Phishing – Make sure you don’t take the bait!
Unfortunately today’s world is a place where it seems that you need to be on the lookout and wary of anyone or anything that seems a little different or unexpected. The reason for this to be the case is the countless number of scams that are becoming more common place. The main goal of these scams – attempt to gain access to either personal information (for identity theft purposes) or financial benefit. One of the most successful methods that scammers use is ‘phishing’.
What is Phishing?
Phishing is an attempt to gain access to personal or sensitive information from someone. The types of information that are of interest to the party performing the scam includes but not exclusive to usernames, passwords, financial details (such as bank account or credit card numbers).
The actual name of phishing is intentionally the same as fishing in a sense. The scammer casts a net or sets bait in the hopes of catching a victim – just as a fisherman does when attempting to catch a fish.
How does the whole process start?
The main ways that this is implemented is through fake e-mails and websites designed to deceive the user. These forms of communications usually appear to be from a legitimate source or trusted company that the user may have dealings with.
Malicious links contained within e-mails or websites Mimicked types of sites and e-mails can appear to come from legitimate sources such as social media sites (such as Facebook, Twitter, LinkedIn), financial organisations (banks or online payment companies like PayPal) or even government organisations (particularly taxation based departments).
Overall; phishing comes under the umbrella of social engineering. There are three highly popular techniques of phishing:
Spear: This is basically a direct targeted attack on a particular individual; gaining access to and using personal information about the person they target to increase the likelihood of success.
Cloning: This is where a legitimate e-mail is spoofed exactly; however the attachment or links within the e-mail have been replaced by tainted links or contents of the document. Aimed to lean on the user’s social trust since the source appears legitimate.
Whaling: Similar to spear phishing above; whaling is when the target is high-profiled. This means that the target could be an executive level employee or some type of ‘celebrity’ with publicly documented information about them being available (current news stories, etc.)
Why is it so popular?
As with anything that has a potential financial windfall at the end of it; phishing is popular due to how easy it is to scale. Having the ability to be able to connect many potential victims with the use of one scam.
In the information security industry; it’s widely recognised that the main weakness in any IT security system is the human element. All it takes is one unsuspecting user, employee or contractor not paying attention for a phishing attack to become successful.
Some 2019 Australian Phishing Statistics
The Australian Government encourages the public to report any potential scams which they may come across through their ScamWatch system. This could include phone, text message or online scamming.
Based on their current figures up to the beginning of April 2019; the Australian Government has had over 6400 phishing scams reported (second most of all types of scams) – with around 1.6% (or 100 individual reports) confirmed as having caused financial losses of close to AU$300,000 (with over $25 million lost across all scam types).
The other interesting statistics that comes from this is that the age demographics are all about even (other than a spike in the 65+ age bracket) with over 95% of reported scam attempts have come from the three most popular catagories:
- Phone call
- Text Messages
With those types of financial gains being made; there isn’t any reason for scammers to stop doing what they’re doing.
How to avoid taking the bait…AKA User Training
Your IT department; or IT service provider will have methods to prevent and protect from cyber security threats. Some of these include:
- Ensuring that Anti-virus is installed on all desktops, servers and devices.
- A firewall of some form is between the local network and the Internet.
- Running regular updates on operating systems and software packages to close potential security flaws.
- Implementing a spam filter on company e-mail servers and e-mail clients.
While these will go a long way in preventing cyber threats from being able to get into the network – none are 100% assured to catch everything. This is where user training is important. Things that are important to cover include:
- What to look for/identifying a potential scam.
- How to deal with the potential scam entry point (e-mail, phone call, etc.)
- Understanding the potential risks of falling for a phishing scam.
It may be part of your IT departments requirements to train staff on this type of thing; or you could opt to bring in an outside company that specialises in staff training around cyber security to do this.
Real Life Phishing Attack Examples
There are a number of real life examples of phishing that can be mentioned.
2018 Soccer World Cup Tickets and Accommodation
In the lead up to the soccer world cup in Russia during June 2018; there were a number of e-mail scams going around claiming that people had won tickets to matches held during the tournament. To go along with this; accommodation in Russia during the time period was also a popular topic that scammers used to hook their targets with.
Sextortion E-mails (Scare Scam)
A newer style of phishing technique is sending a random e-mail claiming to have hacked your personal computer (be it a desktop or laptop). Then they’ve made a recording from the webcam associated with the computer they gained access to and caught you watching adult content in compromising positions.
Should you not pay; then the video will be shared with all your contacts (where the scare scam comes in).
An example of these types of e-mails can be found on Spiceworks; an IT professionals community and forum.
The best methods to undertake to prevent this from even being plausible is by covering any webcam or video recording device that you have connected to your devices; and to close off microphone ports or install micblocking software. It’s also best to implement some form of Two Factor Authentication (2FA) to prevent unauthorised access to your systems or network (even if they get a username and password).
Fake Financial Institution E-mails
If you search for ‘bank phishing scams’ then you’ll see that each of the large Australian banks all provide information about the latest scams where their branding is associated. These include NAB, Commonwealth Bank, Westpac and ANZ.
The best thing to do if you receive a banking type communication you’re not expecting is to delete the e-mail and contact that institution directly for clarification. The most important thing to remember:
DON’T EVER GIVE OUT FINANCIAL INFORMATION OVER E-MAIL OR TELEPHONE WITHOUT VALIDATING THE REQUEST IS LEGITIMATE FIRST.
Covering your business with Cyber Security
Test My Backups is focused on providing small to medium businesses affordable data protection and business continuity systems and techniques. This is to ensure that should any business fall victim to data loss or cyber attack; that they’re not left having to count the cost of IT system downtime or contribute to the already large sums collected from Australian businesses through Cyber Scams.
If you found this article to be informative; share and follow our social media accounts. Should this have raised any questions around your businesses resilience to cyber attack – list them below and join the conversation!