Advanced phishing scams are becoming more common every day. The days when employees could easily spot phishing scams are long gone. Many phishers in 2020 have become proficient at creating legitimate-looking communications. 2019 saw significant developments in AI-enabled phishing attacks and phone phishing scams (also known as vishing), and these developments show no sign of slowing down in 2020. Therefore, it is important that people in Australia and worldwide learn what phishing is, the types of phishing scams, how to know if they are being phished, how to protect themselves and how they can help protect other people from phishing scams.
What is a Phishing Scam?
Phishing scams are cyber attacks disguised as communications from a trusted body, e.g. the Australian Taxation Office. The objective of these attacks is to deceive the target into believing they are required to provide sensitive information, such as banking details, passwords and business details. Once the phisher receives the sensitive information, they can potentially hold your account for ransom, infect a business’s network, transfer money from your bank account, and the list goes on. The negative effects of these attacks are enormous and can cause the downfall of a business. Thus, all employees of a business should understand the types of phishing scams that are used.
Main Types Of Phishing Scams in Australia
Whaling and Spear Phishing
Whaling and spear phishing scams are aimed at businesses and use information specific to the business that has been obtained elsewhere. The phisher sends a specially designed email to certain employees. This email is crafted to appear as if it has been sent from a genuine source, such as another employee, a manager or a director. The phisher uses this email to convince the target that they are required to complete an urgent action. Generally, a link to a fake website or an attachment will be included in the email. When the target opens this link or attachment, they will be asked to do something along the lines of:
- Enter confidential, sensitive information of the business they work at, such as passwords
- Provide financial details, such as PayPal account details
Once such details are provided, the phisher is able to use this information to either commit fraud, steal money from financial accounts or infect a business’s network.
Business Email Compromise (BEC)
Business Email Compromise (BEC) is a phishing scam which targets businesses that conduct wire transfers and have international suppliers. A phisher spoofs the email of an executive or high-level employee in the finance department and then requests fraudulent transfers. This can result in millions of dollars in losses. There are 5 specific types of BEC scams:
- Attorney Impersonation: Phishers spoof their email to appear as a lawyer that is in charge of confidential matters.
- Account Compromise: The email of a high-level employee is hacked and used to request invoice payments from genuine clients.
- CEO Fraud: A phisher spoofs their email to appear as the CEO of a business, then sends emails to employees in the finance department requesting that money be sent to an account the phisher controls.
- Bogus Invoices: Suppliers are sent invoices from emails that are spoofed by a phisher to appear as a high-level employee at a business.
- Data Theft: HR employees are targeted by phishers to obtain personally identifiable information or tax statements of employees. This is usually a preliminary attack, as it equips the phisher with data for future attacks.
Phone Phishing (AKA Vishing)
Vishing is a form of phishing that has the objective of getting targets to share sensitive information over the phone. In 2019, there were over 60,000 reports of vishing scams. This amounted to over $30 million lost to phishers. In 2020, vishing can only be expected to continue increasing drastically. A vishing scam generally consists of a phisher pretending to be from the Australian Government or a reputable business. This phisher aims to make you comply with demands such as providing your financial information over the phone. The phisher will establish themselves as an authoritative figure and attempt to manipulate you emotionally, posing as someone who can help you fix an issue or can benefit you in a certain way. Vishing scammers can be spotted quite easily, as their promises are generally unrealistic and they ask for information which should not be shared over the phone.
How To Know If You’re Being Phished
There are a few key attributes of a phisher. Understanding these attributes will help you know if you are communicating with a phisher or not.
Poor spelling and grammar
If the person you are communicating with fails to use proper spelling and grammar, it should indicate to you that they may not be trustworthy. There are a few reasons why a phisher may use poor spelling and grammar. Spam filters look for keywords and phrases commonly used in generic phishing emails; by misspelling such words, the phisher is able to bypass certain spam filters. This is why it is important that your business uses a well-tested spam filter. If you’re not sure whether your business is using a well-functioning spam filter, contact Inteck IT and we can evaluate your spam filter and IT setup. Another reason a phisher may use poor spelling and grammar is simply that English is not their first language, so their spelling and grammar may not be of high quality.
Shortened or Odd URLs
If the email you have received contains shortened URLs or URLs that you have never seen before, reconsider opening those links. In 2019, 51% of phishing attacks contained links to malware. This percentage is set to rise in 2020, so you should inspect every URL before you click it. If you’re not sure whether a link is fraudulent, give us a call at 1300 39 65 65 and we’ll assist you.
Strange Sender Email Address
Many spam filters detect whether or not a sender’s email address is fraudulent. Without a spam filter, it may be difficult to tell whether the sender’s email address is spoofed. If you receive an email from an address that seems randomly generated, such as F27TE2B3467BE2@companyname.com, you should definitely treat it as a phishing attempt.
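As an added example that is not from the original article or from Inteck IT, the Python below applies the two checks described in the sections above, a sender address that looks randomly generated and shortened or never-before-seen URLs, to a constructed sample email. The known-contact domain allowlist, the shortener list, the thresholds in the randomness heuristic and the sample message itself are all assumptions made for this example; a flag means "inspect before acting", not a verdict.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumption: the domains this mailbox normally deals with ("URLs you have seen before").
KNOWN_DOMAINS = {"companyname.com", "ato.gov.au", "scamwatch.gov.au"}
# Assumption: public URL shorteners that hide the real destination (not an exhaustive list).
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "ow.ly", "is.gd"}

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)

# Constructed sample message for the example; the addresses and links are made up.
SAMPLE_EMAIL = """\
From: "Accounts Payable" <F27TE2B3467BE2@companyname.com>
To: finance@companyname.com
Subject: Urgent: overdue invoice
Content-Type: text/plain; charset=utf-8

Please review the attached invoice and confirm payment today:
https://bit.ly/3xAmple
Login to the portal at https://companyname-portal-login.example/secure
Our usual portal remains at https://intranet.companyname.com/invoices
"""


def is_known(host: str) -> bool:
    """True when the host is an allowlisted domain or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in KNOWN_DOMAINS)


def looks_randomly_generated(local_part: str) -> bool:
    """Heuristic (an assumption for this example): a long local part that is mostly digits,
    or switches between letters and digits many times, resembles a machine-generated
    address such as F27TE2B3467BE2 rather than a person's name."""
    chars = re.sub(r"[._+-]", "", local_part)
    if len(chars) < 8:
        return False
    digits = sum(c.isdigit() for c in chars)
    switches = sum(1 for a, b in zip(chars, chars[1:]) if a.isdigit() != b.isdigit())
    return digits / len(chars) >= 0.4 or switches >= 4


def check_sender(from_header: str) -> list:
    """Flag a From address whose local part looks generated or whose domain is unfamiliar."""
    findings = []
    _display_name, addr = parseaddr(from_header)
    local, _, domain = addr.rpartition("@")
    domain = domain.lower()
    if not local or not domain:
        return ["sender: unparseable From address"]
    if looks_randomly_generated(local):
        findings.append(f"sender: local part looks randomly generated ({addr})")
    if not is_known(domain):
        findings.append(f"sender: domain not in known contacts ({domain})")
    return findings


def extract_urls(msg) -> list:
    """Collect http(s) URLs from every text part of the message."""
    urls = []
    for part in msg.walk():
        if part.get_content_type() in ("text/plain", "text/html"):
            payload = part.get_payload(decode=True)
            if payload:
                text = payload.decode("utf-8", "replace")
                urls.extend(u.rstrip(".,);") for u in URL_RE.findall(text))
    return urls


def check_urls(urls) -> list:
    """Flag shortened links, raw IP hosts and domains that are not in the allowlist."""
    findings = []
    for url in urls:
        host = (urlparse(url).hostname or "").lower()
        if host in SHORTENERS:
            findings.append(f"url: shortened link hides destination ({url})")
        elif re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
            findings.append(f"url: raw IP address instead of a domain ({url})")
        elif not is_known(host):
            findings.append(f"url: unfamiliar domain ({host})")
    return findings


def check_message(raw: str) -> list:
    """Run both checks over a raw RFC 822 message and return the list of findings."""
    msg = message_from_string(raw)
    return check_sender(msg.get("From", "")) + check_urls(extract_urls(msg))


if __name__ == "__main__":
    for finding in check_message(SAMPLE_EMAIL):
        print(finding)
```

Running it on the constructed message reports the generated-looking local part, the bit.ly link and the look-alike portal domain, while the link to the genuine intranet subdomain passes. A real deployment would also feed flagged messages to the spam filter the article recommends rather than relying on these heuristics alone.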
Too Good to Be True
If the email you receive is stating something that is simply too good to be true, such as a million dollar tax refund, it is most likely a phishing attempt.
Tips on protecting yourself from 2020 phishing scams
It is important for you and your employees to protect yourselves from the latest 2020 phishing scams. There are a few things that you can do today to protect yourself from phishing scams.
Ensure you have a well-tested spam filter set up on your email network. Most email services provide their own spam filter, though some are more effective than others. If you have an ineffective spam filter, or no spam filter at all, a great number of phishing emails will land in your inbox daily. Therefore, it is important that you install a well-tested spam filter on your email network. If you are having trouble doing so, feel free to get in touch with us and we’ll assist you.
It is extremely important that you keep your internet browser up to date and its settings set to the most secure options. If you’d like to improve your web browser security settings, we recommend having a look at UCSC’s Web Browser Secure Settings.
Two-factor authentication provides a way of double-checking that you are who you say you are. Traditionally, when you log into an account, all you need is your password, which makes it easy for phishers to log into your accounts once they have obtained it. With two-factor authentication, you must provide your password and a second form of authentication. This usually means entering a code that the website has sent to your mobile phone by text message, or one generated by a mobile application such as Authy or Google Authenticator. This provides greater protection for your accounts and should most definitely be utilised in 2020.
Websites which you input account details into should always be protected by SSL. Not sure if a website is protected by SSL? If a website is protected by SSL, the URL bar will appear with the following:
By only inputting sensitive information into SSL-secure websites, you reduce the risk of being phished drastically.
We, at Inteck IT, specialise in IT security and assisting in protecting businesses from phishing attempts. Contact us today to find out more.
How You Can Help Protect Other Australian Internet Users
If you believe the email you have received is a phishing scam, report it at https://www.scamwatch.gov.au/report-a-scam
Answer all the questions on the form honestly, as it will assist the Australian Competition and Consumer Commission’s ScamWatch, thus protecting other Australian internet users. If you do not know certain details of the scammer, you simply do not need to fill in that specific box.