Skip to main content

Scammers claiming to be from ICT service desks targeting user multi-factor authentication

The Australian Cyber Security Centre (ACSC) is aware of a phone scam asking staff members of a critical infrastructure organisation to reveal their multifactor authentication credentials.

The scammers seek to convince staff members to reveal their credentials by impersonating the service desk on a direct telephone call.

There are many ways scammers try to get your information or money over the phone. They will usually pretend to be from a well-known organisation, such as a government agency, a utilities provider, Australia Post, a bank or the police. They can be incredibly convincing.

What you should do

The ACSC recommends organisations inform all staff that:

  1. The organisation's service desk will never contact staff and ask them for their multi-factor or two-factor authentication token code or passwords.
  2. Any person claiming to be from the organisations service desk requesting such information, should be reported to their cyber security staff in the first instance.

How to protect yourself

There are a number of preventative measures Australians can take to protect themselves online:

  • Never share multi-factor or two-factor authentication details withanyone.

  • If you believe your account has been compromised, alert your organisation's ICT team.

  • Report scams to the Australian Competition and Consumer Commission's Scamwatch. Include as much information as possible about the scam message in your report (eg the email itself, or a screenshot).

  • Report all cybercrime with Australian Cybercrime Online Reporting Network (ACORN).

More information

Visit to learn more about cyber security, including common threat types and understanding how passwords can be your first line of defence.

For cyber security advice or to report a cyber incident or threat, you can go to or call 1300 CYBER 1 (1300 292 371).