What we can learn from Donna Dickson’s story.

In August, when I first learned that Scamwatch had received reports of puppy scams totaling $300,000, I was already concerned about Australia’s increased vulnerability to scams during the pandemic. Seeing now that Australians have lost over $100 million dollars to scams from January to August, it’s clear that we’re at a significantly higher risk to scams than previous years.

Not only has the pandemic (and the wide-spread normalisation of work-from-home) introduced its own sets of security challenges, but it’s also leaving us less attentive than usual, and more susceptible to scammers.

In 2020, it’s more important than ever to listen to the stories of scam-victims around us and learn as much as we possibly can to avoid the same criminal activity. One such story we can all learn from is Donna Dickson and her experience with online puppy scams.

Donna Dickson lives with her six dogs and cat in Armadale NSW, and due to a recurring case of identity theft, has spent 2020 dealing with an endless stream of scam victims who have been exploited under her name.

Donna was contacted on Gumtree by a prospective buyer for her off-and-on puppy breeding services. The supposed buyer ironically told Donna that she had been scammed in the past, and that she would only trust the service if Donna provided a picture of her license and registered breeder number.

Donna didn’t know at the time that this was an attempt by a scammer eliciting information for identity theft, so she provided the information as requested.

The scammer went on to use Donna’s information in countless scams, embezzling funds from unknowing buyers by using Donna’s name, business, and pictures. Now, Donna has scam victims regularly arriving at her property after long drives from rural towns, only to be told that they’ve been scammed and need to contact the local police

Considering that Australians have lost $1.3 million dollars to puppy scams throughout 2020 thus far, what can we learn from Donna’s situation to avoid scams like this?

When to Trust Others Online

The first error that led to Donna being scammed is that she trusted the person she was speaking with online. You can never be certain of who you’re speaking with online, and as such, you should treat every single interaction with a grain of salt.

Some steps you can use to stay safe in your online interactions are as follows:

  • Never let money get involved: Donna not only provided her license to the scammer in this story, but she also lent them $300 dollars to “help them out of a tight spot”. Needless to say, she never saw this money again. Even though it was out of the goodness of her heart; if you haven’t met and confirmed the person, never give or loan money to them.
  • Set limits to your online interactions: Whether you’re talking with a stranger, co-worker, friend, or family member, you can never be sure that the person on the other end of the screen is actually who you think they are. As such, set clearly defined limits to the information you’re willing to share online and always act under the assumption that you could be speaking with an imposter.
  • Think twice before sharing personal information: Any time someone asks you for personal information online should be seen as a red flag. In Donna’s case, she complied with the request and provided her license information, which led to her eventual identity-theft. Even if it’s convenient or if you’re being pressured, always work out a safe alternative rather than providing confidential information.

Making Safe Online Payments

Another piece of Donna’s story is through one of the puppy scam-victims, Sandy Trujillo.

Sandy was in the market for a new puppy to keep her elderly mother company during isolation. She purchased a puppy from a very legitimate-appearing website that used Donna’s stolen details.

Sandy, being a former veterinarian and government department investigator, quickly realised after the purchase that she had fallen victim to a scam. Unfortunately, she had already made a large deposit of $1,600 by that point.

Sandy reported the incident to the bank and local police within 24 hours, but it wasn’t enough to rectify the issue or put her mind at rest, so she took action into her own hands.

Using Google Maps, Sandy tracked down Donna’s address from the stolen license information, acquired her information from the Armadale police station, and made contact with Donna directly.

Today, the two of them have joined forces to track down and rectify ongoing puppy scams through their Facebook group, Puppy Scam Awareness Australia, which thanks to its grass-roots nature is one of my favorite cybersecurity projects of the year!

Screenshot of Puppy Scams Awareness Facebook Page

Not all of us can start our own anti-scam organisations as Sandy and Donna can, but there’s still plenty to learn from their experience, especially pertaining to making safe payments online:

  • Investigate the company first: If you’re making payment to a company for the first time, make sure they are credible and safe. You can do this by checking reviews and forums for other people’s experiences with the company.
  • Check if the website is safe: While scams are becoming more and more indistinguishable from real websites, there are some safety steps that should be taken with all purchases. Most importantly, always check the URL for typos, misleading characters, and https:// certification.
  • Use cash: This specifically applies to purchases you’re making in person. In the case of a puppy scam, a surefire way to avoid a scam is to meet in person first. See the puppy, and exchange your money in person. If their policy can’t suit this, be extremely cautious before proceeding with any online transaction.

