Latest News September 2022

http://www.aplaccountants.com.au

http://www.mytaxvet.com.au

Don’t believe an email just because it comes from someone you trust!

The amount of phishing and scams happening on the internet is really alarming at the moment, so don’t get caught out. At APL and James Noble accountants we run special internet monitoring tools to monitor if hackers are sending emails pretending to be us, and some weeks the amount is significant, coming from mail servers anywhere between China and the Netherlands.

This got us thinking to giving you context as to how you or your business could easily be compromised – we put our ‘hackers hats’ on and thought how would we scam a veterinary clinic. So you don’t have to get buried in technical jargon, just some simple examples of how you or your customers can get fooled in the veterinary space.

Step one – a hacker uses you email address:

Surely your email address belongs to you and is private? Well if you think this is the case then you are wrong – ANYBODY IN THE WORLD CAN USE YOUR EMAIL ADDRESS! Anyone can know your email address because you use it so much in the public space. In fact just knowing your web site address is enough to create an email that looks like it’s coming from your business. If xyzvets.com.au has a website, then a hacker can create a fictitious email from that business by prefixing the domain name with any name they please eg. [email protected] At our offices where we have a small amount of tech savvy it would take us 5-10 minutes to send emails from any of your email addresses! This hacking technique is called ‘spoofing’ and it is within the technical capabilities of a 10 year old. Emails were never designed to be protected or private and the only protection you have against this type of behaviour is your spam box. Most mail services that receive your emails check the route of the email (where it has come from), and if the route looks suspicious they put it into spam. How accurate this is depends entirely on who you use for your mail service and how your emails are set up.

Step two – a hacker starts sending invoices using your email address:

Knowing that your email address can be freely and easily copied, the next step is to start sending out invoices asking for payment to a bank account owned by the hacker. Of course this practice is initially very ineffective – if I send out 1000 invoices using the email address of [email protected] to a random list of targets, then the probability of it going to someone that actually knows and trusts XYZ vets is very unlikely, but if you play the numbers game correctly then you will get the occasional successful payment. This practice of sending random emails to the world at large is what we have been monitoring on the internet for some time now.

The scam is a lot more effective if you send emails from a business that is trusted by the public and that is widely used – this significantly increases the likelihood of a successful payment. For this reason medical professionals (including vets), accountants, government offices and banks are commonly used for this sort of scam.

A hacker can take this to an all new level of effectiveness if they can get their hands on another bit of ‘not so private’ information – and that information is a customer email list. On the surface if someone gets a list of your customers and their emails, its annoying but no big deal……..

However imagine now that the hacker sends emails from [email protected] to your entire mailing list pleading for a charitable donation to a pet sanctuary that has just burnt down. With this they provide a bank account information to transfer the money and your logo and branding on the email. How many of the 3000 clients of xyz vets do you think would make a donation – our guess is probably more than 300! And with that goes a complimentary big slap in the face to your reputation.

This is the vulnerability we think is currently the most significant for veterinary practices (and for any trusted professional service).

Step three – being on the receiving end of such a scam

If a hacker has your email address (which they do have because its public as explained above) they may put you on the other end of a scam like the one above. They may send you an invoice from your accountant or from the ATO asking for a tax payment or from a bank asking you to log in to verify a payment. With this they provide a bank account in which you can pay the money or even worse, a link that asks you to log into your bank to make a payment.

Receiving log in requests is a very dangerous scam that allows hackers to complete access to private places like your online bank account. They create a web page that looks EXACTLY like the bank’s log in page – once again, to do this would take our office tech team less than 5 minutes to do and is within the technical capabilities of a 10 year old, in fact is just a simply copy/paste of text from one web page to another, so the hackers site will look exactly like the banks. The only way you can tell it apart from the real thing is by looking at the web address at the top of the browser when you click the link. Below is an example of the legitimate login page for anz, the important thing being that the part of the web address before the .com.au is ‘anz’

What a smart hacker will do is use a similar domain for example ‘anz-banking-online-au/business/online-banking’. When in a hurry, you can’t really be blamed for not noticing. You will then type in your credentials, the login will fail (your pasword will however be sent to the hacker) and you will be redirected to the legitimate site. From your perspective you will just think you typed the password in wrong.

