1 July 2020
Recently, the Australian Government advised that large-scale cyber-attacks are being waged against the Australian Government, critical infrastructure and Australian businesses.
These attacks have been underway for some time (weeks to months); the Government has now seen fit to advise the public to be extra vigilant.
COVID-19 has created a period of disruption and uncertainty that increases the chance of fraud occurring in your business, with email phishing and SMS fraud on the rise.
In a recent report, NSW ICAC stated: “While not conclusive as to all or any organisation, the evidence nonetheless tends to show that some forms of corruption and serious misconduct become more prevalent during periods of significant disruption and economic downturn”.
Security is a shared responsibility
Technology alone cannot prevent every attack, and the single most effective measure a business can take to improve its security is to increase its staff's ability to spot threats and their knowledge of how to respond.
Multi-factor authentication (MFA) remains one of the most effective controls for reducing the success of these attacks, but the critical defence against them is staff awareness: the human layer sits on top of every technical control.
Malicious email attacks
One of the most common forms of cyber-attack is email phishing. Cyber criminals send out millions of fraudulent messages to random email addresses in the hope of luring unsuspecting recipients into handing over their personal details. Here are two examples of common email scams to watch out for.
With many people now working from home, employees have been receiving fraudulent emails mentioning ‘VPN configuration’ or ‘remote access’ (or similar terms). These emails ask the user to enter their login credentials (as in the example below).
Employees also receive fraudulent emails carrying false invoices or statements. These bogus invoices or statements are sometimes followed up with phone calls urging payment.
What makes these suspicious?
- A link asking you to sign in is a major red flag.
- The sender addresses are fakes created to resemble a real business's addresses.
- Unusual characters in the email address are often a sign that something isn’t quite right.
Identifying a malicious email
- Never provide your login details in response to an email. Phishing attempts are camouflaged as legitimate sources, such as OneDrive attachments or hyperlinks embedded in emails that appear to come from a known address such as the IT Service Desk.
- If in doubt, contact the sender by telephone (using a number you already know to be legitimate) to confirm that the email is genuine.
- Be particularly careful about clicking links on mobile devices. Mobile mail clients typically show only the sender's display name, not the full email address, so the real domain is hidden and a spoofed sender is easier to disguise.
- Don’t be fooled by how an email looks. Phishing emails can be extremely well crafted and use stolen branding to appear to come from a legitimate, trusted source.
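The red flags listed above (a sign-in link, a fake sender address, odd characters in the domain, a display name that hides the real address) can be checked mechanically before a person ever has to judge how the email "looks". The following Python script is an added example, not code from the original article or from any product: it parses a raw message, compares the display name against the real sender address, renders punycode (xn--) domains the way a mail client would, maps a handful of lookalike characters back to the Latin letters they imitate, and flags links that ask you to sign in somewhere other than a trusted domain or whose visible text names a different host than their target. The trusted domain `example.com.au`, the small confusables table, and the sample "VPN configuration" email are all constructed for this example. The same domain check applies to a link received in a text message.

```python
import re
import unicodedata
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Domains the organisation genuinely sends from (assumption for this example).
TRUSTED_DOMAINS = {"example.com.au"}

# Characters commonly used to imitate Latin letters: a few Cyrillic and Greek
# letters plus digit substitutions (assumption: a subset, not a full table).
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0445": "x", "\u0456": "i", "\u03bf": "o",
    "0": "o", "1": "l", "3": "e",
}

EMAIL_IN_TEXT = re.compile(r"[\w.+-]+@([\w.-]+)")
ANCHOR = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
SIGN_IN = re.compile(r"\b(sign ?in|log ?in|verify|confirm|update)\b", re.I)

def decode_idna(domain):
    """Render punycode labels (xn--...) as Unicode, as a mail client would."""
    try:
        return domain.encode("ascii").decode("idna")
    except UnicodeError:
        return domain  # already Unicode, or not valid IDNA

def normalise_domain(domain):
    """Lower-case, NFKC-normalise and map lookalike characters to ASCII."""
    domain = unicodedata.normalize("NFKC", domain).lower().rstrip(".")
    return "".join(CONFUSABLES.get(ch, ch) for ch in domain)

def host_of(url):
    """Hostname of a URL in lower case, or "" when it cannot be parsed."""
    try:
        return (urlparse(url).hostname or "").lower()
    except ValueError:
        return ""

def domain_reasons(domain, label):
    """Reasons a sender domain or link host looks like a lookalike."""
    reasons = []
    shown = decode_idna(domain.lower().rstrip("."))
    if any(ord(ch) > 127 for ch in shown):
        reasons.append(f"{label}: non-ASCII characters in domain {shown!r} ({domain})")
    norm = normalise_domain(shown)
    if norm in TRUSTED_DOMAINS and shown != norm:
        reasons.append(f"{label}: {shown!r} imitates trusted domain {norm!r}")
    return reasons

def check_from(from_header):
    """Flag display-name spoofing and lookalike sender domains."""
    reasons = []
    display, addr = parseaddr(from_header)
    domain = addr.rpartition("@")[2]
    embedded = EMAIL_IN_TEXT.search(display)  # an address hidden in the display name
    if embedded and embedded.group(1).lower() != domain.lower():
        reasons.append(f"sender: display name shows {embedded.group(0)} "
                       f"but the real address is {addr}")
    return reasons + domain_reasons(domain, "sender")

def check_links(html):
    """Flag sign-in links and links whose visible text and target disagree."""
    reasons = []
    for href, inner in ANCHOR.findall(html):
        host = host_of(href)
        text = re.sub(r"<[^>]+>", "", inner).strip()
        reasons += domain_reasons(host, f"link {text!r}")
        if SIGN_IN.search(text) and host not in TRUSTED_DOMAINS:
            reasons.append(f"link {text!r} asks you to sign in at {host}")
        shown_host = host_of(text if "://" in text else "http://" + text)
        if "." in shown_host and shown_host != host:
            reasons.append(f"link text shows {shown_host} but goes to {host}")
    return reasons

def analyse(raw_message):
    """Return every reason the message looks like phishing (empty = nothing found)."""
    msg = message_from_string(raw_message)
    parts = msg.walk() if msg.is_multipart() else [msg]
    # Assumes the HTML part is plain (not base64/quoted-printable) text.
    body = "".join(p.get_payload() for p in parts if p.get_content_type() == "text/html")
    return check_from(msg.get("From", "")) + check_links(body)

# Constructed sample, modelled on the "VPN configuration" lure described above.
SAMPLE = """\
From: "IT Service Desk <helpdesk@example.com.au>" <vpn-support@examp1e.com.au>
Subject: Action required: new VPN configuration
Content-Type: text/html; charset=utf-8

<p>Your remote access profile expires today.</p>
<p><a href="http://examp1e.com.au/vpn/login">Sign in to update your VPN configuration</a></p>
<p>Or open <a href="http://examp1e.com.au/vpn/login">https://example.com.au/vpn</a></p>
"""

if __name__ == "__main__":
    for reason in analyse(SAMPLE):
        print("-", reason)
```

Run against the sample it reports six findings: the display name claims `helpdesk@example.com.au` while the real sender is at `examp1e.com.au` (a digit 1 standing in for the letter l), both links point at that lookalike, the first link asks for a sign-in outside the trusted domain, and the second shows `example.com.au` as its text while going elsewhere. A mail filter or user-reporting workflow would act on these findings; a reader on a phone, who sees only "IT Service Desk", cannot.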
Malicious SMS attacks
Smishing, phishing delivered by text message (SMS), is a growing cyber risk aimed primarily at getting people to enter usernames, passwords and other personal identification information. It has overtaken email as the most commonly used delivery method for cyber fraud.
The Australian Competition and Consumer Commission’s (ACCC) Scamwatch reported receiving multiple reports of coronavirus-themed scam texts urging people to click a link for Coronavirus testing locations.
The message uses emotive words such as ‘safety’ and ‘tested’ to prey on people’s eagerness to click for more information about a rapidly developing pandemic. Its grammatical inconsistencies, however, are a red flag that it is not genuine.
SMS Tips to stay safe
Smishing messages, like phishing emails, often try to create a sense of urgency so that victims divulge personal information without thinking. There are steps you can take to protect your information from smishers.
- Stay calm when checking your texts and always keep an eye out for suspicious-looking messages.
- Be wary of messages from unfamiliar or odd-looking numbers, but remember that a familiar number is no guarantee: scammers can make a smishing message appear to come from someone you know.
- If you receive a text claiming to be an alert from your bank or credit card company, call the organisation directly on its published number, obtained from another source, to find out whether the message is legitimate.
- A legitimate organisation will not send you a text asking you to click a link to confirm or enter your login or personal details. Provide such information only in person or over a call you have placed yourself.
- Delete any suspected smishing message without clicking any links or replying. Replying to ask the sender to stop texting you will likely lead to more scam messages.
If you believe you have been a victim of a cyber-attack or have any concerns or queries relating to cybersecurity, please get in contact with us.
Reference: NSW ICAC, Managing corrupt conduct during the COVID-19 outbreak, April 2020.