In this issue, we spotlight the latest scam, unpack recent data breaches, and share practical cybersecurity tips you can use every day. Plus, tune into our latest podcast episode for expert insights and actionable advice.
SCAM ALERT
Cybercriminals are using a clever trick to target Instagram users. You receive an email that looks like an official Instagram security alert, claiming that someone tried to log in to your account. The email contains instructions to “Report this user” and provides a link for you to select. This situation seems urgent, and you may be tempted to act quickly.
But the link in the email doesn’t lead to a website. If you select it, the link will automatically open your email app and load a new email that is ready for you to send. The new email is already addressed and contains text that says “Report this user to secure your account.” If you send the email, it won’t go to Instagram’s support team; a cybercriminal will receive it instead. They will then reply to your email and pretend to be an official support agent so they can try to trick you into sharing your password or other personal information!
Follow these tips to avoid falling victim to a phishing scam:
- Be suspicious of any security alert that asks you to send an email. Legitimate organisations such as Instagram will not ask you to secure your account by starting an email conversation.
- You should never send information like passwords, account details, or other personal information over email. Instagram support would never ask you to provide this information to them.
- If you receive what appears to be an urgent message about your account, stop and think first! Scammers often create a sense of urgency to get you to act impulsively.
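For mail administrators, an added illustration that is not part of the original newsletter: a link that opens a pre-addressed, pre-filled email is a `mailto:` link, and a mail filter can flag one that points outside the brand it claims to come from. The sample message, the addresses and the `trusted_domains` allow-list are constructed assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample of the lure described above; all addresses are placeholders.
SAMPLE_HTML = """
<p>Someone tried to log in to your account.</p>
<a href="mailto:support@attacker.example?subject=Report&amp;body=Report%20this%20user%20to%20secure%20your%20account.">Report this user</a>
<a href="https://help.instagram.com/">Help Centre</a>
<a href="mailto:newsletter@sender.example">Contact us</a>
"""

class MailtoLinkFinder(HTMLParser):
    """Collect every <a href="mailto:..."> together with its visible text."""
    def __init__(self):
        super().__init__()
        self.links = []        # one dict per mailto link found
        self._current = None   # link currently being read, if any

    def handle_starttag(self, tag, attrs):
        href = (dict(attrs).get("href") or "").strip()
        if tag == "a" and href.lower().startswith("mailto:"):
            parts = urlsplit(href)
            query = parse_qs(parts.query)  # percent-decodes the pre-filled fields
            self._current = {
                "to": unquote(parts.path),
                "subject": query.get("subject", [""])[0],
                "body": query.get("body", [""])[0],
                "text": "",
            }

    def handle_data(self, data):
        if self._current is not None:
            self._current["text"] += data

    def handle_endtag(self, tag):
        if tag == "a" and self._current is not None:
            self.links.append(self._current)
            self._current = None

def suspicious_mailto_links(html, trusted_domains=("instagram.com",)):
    """Return mailto links that pre-fill a message to an untrusted domain."""
    finder = MailtoLinkFinder()
    finder.feed(html)
    flagged = []
    for link in finder.links:
        domain = link["to"].rsplit("@", 1)[-1].lower()
        trusted = any(domain == d or domain.endswith("." + d) for d in trusted_domains)
        if not trusted and (link["subject"] or link["body"]):
            flagged.append(link)
    return flagged
```

A plain `mailto:` contact link with no pre-filled subject or body, like the third link in the sample, is not flagged.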
SECURITY BREACHES
iiNet (TPG Telecom) Order Management System Compromise (16–19 Aug 2025)
Incident Overview: Attackers used stolen employee credentials to access iiNet’s order management system, extracting about 280,000 active email addresses, ~20,000 landline numbers, and ~10,000 customer usernames with street addresses; ~1,700 modem setup passwords were also accessed. TPG says no ID or banking data was in the impacted system.
Impact Analysis: High phishing and scamming risk from exposed contact data; legacy records mean former customers may also be targeted. No evidence of core network impact, but reputational risk and regulatory scrutiny are material.
Loyola College (VIC) INTERLOCK Ransomware Claim & Data Leak (29 Aug 2025)
Incident Overview: Ransomware group “Interlock” claimed ~591 GB exfiltration (student/staff records and financial docs). The college confirmed a cyber incident and reset credentials; Catholic education authorities notified police and urged caution as students reportedly accessed leaked material.
Impact Analysis: If claims are accurate, high privacy impact for minors and staff, potential identity fraud, and long-tail harm from sensitive documents circulating online. Incident confirmation exists; specific leak contents are primarily from threat-actor posts and trackers.
Key Lessons for IT Managers
- Credential theft is still the easiest door in. Treat employee accounts as high-value targets; prioritise phishing-resistant MFA, PAM, and continuous session risk evaluation.
- Password stores and reset flows are crown jewels. Strengthen password-handling, monitor for abnormal reset patterns, and use SSO with passkeys to reduce password exposure.
- Education sector targeting is rising. Ransomware groups increasingly hit schools; ensure data-minimisation, DLP, and child-safety-aware response plans.
- Assume contact data will be abused. After contact-detail leaks, pre-emptively warn users about phishing, rotate shared secrets (like device setup passwords), and throttle high-risk workflows.
CYBERSECURITY TIPS
How many internet-connected devices do you have in your home? While these devices make our lives easier, they also make us easy targets for cybercriminals. So, whether you are connecting to the internet through social media, online shopping, or listening to music on a smart speaker, here are some cybersecurity tips for everyday use:
Social Media Safety
- We recommend keeping your social media profile set to private and only connecting with people who you know and trust.
- Don’t share anything online that you wouldn’t want to be made public. No matter how cautious you are, any information posted on social media can still fall into the wrong hands.
- Watch out for posts that trick you into oversharing. For example, you may have seen a post that gives you a silly nickname based on random personal details. Personal details, such as your first pet’s name or the year you were born, can be used by cybercriminals to guess passwords, answer security questions, or even impersonate you on social media.
Online Shopping Safety
- Only shop on well-known, reputable websites.
- Only pay using a credit or debit card. Never agree to send cash or wire money to a seller.
- Shop for the safest deal and not the cheapest. Remember, if a deal seems too good to be true, it probably is.
Smart Device Safety
- Smart speakers and some smartphones have an “always listening” setting that allows you to speak to them at any time. We recommend turning off this setting or muting the microphone while working from home or while discussing sensitive information.
- Much like a web browser, smart devices track your activity history. Review your history periodically to check for unusual activity. We also recommend clearing your device history on a regular basis.
- Keep your devices up to date. Smart devices receive important security patches through software updates.
Find out more about cybersecurity for your business here or book a complimentary consultation with our Chief Information Security Officer, Chris Haigh here