Public servants warned after a series of calls appeared to lay the groundwork for a targeted phishing campaign

Victorian government employees have been warned about what is believed to be a phone-based social engineering campaign targeting the state’s public sector, possibly ahead of a phishing campaign designed to collect employee credentials.

A spokesperson for the Department of Premier and Cabinet confirmed to Computerworld that a warning had been issued after a “small number of staff from some government departments” late last week received calls.

“The callers asked staff to confirm their name and workplace contact details,” the spokesperson said. “Staff deemed the calls to be suspicious and did not provide any information to the callers.”

Call recipients are understood to have been told that they would receive an email.

The Herald Sun in late December revealed that an unknown third party had downloaded the work details of “tens of thousands” of state government employees. The breach involved the Victorian government directory, the paper said, and was reported to the police.

The breach was believed to have involved the compromise of an employee’s email account, the Herald Sun reported.

“There is no information to suggest a direct connection between these phone calls and the recent unauthorised access to a partial copy of the Victorian government employee directory,” the DPC spokesperson told Computerworld.

DPC said after the calls it had provided security advice to government departments and agencies and “reminded staff to remain vigilant when it comes to unsolicited communications, including phone calls and phishing emails.”

“We have also notified the Australian Cyber Security Centre,” the DPC spokesperson said.

Victoria in late 2017 appointed its first whole-of-government chief information security officer (CISO) as part of an effort to boost cyber security across the public sector.

The former senior manager, information and technology risk, at ANZ, John O’Driscoll, was tapped to be the state’s first CISO, with the role sitting within DPC.

The creation of O’Driscoll’s role was part of the state’s cyber security strategy, launched in August 2017, which envisages a more coordinated cross-government approach to information security.

The strategy argued government at all levels was facing increasing security threats.

“While our approach to date has worked to some extent, Victorian Auditor-General reports and departmental in-house testing regularly uncover vulnerabilities that must be addressed,” the strategy said. “The time for an agency-by-agency (only) approach has passed. We need to address these risks strategically, and where it makes sense, holistically.”

Last year the state government pledged $17.6 million over four years to help implement the strategy.

“Funding will be provided to implement the Government’s cyber security strategy to improve detection and prevention capabilities, and responses to cyber-attacks on Victorian Government IT systems,” a budget document outlining the funding stated.

“This funding will ensure we have the strong cyber security capabilities we need to protect the delivery of public services across the whole of the government,” the document said.