Phishing Scams – Don’t Take The Bait
What is Phishing?
Phishing is designed to trick you into handing over your personal details so that the phisher can steal your identity, your money, or both. Phishing attempts are most commonly made by email, with messages claiming to be from reputable companies in order to trick you into revealing personal information such as credit card numbers and passwords online. Many people also fall victim to the same tactics via phone calls (you know, those 'Microsoft' calls) and websites (gaudy flashing boxes telling you that you have won, insisting you download a Registry Cleaner to clean your infected PC, or announcing that you have been selected to receive something for free).
Phishing differs from spam in that spam is generally just annoying, unsolicited contact (like the flyers in your letterbox), whereas phishing is built to deceive you and results in real theft and real losses.
Why Phish?
Because phishing works. Tempting users with offers, freebies and giveaways is a tried and true method. Humans are curious by default, and even in 2016, when we are more aware than ever of the need to exercise caution, we still take these baits.
Phishing is extremely profitable and takes very little effort from the cyber criminal. Sending out a million emails costs next to nothing, so even if only 1% of those targeted fall into the trap, the criminal still nets a nice payday.
A global study by the Anti-Phishing Working Group (APWG), published in May 2016, found that:
- The Retail/Service sector remained the most-targeted industry sector during the first quarter of 2016, with 42.71% of attacks
- The number of brands targeted by phishers in the first quarter remained constant, ranging from 406 to 431 brands each month.
This means that well-known brands such as PayPal, Apple and Facebook (and, in Australia, the ATO, AGL and Australia Post) are the ones most often impersonated in phishing attempts. Fake websites are hard to distinguish from the real thing, and are now increasingly served over HTTPS with valid certificates to further mislead the user: the padlock only means that the connection to that site is encrypted, not that the site belongs to the company it imitates. People generally trust these brands, and that trust is the perfect cloak for cyber criminals and brings in a bigger catch.
How Can I Tell If I Am Being Phished?
Phishing attempts usually show one or more of the following signs:
- Typos and grammatical errors
Phishing emails are often riddled with poor grammar and bad spelling, mistakes that a legitimate company's communications would rarely let through.
- Web Links or Attachments
This is the number one bait tactic, and it works far too often. Clicking a link takes you to a website that either asks you to 'log in' (harvesting your password) or tries to install some form of malware onto your PC. If no link is present there will usually be an attachment, and once you open and run the file, the virus or malware happily installs itself and goes about its business.
- Threats
These emails are often threatening in nature, warning of an account closure or a fine, or trying to convince you that your security is at risk. There is no better way to make you react hastily than to threaten you.
- Spoofing
Spoofing means using a well-known website or company name and address so that the message appears legitimate. When you click a spoofed link, you end up somewhere that looks similar to where you thought you were going, or somewhere else entirely. Spoofing also happens inside a network: emails that appear to come from within your own organisation (your boss, the receptionist, the person at the next desk, or even yourself), and very often from a 'scanner' or 'fax'.
- Phone Calls
These start out pleasantly enough, with the caller saying they are phoning from the 'Windows Department' or from 'Telecom', or perhaps from a legitimate business in your country (in Australia, Telstra is often used in these calls). They may talk you into giving up your user name or password for a particular site, or your credit card or banking details in order to 'make a payment'. They may also instruct you to visit a website and download or install software that gives them access to your PC.
How To Avoid Being Phished
There are some really easy ways to avoid phishing, and most of them just require a few seconds of inspection before you react:
- Is the email from someone you know or someone you are expecting to hear from?
If not, chances are it is spam or, very likely, a phishing attempt. Just because it claims to be 'Your Monthly Electricity Usage' doesn't mean that it is.
- Are the links in the email real?
A simple way to check is to hover your mouse over the link (do not click, just hover): the status bar or tooltip reveals the true destination, and if the address shown there doesn't belong to the company the email claims to be from, it's a phish.
- What is in the attachment?
Attachments in phishing emails are more than likely zip archives or Office documents carrying macros. They are usually obscurely named, often containing your own name or a default like 'scan' or 'attachment', which is a pretty good indication that it is not what it claims to be.
- Assess the threat
An email from an electricity company telling you that your account will be suspended unless you click this link or open the attachment can easily be checked by calling your electricity supplier first. Don't assume that because they appear to have sent you an email advising of this suspension, it is for real. The same goes for any company you do business with. Make a phone call, speak with your account representative, ask a real person.
- Is it a Spoof Email?
To identify spoofing, take a minute to look and think: does that scanner or fax machine in the email address actually exist on your network? Is it normal for your CEO to email you a file of that nature, or to ask for your user name or password? Would your boss really want to start you on 'one of the most amazing peso-making journeys you'll ever take'?
- Personal use of work email addresses
Don't use your business email account for personal purposes; that is, don't sign up to websites for personal reasons using your work email address. Keeping the two separate greatly reduces the chance of a personal phishing email landing in your work inbox and being trusted there. The damage done by unleashing ransomware or malware into your work network because you believed an email to be from somewhere you have personal dealings with is just not worth the cost to your business. We are all only human, but reducing the chances of being a victim is of great benefit to your organisation.
- Phone calls can be returned
Businesses such as Microsoft, PayPal or Telstra do not cold-call you to ask for passwords or card details. If you are unsure whether a call is legitimate, don't rely on an employee ID number or a call-back number the caller gives you, because a scammer can invent both. The best way to deal with these calls is to hang up, look up the business's number yourself (on your bill or its official website) and phone them back if you believe you do need to speak with them further.
- Just take a few moments to check.
Those few moments could save you a whole load of hassle, not to mention money.
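The inspection steps above can also be applied by a script, which is useful when you want to screen a whole mailbox or show staff exactly what 'hover over the link' is looking for. The Python below is an added example written for this article, not code from F5 Solutions: it reads one raw email and applies the sender, link and attachment checks from the list. The sample message, every domain and the filename in it are constructed for the illustration, and the lists of risky file types and generic attachment names are my own assumptions rather than any standard.

```python
import os
import re
from email import message_from_string, policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample for illustration only: every address, host and filename is made up.
SAMPLE_EMAIL = """\
From: "AGL Energy <accounts@agl.com.au>" <billing@agl-notices.example>
Reply-To: support@unrelated-mailer.example
Subject: Your electricity account will be suspended
Content-Type: multipart/mixed; boundary="B1"

--B1
Content-Type: text/html; charset="utf-8"

<p><a href="http://coach-development.example/pay">https://www.agl.com.au/myaccount</a></p>
<p><a href="https://www.agl.com.au/help">Help centre</a></p>
--B1
Content-Type: application/zip; name="scan_0023.zip"
Content-Disposition: attachment; filename="scan_0023.zip"

--B1--
"""

# Assumed heuristics (my lists, not a standard): risky attachment types and generic names.
RISKY_EXTENSIONS = {".zip", ".rar", ".exe", ".scr", ".js", ".vbs", ".docm", ".xlsm", ".hta", ".lnk"}
GENERIC_NAMES = ("scan", "attachment", "invoice", "document", "statement")
HOST_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.I)


def same_site(a, b):
    """True when one hostname is the other or a subdomain of it."""
    return a == b or a.endswith("." + b) or b.endswith("." + a)


class LinkExtractor(HTMLParser):
    """Collects (href, visible text) pairs: what hovering reveals vs. what you see."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def check_email(raw):
    """Apply the article's checks to one raw message; returns a list of findings."""
    msg = message_from_string(raw, policy=policy.default)
    findings = []
    # 1. Who is it from? The display name can claim anything; only the address domain
    #    counts, and even that is forgeable unless the mail server enforces SPF/DKIM/DMARC.
    if msg["From"] and msg["From"].addresses:
        sender = msg["From"].addresses[0]
        domain = sender.domain.lower()
        for claimed in HOST_RE.findall(sender.display_name):
            if not same_site(claimed.lower(), domain):
                findings.append(f"sender: display name mentions {claimed} but address is @{domain}")
        if msg["Reply-To"] and msg["Reply-To"].addresses:
            reply = msg["Reply-To"].addresses[0].domain.lower()
            if not same_site(reply, domain):
                findings.append(f"sender: replies go to @{reply}, not @{domain}")
    # 2. Are the links real? The hover check: host named in the link text vs. the
    #    host the href really points to.
    html_part = msg.get_body(preferencelist=("html",))
    if html_part is not None:
        extractor = LinkExtractor()
        extractor.feed(html_part.get_content())
        for href, text in extractor.links:
            target = (urlparse(href).hostname or "").lower()
            for shown in HOST_RE.findall(text):
                if not same_site(shown.lower(), target):
                    findings.append(f"link: text shows {shown} but points to {target}")
    # 3. What is in the attachment? Risky file types and generic 'scan'-style names.
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        reasons = []
        if os.path.splitext(name.lower())[1] in RISKY_EXTENSIONS:
            reasons.append("file type can carry executable content")
        if name.lower().startswith(GENERIC_NAMES):
            reasons.append("generic filename")
        if reasons:
            findings.append(f"attachment: {name} ({'; '.join(reasons)})")
    return findings


if __name__ == "__main__":
    for finding in check_email(SAMPLE_EMAIL):
        print(finding)
```

Run against the sample it reports four findings: the display name quotes agl.com.au while the real address is on another domain, replies are routed to a third domain, the first link's text shows www.agl.com.au while its href points at coach-development.example, and the attachment is a zip with a 'scan' name. The second link, whose text is plain words, is correctly left alone. Treat the output as a screening aid, not a verdict: an empty list only means none of these checks fired, and the From-domain check is only meaningful when your mail server actually validates SPF, DKIM and DMARC.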
An example of a phishing email (reproduced as a screenshot in the original post), with the questions to ask yourself:
Question: is that the email address of my bank, let alone of my bank manager? Is that even her name?
Question: a message delivered as a zip file? Why would it be called 'scan'? Why wouldn't my bank manager just type the message into the email and save herself the hassle?
Unusual: it doesn't read with the professional tone my bank manager would use. There is no signature, nothing to confirm that it is what it claims to be.
Below is another example of a phishing email currently doing the rounds and catching many Australians out by claiming to be from AGL (again shown as a screenshot in the original post):
We have seen many people fooled by this very email over the past few weeks.
When I received this email, I knew right away it was a phish, based on a few things. Firstly, we don't get our electricity bill by email. Second, the email is missing the AGL company logo. Third (if I were still unsure), before clicking any buttons I hovered my mouse over the links, as you can see in the second image. The link does not go to AGL; in fact, it looks like it would take me to a coach development website.
This email actually links to ransomware: once clicked, the download reports back to the attacker's server, which then deploys the ransomware onto your system. Similar emails claim to be from Australia Post and the ATO. Combined, these phishing/malware emails have claimed thousands of victims and counting.
Don’t Become Complacent.
Just because the general rules (poor spelling, bad grammar and cloaked links) usually apply doesn't mean they are hard and fast. Sophisticated phishers can and will use professional marketing techniques to get you to click. They may include logos and other legitimate content taken directly from a company's website, newsletter or emails. Remember that no legitimate organisation will urgently request that you send your credit card details by email. If in doubt, pick up the phone and make a call. If you need to visit the company's website, type its address in manually rather than following the link.
It is far better to delete an email and have it resent, or to hang up on a suspicious caller, than to be phished and then hacked or robbed.
Keep your anti-virus up to date, keep your firewall and software patched, and above all, don't rush.
Read what is before you and take a breath before clicking a link or opening an attachment.

F5 Solutions has been providing refreshing IT support for small-to-medium sized businesses since 2011. Our collective experience and industry service began as early as 1999.
We deliver IT support and services in Richmond, Windsor, Hawkesbury, Blue Mountains, and the Greater Sydney area. We also service customers with branches Australia-wide.
Contact Info
PO BOX 56 Kurrajong NSW 2758
PH: 02 4572 2206
Email: hello@f5solutions.com.au
Office Hours: Mon-Fri, 8AM-6PM
(After Hours by Appointment)
© 2021 F5 Solutions Pty. Limited ABN 89 153 991 765