According to a 2017 ACCC report, the most commonly reported scams to the ACCC were phishing, identity theft, and false billing scams which resulted in losses surpassing $4.6 million.
The people behind phishing emails are experts in manipulation, and use a form of social engineering to trick us into giving out our personal information. Phishing refers to emails, text messages or websites that trick people into giving out their personal and banking information. These messages pretend to come from legitimate businesses, normally banks and other financial institutions or telecommunications providers. In effect, phishing is an attempt by someone to gain unauthorised access to a system by ‘phishing’ for information from people who may use that system.
How hackers ‘phish’ for your information
Phishing is used by hackers to attempt to contact you through SMS, email, website, or telephone, posing as legitimate organisations suggesting that you need to act to avoid a certain consequence.
Email phishing (the most common form), is cast to a wide group of random people (like a fisherman casting a wide net to see what comes back). The attackers know that not everyone will respond, but by virtue of the large reach – someone is likely to take the bait.
Examples of phishing attacks
Hackers will create a fake website, which looks remarkably similar to the real one (for example, image shown below), and then sends out an email to people requesting they reset their password as it has expired. And to do so, they must click on the link.
(Example email phishing attack. Source: Mailguard)
When a victim clicks on the link, they are taken to the imposter website and as they enter in their information (in this case, username and password), the hacker intercepts this information and now gains access to the victim’s login details.
(Example website phishing attack. Source: Mailguard)
The victim is now then prompted to change their password, and as they do so, the hacker has access to the new password now as well.
This is where the hacker gets smart. Because the victim never actually changed their original password (because the website was a fake), the hacker then goes to their real mail account, changing the password to the new password – while the victim is none the wiser.
The victim has just given complete access to their mail-box, and now the hacker is viewing every single email that is sent and received.
What does the hacker do with your information?
Because the victim has relinquished complete and total control over their mail-box, the hacker reads all inbound and outbound communication to get an understanding of how they can best benefit from the information they now have access to.
Most commonly, the hackers will pose as their victim, sending out communications to their customers stating that their bank details have changed, and to forward all payments to the new bank account. The customers, not any the wiser, do this, and that invoice for $50,000 has now been paid into the hackers account, with no way of getting it back.
The risk posed to your business from a phishing attack is extremely high. Organisations might spend an excess of $100,00 on security products, such as firewalls, endpoint protection etc., but it only takes one employee to fall for the wrong email to compromise the entire system.
Other common examples of phishing emails
- Emails from the ATO claiming you owe them money – normally received around tax time
- Emails from the Police stating you owe money for speeding
(Example: a real infringement notice by mail vs. a phishing example. Source: news.com.au)
- Telephone calls from ‘representatives’ from Microsoft stating a virus has been detected on your computer and they need remote access to resolve it. Note: Microsoft will never call you about a virus on your computer
How can you protect your business against phishing attacks?
The most important act a business can take in preventing a phishing attack is end user training. Because hackers use a variety of social engineering techniques to trick people into handing over their credentials to compromise their systems, the most loyal and longest serving employee who has been at an organisation for 40 years, could be the biggest threat.
The only way for a business to reinforce anti-phishing behaviour is ongoing training and awareness.
The second most effective prevention tool is called multi-factor authentication (or MFA). With MFA, you are required to enter a second password which is generated at the time of the first successful login attempt.
This may come in the form of an SMS (as shown above) to a registered mobile device, or an application on your mobile phone, or by a physical code. This code is a for one-time-use only and will expire after a single use.
This means that even if a hacker is able to obtain a password, they will also require a second device to gain access to the final password – which is almost impossible.
Cybersecurity is no longer just a technology issue, it is a business one too. The importance of cybersecurity in business cannot be understated.