For more information and news on cyber-safety during 2020, visit http://portal.cyberaware.com/remote

Cybersecurity and Ongoing Awareness: Why We’re Still Falling For The Same Scams

Last night, I finally sat down and watched Netflix’s new trending film The Social Dilemna; a docudrama exploring the intentionally addictive patterns found in social media. The film sheds light on gloomy and often over-looked statistics, such as the fact that 210 million people are estimated to suffer from social media addiction. Naturally, I couldn’t help but draw parallels to my passion for cybersecurity, and the clearest comparison that stood out was our tendency to fall for the traps that we already know about.

Many of us have gone through the cliche “quitting social-media” phase. Whether it’s Facebook, Instagram, or simply mitigating our time spent on Youtube, the reason that this is considered a mere “phase” is that the vast majority of us fail to stick with it, despite the fact that we know quitting these platforms is linked to increases in happiness.

According to this study by Cornell University, only ten percent of surveyed participantshad actually managed to quit Facebook entirely. Even Tim Kendall, the former Director of Monetization at Facebook found himself addicted to the same systems that he helped to design.

In The Social Dilemma, Tim recalls how he would come back from a long day of working on Facebook’s systems, only to find himself spending his time at home largely on the app for personal use.

Tim personally worked on making Facebook as addictive as it could be, and despite this inside knowledge, he too struggled with social-media addiction! He found his screen-time so concerning that he is now actively working to combat screen-addiction in his new company, Moment.

From Tim we can see that the reason we spend too much time on social media isn’t that we don’t know how addictive these platforms can be, but because we stop thinking about it.

We get distracted, and scams are designed to manipulate our attention span in the same way.

We all know what an email phishing scam is, and phishing scammers know that we knowwhat a phishing scam is. But they also know that it only takes one error for a full data breach to occur. Scammers aren’t operating under the impression that the victim is unfamiliar with the scam; they’re operating under the knowledge that we all eventually get distracted and slip up.

Scammers know that 99% percent of the time, you aren’t going to fall for the scam. However, they also know that 1% of the time, you will. And they gear their efforts towards that one percent.

For example, look at pedestrian accidents in traffic. We were all raised on the classic slogan “stop, look, listen, think”, and in theory, we know how to avoid accidents. Yet pedestrian traffic accidents are still an ongoing issue, with nearly 40 fatal pedestrian accidents per year in Victoria alone.

The reason these accidents occur isn’t that drivers & pedestrians aren’t informed on road-safety, but that it wasn’t front of mind at the moment of the incident. The safety precautions we know to take simply slip our mind, and an accident occurs. The reason that school crossing supervisors are so effective isn’t solely because they tell kids when it’s safe to cross, but because they serve as a constant reminder to be safe when crossing the road. The lollipop person serves to remind us every single day “Hey, this road is dangerous, don’t forget it!”

And when it comes to cybersafety, sure we may have attended one or two training seminars, or enrolled in training that we sped through in one day and never re-visited, but that doesn’t do much for our ongoing awareness. Even though we know how scammers target us, it doesn’t mean that we’re adequately equipped to keep it front-of-mind.

The irony of Tim falling for the same addictive systems that he himself designed is not too dissimilar from what you find in the cybersecurity industry: hackers starting careers in cybersecurity after falling for hacks themselves, or cybersecurity professionals falling for the same scams they educate others on! Despite having the knowledge on how these hacks work, they were inevitability made victims through a lack of caution.

Again, in 2020 the average person knows what a typical scam looks like, but that isn’t enough. The only thing preventing you from clicking that malicious link is the current and active awareness that every link can be malicious. Without this, you can easily gloss over your own best advice and end up like Tim Kendall, falling for his own algorithm.

To keep your cybersecurity in front of mind, we recommend the following;

  • Awareness Posters: Especially during COVID-19, wherein not all of us have a workplace with safety posters and colleagues to converse with, having a general reminder near your workstation is crucial. Even a few post-it notes or a small poster can do wonders in keeping you aware and cyber-safe.
  • Ongoing Awareness Training: This is important. It’s one thing to finish a basic awareness course, but what really counts is regular and repeated training. It’s far more effective to take one lesson a month than ten lessons in a single day.
  • Phishing Simulations: Rather than wait for an employee to experience it first hand, train your staff with simulations, the same way we do in a fire drill. Run semi-regular phishing campaigns so staff have a better idea on what to look out for in a malicious email.

