Have you or your business ever received a suspicious email stating “an urgent wire transfer” or notifying you that “your bank account has been disabled – verify your account now”? Well you are not alone. According to scamwatch.gov.au, in 2021, there have been 45,884 reported phishing attacks, totalling to a financial loss of $3,305,00 and 81,618 reported attempts to gain personal information.
With our lives largely remaining online due to COVID-19, malware attacks have soared with the Australian Cyber Security Centre (ACSC) receiving 22,000 calls to its Cyber Security Hotline, with an average of 60 calls per day. This is an increase of 310% from the previous financial year.
Many of these phishing attempts are email spam that are easily identifiable, often having misspelt or suspicious email addresses, and poor English and grammar. However, some attacks are more sophisticated and harder to identify.
Adam Irwin Managing Partner of Pitcher Partners Sydney said cyber criminals use information gathered from social networks and compromised accounts to target a single individual in the attempt to trick them into handing over further information, confidential data, or money.
“We know these sophisticated attacks allow perpetrators not only to access their victim’s information but to also install malware onto their victims’ computers so that they can continue to be monitored,” Mr Irwin said.
“An end-to-end technology and managed services partner like Nexon Asia Pacific (Nexon) have recognised that business email compromise is one of the most common attack vectors, however cyber criminals today have more entry points than ever before.”
Organisations need to understand the risks present in their environment, to put appropriate controls in place.
When in doubt, do not click
Ideally, your organisation has effective tools in place to limit the number of phishing emails. Because nothing is fool proof, it is imperative to identify the signs. Keep an eye out on reported phishing scams and contact addresses, making note of reoccurring tricks and techniques used.
If you receive a scam, then it most likely has been sent to someone else in your organisation before.
Even if no one is aware of the potential threat, it is best to immediately notify your security team, so that they can act accordingly.
Judge a book by its…lack of security
Our increased adoption of social media and online platforms has provided an opportunity for cyber criminals to know more about us than they should. Pinpointing the average, unbeknownst joe.
Be wary of website security when submitting sensitive information. If you are uncertain about the website, then you can also check a website’s security certificate, to ensure it has been issued to the organisation you intend to submit the information to, by clicking on the closed lock icon in the address bar.
If the site is missing one or all of these features, then it is a sign that it is not secure and therefore unsafe to use.
Start by not opening an email from a sender you are not sure of. The email URL is the first check point to confirm whether the email is legitimate or a phishing attack.
Do not open any websites or attachments that look suspicious or have been blocked by your browser or organisation. These websites or email attachments have most likely been compromised and can put you at further risk.
Never forget to check
Although it may be difficult to stay on top of all your online accounts, it is important that you do. When monitoring your accounts, look out for suspicious activity, such as payments that you did not make or unusual log in times and locations.
Security starts with individuals safeguarding their login credentials for their cloud-based office suite. If compromised then an attacker could have access to your email files, chats, documents and more.
To avoid criminals from accessing your online accounts it is best to maintain password hygiene. Long gone are the days where using the password Sundayroast123 to secure your accounts would be classified as a clever idea. As outlined by Cyber Aware, ensure to regularly change your password using strong, unique passwords that consist of a combination of characters, numbers, and symbols.
Another security layer that organisations are already implementing across their remote workforce is two-factor authentication.
Using two-factor authentication methods such as SMS verification, authentication apps or biometrics will add an additional layer of protection with your log-in requiring both your set password and an autogenerated code that expires at a rapid pace. This will add a level of complexity to your account security, making it difficult for cyber criminals to successfully enter your account.
Be cyber aware
Targeted cyber-attacks often rely on an employee taking the bait and bypassing technology controls put in place. By introducing training and phishing simulation systems, such as Cyber Aware, into your business we can raise and measure each employee’s cyber awareness maturity, reducing the human factors involved in successful cyber-attacks.
The platform works by sending your employees regular training material, and follow up quizzes, to educate them on various aspects of cyber security. In addition, simulated phishing emails help to track the cyber-security maturity of the organisation and individuals.
Garth Sperring Security and Network Business Lead at Nexon Asia Pacific noted that during their end-user awareness and phishing campaigns in 2020, 12.5% of users responded to a phishing email and provided passwords.
“Awareness training is nowadays a must as part of a comprehensive security approach. It is an integral area organisations should be investing in. To mitigate risks, employees are often the first line of defence and need to know how to identify suspicious emails or activity”, Mr Sperring said.
Continue with caution
If you remain alert and maintain awareness of cyber criminal’s techniques, look out for signs of dodgy websites, and monitor your accounts and passwords frequently, then you will be a hard target to deceive.
In summary:
- Do not click or open any attachments sent to you, unless you know the sender
- If something does not seem right, then it most likely is not
- Investigate – do not feel afraid to question the situation and take time and care to do your research before clicking anything suspicious
- Check and change your passwords regularly
- Implement simulated phishing attacks and virtual training into your organisation
If the above has raised any concerns around your security posture, engage an advisory firm to help structure your security roadmap. The first step forward is a security assessment to uncover cyber risks in your business.