Welcome to this month’s edition of Cyber Insights!

In this issue, we cover the latest Microsoft Teams scam, recent data breaches, and practical tips to help protect yourself against AI voice scams.

In this scam, you receive an unexpected invitation to join a Microsoft Teams group. The group name reads like an urgent billing alert, suggesting something like a large subscription charge has just been processed or that a payment issue requires your immediate attention. Because the invitation is sent through Microsoft’s own systems, the notification that lands in your inbox comes from a legitimate Microsoft email address. Many corporate email security filters will not flag it.

When you open the invitation and see the alarming message, you also see a phone number to call. If you panic and dial that number, you reach a scammer posing as a billing support agent. They use pressure tactics to convince you to make a payment or, in more serious cases, to let them take remote control of your computer using a legitimate tool such as Quick Assist. Once they have that access, they can move through your organisation’s systems, copy sensitive data, and install harmful software, including software that locks your files until you pay a ransom.

This scam works so well in workplaces because Microsoft Teams feels like a trusted internal channel. Most people apply scepticism to suspicious emails, but an unexpected alert appearing inside a familiar workplace tool tends to bypass that caution. The urgency built into the message name does the rest of the work for the scammer.

For businesses, the risks go beyond a single fraudulent payment. Remote access to a company’s systems can lead to the theft of sensitive business and customer data, attacks that cripple operations, or a long-term presence that scammers use for future attacks.

Follow these tips to avoid falling victim to this scam:

• Be suspicious of any unexpected Teams invitation from an external person, particularly one with an urgent or financial message in the group name. Treat it with the same scepticism you would apply to a suspicious email.
• Never call a phone number found in a Teams message from an unknown sender. If you have a genuine concern about a billing issue, contact your IT team or your software vendor directly using official contact details you already have.
• Never allow anyone to take remote control of your computer in response to an unsolicited contact, even if the request appears to come through a familiar or trusted platform. Report unexpected external Teams contacts to your IT or security team before taking any action.

NSW Treasury

On 19 April 2026, internal security monitoring at NSW Treasury detected a suspected large-scale transfer of government documents to an external server. This was not an external hack but an alleged insider theft, where a person inside the organisation misused their access to steal data. A 45-year-old staff member from Treasury’s commercial team was arrested at his home in Homebush West, Sydney, after allegedly accessing and transferring more than 5,600 sensitive government documents. NSW Police established Strike Force Civic to investigate the matter.

The stolen material spanned multiple NSW Government departments and projects, covering confidential commercial and financial information tied to current and previous government negotiations with the private sector. Police have indicated that all allegedly stolen data has since been located and secured. There is no evidence of any external compromise to NSW Treasury systems, and no impact on the delivery of government services. Read more here

Instructure (Canvas Learning Platform)

On 30 April 2026, Instructure detected unauthorised access to its Canvas learning platform by threat group ShinyHunters. The attackers claim to have exfiltrated data from approximately 9,000 institutions and up to 275 million users globally, with multiple Australian institutions confirmed affected, including Queensland state schools, UTS, the University of Melbourne, RMIT, and others. On 7 May, attackers escalated by defacing Canvas login pages with a ransom demand.

Exposed data for Queensland students and staff enrolled since 2020 includes names, email addresses, school locations, and private messages. Instructure has stated there is no current evidence that passwords, financial information, or government identifiers were accessed. This ranks as one of the most significant breaches of an education platform in recent years.   Read more here

Key lessons for organisations

• Staff with legitimate access can pose as serious a risk as outside attackers. Monitoring for unusual data transfers, limiting access to sensitive documents based on role, and having a clear process for investigating suspected misuse are essential controls.
• Supply chain attacks, where criminals target your partners or suppliers to reach you indirectly, are increasingly common. Verify the security practices of any third party that handles your customer data.
• Small and community organisations hold sensitive data too, and criminal extortion groups know it. Having regular backups, a basic incident response plan, and cyber security support available before an incident occurs can make the difference between recovery and permanent loss.

Imagine you get a frantic phone call from your child, a close friend, or a colleague. They are in trouble, they need money urgently, and they sound exactly like themselves. But what if it was not them at all? Scammers are now using artificial intelligence to clone real voices from short audio clips found on social media, voicemails, or online videos. They then use those cloned voices to call family members, colleagues, or employees and demand money or sensitive information. These calls are frighteningly convincing.

Research published by Commonwealth Bank in January 2026 found that while 89% of Australians believe they can spot an AI-generated scam, they correctly identified AI-generated content only 42% of the time. Knowing what to look for, and having a simple plan ready, can stop a scam before any damage is done.

How to Protect Yourself from AI Voice Scams

Follow the tips below to protect yourself and your family from AI voice scams:

• Agree on a safe word with people you trust. Pick a word or phrase that only you and your close contacts know. If someone calls claiming to be a family member or colleague in an emergency, ask for the safe word before you take any action.
• Hang up and call back on a number you already have. If you receive an unexpected urgent call, end it and dial the person back using a number saved in your phone or on their business card. Do not use a number the caller gives you.
• Be suspicious of any call that demands fast action. Scammers rely on panic to cloud your judgement. If a caller pressures you to transfer money, share a code, or act immediately, treat that urgency as a warning sign, not a reason to rush.
• Limit the voice and video content you share publicly. AI voice cloning needs only a few seconds of clear audio. Review your social media privacy settings and consider whether your public video posts give scammers enough material to work with.
• Report it to Scamwatch. If you receive a suspicious call or have fallen victim to one, report it at scamwatch.gov.au. Your report helps warn other Australians and contributes to national scam intelligence.