Every day Australian businesses are being targeted by cyber scams. According to Scamwatch, between January and March 2021, there have been 14,226 reports of phishing with a revenue loss of $659,517.
2,235 of these were email phishing scams.
Furthermore, according to the Notifiable Data Breaches Report July – December 2020, email-based phishing was the most common method used to obtain credentials (25%). This makes email a major information security risk for any business.
Phishing (pronounced ‘fishing’) is a form of cyber attack delivered via email. These emails are cleverly designed to trick the recipient into thinking they have come from a reputable source. The aim is to acquire login details, personal or identity information, or to have the recipient click on malicious links or open attachments that can wreak havoc on your network.
Case study – request to pay fake invoice
A 36-year-old person working in the finance department of an Australian consulting company received an email from their manager requesting urgent payment of an invoice to a Malaysian-based supplier. The manager, who was in Malaysia for business at the time, had emailed via their personal email – this was not out of character, as they’d done this on past work trips. Payment of A$240,000 was promptly made. It wasn’t until several days later, when the manager returned, that they discovered what had happened.
You can have the best systems and technology that money can buy, but at the end of the day when it comes to phishing emails, you and your team are the last line of defence.
If you receive an email from someone you don’t know – there’s your first red flag to stop. The golden rule is never click on links or respond to a request to provide personal information – if it’s from someone you don’t know or an organisation you’ve had no interaction with.
If it’s an email from someone you do know, get into the habit of double-checking the sender’s email address. A single changed character in the address is another warning flag, e.g. an email from John Citizen who works at A Big Corporation but the email is presented as: firstname.lastname@example.org – note the ‘q’ should be a ‘p’.
Question to ask: does the email seem fishy?
What are the odds of winning a luxury new car? If the information in the email seems too good to be true – chances are, it probably is. Always be suspicious of any emails saying you’ve won a dream prize. Also be sceptical of any unusual requests, or emails where there’s a sense of fear or urgency – ‘click here now to claim your prize’.
Question to ask: did I enter a competition to win a car?
If you have a preview panel for your inbox, or happen to open an email, pay close attention to the words and sentences. Are there any spelling mistakes, grammatical errors or style inconsistencies – does anything stand out as not quite right? These are all clues that should make you suspicious.
Question to ask: is the email addressed to me or does it say Dear sir, Dear madam or Dear customer?
Hover over any links and look carefully at the web address displayed. Just as you should check the email address, get into the habit of checking the spelling in the link for anything unusual. It may appear to be a genuine web address but there could be one hidden character or missing letter that alerts you – it’s a hoax.
To determine if a website is secure, look for “https” at the start of the address. If you click through and land on a page with a form asking you to fill in your details – be wary.
Question to ask: am I being asked to provide any logins, personal information or credit card details?
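The two habits described above – checking the sender’s domain for a one-character change, and comparing where a link says it goes with where it really goes – can be backed up by a simple automated check. The script below is an added example written for this article, not code from the original; the trusted-domain list, the sample From: header and the sample HTML message are all constructed for illustration, and the two-edit distance threshold is an assumption you would tune for your own domain list.

```python
"""Lookalike-domain and link checks for a suspicious email (added example).

Everything below is constructed for illustration: the trusted-domain list,
the confusable-character table, and the sample message.
"""
import re
from email.utils import parseaddr
from typing import Dict, List
from urllib.parse import urlparse

# Constructed allow-list: domains the organisation legitimately deals with.
TRUSTED_DOMAINS = {"abigcorporation.com", "example-supplier.com.au"}

# Character sequences that are easy to confuse at a glance (hypothetical table).
CONFUSABLES = {"0": "o", "1": "l", "q": "p", "rn": "m", "vv": "w", "cl": "d"}

# Assumed threshold: at most this many single-character edits counts as a lookalike.
MAX_EDITS = 2


def levenshtein(a: str, b: str) -> int:
    """Edit distance: how many insert/delete/substitute steps separate a and b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def normalise(domain: str) -> str:
    """Fold visually confusable sequences so 'rn' reads as 'm', '0' as 'o', etc."""
    d = domain.lower()
    for lookalike, real in CONFUSABLES.items():
        d = d.replace(lookalike, real)
    return d


def registrable_domain(host: str) -> str:
    """Crude registrable-domain guess: last two labels, or three for com.au-style suffixes."""
    labels = host.lower().split(".")
    if len(labels) >= 3 and labels[-2] in {"com", "net", "org", "gov", "edu"} and len(labels[-1]) == 2:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def classify_domain(domain: str) -> str:
    """Return 'trusted', 'lookalike' or 'unknown' for a sender or link domain."""
    d = registrable_domain(domain)
    if d in TRUSTED_DOMAINS:
        return "trusted"
    for trusted in TRUSTED_DOMAINS:
        # Same domain once confusable characters are folded, a few edits away,
        # or a trusted brand name embedded in an unrelated domain: all lookalikes.
        if normalise(d) == normalise(trusted) or levenshtein(d, trusted) <= MAX_EDITS:
            return "lookalike"
        if trusted.split(".")[0] in d:
            return "lookalike"
    return "unknown"


def check_sender(from_header: str) -> Dict[str, str]:
    """Pull the address out of a From: header and classify its domain."""
    _, address = parseaddr(from_header)
    domain = address.rsplit("@", 1)[-1]
    return {"address": address, "domain": domain, "verdict": classify_domain(domain)}


# Simple anchor matcher; a real mail gateway would use a proper HTML parser.
HREF_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)


def check_links(html: str) -> List[Dict]:
    """For each link: the visible text, the real target, and what is wrong with it."""
    findings = []
    for href, text in HREF_RE.findall(html):
        target = urlparse(href)
        issues = []
        if target.scheme != "https":
            issues.append("not https")
        verdict = classify_domain(target.hostname or "")
        if verdict != "trusted":
            issues.append(f"{verdict} domain")
        # The article's hover check: visible text that is itself a URL must match the real target.
        shown = text.strip()
        if shown.startswith(("http://", "https://")):
            shown_host = urlparse(shown).hostname or ""
            if registrable_domain(shown_host) != registrable_domain(target.hostname or ""):
                issues.append("displayed URL differs from real target")
        findings.append({"text": shown, "href": href, "issues": issues})
    return findings


# Constructed sample message in the style of the article's John Citizen example.
SAMPLE_FROM = "John Citizen <john.citizen@abiqcorporation.com>"
SAMPLE_HTML = """
<p>Please settle the attached invoice today.</p>
<a href="http://abigcorporation-pay.net/login">https://abigcorporation.com/invoices</a>
<a href="https://example-supplier.com.au/terms">Terms</a>
"""

if __name__ == "__main__":
    print(check_sender(SAMPLE_FROM))
    for finding in check_links(SAMPLE_HTML):
        print(finding)
```

Running it flags the sender as a lookalike (one character away from the trusted domain) and the first link for three reasons at once: no https, a domain that merely contains the trusted brand name, and visible text pointing somewhere other than the real target. Treat the https check as one flag among several rather than proof of safety: it only tells you the connection is encrypted, and a phishing site can hold a valid certificate too.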
Now that you have the tools, share the knowledge with the wider organisation. The more people on your books, the greater the risk of phishing emails coming in. Consider investing in instructional videos or interactive modules for the training. Visual aids with examples are effective ways to demonstrate the power of the human firewall.
To help protect your systems from malware such as viruses, antivirus software can add an extra level of protection. They can:
If your organisation has an IT policy, you’re likely to be required to report the email either by forwarding it, filling in a report or logging it.
If you use Outlook, you can block the sender; this moves the email to the Junk folder, where you can delete it. If you use Gmail, there is a ‘report phishing’ function. At a minimum, you should delete the email.
Finally, if you are ever unsure, you can pick up the phone and call the sender of the email to seek validation. So remember, be alert for phishing emails – don’t get caught hook, line and sinker.