspicious file sent to you
  • clicking on a link to a malicious website
  • installing modified software that’s been shared for free on the internet
  • opening a Microsoft Office document with macros embedded in them.

It is not recommended to pay the ransom if you’re affected by ransomware. There is no guarantee that paying the ransom will see you get your files back and your computer fixed. You should engage a technical resource for assistance if affected.

Some of the ways to reduce your risk of being affected by ransomware include:

  • use anti-virus software and keep it updated
  • make sure your applications and operating systems are up to date
  • regularly back up your files
  • use strong passwords
  • disable Microsoft Office macros by default and only use macros you know and trust
  • regularly run anti-virus scans of your machine and review installed applications for unusual items
  • don’t download applications from third-party download sites or peer-to-peer networks
  • don’t click on online ads to download applications.

Identity theft happens when a criminal steals personal information and uses it to commit a crime such as opening fraudulent loans or stealing money from your bank accounts.

Cybercriminals can steal information including contact details, tax file numbers, credit card details, online account usernames and passwords.

Some of the signs of possible identity theft include:

  • your bank transaction history shows purchases or withdrawals you haven’t made
  • you stop receiving mail or stop receiving regular, expected mail like your utility bills
  • you start receiving communications related to a credit facility you didn’t open
  • a government agency gets in touch regarding a benefit that you haven’t applied for
  • you start receiving calls from debt collectors without being behind in loan repayments.

Some of the ways you can minimise the likelihood of having your identity stolen include:

  • limit what you share online
  • set your social media privacy settings to ‘private’
  • don’t accept new connections on social media from people you don’t know
  • be suspicious of communications asking you to confirm sensitive personal information
  • use strong, unique passwords for each online account
  • keep your devices, applications and operating system patched and up to date.

Scams have existed for centuries, however the internet allows scammers to reach a much larger audience.

A scam might come in the form of an email, contact from an unknown person through websites such as dating sites, online forums or social networking sites. Scams are usually designed to either steal your money or trick you into revealing personal information. They use techniques to manipulate you and appeal to your good nature, and are constantly evolving.

'Cold calling' scams are an unexpected or unsolicited telephone call offering investments or financial advice. The investments they offer usually guarantee high returns or encourage you to invest in overseas companies. The scams sound professional and may have other resources to support their claims. Cold callers often claim to be stock brokers or portfolio managers.
 

Technical support scams

Technical support scams involve cybercriminals getting in contact with users and pretending to have identified a serious problem with the user’s computer or internet connection and offer to help.

They’ll ask for remote access to the user’s computer but in doing so, will access files, intercept bank account logins and other sensitive information on the machine. They may also ask the user to pay a fee to fix the machine.

This scam works on intimidating the user, often using technical words and phrases to confuse the victim and employing techniques to build urgency. The scams can be initiated via a cold call, mass-messaged emails to users or via pop-up ads suggesting you’ve got a virus and to call a 1800 number for help.

Some of the ways you can protect yourself from scams such as these include:

  • always keep your computer up to date with the latest software updates, antivirus software and a good firewall
  • never disclose your personal information, financial account or online account details over the phone unless you made the call and got the number from a reliable source
  • if a stranger asks for remote access to your computer, say no, even if they claim to be from a reputable business.

 

How do I know if I’m being scammed?

The most common scams share some key characteristics. When it comes to protecting yourself from scams, it’s important to be vigilant around providing personal information or making payments to an account.

Characteristics of a scam:

  • you’re contacted out of the blue
  • there’s a sense of urgency to act quickly
  • it sounds too good to be true.

If you’re being offered a product or investment at a much lower price than normal or promised a return much larger than what you might get from the bank, you may be falling for a scam. If it seems too good to be true, it probably is.

Scammers rely on building trust with their victims before exploiting this relationship for financial gain. Ask yourself if you really know the person you’re talking to. It’s important to seek independent advice around investments.


Tips to stay safe online

Protect yourself from online threats

  • Use strong, unique passwords and change your password if you believe it may have been compromised.
  • Install an anti-virus software and keep it updated to reduce the likelihood of being impacted by malware.
  • Regularly back up your computer and devices.
  • Think before you share information on social media, especially personal information such as the address of your new house in a photo.
  • Be aware of phishing emails and don’t click on them.

 

Reporting fraud and online threats

If you have experienced an online threat or have fallen victim to phishing or any other type of online fraud, please notify us by email at scams@macquarie.com. If possible please send your contact phone number and the suspicious email as an attachment, rather than forwarding the email. This helps to identify the author and source and will be used to help reduce online fraud.

