(serving up the cold facts, with some phish bytes)
In the last year, over 17,000 people contacted IDCARE because they had been harmed in an impersonation scam. This is a scam where criminals pretend to be trusted organisations, celebrities, or even friends and family.
The harms varied – from serious financial loss to identity theft. One person lost $850,000 after clicking on a fake ING Bank ad on Facebook. Even if no money is lost, victims often spend hours fixing the damage. That’s why it is important to understand impersonation scams, how they work and how you can protect yourself and your family against them.
Organisation Impersonations
In 91% of impersonation scams, the scammer pretended to be a trusted organisation, such as a government agency, a bank or a telco. These scams can involve phone calls, emails, or SMS messages, often claiming there’s a problem with your account or offering urgent discounts. With the help of stolen data, scammers can make their attempts feel more convincing by referencing personal details, such as the person’s name, physical address or account information.
Friend, Family, and Boss Impersonations
Scammers impersonating friends, family, or your boss can exploit trust and urgency to manipulate victims. They may hack social media accounts and send SMS messages pretending to be a loved one, asking for money or suggesting you take part in an investment or some other money-making scheme. Some scams involve requests from someone posing as your boss to urgently buy gift cards for other employees or clients, to be reimbursed later. Victims often believe they are helping their boss by responding to an emergency, so they don’t have time to question the requests. In some cases, the “boss” sends the employee a fake invoice asking them to pay it from company funds, causing financial loss for the business.
Celebrity Investment Scams
These scams typically involve scammers using deepfake ads or impersonating well-known public figures. These ads are designed to appear legitimate, even mimicking the voices and faces of famous personalities. The main goal is to convince individuals to deposit their savings into a criminal-controlled investment scheme (usually crypto-based). Victims are often shown that their money is making great returns but realise it is a scam when they cannot withdraw their investments.
Have a look at this convincing deepfake of a news story our analysts found on Facebook in March.
✅ Be suspicious of unexpected messages – even if they seem to come from a known organisation or friend.
✅ Don’t trust caller ID or email addresses – scammers can fake them.
✅ Never click on links or call numbers from messages. Always search for official contact details through the organisation’s official app or verified website (not through ads!).
✅ Verify through another channel. If a friend or family member asks for money, call them directly on a number you know is real (even if they have made an excuse for you not to call!).
✅ Use strong privacy settings on social media. Lock down who can see your contact lists.
✅ Install MFA (Multi-Factor Authentication) where possible. It makes it harder for scammers to take over your accounts.
IDCARE analysts have compiled a comprehensive monthly report on impersonation scams for its subscribers. To find out more about obtaining IDCARE reports, email [email protected]
A cyber health check of nearly 300 Australian small businesses has found most do not have basic cyber health practices in place.
This included simple, but effective measures like multi-factor authentication to protect business emails and social media accounts, regular backups and an encryption policy for sensitive data.
IDCARE’s Small Business Cyber Resilience Service team leader, David Murdoch, said most small businesses who completed the health check indicated they did not have the time or the understanding of cybersecurity to protect themselves.
In the six months since receiving Federal Government funding to provide the Small Business Cyber Resilience Service to businesses with 19 or fewer full-time equivalent staff, IDCARE has uncovered concerning trends. The average score on its Cyber Security Health Assessment was just 35%.
One Melbourne historic precinct told our small business team that, after the compromise of the marketing manager’s email account and then social media account, the historic precinct’s social media account and its advertising budget were being used by criminals to share social posts laden with malware.
Even after the social accounts were restored, the precinct continued to experience “over 1000 attacks a day”.
Thankfully, cyber resilience doesn’t have to be hard. IDCARE’s Small Business Cyber Resilience Service connects small business owners with a specialist advisor who will help them understand the steps they need to take to make a real difference.
IDCARE is also proud to collaborate with Cyber Wardens, an initiative of the Council of Small Business Organisations of Australia (COSBOA) and supported by the Federal Government. They offer Government-funded free online cyber security courses and webinars to provide education on cyber security red flags.
This May, IDCARE will be running a series of social posts, videos and polls to help small businesses understand the cyber threats.