For more information on cyber awareness and work-from-home cyber safety, visit portal.cyberaware.com/remote

Work-at-home fatigue and cyber safety. How low-energy leads to high-risk

In a recent Ray Morgan survey, 39% of Australians working from home reported that they ‘find it difficult.’ This coincides with a Society of Human Resources Management study that found 35% of remote workers feeling regularly tired or working with low energy, and a further 32% of that pool feeling this way at least sometimes.

And a similar report from Digital Ocean suggests that roles with less of a social aspect than others can be even more taxing, with an overwhelming 82% of remote developers reporting feelings of fatigue while working remotely.

Low-energy and tired faces tend to raise concerns in the office, yet the overwhelming majority of our workforce is currently operating at a strain and without an immediate support system in proximity.

This is concerning both for reasons of mental health and also for our cyber safety, both of which are increasingly threatened during the pandemic.

One of the most common things I hear victims say following a scam is “I just wasn’t paying attention.” If you perform a Google search of the terms “scam” and “I just wasn’t paying attention”, you’ll see just how frequently scam victims are left empty-handed and quoting these famous last words. Actress Jenifer Lewis predictably coined this term right after she was allegedly embezzled out of $50,000, a scam that later became the basis of a plotline for her character in Black-ish.

If there’s one thing I struggle to do when I’m feeling tired or fatigued, it’s paying attention to the small details.
The sending address on an otherwise unsuspecting email, the URL behind an embedded link or the grammar and spelling of my colleagues; these are all things that, especially when I’m under the weather, can easily slip by me if I don’t check myself and make sure to pay attention.

Considering that a large portion of the Australian workforce, and particularly the Victorian workforce, is now working from home, we all need to remain extra vigilant in our cybersafety.

“I just wasn’t paying attention” is a valid and honest response when we’ve fallen victim to a cybercriminal, and given the tiring circumstances of 2020 we’re now hearing it more frequently than ever. Since the pandemic began, Australians have seen a huge increase to an already cascading spike in cybercrime. The months of April/May saw a total of $32 million dollars in financial damages from scams, a 33% increase from the previous year. In July, the number of reported scams was the highest it’s been all year, coinciding directly with our re-entry into Victorian lockdown.

And it isn’t enough to be wary of the infamous COVID-19 themed scams alone. While there are plenty of successful COVID-19 scams circulating to date, there are endless scams that simply focus on going unnoticed via unrelated tactics. The first round of Australian lockdown saw $300,000 lost to “puppy scams” alone. Yes, these are scams simply predicated on the false promise of purchasing a puppy. And it’s quite possible that their success is simply due to the fact that we’re preoccupied with larger thoughts, we’re tired, and we’re struggling to keep our attention on cybersafety.

As we continue in adapting to the pandemic and working through these trying times, here are a few tips to remaining vigilant and aware of cyber-crime:

  • Slow it down: don’t be afraid to slow down and double-check the work that you’re doing. If you’re actioning an unfamiliar email or visiting a website, take a breath and check through for the red-flags expected with most scams.
  • Reach out to your colleagues: while we’re not working in the same space, we can still reach out to get a second opinion on suspicious activity. If you’re even slightly unsure as to the source or purpose of an email or contact you’ve received, take the time to reach out to your colleagues for a second opinion.
  • Look out for red flags: Even when we’re tired, we can always double-check the sending address of an email, the real URL of a website link, or the source of an unexpected message. The more that you look out for common red flags, the less energy it takes to spot them in the future.

For more information on work-from-home cyber safety, visitportal.cyberaware.com/remote

COVID-19 and financial scams: how the pandemic has dictated the threat landscape in 2020.

About two weeks ago, I published an article on LinkedIn and the Cyber Aware blog in which we forecasted a second wave of scams related to COVID-19. The article demonstrated that compared to the March/April period of 2019, in which Australians lost over $20 million dollars to scammers, the same period in 2020 saw an approximate 33% increase to this already colossal figure, at almost $32 million dollars in financial damages.

It’s common knowledge at this point that the current pandemic has introduced a plethora of scams to the Australian public, but what stood out to us largely was the following statistics in which there is a clear correlation between a sharp decrease in both COVID-19 daily cases, and financial damages as the result of scams.

