The Department of Government Services (DGS) is aware of an active phishing campaign targeting Victorian Government contractors and suppliers.
Cybercriminals are using publicly available procurement information to impersonate Victorian Government officials and send personalised phishing emails. These messages are designed to extract sensitive information and may be used to commit business email compromise (BEC) or invoice fraud.
What is BEC?
BEC is a scam where attackers trick organisations into making unauthorised payments. In 2023-24, the Australian Cyber Security Centre (ACSC) identified BEC as one of the most commonly reported cybercrimes affecting Australian businesses and individuals.
What you should do if you receive a suspicious email:
- Verify the communication by contacting your Victorian Government partners via trusted channels (e.g. phone, Microsoft Teams, email).
- Report the email to your own internal security team for investigation.
- If the email is confirmed as phishing, notify your VPS contact and request that they report it to the DGS Cyber Incident Response Service.
How to protect your organisation from BEC:
We recommend following the Australian Signals Directorate's guidance on BEC. Be particularly alert for:
- Unexpected requests to change bank account details.
- Urgent payment requests, especially those threatening consequences for delays.
- Payment requests from executive staff that seem unusual.
- Email addresses that appear suspicious or incorrect.
- Emails sent to personal accounts (e.g. Gmail) instead of official channels.
Thank you for your continued vigilance to protect your organisation and partnership with government.