One third of Australians use work devices for personal online holiday shopping despite the rise in scams, new research reveals


Just weeks after the Australian Competition and Consumer Commission (ACCC) revealed money lost through online shopping scams has risen 42% this year, a national survey has shown almost a third (31%) of Australians will be using work-issued devices for their online shopping this holiday season, prompting a warning for businesses from cyber security company Proofpoint.

The survey of more than 2,000 Australians found the younger generation of employees were most likely to conduct their online shopping on work devices, with 54% of respondents under 24 admitting to doing so.

A further 71% of all respondents said they often trust the links within emails from known retailers or brands and therefore click on them, potentially opening the door to scammers and risking sharing access to company information and property.

Despite the rise in online shopping scams this year, 39% of Australians agree to some extent that the convenience of online shopping outweighs any of the cyber security risks.

Proofpoint’s ANZ Area Vice President, Crispin Kerr, said: “Employees could be unintentionally leaving colleagues, suppliers, customers and business partners at risk by using company property for personal activities like Christmas shopping. Links within scam e-mails, which often look very legitimate, can trick users into clicking and lead to malware being installed on work devices, potentially exposing further sensitive company information.”

“At Proofpoint we’ve seen such phishing e-mails recently from scammers posing as companies like Amazon and shipping providers like DHL which aim to steal credentials, which could include personal or company credit card details saved to work devices.

Despite the fact that 86% of people said they were aware cybercriminals impersonate known brands and companies, only 31% said they always pay close attention to spelling and grammar, often a tell-tale sign of a fraudulent e-mail, and only a quarter (25%) said they always check the website domain starts with https:// to make sure they are visiting a legitimate website.

Crispin Kerr continued: “If this year has taught us anything, it is to expect the unexpected, which is why we would urge all individuals and businesses to remain vigilant in the run up to Christmas and be aware of the risks posed by using company devices for personal activity."

Further stats from the ACCC have shown more than 12,000 online shopping scams were reported so far this year, with nearly $7 million lost. Proofpoint recommends businesses of all sizes follow the below advice to keep themselves and their employees safe:

  1. It’s important to understand your most valuable assets (your people—employees, contractors, partners) can also become your greatest vulnerability if enough protections aren’t in place. It’s not just employees with potentially malicious intent, the potential for user negligence and for account compromise can also increase with individuals using work devices for personal reasons.
  2. The solution is really a combination of both people and technology. On the people front, while the security team is at the centre of any successful insider threat programme, protecting an organisation from cybercriminals is a team sport, and other departments including HR, legal, compliance, and communications must be involved.
  3. User education and awareness is also key. On the technology side, a dedicated insider threat solution can help organisations quickly identify user risk, protect from data loss, and accelerate incident response – so negligent employees can be exonerated, and incidents can be mitigated as early as possible. In addition, businesses need to take a holistic approach to insider threats, by developing a more comprehensive cybersecurity programme, and putting training in place to address negligent behaviour before it becomes a security concern.

As for those conducting their shopping online this year, Proofpoint has the below top tips:

  1. Use strong passwords:  Do not reuse the same password twice. Consider using a password manager to make your online experience seamless, whilst staying safe.
  2. Avoid Unprotected WiFi: Free/open-access WiFi is not secure: cybercriminals can intercept data transferred over unprotected WiFi, including credit card numbers, passwords, account information, and more.
  3. Watch out for “lookalike” sites: Attackers create “lookalike” sites imitating familiar brands. These fraudulent sites may sell counterfeit (or non-existent) goods, be infected with malware, or steal money or credentials.
  4. Dodge Potential Phishing and ‘Smishing’ Attacks: Phishing emails lead to unsafe websites that gather personal data, like credentials and credit card data. Watch out for SMS phishing too —aka ‘smishing’ — or messages through social media.
  5. Don’t click on links: Go directly to the source of the advertised deal by typing a known website address directly into your browser. For special offer codes, enter them at the checkout to see if they are legitimate.
  6. Verify Before You Buy: Fraudulent ads, websites, and mobile apps can be hard to spot. When downloading a new app or visiting an unfamiliar site, take time to read online reviews and any customer complaints.

About Proofpoint, Inc.

Proofpoint, Inc. (NASDAQ: PFPT) is a leading cybersecurity and compliance company that protects organisations’ greatest assets and biggest risks: their people. With an integrated suite of cloud-based solutions, Proofpoint helps companies around the world stop targeted threats, safeguard their data, and make their users more resilient against cyber-attacks. Leading organisations of all sizes, including more than half of the Fortune 1000, rely on Proofpoint for people-centric security and compliance solutions that mitigate their most critical risks across email, the cloud, social media, and the web. More information is available at

Connect with Proofpoint: Twitter | LinkedIn | Facebook | YouTube


Proofpoint is a registered trademark or tradename of Proofpoint, Inc. in the U.S. and/or other countries. All other trademarks contained herein are the property of their respective owners.