Financial losses per month as a result of scams in Australia (Link)

No alt text provided for this image
Courtesy of Scamwatch

Daily COVID-19 cases detected within Australia over recent months (Link)

No alt text provided for this image
Courtesy of Google

In Victoria, where Cyber Aware is based, and wherein daily coronavirus cases recently broke 400, we’re gearing up for not only a second-round of lockdown restrictions and safe-practice, but also for the second round of COVID-19 related scams.

The reason that we attribute the rise in scams to causation rather than a mere correlation with COVID-19, is because of how hackers and scammers have operated historically. 90% of data breaches are successful directly due to human error. Scams are designed to directly pray on human insecurity, and create a sense of urgency behind a fraudful message. Whether it’s demanding bank details to “rectify a tax-claim error”, requesting sensitive data under the guise of a trusted colleague, or deceiving an out-of-work citizen into making payment for a false superannuation claim during the pandemic.

Hackers look at the vulnerable circumstances generated by the 2020 pandemic and see nothing but an opportunity to embezzle money from innocent individuals. Already we’re seeing this resurfacing in line with the increasing cases and media-attention, as ATO and government scams against the Australian public skyrocket.

And again, this trend of hackers jumping on mass-insecurity during times of disaster is evident as far back as September 11 in 2001, all the way through to the rampant bushfire scams at the beginning of 2020.

Typically, a trusted source is used to pray on this insecurity, such as government agencies (link) or well-known brands.

Take this recent scam for example, in which attackers send fraudulent email and SMS notifications claiming to be the Australian Taxation Office. Typically, the scam will look something similar to the below and will result in the victim granting full access of their ATO account to a malicious party.

No alt text provided for this image

Furthermore, not only have there been more scams, particularly praying on public concerns surrounding the pandemic, but our relationship to technology has shifted as a result of our mass migration to work from home as well.

This has frequently resulted in a lower quality of security, with people now sending private work information via personal social media accounts, sharing said data on family-shared computers, and operating largely on less secure internet connections and often without a VPN in place.

This has all resulted in not only a challenging obstacle to our productivity and workflow, but also to our workplace security.

Moving into the latter half of this unprecedented year, stay aware and cyber-safe with the following three tips:

  • Be vigilant of scams. Any time you receive a sensitive request for action, whether it be logging in to a system, providing payment information, or supplying private/personal information, make sure that you were expecting the request and that you have verified the source of contact. Stay up to date on current COVID-19 scams via Scamwatch.
  • Keep your personal and professional data separate. It can be easy to send a file via Facebook or your personal Gmail account, but in doing so you are increasing the risk of a data breach significantly. It may be difficult, but make sure your work-from-home systems are the exact same as the ones in your office. Keep your work at work, and off of personal accounts.
  • Give each other a hand. The major difference in whether or not you fall victim to a scam is always going to be awareness. If your colleagues aren’t aware of the current scams, or if you spot an unsafe practice, let them know! Give your colleagues a friendly reminder or tip from time-to-time, and it can make a world’s (or bank account’s) worth of difference. The best defense against social scams is a social firewall.

For more tips and news on cyber-safety in 2020, visit cyberaware.com!

Hacked by an Instagram celebrity: FBI arrests popular Instagram millionaire after alleged tie-ins to major scam racket.

Social media influencer and millionaire, Ramon Olorunwa Abbas, is currently being detained for criminal charges over alleged involvement in a major scam racket.

For those unfamiliar Abbas is an Instagrammer known for his opulent, “living the high-life” persona which he regularly presents to his 2.5 million followers.

The FBI alleges that Abbas has made hundreds of millions of dollarsthrough his involvement with a ring of fraudsters and scammers, specializing in Business Email Compromise (BEC) attacks.

BEC attacks involve hacking an email account, typically corporate, to send fake and illegitimate messages to clients and trusted contacts, typically in order to intercept or redirect financial transactions.

If you’ve been following my writing for some time, we regularly cover BEC in reference to news and best current practice, due to its fast-growing employment by scammers both domestic and abroad.

And with my experience, not only in cybersecurity but also in email hosting, I’ve seen BEC used against innocent business-owners time and time again over the years for massive financial exploitation.

