Welcome to this month’s edition of Cyber Insights! In this issue, we’re breaking down the latest social media restriction scams, highlighting recent security breaches, and sharing practical tips on how to tell legitimate communications from scams.
LATEST SCAMS
New laws took effect in December 2025 requiring social media platforms to limit access to users aged 16 and over. While these laws aim to protect young Australians, criminals are already exploiting the confusion around age verification to steal personal information and money.
Scammers are using several tactics. Some pretend to be social media companies such as Facebook, Instagram, or TikTok, sending emails or messages claiming your account is at risk unless you verify your age immediately. They’ll ask you to click a link to a fake website that looks legitimate, where they’ll try to steal your username and password and may even ask you to upload identity documents such as your driver’s license or passport.
Other scammers pretend to be from the government or police, claiming you’ve violated the new social media age laws. They’ll threaten fines or legal action unless you provide proof of age or pay a penalty. Some criminals are even targeting young people directly, offering to sell fake IDs or access to ‘age-verified’ accounts so they can bypass the ban, but these operators rarely deliver what they promise and may try to develop inappropriate relationships with teenagers.
How to avoid this scam:
- Social media companies will never ask you to verify your age through email links or direct messages. If you receive such a message, go directly to the platform’s official website or app instead of clicking any links.
- Government agencies and police don’t send threatening messages about social media violations demanding immediate payment. These are always scams.
- Never upload copies of your driver’s license, passport, or other identity documents to websites you reach through email or text message links. These documents can be used to steal your identity.
LATEST BREACHES
University of Sydney
The University of Sydney discovered in mid-December that hackers had accessed one of its internal code storage systems. While the system was primarily used by IT teams for software development, it also contained old data files from a retired system.
The breach exposed personal details of around 20,500 current and former staff members, including names, dates of birth, phone numbers, home addresses, and job-related information from September 2018. Historical records from 2010-2019 containing information on about 5,000 students and alumni were also compromised. The university acted quickly to secure its systems and is monitoring for any signs that the stolen data has been published or misused online.
ThinkMarkets
Melbourne-based online trading broker ThinkMarkets was hit by the Chaos ransomware group on December 8. The attackers claimed to have stolen 512 gigabytes of company data and published it online after ransom negotiations failed.
The stolen data is extensive and includes human resources information, details of customer disputes and complaints, internal legal advice, company policies, and confidential trading information. Most concerning are the scanned copies of employee passports and customer identity verification documents. ThinkMarkets operates globally with offices in Australia, the Middle East, South Africa, Europe, and the United States, so the breach potentially affects clients worldwide.
How to Spot Legitimate Communications from Scams
With scammers increasingly impersonating banks, government agencies, and legitimate companies, knowing how to identify genuine communications is crucial. Criminals have become sophisticated at creating emails, text messages, and phone calls that look and sound authentic.
Here’s how to protect yourself and your organisation.
- Legitimate organisations never create urgency around account security. If a message claims your account will be closed, suspended, or penalized unless you act immediately, it’s almost certainly a scam. Real companies give you time to respond and provide multiple ways to contact them.
- Don’t trust caller ID or email addresses alone. Scammers can fake both. If someone calls claiming to be from your bank or a government agency, hang up and call back using the official number from the company’s website. Never use phone numbers provided in suspicious emails or texts.
- Hover over links before clicking (on desktop computers) to see the actual web address. Scammers often disguise malicious links with legitimate-sounding text. If you’re unsure, don’t click; instead, go directly to the company’s website by typing the address yourself.
- Watch for generic greetings. Legitimate emails from your bank or service providers typically address you by name. Messages that start with ‘Dear customer’ or ‘Dear member’ are red flags, especially if they ask you to verify account details or click links.
- Real companies will never ask for sensitive information via email or text. Your bank will never ask you to confirm your password, PIN, or full credit card number through these channels. If you receive such a request, it’s a scam; report it immediately.
- When in doubt, verify independently. Before taking any action on a suspicious message, contact the organisation directly using contact information from their official website, not from the message you received. It takes an extra minute but could save you from identity theft or financial loss.
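The link-disguise check in the third tip (visible text that names one site while the real address goes elsewhere) can be automated for incoming HTML mail. This is an added example, not code from the newsletter: it pulls every link out of a constructed sample message (the lookalike host is invented) and flags anchors whose displayed text names one domain while the href actually leads to a different host.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse
import re

# Visible link text "looks like a web address" when it starts with a host name.
URL_LIKE = re.compile(r"^(?:https?://)?(?:www\.)?[a-z0-9.-]+\.[a-z]{2,}", re.I)

# Constructed sample modelled on the age-verification lure above; the lookalike host is invented.
SAMPLE_EMAIL = """<p>Dear customer, verify your age now:
<a href="https://facebook.com.verify-age-portal.example/login">https://www.facebook.com/help</a>
or read our <a href="https://www.facebook.com/policies">https://www.facebook.com/policies</a>.
<a href="https://example.org/x">Click here</a></p>"""

class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []
    def handle_data(self, data):
        if self._href is not None:  # only text inside an open <a>
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def host_of(url):
    """Lower-cased host of a URL (scheme added if missing), without 'www.'."""
    host = urlparse(url if "://" in url else "http://" + url).hostname or ""
    return host.lower().removeprefix("www.")

def find_disguised_links(html):
    """Return (visible text, real host) for links whose text names one domain
    while the href actually leads to a different host."""
    parser = _LinkCollector()
    parser.feed(html)
    found = []
    for href, text in parser.links:
        match = URL_LIKE.match(text)
        if not match:
            continue  # ordinary wording such as "Click here": nothing to compare
        shown, real = host_of(match.group(0)), host_of(href)
        # A genuine sub-domain of the shown domain (help.example.com) is not flagged.
        if real and real != shown and not real.endswith("." + shown):
            found.append((text, real))
    return found
```

Running `find_disguised_links(SAMPLE_EMAIL)` reports only the first link, whose text shows facebook.com but whose destination is the invented lookalike host.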
Find out more about cybersecurity for your business here or book a complimentary consultation with our Chief Information Security Officer, Chris Haigh here