If you are a small business owner, or know someone who is, please visit idcare.org/smallbusiness and check your cyber health now.
We’re excited to let you in on a little secret—IDCARE is getting a website makeover!
We’ve been working behind the scenes to create a fresh, welcoming space that’s easier to use and filled with helpful tools and advice.
We’ve remade our site with you in mind. The new design has a cleaner layout, less clutter and better navigation tools.
The official launch date for the new website is scheduled for mid-May! We’d love your feedback once it is live. Please email us at [email protected]
The Not so Super, Super scams
Cases of scammers impersonating superannuation funds are again on the rise. The financial losses from superannuation compromise are also increasing, with total financial losses from March 2024 to April 2025 of over $34 million! In most cases, IDCARE clients didn't know how their superannuation funds were accessed, but many co-occurred with the compromise of a government service account, like myGov, AT, Centrelink or Medicare.
Our Tips:
Protect your superannuation account with a strong password and, where possible, multi-factor authentication. Also check it regularly for any suspicious activity.
The best job that never existed: Employment scams surge as criminals leverage gamified tactics
In March 2025, IDCARE saw a 44% spike in employment scam reports – the highest monthly number we've ever recorded. These scams are impacting younger Australians the hardest, especially those underemployed or seeking extra income.
How it Works:
Scammers mimic online gaming platforms, getting victims to complete fake tasks (liking posts, placing fake orders, following accounts) for small payouts. To unlock bigger “commissions,” victims are pressured into making deposits.
Group chats on WhatsApp or Telegram reinforce the scam with fake success stories, making it feel real—and keeping people engaged.
Our Tips:
Be very suspicious of job advertisements that require you to complete a series of "tasks" before receiving a payment. If the "job" requires you to put in your own money to get money out - it's a scam.
The Funeral Scam
Criminals target grieving families, using obituary details to impersonate debt collectors, make fake inheritance claims, send fake “memorial” donation requests and steal identities.
How It Works:
Criminals scan obituaries and funeral notices looking for the personal details of grieving families. The obituary includes details about the deceased person’s life, accomplishments and surviving family members. Criminals use these details when contacting grieving families to appear more legitimate.
Our Tips:
Limit the details you share in obituaries and let someone else handle phone calls while you are grieving and busy organising the funeral. Grief is hard enough. Don’t let scammers make it worse.
Having dealt with countless cases of scams, identity theft, and cybercrime, Dr. David Lacey is one of Australia’s most respected experts in the field. He is highly sought after by both government and industry for his unique insights into the online criminal environment. In this edition of The Cyber Sushi, Dr. Lacey is inviting you to submit your questions – and we (the Cyber Sushi team) will answer them. Send your questions to [email protected].
Our question today comes from Fiona.
Hi Dr Lacey
A year ago I subscribed to an online health portal providing weight loss medications sent through the mail, with phone contact from doctors in their service as a means of monitoring progress. In subscribing, a condition of receiving the medication was providing photographs of myself, including my face and proof of identity by providing a photo of my driver's licence.
OK - So I can already see eye rolls and I did realise red flags were waving at me but I foolishly subscribed anyway and can only reason that I felt too vulnerable about my weight, and ashamed to seek this medical care through my regular GP. Culpable I know. Stupid, I know.
Anyway, long story short, though I have unsubscribed from the online portal and their services, I remain concerned that my face, but more worryingly my licence image, may still be held by the organisation "for medical records" for some time... or forever, and that this could be a problem in the case of a data breach.
I know the answer to anyone considering doing a similar thing is simply "Don't" but is there anything I can do now?
Kind regards,
Fiona
Answer:
Hi Fiona,
Thanks for your email. Firstly, you are neither “culpable” nor “stupid”. We’ve actually had several clients contact us after being involved in a similar circumstance. Can I check, have you been able to cancel the subscription? If not, please let your bank know. Also, yes, you should be concerned if you provided your driver licence. Please contact our case management centre for support by either filling in the Get Help form on our website, IDCARE.org, or calling our free number, 1800 595 160. They can send you a response plan that explains how you can protect yourself going forward.
Kind regards,
The Cyber Sushi Team.
Join the global list of organisations making a real difference in people’s lives by supporting our service.