Abbas was accused following a thread of social media poststhat implied tie-ins to a trans-national cybercrime network. During a series of arrests throughout this investigation (video link here), 12 other individuals were arrested, and upwards of $40 million in cash was confiscated alongside the hard drives containing email addresses of nearly two million victims.

This case follows the recent arrest of Obinwanna Okekein which Okeke pleaded guilty to $11 million of computer fraud between 2015 and 2019. Okekewas previously known as a celebrated entrepreneur, and was actually listed in the Forbes 30 under 30 before his criminal activity became public knowledge.

In response to the continuously rising scam culture across the globe and particularly within Nigeria, FBI agent Michael Nail attributes the appeal of this illegal activity to the sentiment that “You can sit at home in your PJs and slippers with a laptop, and you can actually rob a bank”

The effects of this alleged scam-work not only impacts the numerous victims, who’ve lost upwards of 124 million dollars, but also wears poorly on Nigerian relations with the United Arab Emirates public, as seen in this slew of anti-Nigerian job advertisements circling around following Abbas’ arrest.

Abbas’ lawyer has issued a statement on the allegations against Abbas, stating that Abbas not only earned his wealth through entirely legitimate means, but also that the FBI arrest should be deemed a kidnapping.

Regardless of the outcome of this case, here are a few steps to avoid BEC yourself:

  1. Keep your work and your personal email usage separate. If there’s one sure-fire way to fall into a BEC trap, it’s by sending confidential information on personal email or social media channels. Stick to the business email at all times.
  2. Use two-factor authentication! I and all of my cybersecurity colleagues must sound like a broken record at this point, but two-factor is just that important. Two factor is that extra layer of security that could make the difference between a breach and a close-call. It’s essentially what seatbelts are two cars. If you aren’t familiar with two-factor, read up here for some quick steps on setting it up.
  3. Keep on top of your password hygiene. This means strong passphrases, changing them regularly, and if storing them keeping them in secure locations such as a password manager. Essentially, treat your password the same way that you would a toothbrush. Pick good ones and change them regularly.

Financial scams during the pandemic: preparing for a second wave.

Now that we’ve reached the mid-way point of 2020, I can’t help but feel as though we’re resting in the eye of the storm. By all means, we’ve largely done a fantastic job of responding to the situation. We’ve acted on our feet and through our ability to remain adaptive and resilient, we’ve still landed in a largely manageable position.

However, concerns of a second wave are certainly looming. Currently, we’re seeing USA cases spike to higher points than ever, and Victorians such as myself are re-entering lockdown in an attempt to curb off resurfacing cases in suburbian hotspots.

My concern, however, isn’t solely for the virus itself. It’s also in the ramifications surrounding COVID-19. For example, I’d be remiss to see many of the local bars, restaurants, and small businesses that barely survived the first leg of the year, be forced back into a lockdown.

I’d be remiss to see individuals who’ve had a hard time dealing with lockdown back in square-one of self-quarantine.

And I’d be remiss to see the huge damages of COVID-19 related scams resurface yet again.

This year saw a plethora of COVID-19 scams in 2020, ranging from government-impersonating phishing scams through to false promises of early superannuation access to those in need. For a frame of reference in just how damaging and successful these scams have been, March & April of 2019 saw Australians facing a total of $20,466,361 in damages at the hands of scammers.

That’s a huge amount of financial damage in of itself, yet in 2020, the same months of March & April saw total losses of $31, 176, 098! That’s a gigantic increase of over ten million dollars lost in scams.

And funnily enough, if you then view the drop in financial damages during May of this year, you end up with a curve that closely resembles new COVID-cases.

Financial losses per month as a result of scams in Australia. (Link)

Daily COVID-19 cases detected within Australia over recent months. (Link)

As Australia “beat the curve” and lowered COVID-19 cases in April, the financial damages lost to scams dropped significantly in the following month of May. The drop in COVID-19 cases likely corresponds to the waning number of successful scams.

As public concern over COVID-19 softens, so to does the insecurity among individuals that scammers are working so hard to exploit.

As Australian coronavirus lowered, it’s viable to say that our susceptibility to coronavirus scams did too.

But just as we need to remain vigilant and prepared for a second-wave of COVID-19 cases (which we can see beginning to spike again towards the end of the daily cases graph), we also need to remain vigilant and aware of our vulnerabilities to scammers.

