Cyber Risks: Phishing & How to Spot It

The Human Component of Emergency and Disaster Communications – Emerging Risk Report: Issue 81
May 28, 2019
CEO Connect #2: The only constant is change
June 11, 2019

Cyber Risks: Phishing & How to Spot It

Scams are one of the oldest crimes in the book – from the Trojan Horse debacle to the confidence tricksters of 1800s America – but with the rise of the Digital Age, they have become more sophisticated, more insidious, and more prevalent than ever. Find our resources on cyber security here.
Phishing attacks are one of the most prolific and effective forms of cyber attack as criminals exploit data breaches, current affairs, seasonal events and social media to craft seemingly personal and legitimate emails. While technological defences are important, by far the weakest part of an organisation’s cyber defence is its people: they are the targets of scams, an easier and more susceptible entry point than hacking or other methods, and a harder one to reinforce. The best way to mitigate this risk is to ensure you understand the form of attacks and make sure everyone at risk is also well informed.

Let’s Go Phishing!

The ACCC reports that Australians lost $933,470 to phishing scams last year, and it received over 24,000 individual complaints. The most common method by far was email, accounting for the loss of almost half a million dollars, followed by phone which only cost half as much.

And the number of scams – and the associated financial loss that goes with them – is increasing at a staggering rate. In Australia, the losses accumulated during the first 5 months of 2019 are already almost equal to the total amount lost in 2016. There has also been a notable shift in methods, from 2016 and 2017 where phone scams dominated the losses, to 2018 and 2019 where email scams are now costing us more.

Amount lost to phishing scams in Australia

2016                                   $373,860

2017                                   $810,224

2018                                   $933,470

2019 (Jan-May)            $360,737

Recent data breach news highlights the need for individuals to remain vigilant to phishing emails.

Data breaches are a major consideration in cyber security, and are often not discovered or reported until long after the initial breach. Therefore, even individuals who have not knowingly been affected by a breach should be vigilant to the threat of phishing attacks.

What does a phishing attack look like though, and would you, your colleagues and staff, and/or students recognise one? It might be:

  • An email claiming to be from a bank requesting you log-in to verify your account due to fraudulent activity that has taken place. A link will likely be provided that will direct you to a website that looks similar to the genuine site, but which in fact will store the details that you input for the phisher’s use.
  • An email stating that you have been charged for a service you didn’t use, with an attached document that is supposed to be an invoice. When you open the attachment, malicious code installs on the computer without the user’s knowledge.

Catch of The Day

Victims of a data breach are likely to receive targeted phishing emails that use stolen personal information to make the email seem legitimate. Customers of an organisation that has suffered a data breach may also be targeted with phishing emails, regardless of whether their details have been compromised, because criminals take advantage of events in the news to target customers of a breached organisation with phishing emails using a subject line regarding the breach.

Usually, attackers are seeking financial gain. This could be through direct means such as tricking victims into sending money or downloading malware designed to steal financial credentials. Alternatively, they could seek to monetise the attack indirectly, by stealing information which is then sold on and could be used to facilitate further attacks.

What Should You Watch For?

A phishing email will typically contain a malicious attachment or a link to a malicious website. As well as awareness, the best defence is to make sure that your devices and software are kept up to date.

Whilst phishing emails are designed to be difficult to spot, there are some checks which users can employ in order to identify the less sophisticated campaigns:

  1. Sender: Were you expecting this email? Not recognising the sender isn’t necessarily cause for concern but look carefully at the sender’s name – does it sound legitimate, or is it trying to mimic something you are familiar with?
  2. Subject line: Often alarmist, hoping to scare the reader into an action without much thought. May use excessive punctuation.
  3. Logo: The logo may be of a low quality if the attacker has simply cut and pasted from a website. Is it even a genuine company?
  4. Dear You: Be wary of emails that refer to you by generic names, or in a way you find unusual, such as the first part of your email address. Don’t forget though, your actual name may be inferred by your email address.
  5. The body: Look out for bad grammar or spelling errors, but bear in mind that modern phishing looks a lot better than it used to. Many phishing campaigns originate from non-English speaking countries but are written in English in order to target a wider global audience, so word choice may be odd or sound disjointed.
  6. The hyperlink/attachment: The whole email is designed to impress on you the importance of clicking this link or attachment right now. Even if the link looks genuine, hover the mouse over it to reveal the true link. It may provide a clue that this is not a genuine email. If you are still unsure, do not click the link – just open a webpage and log onto your account via the normal method. If it appears to be from a trusted source, consider phoning the company’s customer service, but never follow the email’s instructions. Be aware that some companies operate policies stating they will never include links in emails and will never ask for personal information. Again, if in doubt, open a browser and check – and do not open attachments.
  7. Signature block: The signature block may be a generic design or a copy from the real company.

 Other useful resources:

Read our cyber risk checklist here to help you mitigate this risk, or read about the four lessons we can learn from America’s experiences here.