Major ACSC critical alerts on FortiBleed and cPanel in 2026 create fertile ground for impersonation scams pretending to be ASD, ACSC, or cyber.gov.au urgent notices. Updated 26 June 2026.

After genuine Critical Alert: Act Now publications on cyber.gov.au, criminals send look-alike emails demanding clicks, phone callbacks, or remote access. ACSC’s official guidance hub remains the only trusted source for alert text and ratings.

Australian SMBs already scrambling to patch Fortinet or confirm hosting patches are prime targets for secondary phishing.

How impersonation scams work

Attackers copy ACSC branding, cite real CVE numbers like CVE-2026-41940, and pressure recipients to “verify compliance” via malicious links or Teams calls. Some reference FortiBleed by name after June media coverage.

Legitimate ACSC alerts never ask for passwords, remote desktop sessions, or cryptocurrency payments. They point to technical mitigation on cyber.gov.au and vendor sites.

How to verify real ACSC communications

Type cyber.gov.au directly into your browser. Navigate to Alerts and Advisories and match alert titles and dates to anything emailed internally. Do not trust reply addresses alone; domains may use homoglyphs or subdomains.

Subscribe to official RSS or mailing lists from within the site rather than third-party “security newsletter” aggregators of unknown provenance.

Staff training after critical alert weeks

Tell finance and office managers that no government agency will cold-call demanding immediate payment to “avoid fines” related to Fortinet or cPanel patches. IT leads should be the single path for verifying infra alerts.

If a message urges secrecy from your MSP or IT provider, treat it as fraudulent. Real incident response encourages involving your known support channel.

Technical controls that help

Enable email authentication monitoring, block newly registered domains where policy allows, and flag external senders claiming to be “ACSC Support.” Phishing-resistant MFA on email and admin tools limits damage when someone clicks once.

Our directory lists providers who help SMBs deploy baseline email security if you lack internal staff.

Reporting impersonation

Report scams to Scamwatch and, for business-targeted phishing referencing ACSC, notify ASD through official cyber.gov.au reporting channels listed on the site. Include full headers and URLs, not screenshots alone.

Context: why June 2026 is risky

Back-to-back real critical alerts train staff to expect urgency. Scammers exploit that conditioning. Pair this article with our FortiBleed and cPanel news posts so teams learn real actions from your internal comms, not from inbound email.

Internal comms template for SMB owners

Send staff a short note naming the real ACSC alert titles, linking directly to cyber.gov.au typed manually, and stating IT will never ask for passwords via email. Include a single contact name for verification. Repeat after every major alert week because new hires and casual staff miss the first message.

Finance and accounts payable red flags

Impersonation often pivots from “security compliance” to fake invoices or bank detail changes once someone engages. Train accounts staff that ACSC does not invoice businesses for patch compliance. Government domains end in .gov.au; look-alikes use hyphens, misspellings, or unrelated .com addresses.

If a message references FortiBleed or CVE-2026-41940 with urgency, compare CVE numbers and dates against the official alert page before clicking attachments.

Building verification habits

Bookmark cyber.gov.au alerts on executive and IT browsers. Disable link previews in email clients that encourage one-click trust. Run short quarterly phishing simulations if your provider offers them; real alert weeks are the highest-risk time for fake twins.

Local IT shops listed in our directory often help SMBs configure email authentication and staff training alongside firewall work. More security guides sit on the blog.

Executive impersonation variants

Fake ACSC messages sometimes pivot to “your CEO approved this urgent patch link” threads. Brief leadership not to bless security exceptions via email reply chains attackers can forge. Use known phone numbers or in-person verification for any request to disable antivirus or install remote tools during alert weeks.

Remote workers and home router risk

FortiBleed remediation often focuses on office firewalls while staff work from home on consumer routers with default passwords. Remind remote workers to update home gateway firmware and use MFA on VPN clients. Compromised home networks re-enter corporate resources through legitimate VPN tunnels after password rotation on the FortiGate alone.

Mobile device phishing during alert weeks

Staff reading ACSC-themed scams on phones may miss suspicious URL domains. Train teams to long-press links and inspect domains before tapping, or defer security tasks to desktop browsers with cyber.gov.au bookmarked.

Frequently Asked Questions