Moving into the latter half of 2020, here are some tips you can use to spot and avoid malicious scams:

  • Remain calm: Scammers are largely successful in their efforts because they know how to target our insecurities. If you’re contacted about medical results, financial benefits, or anything else pertaining to COVID, make sure you take a step back to make a calm & informed decision
  • Verify the source: A lot of scams are currently impersonated both public & private entities that we’re familiar with in attempts to lower our guard. No matter where a message claims to be from, always keep in mind that it can be a scam, and needs to be verified via legitimate contact points, such as the phone number or email on the company’s website.
  • Stay up to date on current scams: Some of the most successful scams are also some of the most well-known, and keeping an eye on publicly known scams can help you identify the tactics being used by malicious attackers now. A fantastic source for staying on top of current scams is the Scamwatch website, which I’ve personally checked regularly during this pandemic.

For more information on cybersecurity, awareness, and staying safe online, visit cyberaware.com!

State-based actor targets Australian government and business in major cyber attacks: Scott Morrison addresses the public

This morning, Scott Morrison addressed the Australian public to raise awareness of ongoing cyber threats facing the Australian government, as well as both the Australian public & private sectors.

Citing an incident pertaining to attacks against Australian government that are decisively from a state-based actor, Scott Morrison demonstrates that the need to raise this issue is not bought on from this or any particular attack, but ongoing cybersecurity threats that Australia, as well as many other nations, are consistently facing.

And based on recent years, this couldn’t be truer. Australians have fallen victim to a plethora of cybersecurity attacks, ranging from the day-to-day scams that target individuals and Australian small businesses, through to large-scale cyberattacks against infrastructure and large businesses.

Morrison mentions sophisticated state-based cyber attacks targetting critical infrastructure, the private sector, and all levels of the Australian government, and for each of these identifiers, we don’t need to look far back for matching examples of significant data breaches within Australia.

Private Sector: Toll Group suffers multiple high-impact ransomware incidents throughout 2020.
Critical Infrastructure: Victorian regional hospitals suffer crippling ransomware attacks, causing days of limited capacity and halted services.
Australian Government: Australian Parliament identifies a foreign government hack targetting Australian Parliament’s servers.

Morrison affirms his intention in bringing this topic to the public is not to raise concern, but to raise awareness; which is repeatedly shown to be the key factor in preventing human error and mitigating cyber-risk.

And while it is currently unclear as to who the state actor launching the attack(s) in concern is, there are a few key measures any individual or business can take to ensure their own safety regardless:

  • As the Minister of Defence highlighted, it’s critical to update to internet-facing devices and apps. What does this mean? In short, stop snoozing update reminders! By updating your software (apps) and devices, you can ensure that new security fixes are kept up-to-date.
  • Use two-factor authentication. I might sound like a broken record to my regular readers, but two-factor is arguably the strongest security improvement you can immediately put into effect. For more details on setting it up, read here.
  • Raise awareness for yourself and your colleagues. It’s a well-known fact that over 60% of data breaches occur as a result of human error. It’s critical to train yourself and your colleagues on Cyber Awareness as to ensure that a simple mistake doesn’t lead to an irrecoverable loss.

What can our reaction to the global pandemic teach us about risk?

No one could have predicted the COVID-19 pandemic. At least, that’s what I’m hearing. In reality, the ramifications and likelihood of a global pandemic have been predicted to a T as early as fifteen years ago. Despite this, none of us were adequately prepared for the impact on the economy, on social norms, or on our individual businesses.

Similarly, the ramifications and likelihood of a cyber-pandemic, particularly in the form of cyber warfare, are well and truly predicted. And, unfortunately, with the same lack of readiness.

The Australian Department of Defence forecasts the impacts and likelihood of a cyber “war” situation in their 2020 document; Department of Defence Mobilisation Review.

The document, among other things, outlines critical vulnerabilities in several sectors of industry, including Fuel, Power, Transport, Electricity, Health & Water, and is an incredibly informative read that i recommend for any Australian citizen.

In a workshop conducted by the Australian National University, it was emulated that majority of attacks would be targetted against civilians, rather than military or government.

“Disruption of food and fuel supply chains was a common theme. Other scenarios targeted consumer banking, ticketing at major sports events, or “mum and dad” business networks, to increase public inconvenience and fears.”

Most notably, the document outlines that in a scenario of cyberwar, adversaries would not just exploit computer systems; they would exploit vulnerabilities in society.

