Cybersecurity – How to Not Getting Caught During Phishing Season

With the festive season just around the corner, and potentially the end of many health orders and government-related restrictions in sight, many people will be looking forward to spending this time with loved ones.

While this period presents an opportunity to celebrate, exchange gifts and enjoy some downtime, many people will still be connected online; let’s face it, going online is probably part of your daily routine now.

Unfortunately, there are some people, scammers, who don’t take a break. These people exploit the weaknesses in online applications and devices as well as our vulnerabilities. Scammers undertake various scams to target people of all backgrounds, ages and income levels across Australia.

Scammers usually engage in an activity called ‘phishing’. Phishing is the fraudulent practice of sending emails (or phone calls) pretending to be from reputable companies to induce individuals to reveal personal information. There’s not one specific group of people who are more likely to become victims of a scam. Our article this month will assist you in considering and revising your cybersecurity awareness, improve your risk awareness, and hopefully minimise any exposures.

What is Cybersecurity?

Cybersecurity is the act of protecting digital assets (such as computers, servers, mobile devices, electronic systems, networks, and data) from malicious attacks. The Australian Cyber Security Centre compiles a report each year on cyber crime data collected.

This term can be applied to multiple contexts (such as network, application or information security); however, we’ll focus on the most unpredictable cybersecurity factor: People. Anyone can accidentally introduce a virus to an otherwise secure system by not following good security practices.

Good cybersecurity practices help prevent cyber-crime, cyber-attack and cyber-terrorism. Cyber-crime specifically includes ‘actors’ or ‘groups’ targeting systems for financial gain. A key objective in targeting vulnerable systems is the installation of “malware”. Malware means ‘malicious software’.

A cybercriminal or hacker has created malware to disrupt or damage a legitimate user’s computer or extract sensitive personal and financial information. Malware spreads via (unsolicited) emails, legitimate-looking downloads, or through user interaction with a third party. The increasing prevalence of malware, and the ability to perform cybercrime, is achieved by scammers through a scam.

Types of scams

Let’s explore several commons scams:

• Tech-support (or remote-access) scam: Scammers trick you into unnecessary technical support services to supposedly “fix” device or software problems that don’t exist. At best, scammers are trying to get you to pay them to “fix” fake issues; at worst, they’re trying to steal your personal or financial information. This type of scam also extends to contact made by a scammer via phone, text or email falsely claiming to be from other familiar companies, such as a bank or government agency.
• Online shopping scam: Online (or “classifieds”) scams involve scammers establishing fake websites and tricking people into buying from them. Once the order is placed and payment is made, shoppers might receive an inferior product to what was promised (or worse, nothing at all). Unsurprisingly, there has been an increase in these scams due to the health pandemic lockdowns and residents purchasing their goods digitally.
• Romance scam: Scammers know that the quickest way to the purse strings is via the heartstrings. They usually create fake online identities designed to lure you in. Once they’ve gained your trust, they use your newfound relationship to request you send them money or gifts. These requests are usually connected with an urgent need for cash to help with fake health, travel or family problems. These scams are unique in that they may occur over many months and use manipulative, psychologically controlling, and devious tactics.
• Investment scam: An investment scam is when someone contacts you, usually “out of the blue”. Investment scams may be via phone or email, offering the chance to invest in a “once-in-a-lifetime opportunity”.

There are multiple types of scams and you’ll note, as you step through each of our common examples, several emerging and consistent elements. These are:

• The use of scare tactics
• A sense of urgency
• A promise or commitment (which is likely connected to something too good to be true or believable).
• A call to action – that is, you must “do” something (i.e. ‘engage’ in a particular behaviour (such as clicking on a link, downloading software or facilitating a payment or transaction).

Best Practice Cybersecurity Tips

Good cybersecurity practices apply to everyone and should be practiced daily. Our non-exhaustive, helpful tips are summarised as follows:

• Use security software: Install security software on your devices and keep it updated.
• Use auto-updates on your devices: Whether you are a user of an Apple, Microsoft, Samsung, or another platform manufacturer, we recommend enabling auto-updates on your devices. Device and product updates often include security fixes (or ‘patches’) that enhance your overall security position and address any identified vulnerabilities.
• Use multi-factor authentication: This is also sometimes referred to as two-factor or dual authentication. This method relies on a user providing a password as the first factor and a second, different factor. The second factor could be your mobile device, token, fingerprint scan etc. We recommend this be set up for most sensitive websites (e.g. your online banking account). Helpful hint: This safeguard can prevent someone from logging in to your account if your login details have been compromised.
• Use strong passwords: Research conducted by IT-sector companies has reported passwords can be guessed and, you guessed it, the most common passwords used by users include ‘password’, ‘123456’, ‘qwerty’ or a variant. Password-protect all your devices with a strong password. Use a different password for each site. Choose passwords that would be difficult for others to guess and update them regularly. Importantly, keep your passwords and pin numbers in a safe place. (A password manager can simplify the task of creating complex, unique passwords and storing them securely.)
• Be discreet with your information (“share with care”): Protect your personal information, especially when using social media sites. We recommend adjusting your privacy settings to minimise who can identify and locate you online, as well as not sharing essential information, no matter how basic or insignificant it may seem. Scammers can readily create fake identifies and exploit weaknesses through utilising basic elements such as your surname, address, phone numbers, date of birth etc.
• Be alert for scams: Be careful when clicking on links within emails and untrustworthy websites. Do not open suspicious texts, pop-up windows, click on links or attachments in emails, delete these emails. If unsure, verify the contact’s identity through an independent source – for example, if it’s a supplier, call them directly based on their listed phone number – never use the contact details provided in the communication sent to you. The same goes for unsolicited phone calls.
• Avoid using public Wi-Fi: Public Wi-Fi can be convenient, especially in places such as shopping centres and hospitality venues. Remember, it’s a shared network and you don’t know what vulnerabilities there are (including other users). We do not recommend checking your social media or logging into your online banking account when using public Wi-Fi.
• Back up your data regularly: Cybersecurity goes beyond safeguarding your personal and sensitive information – it extends to protecting your data from loss or destruction. Maintain reliable backups of your data.
• Log out of applications and websites when you are done using them: Equally, delete untrustworthy emails. Do not open these or click on links within them.
• When shopping online, always use an online shopping service that you know and trust: This includes only providing your credit card details to companies you recognise online. Importantly, be wary of unusual payment requests – scammers often ask you to use an unusual payment method (including pre-loaded debit cards, gift cards, iTunes cards or virtual currency such as Bitcoin).
• Utilise external support networks: Consider a trusted source to serve as a second set of eyes and ears. Family members (including tech-savvy grandchildren) may be willing to assist or contact a reputable IT provider.
• Regularly review bank and credit card statements: Regularly check your accounts to identify any unusual transactions, activity, or potential breaches.

Remember, if it looks (or sounds) too good to be true, it probably is.

The Bishop Collins Audit and Assurance team can assist you in identifying processes in your business that can be improved to prevent being a victim of a phishing scam. You can contact us here.