The Auditor-General’s warning comes in the wake of $2.2 million in losses across the public sector in the past 18 months thanks to clueless staff helping out scammers by wiring money straight to them.

Some of the successful attempts followed requests to change bank details in innocuous emails purportedly from suppliers, and even from a fake chief executive officer from the same department the worker was employed by.

The Auditor-General’s office has issued three edicts to state and local government entities around the risks COVID-19 is posing in the workplace from cyber security attacks and from their own employees.

“Working from home brings the obvious challenges of untrusted networks and insecure residential environments, but it also poses a less obvious threat—letting our guard down,” one of them reads.

“Entities should remind staff to lock computers when not in use and not to leave sensitive information laying around.

“They should also ensure staff can log in securely to their systems, use strong passwords, and be vigilant when reading emails.”

A spokesman said guidance had been given to public sector entities to maintain tight internal controls as working from home requirements changed the way people were working.

“Tight economic times can create pressure for individuals and weak/changed internal control environments could create opportunity,” he said.

“Cyber security attacks can be a mechanism to attempt fraud.

“Security organisations have certainly observed a significant increase in attacks by criminal hackers attempting to take advantage of the extraordinary circumstances COVID-19 presents.”

He said there had been a marked increase in phishing during the pandemic, where scammers attempt to obtain sensitive information like usernames, passwords, credit cards or install Spyware.

“Both public and private sector entities are facing similar challenges around cyber security as their staff work more remotely,” he said.

“All organisations need to be alert but not alarmed.”