Predicting the impact of macro-crisis, such as cyber-warfare or the current pandemic, can be difficult. No one could have predicted the impact on their business, because we’ve never needed to. The reason that so many businesses were completely taken by surprise, is because no one thought it would happen.

For those of us lucky enough to continue operations, and for those of us who have adapted our operations to fit these trying times; there is a lot that we can learn.

Firstly, in the same vein that you can’t stop a pandemic, you can’t stop cybercrime. But, what you can do is have a measured, established risk-based plan and response for your business.

We recommend putting time and effort into establishing incident response measures, as well as preparations for large-scale impacts on your business, both in cyber and key risk drivers.

While you can’t control the large-scale ramifications of a potential cyber-pandemic, such as the impact on supply lines, key infrastructure, and tech, you can prepare for and mitigate risk to your business.

Remember, even in the context of a general cyber-attack, there are huge large financial, operation and reputational repercussions to account for. In 60% of cases, one cyber-attack is enough to cause businesses to shut down within only 6 months.

Whether you already have an established risk-management plan or not, here are a few key cyber-points that all business should have covered:

  • Identify your key assets. Every business has key data and critical systems that they could not continue to operate without. Common examples include confidential client & business records, network infrastructure or systems that are integral to your product/service.

    In the same vein that many businesses in hospitality have suddenly lost their bread-and-butter services, and have been forced to adapt, cyber incidents have a similar, but much wider scope of impact to businesses.

    Identify the crown jewels of your business, establish extra protective measures to ensure that they are safe (such as two-factor authentication and access control), and establish worst-case scenarios in which your business could temporarily operate in the case of a data breach.
  • Back up your data. For certain types of cyber-crime, such as ransomware, the hardest part of recovering is getting the business back online. By regularly backing up your key data & systems, you can not only get back on your feet much faster, but you also remove some of the leverage that a hacker has over your business.
  • Responding to the public and your client base. Regardless of whether a cyber-incident is targetted, or impacts you from a wider scale, your stakeholders will need answers. Establish a timeframe, template and plan-of-action that can be efficiently and promptly communicated to the public and your stakeholders. This not only ensures that you meet compliance, but it also saves you a lot of reputational harm.

For many of us, this pandemic is simply an affirmation of risk. Risk is real. While you can never remove 100% of the risk, you can understand it, identify what you are comfortable with, and prepare your business with a plan accordingly.

Having no risk assessment or plan in place is likely to leave you in a similar situation to many COVID-19 impacted businesses right now. For those in high-risk industries, such as airlines, accommodation and hospitality – did they have a plan outlining their key action steps in the scenario that their primary operations entirely stopped in 4 weeks?

No. And in hindsight, it’s become obvious to all of us that we should have been prepared.

While this sort of doomsday-level preparation would have seemed silly in January, it’s clear to all of us now that it’s entirely necessary and reasonable. COVID-19 should serve all of us as a wake-up call, and encourage us to be mindful and ready for sudden changes, and difficult scenarios.

Staying Cyber Aware of fake domains and COVID-19 scams: fake domain registrations in the thousands

Scammers always exploit people’s fears, and what could be an easier target today than COVID-19.

70% of new domain name registrations are said to be malicious, and since the advent of COVID-19 over 30,000 scam registrations relating to the pandemic have been identified.

The vast majority of these scams come from the U.S, followed by Italy, Germany and Russia.

Luckily within Australia, there are few more hurdles for a scammer to get through before they can register a domain name. Namely, they need to have a registered business entity through ASIC first.

When it comes to international domains, such as .com domain names, they can be registered quickly and without hassle, meaning that they are largely dependant on third-party security vendors to detect & take them down.

This can take between a few hours or a few days, which is more than enough time for a scammer to put a malicious domain name to good use.

Furthermore, keep in mind that while malicious domains are primarily used to launch fake websites, they can be used for other purposes, such as phishing emails.

For example, a scammer could use a domain such as “covidcure2020.com.au” to launch a fake vaccine website, or they could use it to send you a scam email addressed from “info@covidcure.com.au”.

