
Mitigating Fraud Risk

25 June 2021

The Australian Sports Commission (ASC) is alerting National Sporting Organisations (NSOs) and National Sporting Organisations for People with Disability (NSODs) to cyber security compromises that enable invoice scams by means of payment redirection.

Over recent days, the ASC has become aware of cyber security breaches achieved through email system exploits that intercept and redirect payments. In these cases, attackers have accessed mailboxes to detect where payments are being processed. The attackers then send a fake request to change the bank details so that payments are redirected to their own bank. In these events, the attackers' emails are sophisticated and look exactly like an official email, including being sent from the correct internet domain.

How to mitigate this fraud risk

The ASC suggests that sports work with their suppliers to implement additional controls, following up all requests to change bank details by phoning known contacts to confirm the change before payment. This check will significantly reduce the chances of fraudulent payments being made using methods recently employed in our sector.

What to do in the event of an incident

For advice from the ASC on concerns relating to this matter, you can email itsecurity@ausport.gov.au to speak to our IT Security Advisor team.

The ASC has coordinated with the Australian Cyber Security Centre (ACSC; Government Department) on support for sports in the lead-up to the Olympics. If you experience a cyber-attack, the ACSC has a specialist team to assist. They can be contacted by emailing asd.assist@defence.gov.au, or claire.gray@defence.gov.au for direct support.