Company affected – Australian SME

What happened:

A junior member of staff, working in an Australian SME, was the victim of a whaling attack. The junior received an email from the 'CEO' of the business explaining that their phone was flat and requesting that they quickly reply with their mobile number. The junior followed these instructions and got a reply via text message saying that it was the CEO using a borrowed phone. The CEO said that they were stuck in a meeting and asked whether the junior could quickly organise some iTunes gift cards to the value of $500 for the fellow meeting attendees. They explained that the junior would be reimbursed for this task. As per the request, the junior purchased the gift cards, photographed their numbers and SMS'd the details over to their boss. It was some time later, when the junior was speaking to the CEO in person, that they realised they'd been scammed.

How it happened:

The email address that the original request was sent from was not the CEO's real address, but a generic Gmail account using the CEO's name. This meant the CEO's name appeared as the sender when the email arrived in the junior's inbox, so they did not think twice. The scammer used urgency and authority to make the junior panic and do something they ordinarily would not. Once the conversation had left the email system and switched to SMS, there was no way of tracking or intercepting the conversation to remediate.

The end result:

By the time the CEO had discovered what had happened and engaged Myrtec, the damage was done. Fortunately, the cost of the cards could be claimed through cyber insurance so that the junior could receive their money back. Myrtec implemented anti-impersonation protections and secured the business's email systems against misuse. Lastly, the CEO arranged Cyber Awareness training for all staff.

How to avoid:

This situation is easily avoidable if staff receive thorough cyber training, which will always include tips on how to identify scam emails. 

Myrtec recommends that you:

  • Ask your IT provider to implement email impersonation protection on your email servers, especially for your senior personnel. 
  • Check your cyber insurance is up-to-date and that you are meeting the policy requirements.
  • Make regular cyber training, covering the latest cyber scamming tactics, compulsory for all staff members.
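
The display-name trick described under "How it happened" is what email impersonation protection is meant to catch. The sketch below is an added illustration of that check, not Myrtec's or any product's implementation; the executive name, trusted domain and sample headers are constructed placeholders.

```python
import unicodedata
from email.utils import parseaddr

# Constructed placeholders for this example; replace with your own values.
PROTECTED_NAMES = ["Jane Citizen"]        # senior staff whose names are worth guarding
TRUSTED_DOMAINS = {"example.com.au"}      # domains the business really sends from


def _name_key(name):
    """Reduce a display name to a set of words, ignoring case, accents,
    punctuation and word order ("Citizen, Jane" == "jane citizen")."""
    text = unicodedata.normalize("NFKD", name)
    text = "".join(c for c in text if not unicodedata.combining(c)).casefold()
    words = "".join(c if c.isalnum() else " " for c in text).split()
    return frozenset(words)


PROTECTED_KEYS = {_name_key(n): n for n in PROTECTED_NAMES}


def check_from_header(from_header):
    """Return a warning string if the From header shows a protected name
    on an address outside the trusted domains, otherwise None."""
    display, address = parseaddr(from_header)
    domain = address.rpartition("@")[2].lower()
    if domain in TRUSTED_DOMAINS:
        return None                       # genuine internal sender
    key = _name_key(display)
    for protected_key, protected_name in PROTECTED_KEYS.items():
        # Subset match also catches padded names such as "Jane Citizen - CEO".
        if protected_key and protected_key <= key:
            return (f"display name matches {protected_name!r} "
                    f"but sender domain is {domain or 'missing'!r}")
    return None


if __name__ == "__main__":
    # Constructed sample headers: one impersonation, one genuine, one unrelated.
    samples = [
        '"Jane Citizen" <jane.citizen.ceo@gmail.com>',
        "Jane Citizen <jane@example.com.au>",
        "Sam Supplier <sam@supplier.example>",
    ]
    for header in samples:
        print(header, "->", check_from_header(header) or "ok")
```

A mail gateway rule built on this idea would typically tag or quarantine the flagged message rather than deliver it unmarked.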

To learn more about how you can protect your business's cyber security, click here.


Thank you to Myrtec for providing this case study 
