Another “World’s Biggest” Data Breach – Here’s What Actually Matters

The Cyber Sushi


(serving up the cold facts, with some phish bytes)

 

Welcome back! Here's what we are covering in this issue:

Another “World’s Biggest” Data Breach – Here’s What Actually Matters

Did you see the headlines? They were pretty hard to miss. News agencies across the globe reported on the world’s biggest data breach on 20 June – with 16 billion passwords linked to Apple, Facebook, Google, and other platforms leaked.

What made it worse? This came less than a month after another monster breach that exposed login data for 184 million credentials.

And right in the middle of all this? Australia was marking Privacy Awareness Week (16–22 June).

What’s important to know: the likelihood of your login details being exposed is high. Do yourself a favour – visit Have I Been Pwned and plug in your email address for a reality check.
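The Have I Been Pwned email lookup above tells you which breaches an address appears in. The same service also lets you check a password itself without ever sending it anywhere: only the first five characters of its SHA-1 hash are sent, and the matching is done on your own device. The script below is an added example, not IDCARE's or Have I Been Pwned's code, showing how that k-anonymity check works. The range API URL is the real public endpoint; the sample range response and the breach counts in it are constructed here so the example runs offline.

```python
# Added example (not from IDCARE or the newsletter): checking a password against
# Have I Been Pwned's "Pwned Passwords" range API using its k-anonymity model.
# Only the first five hex characters of the SHA-1 hash leave the device; the
# full hash and the password never do. RANGE_API is HIBP's public endpoint;
# the range response body used below is CONSTRUCTED for offline demonstration.
import hashlib
import urllib.request
from typing import Callable

RANGE_API = "https://api.pwnedpasswords.com/range/"


def sha1_upper(password: str) -> str:
    """Hex SHA-1 of the password, upper-cased to match the API's format."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_hash(password: str) -> tuple[str, str]:
    """Return (5-char prefix that is sent to the API, 35-char suffix kept locally)."""
    digest = sha1_upper(password)
    return digest[:5], digest[5:]


def count_in_range(suffix: str, range_body: str) -> int:
    """Parse a range response ("SUFFIX:COUNT" per line) and return the breach
    count for our suffix, or 0 if it is absent or padded with a zero count."""
    for line in range_body.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue  # tolerate blank or malformed lines
        cand, count = line.split(":", 1)
        if cand.strip().upper() == suffix:
            try:
                return int(count)
            except ValueError:
                return 0
    return 0


def fetch_range(prefix: str) -> str:
    """Live lookup over the network; not used by the offline demo below.
    Add-Padding asks the API to pad the response so that its size does not
    reveal which prefix bucket was requested."""
    req = urllib.request.Request(
        RANGE_API + prefix,
        headers={"Add-Padding": "true", "User-Agent": "cyber-sushi-example"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def pwned_count(password: str, fetch: Callable[[str], str]) -> int:
    """Hash locally, send only the prefix via `fetch`, match the suffix locally."""
    prefix, suffix = split_hash(password)
    return count_in_range(suffix, fetch(prefix))


# CONSTRUCTED range body for prefix 5BAA6, the prefix of SHA-1("password").
# A real response holds hundreds of lines; the counts here are made up.
SAMPLE_RANGES = {
    "5BAA6": (
        "003D68EB55068C33ACE09247EE4C639306B:3\n"
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:10000000\n"
        "011053FD0102E94D6AE2F8B83D76FAF94F6:1\n"
    ),
}


def offline_fetch(prefix: str) -> str:
    """Stand-in for fetch_range that serves the constructed sample data."""
    return SAMPLE_RANGES.get(prefix, "")


if __name__ == "__main__":
    prefix, suffix = split_hash("password")
    print(f"sent to API: {prefix}   kept on device: {suffix[:8]}...")
    print("times seen in breaches:", pwned_count("password", offline_fetch))
    # For a live check, replace offline_fetch with fetch_range.
```

A count above zero means the password has appeared in a known breach and should be retired everywhere it is used; a password manager makes that practical, which is the first of the tips below.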

Chances are – you’ve been breached. So, the real question is: what actually matters?

At IDCARE, we see firsthand the harm that follows when people’s information is exposed. We have seen a significant rise in the number of “unknowns” coming to our support service: people who don't recall engaging with a scammer or clicking on a link at any time.

They were just living their lives – until something went wrong.  Maybe their myGov account was accessed and their Centrelink payments redirected. Maybe a bank account was opened in their name. The list of bad outcomes when your credentials are exposed is long.

With this latest 16 billion password leak, four key tips matter most in helping to keep you safe:

1. Use a password manager to create long, strong and unique passwords for every account – and use passkeys or other authentication methods wherever available.

2. Secure your accounts with two-factor or multi-factor authentication – ideally using an authenticator app.

3. Check your credit reports every six months across all three credit reporting agencies for anything unusual, and keep an eye on your bank account for unusual transactions, even if the amounts are small.

4. Protect your myGov account by using a passkey instead of a password, or use Digital ID.

IDCARE's Learning Centre has a range of fact sheets and videos to help guide you through how to set these up.

Remember: the basics make a big difference. That’s why we created the Safety Essentials Takeaways booklet. You can get your free copy here.

 

Small Business Cyber Threat UPDATE

IDCARE’s analysts have identified the most common—and damaging—cyber issues impacting small businesses today:

📧 Compromised Email & Social Media Accounts
Business email compromise (BEC) is a major issue. Scammers gain access to inboxes to send fraudulent invoices, impersonate staff, or steal sensitive data. Social media accounts—especially Facebook and Instagram—are also being targeted, often resulting in permanent loss of access and reputational harm.

💻 System Takeovers & Malware
Some scammers gain control of business devices through malicious popups or fake support calls. Once inside, they can access EFTPOS systems, banking platforms, email accounts, and more—especially when remote access is unknowingly granted.

🛒 Fake Online Stores & Website Clones
Scammers are setting up fake websites that mimic legitimate suppliers or businesses. Many small businesses report losses after paying for commercial equipment or site offices that never arrive. In other cases, scammers have created fake versions of real websites to deceive customers.

📄 False Invoices & Chargeback Scams
Scammers impersonate suppliers, customers, or even colleagues to request payments or refunds. One business processed payments on behalf of a fake “florist,” believing it was for a catering client. Others had rent payments diverted after email threads with real estate agents were intercepted.

🧠 The Human Impact
The toll isn’t just financial. Business owners describe disrupted sleep, lost confidence, and emotional exhaustion—especially when their brand or identity is used without their knowledge.

🚨 Emerging Threats

  • ClickFix Malware: A fake CAPTCHA installs malware that can steal passwords, activate webcams, and extract sensitive files.
  • Rideshare Account Takeovers: Fake support calls are allowing scammers to take over driver accounts, cutting off earnings and access.

Worried about your small business?
IDCARE offers a free Small Business Cyber Resilience Service, funded by the Australian Government.
👉 idcare.org/smallbusiness

 

The PDF Attachment and the Business Email Compromise 

Real Story: Leeann Ellison, HealthCare Connected

Leeann Ellison, Managing Director of HealthCare Connected, thought she was cyber-aware. With more than 20 years of senior executive marketing experience, she knew not to click suspicious links. But she didn’t realise that even a PDF attachment could open the door to cybercriminals.

After receiving a seemingly harmless email, Leeann believes a malicious PDF allowed hackers to quietly access her business email account. For over two months, they monitored her inbox without detection—learning her communication patterns and waiting for the right moment.

Eventually, they struck—impersonating her to send invoices to clients with their bank account details instead of hers. The result? Financial losses for both Leeann and her clients, and a serious breach of trust.

Leeann turned to IDCARE’s Small Business Cyber Resilience Service, where she received free, tailored support to secure her systems and build greater cyber resilience.

🎥 Watch Leeann share her experience in this short video: https://youtu.be/zUjRhq9p0dw


We thank Leeann for courageously sharing her experience to help other small businesses stay safe.

 

Behind the mask: The Guide to New and Trending Scams


Swipe Left for this Tinder Investment scam:


IDCARE is helping clients engaged in a romance-turned-investment scam that started on the dating platform, Tinder, linked to a fake MEXC crypto platform.

💔 Victims lost an average of $48,000
💔 94% were women aged 25–44
💔 Most also had their identity compromised

How it works:
Scammers build a romantic connection, move the chat off Tinder, then introduce “crypto trading” on a fake MEXC site that asks for ID documents.

Our advice:
If someone you’ve never met in person is introducing an investment opportunity, be cautious. Chances are, they're a scammer, not a lover.

The "Marathon" Scam - run from this one🏃‍➡️ 


Gold Coast local Jess Lapella thought she’d secured a resale ticket to the sold-out Gold Coast Half Marathon through a Facebook runners' group. But the ticket wasn’t real—and she was left out of pocket and off the start line. Unfortunately, scammers love to leverage opportunities from events that sell out quickly, whether it is a marathon or a Taylor Swift concert. In the past year:

🔎 IDCARE has seen over 740 cases of ticket or event scams like this, most involving music tickets.
💸 Reported losses total more than $618,000.

How it works:
Criminals typically compromise real Facebook accounts and post fake ticket sales in community groups. The profile looks genuine—but it's been taken over.

Our tips:
✔️ Be wary of ticket sales on social media and check the event's website to look for authorised reseller opportunities.
✔️ Enable two-factor authentication to protect your own account from being used by scammers! Learn how in our Learning Centre at idcare.org

 

Ask Dr Lacey: "Is it safe to bank online?"


Have a Scam, Identity, or Cyber-Related Question? Ask Dr. David Lacey!
 
Having dealt with countless cases of scams, identity theft, and cybercrime, Dr. David Lacey is one of Australia’s most respected experts in the field. He is highly sought after by both government and industry for his unique insights into the online criminal environment. In this edition of The Cyber Sushi, Dr. Lacey is inviting you to submit your questions – and we (the Cyber Sushi team) will answer them. Send your questions to [email protected].

Our question today comes from Andrew:

Hi Dr Lacey,

When sensitive information such as passwords or bank account details and PIN numbers is sent over the internet via the bank's (or other institution's) website, how secure is it in transmission? (Obviously, once they have the information, the security depends on the institution itself, as we have seen with Optus etc.)


Answer:

Hi Andrew,

That's a complex question and involves a lot of "well, it depends", starting with how secure your device is and if you ARE interacting on the bank's correct website. The banking website itself is safe. They employ hundreds of people to ensure their products and platforms are secure - their reputation depends on it! So, providing your passwords and banking details on the bank's official website is a secure (and very handy) way to do an online transaction. However, criminals regularly impersonate banking platforms and if you are sharing information on their fake website - it is going directly to them. Further, if your device has been compromised (through malware, remote access etc), the criminals may be able to see your valuable banking details. We recommend banking in the app as opposed to websites - if you get the app from the official Apple or Google store (never download an app from a link in an email or socials!).

Kind regards,
The Cyber Sushi Team.

Join the global list of organisations making a real difference in people’s lives by supporting our service.

Copyright © 2025, IDCARE. All Rights Reserved.

ABN 84 164 038 966