According to OAIC statistics, phishing attacks have increased considerably in the past three months due to the COVID-19 pandemic. Three in five data breaches have been caused by malicious or criminal attacks, with data breaches resulting from phishing continuing to be the leading source of malicious attacks.
Twitter was the vehicle of choice for hackers last month when the accounts of Bill Gates and Joe Biden, among others, were accessed and used to post so-called tweets asking their followers to pay $1,000 within 30 minutes, promising to send back $2,000! The old adage of 'if it sounds too good to be true, it probably is' comes to mind.
Education and awareness are key, so we’d like to offer some advice on what to look for in suspicious emails, and more importantly, what to do:
- Unsolicited messages - Never respond to unsolicited messages and calls that ask for personal or financial details, even if they claim to be from a reputable organisation or government authority.
- User name & password disclosure - To trick you into disclosing your user name and password, fraudsters may include the name of a legitimate company within the structure of the email and/or web addresses. For example: https://www.google.com is a fake address that doesn't go to a real Google web site. A real Google web address has a forward slash ("/") after "google.com" — for example, "https://www.google.com/" or "https://login.google.com/".
- Email looks legitimate as from a 'work colleague', but the request seems odd - For example, the scammers search LinkedIn for an HR/Payroll Clerk, then send that person an email posing as a colleague who wants their payroll account details altered to a new account, and instantly it is payday for the scammers. If the request is at odds with normal company processes or is asking to change bank account details, simply call the colleague directly to confirm that they did in fact request a change.
- Sent to a website with pop-ups - Be careful if you're sent to a website that immediately displays a pop-up window asking you to enter your username and password. Phishing scams may direct you to a legitimate website and then use a pop-up to gain your account information.
- An unexpected email from a company - If you have received an unexpected email from a company, and it is riddled with mistakes, this can be a strong indicator it is actually a phish. Look for spelling errors, poor grammar, or inferior graphics.
- Hyperlinks in an email - Check a link first by hovering your mouse over any link in an email. The hyperlink may be labelled as https://www.google.com.au, for example, but the tooltip that pops up contains the actual destination URL, and it may be something different like https://dodgybros.com.au/we.got.you or https://1263.3.97.2/scam (not real examples, but the point being you are not being directed to www.google.com.au).
- Email containing an attachment - Be wary if you receive an email from a company out of the blue that contains an attachment, especially if it relates to something unexpected. The attachment could contain a malicious URL or trojan, leading to the installation of a virus or other type of malware on your PC or network.
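An IT team triaging a reported message can automate the hover check from the "Hyperlinks in an email" item. The following Python is an added example, not part of the original article: the function names and the sample email are constructed for illustration, and it assumes an exact hostname comparison that ignores a leading "www.".

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

URL_LIKE = re.compile(r"^(https?://|www\.)\S+$", re.I)  # label that reads as a web address

class LinkCollector(HTMLParser):
    """Collect (href, visible label) for every <a> element in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def host_of(url):
    """Lower-cased hostname of a URL (scheme optional), or '' if unparseable."""
    try:
        return (urlsplit(url if "://" in url else "//" + url).hostname or "").lower()
    except ValueError:
        return ""

def suspicious_links(html):
    """Return (label, href, reason) for links whose destination deserves a second look."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, label in parser.links:
        dest = host_of(href)
        if dest.replace(".", "").isdigit() or ":" in dest:
            findings.append((label, href, "destination is a raw IP address"))
        elif URL_LIKE.match(label) and \
                host_of(label).removeprefix("www.") != dest.removeprefix("www."):
            findings.append((label, href, "label host differs from destination"))
    return findings

# Constructed sample email body; the addresses are illustrative, not real indicators.
SAMPLE_EMAIL = """
<p>Sign in at <a href="https://dodgybros.com.au/we.got.you">https://www.google.com.au</a></p>
<p><a href="https://203.0.113.7/scam">Update your details</a></p>
<p><a href="https://www.google.com.au/maps">www.google.com.au</a></p>
"""

if __name__ == "__main__":
    for finding in suspicious_links(SAMPLE_EMAIL):
        print(finding)
```

Legitimate newsletters that route links through a tracking domain will also be flagged by the exact-host comparison, so treat a finding as a prompt to verify the sender rather than as proof of phishing.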
You can find further advice on how to protect yourselves - both at work and at home - on the ACCC’s Scamwatch site.
What to do if you receive a suspicious email:
- Do not open, forward or reply to it - To do so may compromise your security.
- Do not click on links or attachments - These can be disguised malware that may infect your device or network.
- Take a screenshot of the email - Send this screenshot to your organisation’s IT team. The IT team will need this information to start its investigations.
- Once the investigation is complete - respond according to advice provided by your IT or Leadership team.
- Delete it - Once your IT or Leadership team has given the instruction to 'delete', delete the message to prevent you from accidentally opening it in the future.
If you have any questions or would like to discuss further, please feel free to send me an email at mgillies@rtg.com.au