Thousands hit by fraudulent ASIC email, as SMEs warned of an EOFY scam rush

SmartCompany, May 30, 2017

A malicious email impersonating the Australian Securities and Investments Commission and targeted at time-poor small business owners has been sent to tens of thousands of recipients, with experts warning these scams are likely to become more frequent as the end of financial year approaches.

The attack, uncovered by Mailguard, comes in the form of a fake company name renewal notice and appears to be sent by ASIC, with the email body including ASIC branding and the commission’s privacy policy.

When they click on the hyperlinked “Renewal letter”, users are directed to a website where a file containing malware is downloaded onto their computer. The type of malware is unknown, but it is likely to be either ransomware, a virus, or a keylogger designed to steal users’ login details.

Read more: SMEs urged to back up data as email scam hits QuickBooks

A senior executive leader by the name of Ashley Hughes is listed as the sender of the email, but no staff member of that name exists at ASIC.

The attack actually originates from the domain “”, which was registered in Hong Kong the day before the attack went out. Cyber security expert at Sense of Security Michael McKinnon told SmartCompany these attacks are often successful because of how quickly the associated domain names can be registered.

“Hackers will set up the new domain and then the email infrastructure very quickly and then start spamming like crazy. Most email-blocking systems assess domains based on their reputation, so a brand new domain name with no reputation attached to it will often pass through,” he says.

This is why these attacks are also short-lived says McKinnon, because once users start to report the email as spam, the associated domain name’s reputation “diminishes”.

The file downloaded via the email is a .zip, a common file type used to compress multiple files into one to make them smaller and easier to transfer. However, receiving a .zip file in an email should be a red flag for business owners, says McKinnon, and businesses should be deleting any such files if they have not been sent by trusted sources.

”If you’re being sent a zip file or a link to download a zip file, you should be extremely careful,” McKinnon says.

”Though unopened zip files are harmless, the contents of them can contain executables which can then install malicious software on your computer.”

With July 1 fast approaching, McKinnon warns there’s “no question” business owners will see an increase in these type of scams during the end of financial year rush.

There have been a number of recent scams impersonating organisations that SMEs deal with frequently, including Australia Post, ASIC and the Australian Taxation Office. These follow a similar pattern of a call to action, hoping to catch out time-poor business owners or employees with lots on their plate.

”It’s a busy time of year for Australian business owners, with many people trying to get bills paid and invoices sent before the end of financial year,” McKinnon says.

”All it takes is a busy finance team with one person who adds it to the piles of bills to be paid.”

”Business owners need to take a minute and think about what’s being sent, and see if there’s a way to verify what the email is requesting through ASIC’s website or a similar channel.”

ASIC provides guidelines for business owners targeted by scams on its website.