Impersonation scams are a persistent threat, and increasingly, criminals are using the phone to target Australian small businesses. They leverage sophisticated tactics, including spoofing legitimate phone numbers of government agencies or trusted organisations, to trick you and your staff into handing over sensitive information or money. This isn’t just about losing cash; it’s about significant operational and legal risk, including potential data breaches and reputational damage.

Your best defence against these evolving tactics, which now include AI phishing threats, isn’t just technology; it’s a well-informed and vigilant team. Here’s a pragmatic, step-by-step checklist to navigate suspicious calls and protect your business.

Why Phone Scams Are So Effective

Scammers favour phone calls because they create urgency and a perceived direct connection. A convincing voice, combined with a spoofed caller ID that displays a familiar number, can bypass initial scepticism. They exploit trust and pressure, often demanding immediate action, which sidesteps critical thinking. This is a classic human risk management challenge: the attack targets people rather than systems.

Your Scam Call Survival Checklist

Implement these steps across your business to verify identity and avoid falling victim to impersonation scams.

  1. Assume It’s a Scam (Until Proven Otherwise)

    Your default position for any unsolicited call, especially if it’s unexpected or makes unusual demands, must be scepticism. Caller ID is easily faked. Even if the screen shows “ACCC” or “NAB,” do not trust it implicitly. This initial caution is your strongest barrier against social engineering.

  2. Do Not Engage Directly with Demands

    Never provide personal details, financial information, login credentials, or allow remote access to your systems over an unsolicited call. Do not press numbers to be connected to an operator, even if prompted. Scammers often use these tactics to gather information or confirm your phone number is active.

  3. Hang Up and Verify Independently

    If you suspect a call is a scam, hang up immediately. Do not argue or engage further. The crucial next step is to verify the caller’s identity independently. This means:

    • Do NOT use any phone number provided by the suspicious caller.
    • Do NOT call back the number that appeared on your caller ID.
    • Find the official contact number for the organisation the caller claimed to represent. Use their official website, a recent bill, or a trusted directory. For government agencies, always go to their .gov.au website. Verifying contact details independently is the skill that matters most here.

  4. Call Back Using the Official Number

    Once you have the official, independently sourced number, call them back. Explain that you received a suspicious call from someone claiming to be from their organisation. Ask if they were trying to reach you and for what purpose. This is the only way to genuinely confirm if the initial call was legitimate.

  5. Document and Report the Incident

    If you confirm it was a scam, or even if you just have strong suspicions, document everything. Note the date and time of the call, the number displayed (if any), what the scammer claimed, and any demands made. Report the scam to Scamwatch (run by the ACCC) and your telecommunications provider. If your business information or personal data was compromised, assess the implications for a potential notifiable data breach.

  6. Inform Your Team

    This isn’t a solo effort. Ensure all staff, especially those who answer phones, understand these steps. Regular security awareness training is vital. Discuss recent scam trends and reinforce the importance of vigilance. For a small business, a unified, informed team is the strongest defence.

Operational and Legal Risks You’re Avoiding

Ignoring these steps exposes your business to significant downsides:

  • Financial Loss: Direct theft of funds or fraudulent transactions.
  • Data Breach: Compromise of customer, employee, or business data, leading to regulatory penalties and reputational damage.
  • Reputational Damage: Loss of trust from clients and partners if your business becomes associated with a scam or suffers a breach.
  • Operational Disruption: Time spent dealing with the aftermath of a scam, or even system downtime if an initial compromise leads to ransomware that your controls fail to stop.

Beyond the Checklist: Building Resilience

While this survival guide provides immediate, actionable steps, true cyber risk management for your small business requires ongoing effort. Human vigilance is your most critical asset. Beyond just knowing what to do, your team needs to consistently practice identifying and resisting social engineering tactics.

Consider implementing regular employee phishing tests and comprehensive security awareness training. These proactive measures, such as a phishing simulation service, reinforce the lessons learned and build a resilient human firewall. Equipping your staff with the knowledge and confidence to challenge suspicious communications is the most effective long-term defence against the ever-evolving landscape of cyber threats.

Start Building Your Human Firewall

Launch a realistic phishing simulation in minutes and get the tools you need to build a cyber-aware team.

This blog offers general information about phishing and cybersecurity for small and medium-sized organisations. It is not legal, financial, or technical advice. Speak to a qualified professional before acting on any guidance you read here.