How can you prevent this from happening?

1. Be aware of the web address of every single link that comes in your email. If a bank sends you an email to log into your account then either make sure that when you click on the link you go to the right place, or better still, don’t click the link and log it your bank by browsing there directly. And by the way, banks very rarely if ever send emails with links to log in, if you get such an email with a link without having asked for it, then it is likely to be malicious.

2. Use 2 factor authentication for every online account you have when its available. 2 factor authentication often abbreviated as 2FA is that frustrating thing that happens when you log into a site and you are asked to verify the log in on another device like a mobile phone. Yes we all hate it, but for a hacker to gain access to your login becomes virtually impossible because they would need to have access to your mobile phone as well as your passwords. Of course many services are not 2FA enabled! Even the ANZ bank login is not and certainly not most of the software systems that veterinary practices use – this is not surprising because medical professions tend to lag behind with technology and our estimate is that over 50% of veterinary practices would struggle to implement 2FA across their entire teams logins. So an alternative to this is to force everyone to use very strong passwords of at least 9 characters long, a combination of upper and lower case letters and at least one non-alphabetic character.

3. That brings us to another problem – if you are using complicated passwords, how do you remember them? Post-it notes on computers are not a smart thing – many malicious attacks on software systems originate from disgruntled employees or ex-employees. You just have to post the credentials on the dark web and watch the fireworks if you want to annoy your boss. The best way around this is to use a password management tool. At APL and James Noble Accountants we use lastpass.com which gives us a safe place to store all passwords without having to share them among our team or use post it notes and emails to give other team member access.

4. When asked to make payments by bank transfer online make sure that the bank account number for that supplier is the same as the one you have always used. If the account number has changed then contact that supplier by phone to verify the new account. If it is a request from a new supplier then contact them to verify the account before paying.

We hope that this information is simple enough and proves useful to you. It is also important that you educate your team to these risks so that the whole business is on board and understands the current urgency of better online security. We would hate to see your great businesses compromised because we have not informed you of the risks.

Beware of text messages too

Just like email addresses, mobile phone numbers are not that private and easy to get hold of or even to just guess. Recently we have also been receiving a lot of text messages from someone pretending to be a bank and asking to click a link and log in. So treat your text messages in exactly the same way as you would treat an email – be careful about clicking on links and then entering your passwords.

A couple of terms you need to understand to update your payroll

You may have seen some information about STP Phase 2 being released. This is some additional payroll information that will need to be sent to the ATO each time you process a payrun. For those of you on xero, it isn’t completely ready yet and when it is we will let you know. It will mean you need to make some changes in your payroll set up for each employee, and when it is ready if you need us to assist please let us know.

In the meanwhile some of you may have started the steps, and the first one is changing employees to categorise them as contractor, employee or closely held associates. Here is what you need to know in order to categories them correctly:

Non – employee – person that you are only using payroll software to report super liabilities eg. locum that you pay on invoice but still pay super using xero autosuper function.

Closely held payee – person that is directly related to the entity eg. Family member of business, director or shareholder of the company or beneficiary of the trust. 

Casual – person that does not have a firm commitment about how long they will be employed or what days or hours they will work and they may not take all the work that the business offers them.

Dog Tales!

Hope you like my new haircut! Many of you know that I had my special bum glands removed and so I thought I’d give you an update on how that went. It was a great day. I got to go to my usual vet and hang out with the nurses that all know and love me. I heard that a special visiting vet was doing my surgery, but I never really got to spend time with him. Mom was very happy when she fetched me and has kept telling everyone that I’ve been a superstar. The best thing is I go back to my usual vet for my check ups and mom keeps saying how great it is that she hasn’t had to drive too far. I love my usual vet so it’s worked out well for me too!

If any of you don’t currently have special visiting vets (I think they’ve been calling them mobile specialists in the office) then it’s definitely worth doing. Dad says the usual vet makes more money this way, and mom and I love going to our usual vet. It looks like everyone wins this way!