Information security alert: phone scams seeking passwords

2 September 2020
Staff from the Department of Health and Human Services (the department) have recently received phone calls that are part of coordinated scams designed to steal personal banking information. The calls come either from an automated voice recording that prompts you to speak to an operator, or directly from a person.

Recent callers have claimed to be from Telstra and advise that someone is trying to hack into your bank accounts. The caller is likely to ask you to download software that allows them to remotely access your accounts to check for signs of compromise and/or confirm your banking details. This type of attack could be made by scammers pretending to be from any major agency, potentially including the department and its funded agencies, and is designed to steal protected information from you.

To avoid falling prey to such attacks, it is important to have a basic understanding of how information is stored and protected. The department has provided the following general guidance:

  • “Don’t share your password with anyone else” really does mean that: legitimate information protection measures do not require you to provide your password in order to operate
  • Requests to remotely access your computer and/or perform software downloads on it should only be granted if they are expected, e.g. made in writing in advance:
    1. If you have made an IT support request, an automated email with a reference number is typically provided to the requester. Users can use that reference number to verify that such calls relate to that IT request
    2. Unexpected incoming calls requesting action or information that were not first advised in writing should be ignored under all circumstances.
  • The information of every customer of a bank is stored within the same corporate network which, like other agencies, is protected by a single suite of IT and policy measures
  • Effective information security policies need to provide staff with a clear distinction between trusted and untrusted ways to share information.

Please also be aware that random SMS messages that seek action and contain malicious links are still in circulation.

The department urges staff at all funded agencies to notify their IT team or appropriate person/department if they have also been contacted by similar scammers.