For more information pertaining to online threats and how to protect yourself you can visit:

Swipe for more
Region Country Financial Regulator / Reporting Authority / Consumer Assistance
Americas Canada Investment Industry Regulatory Organisation of Canada (IIROC) 
https://www.iiroc.ca/Pages/default.aspx
Mexico National Banking and Securities Commission (CNBV) 
https://www.gob.mx/cnbv (Spanish version)
Brazil Securities and Exchange Commission of Brazil (CVM) 
http://www.cvm.gov.br/subportal_ingles/index.html
Chile The Commission of the Financial Market (CMF) 
https://www.cmfchile.cl/portal/principal/605/w3-propertyvalue-26173.html
USA U.S. Securities and Exchange Commission (SEC) 
https://www.sec.gov/ 
Commodity Futures Trading Commission 
https://www.cftc.gov/ 
Financial Crimes Enforcement Network (FinCEN) 
https://www.fincen.gov/   
ANZ Australia Australian Securities & Investment Commission (ASIC) 
https://asic.gov.au/ 
Scamwatch 
https://www.scamwatch.gov.au/ 
Australian Competition & Consumer Commission (ACCC) 
https://www.accc.gov.au/
New Zealand Financial Markets Authority (FMA) 
https://www.fma.govt.nz/
Asia China China Securities Regulatory Commission (CSRC) 
http://www.csrc.gov.cn/pub/csrc_en/ 
China Banking and Insurance Regulatory Commission 
https://www.cbirc.gov.cn/en/view/pages/index/index.html
Hong Kong Securities and Futures Commission 
https://www.sfc.hk/en/
India Securities and Exchange Board of India 
https://www.sebi.gov.in/
Indonesia Financial Services Authority of Indonesia 
https://www.ojk.go.id/en/Default.aspx
Japan Financial Services Agency 
https://www.fsa.go.jp/en/index.html 
Securities and Exchange Surveillance Commission 
https://www.fsa.go.jp/sesc/english/index.htm
Malaysia Securities Commission Malaysia 
https://www.sc.com.my/
Philippines Securities and Exchange Commission (SEC) 
https://www.sec.gov.ph/
Singapore Monetary Authority of Singapore (MAS) 
https://www.mas.gov.sg/
South Korea Financial Services Commission (FSC) 
http://www.fsc.go.kr/eng/
Taiwan Financial Supervisory Commission (FSC) 
https://www.fsc.gov.tw/en/index.jsp
Thailand The Securities and Exchange Commission (SEC) 
https://www.sec.or.th/EN/Pages/Home.aspx
EMEA Austria Oesterreichische National Bank 
https://www.oenb.at/en/
Denmark Danish Financial Supervisory Authority (DFSA) 
https://www.dfsa.dk/
France Autorité des marchés financiers (AMF) (Financial Authority)  
https://www.amf-france.org/fr 
Autorité de Contrôle Prudentiel et de Résolution, (ACPR) (Prudential Authority) 
https://acpr.banque-france.fr/en
Germany Federal Financial Supervisory Authority (BaFin) 
https://www.bafin.de/EN/Homepage/homepage_node.html
Ireland Central Bank of Ireland 
https://centralbank.ie/
Luxembourg Commission de Surveillance du Secteur Financier (CSSF) 
https://www.cssf.lu/en/
Netherlands Netherlands Authority for the Financial Markets 
https://www.afm.nl/en
South Africa Financial Sector Conduct Authority (FSCA)
https://www.fsca.co.za/Pages/Default.aspx
Spain National Securities Market Commission (CNMV) 
http://www.cnmv.es/portal/home.aspx?lang=en
Sweden Swedish Financial Supervisory Authority (Finansinspektionen (FI)) 
https://www.fi.se/en/about-fi/
Switzerland Swiss Financial Market Supervisory Authority (FINMA) 
https://www.finma.ch/en/
United Arab Emirates Securities & Commodities Authority 
https://www.sca.gov.ae/en/home.aspx
United Kingdom Bank of England 
https://www.bankofengland.co.uk/ 
Prudential Regulation Authority (PRA) 
https://www.bankofengland.co.uk/prudential-regulation 
Financial Conduct Authority (FCA) 
https://www.fca.org.uk/

Reporting security threats

Urgent and high-risk security threats or incidents, such as extortion attempts, violence towards staff, bomb threats and suspicious packages and any life safety incident can be reported immediately to the Macquarie 24/7 Global Security Operations Centre (GSOC):

GSOC@macquarie.com

Further reading

Man with sunglasses on laptop in dark room

Business banking

From spear phishing to whaling

Business banking

Protect your most important asset: your personal identity

Business banking

Is your business at risk of email compromise?

Business banking

How secure is your business online?
Two business women conversing in conference room

Business banking

How well do you really know your clients?

Business banking

How to stop your business being held to ransom

Business banking

12 scams you should be aware of

Business banking

Is that email really from your boss?