Welcome to this month’s edition of Cyber Insights!
This issue is packed with highlights: from celebrating Cybersecurity Awareness Month and exposing the Apple iCloud calendar scam to breaking down recent breaches and exploring how to stay safe from the growing threats of AI art and deepfakes.
Latest Scam
In this scam, you receive an email for an Apple iCloud Calendar invitation. The invitation is sent from a genuine Apple email address and appears to be related to a purchase invoice. When you look at the invitation’s notes, you see an alarming message about a large charge to your PayPal account. The message includes a phone number and directs you to call to speak to a support team.
However, this is actually a clever phishing scam. Cybercriminals created a real calendar invitation, but put a phony purchase message in the notes, hoping to scare you. The phone number in the message doesn’t connect to a real support team but instead goes directly to a scammer. If you call the number, the scammer will try to trick you into giving them full control of your computer so they can steal your money and personal information!
Follow these tips to avoid falling victim to this phishing scam:
- Be suspicious of any calendar invitation you weren’t expecting, especially if it contains an urgent message about a purchase.
- Never call a phone number listed in an unexpected email. If you’re concerned about a purchase, log in to your account directly on the official website or app to check your transaction history.
- Don’t accept or decline suspicious calendar invitations, as this can confirm to scammers that your email address is active. Instead, simply delete the email.
Security Breach
NSW Health (South Eastern Sydney & Illawarra Shoalhaven)
Accidental data exposure- 10 September 2025
Incident Overview
Confidential credentialing documents for nearly 600 medical staff, including 67 senior doctors, were inadvertently published on health district websites. Exposed items reportedly included passports, driver’s licences, Medicare cards and professional qualifications. NSW Health removed the files and commenced a forensic investigation.
Impact Analysis
While not a malicious intrusion, the exposure significantly elevates identity theft and fraud risk for affected clinicians, and creates downstream trust, compliance and regulatory issues for the districts. NSW Health is funding ID replacement and providing IDCARE support, but long-lived credentials may circulate if copied prior to takedown. Read more here
The Property Business (Sydney)
Kairos ransomware exfiltration- mid-September 2025
Incident Overview
A Sydney real estate agency disclosed unauthorised access to an archive server; threat actors (Kairos) claim 164 GB of stolen data covering landlords, tenants and agents. The company says it secured systems and notified authorities; multiple outlets reported dark-web leak threats.
Impact Analysis
If verified, compromise of rental applications, IDs and contact details creates acute fraud risk for individuals and business-email compromise risk for property transactions. Real-estate workflows routinely hold passports, bank details and employment records, magnifying privacy harm and OAIC notification obligations. Read more here
The Dangers of AI Art and Deepfakes
What are AI Art and Deepfakes?
AI art is generated using billions of images and examples of art. When you enter a prompt, the AI art generator builds an image for you by combining many of these examples into a single image. Deepfake technology is similar, but it involves manipulating real photographs and videos of people and places. This technology can make it look like a person did or said something that they never did. Both of these technologies can be used in a harmless way, but cybercriminals have learned to use them maliciously.
Deepfake Scams
Scammers can use deepfake technology to impersonate celebrities or other public figures. This type of scam can make it seem like a celebrity has endorsed a product even though they have not. Scammers use this technique to trick people into purchasing a fake product, and they will steal consumers’ personal or financial information. Deepfakes can be used for political figures as well. A deepfake video can make it appear that a government official said or did something that they didn’t say or do. These types of videos can be used to lure people into visiting fake websites or clicking on fake news articles.
AI-Generated Art and Photograph Scams
Cybercriminals commonly use AI in online romance scams. They can generate fake photographs to use in dating profiles to try and steal money or information from their victims. The cybercriminals will also use current events as the subject of their scams. They use AI to create realistic photographs of tragedies and other events. They post the photographs on fake websites to coerce people into donating money to a charity organization. The organisation is fake, of course, and the cybercriminals will keep any donated money.
What Can I Do to Stay Safe?
Follow the tips below to keep yourself safe from AI art scams:
- AI-generated images often have subtle differences or mistakes. Keep an eye out for anything in the photograph that appears to be unusual. A hand with more than five fingers or a photograph with strange lighting or shadows are common signs that an image was created with AI.
- Always stop and think before clicking or taking action. If a photograph or image seems bizarre or too good to be true, it could be a scam.
- When possible, verify the claim in a different location. For example, if you see a video with a celebrity endorsement, check that person’s official website for proof that they are actually involved with the product.
Find out more about cybersecurity for your business here or book a complimentary consultation with our Chief Information Security Officer, Chris Haigh here
