Protecting your Business from Phishing

Apr 24, 2018

AustBrokers Comsure is aware of recently targeted Phishing scams. Given the increased frequency of these scams, and the availability of instant payments through the recently introduced Australian banking New Payments Platform (NPP), please take the time to familiarise yourself with the security briefing below.


Some Common Terms

Cyber Security uses a lot of strange terminology (much of it badly spelt) that may be unfamiliar. Some common terms you will hear are:

  • Phishing – Phishing is the way criminals steal confidential information such as bank account numbers, usernames, passwords and credit card numbers by sending fraudulent messages via email, SMS, instant messaging or social media platforms. Phishing emails are not just associated with banks; these days scammers will try to trick you into providing your personal and banking details by pretending to be from all sorts of well-known and respected organisations, e.g. utilities or government agencies.
  • Whaling and Spear Phishing – ‘Spear phishing’ is a variant of ‘phishing’ where cyber criminals use individually targeted (thus the spear reference) messages to attempt to trick staff into giving up sensitive information or performing an action; the most common objective being to have staff transfer money into a 3rd party bank account. These messages will target specific people and organizations and may contain information that is true and specific to that person or business to make them appear more authentic. “Whaling” is another term for targeted phishing where the target organisation is a large corporate.
  • Pharming – This is where the scammer redirects you to a fake version of a legitimate website you are trying to visit. This is commonly used to harvest usernames and passwords.
  • Spoofing – Spoofing is the forgery of an e-mail header so that the message appears to have originated from someone or somewhere other than the actual source. Spoofing is often used by spammers and can be accomplished by changing the “FROM” e-mail address.
  • Social Engineering – is the art of manipulating people so they give up confidential information. The types of information these criminals are seeking can vary, but when individuals are targeted the criminals are usually trying to trick you into giving them information such as passwords, bank information or names of key personnel, or into giving them access to your computer so they can secretly install malicious software. Social Engineering is successful because it is usually easier to exploit the human inclination to trust and help than it is to hack systems and software. A basic analogy would be that a secured home guarded by alarms and deadlocks is still vulnerable to a criminal if the home owner allows the “Pizza Delivery person” into the property.

Phishing Explained

Phishing emails have been used by criminals to steal financial details from Australians for a number of years and have become increasingly sophisticated since they were first observed in 2003. While some emails may be obvious due to poor grammar or misspelt words, others appear legitimate using corporate logos and links to genuine looking websites.

Criminals send out millions of these fraudulent emails to random email addresses in the hope of luring unsuspecting persons into providing their personal information. Unfortunately this can occur not only on a computer or laptop but also on a smartphone, tablet or other mobile device.

To improve the resilience of your organisation against these threats, it is important that all staff are aware of Phishing and other online risks and are educated on the importance of not providing confidential information, whether by clicking on links or attachments in an email, by replying to a message, or in a verbal conversation.


Warning Signs

Some common indications of a Phishing attack are:

  • You may receive an unsolicited email, phone call or text claiming to be from a bank, government agency, telecommunications provider or another business you may regularly deal with, asking you to update or verify personal details or pay an invoice.
  • The email or text message may not address you by your proper name, and may contain errors in spelling or grammatical mistakes.
  • The website address doesn’t look like the one you would normally use and the details requested are not something the legitimate website would normally request.
  • Be wary of attached files. Financial institutions will rarely, if ever, send these to their customers. If the message has an “.exe”, “.scr”, “.zip” or “.bat” file attached, consider that a red flag and don’t open it or follow any instructions. Call your IT service provider if you suspect an unscrupulous email.


Protecting your Business from Phishing attempts

There are some basic things you can do to protect yourself:

  • Never click – Don’t open a link or attachment if a message is unusually appealing or threatens you into taking a suggested action.
  • Confirm directly – When suspicious about a message, contact the person/organisation directly to confirm they sent the message; never use the contact details provided in the email.
  • Spam filter – Use a spam filter to block deceptive messages.
  • Check email address – If the email appears to be from a known person, click on the email address to ensure it’s not hiding a false address.
  • Check website – Check the sender’s website as some agencies list on their website known phishing scams related to their organisation.
  • Awareness – Be aware that a Financial Institution or large organisation will never send a link requesting confidential business or financial details to be provided. Do an internet search using the names or exact wording of the email or message to check for any references to a scam – many scams can be identified this way.
  • Confirm website security – Look for the secure symbol. Websites that are genuine are generally encrypted to protect your details. A secure website is one that can be identified by:
  1. The use of ‘https:’ rather than ‘http:’ at the start of the internet address
  2. A closed padlock or unbroken key icon at the bottom right corner of your browser window.
  • Do not provide sensitive information – Personal details, credit card details, or sensitive corporate information – including names and contact details of individuals in key corporate positions – if you receive a call claiming to be from a bank or another organisation. Request the person’s name and contact number and conduct an independent check with the organisation in question before calling back.
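The “check email address” and “be wary of attached files” advice above can be applied mechanically when a mailbox is scanned. The following is an added illustration, not part of the original briefing or any AustBrokers Comsure tooling: it parses a raw message with Python’s standard email library, flags a display name that looks like an address but differs from the real sender, flags a Reply-To on a different domain from the From, and flags the attachment extensions the briefing lists. The sample message and all its addresses are constructed for the example.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage
from pathlib import PurePosixPath

# Attachment extensions the briefing singles out as red flags.
RISKY_EXTENSIONS = {".exe", ".scr", ".zip", ".bat"}


def check_message(raw: bytes) -> list[str]:
    """Return human-readable warnings for a raw RFC 5322 message (empty list = nothing found)."""
    msg = message_from_bytes(raw, policy=policy.default)
    findings: list[str] = []

    from_hdr = msg["From"]
    if from_hdr is None or not from_hdr.addresses:
        return ["no parsable From address"]
    sender = from_hdr.addresses[0]
    shown, real = sender.display_name, sender.addr_spec.lower()
    # A display name that itself looks like an address, but not the real one,
    # is the "hidden false address" you would only see by clicking the sender.
    if "@" in shown and shown.lower() != real:
        findings.append(f"display name {shown!r} hides real sender {real}")

    reply_hdr = msg["Reply-To"]
    if reply_hdr is not None and reply_hdr.addresses:
        reply_domain = reply_hdr.addresses[0].domain.lower()
        if reply_domain != sender.domain.lower():
            findings.append(f"replies go to {reply_domain}, not the sender domain {sender.domain.lower()}")

    # Only real attachments (Content-Disposition: attachment) are inspected, not body parts.
    for part in msg.iter_attachments():
        fname = part.get_filename() or ""
        ext = PurePosixPath(fname).suffix.lower()
        if ext in RISKY_EXTENSIONS:
            findings.append(f"attachment {fname!r} has risky extension {ext}")
    return findings


def build_sample() -> bytes:
    """Constructed phishing-style message exhibiting all three warning signs (not a real email)."""
    m = EmailMessage()
    m["From"] = '"accounts@bank.example" <mailer@free-mail.example>'
    m["Reply-To"] = "pay.now@other.example"
    m["To"] = "finance@company.example"
    m["Subject"] = "URGENT: invoice overdue"
    m.set_content("Please see the attached invoice and pay today.")
    m.add_attachment(b"MZ\x90\x00", maintype="application", subtype="octet-stream", filename="Invoice_4471.exe")
    return m.as_bytes()


if __name__ == "__main__":
    for finding in check_message(build_sample()):
        print("WARNING:", finding)
```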

What to do if you have received a Phishing Email

If you identify a phishing email, do not open it. Delete it, and then be sure to permanently delete it from your deleted items folder as well.

If you believe you have received a targeted spear phishing email please report this immediately to your compliance coordinator.

Resources

Information is readily available from various government agencies and internet service providers to help you stay informed such as:

  1. staysmartonline.gov.au/
  2. afp.gov.au/what-we-do/crime-types/cybercrime/online-fraud-and-scams
  3. Stay informed on the latest threats via ACCC’s scamwatch.com.au or specifically on Phishing Scamwatch – Phishing scams