Cyber Aware recommends that you treat any COVID-19 related domain name, email, or website very cautiously during this time. Furthermore, when browsing the web in general, you take these steps to stay safe:

  • Always check for HTTPS in the URL
    • While https:// isn’t the guaranteed badge of safety that it’s often portrayed to be, it’s still necessary and much safer than its counterpart (http). Wherein visiting a website that starts with https:// guarantees that you are at least visiting a site with a verified security certificate, http sites are far more open, and allow your data to essentially be eavesdropped on in transit.
    • To check for HTTPS://, look for the padlock and https:// in your browser address bar.
  • Make sure the URL matches the website you expect to be visiting. Often times, fake domain registrations will try to match existing websites and just change a few characters around.If you click on a link or popup expecting to be taken to Bunnings or BIG W for example, make sure that the link you land on actually matches their official website exactly.
  • When you receive an email, check the address! Because modern email systems allow for senders to show a display name instead of an email address, it’s a lot easier for scammers to pose as others. Whenever an email contains a link for you to click, or is asking for payment/data, be sure to expand the display name and check the actual email address of the sender!

Finally, here are some of the most current COVID-19 scam types currently floating around;

  • Superannuation scams: scams that offer fake early-access to your superannuation and request private data or bank details to proceed.
  • Phishing/SMS scams: these have been absolutely rampant since the pandemic broke out. Read further about fake government SMS scams here.
  • Fake vaccines/med treatment: emails and sites may offer access to COVID-19 testing or vaccinations. Never seek these services outside of official vendors.
  • Price gouging on sanitation products: this extends outside of the realm of cyber also, with people hoarding key supplies (such as toilet paper) and upselling it at ludicrous amounts.

For more information on staying cybersafe during COVID-19, visit https://portal.cyberaware.com/remote.

Three Cyber Aware tips to protect your password(s): World Password Day sees 555,278,657+ stolen credentials.

Depending on your part of the world, today is World Password Day! While for fellow Downundians it was actually yesterday, there’s never a bad time to strengthen your passwords!

As of right now, HaveIBeenPwned (a database of real-world passwords previously exposed in data breaches) reports 555,278,657 stolen passwords in their database.

You can actually visit their website and check if one of your passwords is among the many stolen.

Furthermore, large portions of these passwords and the countless unaccounted for in unknown data-breaches are constantly being bought, sold, and used in the dark web to exploit individuals and organisations at large.

To best avoid your passwords being bought & sold on the dark web along with the billions of others, we’ve come up with three key password tips to close out your work-week:

Tip 1: Start Passphrasing!

Have you ever struggled to come up with a strong enough password for a new login? The easiest way to get around this, while still creating a password that’s easy enough to remember, is passphrashing!

If you haven’t already heard of it, passphrasing is essentially like using an acronym; you take the first letter of each word in a sentence or phrase, and use it to make a password!

For example, “I’m going to the pub after lockdown” could be used to make a passphrase such as “iGtTpAl831”.

This way, you have an easily memorable password that’s much harder for a hacker to guess or crack. Remember to use a mix of upper & lower casing, as well as some numbers & special characters for extra strength.

Tip 2: Regularly Change your password!

Passwords should be treated like your toothbrush. Never share it around, and change it regularly.

The reason for this is that even if you have a strong password that is entirely unguessable, it can still be lost or stolen in other ways. Take, for example, the recent Zoom security issues; one of which saw a large pool of passwords stolen during a data breach and sold on the dark web.

In this scenario, weak and strong passwords alike were outright stolen and leaked entirely outside of the end-users control. And considering that on the dark web, password trading and password dumps are still being performed regularly, sometimes in chunks upwards of 2billion at once, it’s more likely than not that your passwords are already out there.

Even if you have a strong passphrase, change it often to ensure that your password is private & secure.

Tip 3: Use a password manager!

At the risk of sounding like Elon Musk discussing his newborn in the new Joe Rogan podcast: human brains are a lot like computers. We have a limited amount of memory.

Rather than scrambling to remember each and every unique password, or worse, compromising the strength & complexity of your passwords to ensure that they are memorable, use a password manager!

The way that password managers work is similar to how a browser’s auto-fill works. When logging in to an account, you type in your username & password just once, then your password manager securely stores and remembers them. Next time you log in, the password manager will take care of the grunt-work and log in for you.

The only password you still need to remember is your master key for the password manager itself.

You’re probably thinking that this doesn’t sound safe, but in exchange for this easy login tool, good Password Managers bulk up their security on the master login. Often times, you’re required to know your master-key, have a two-factor authentication code, and authorise the device that you’re logging in from.

In exchange for that hassle, you don’t need to write down or remember any of your other passwords, and they’re actually kept safer as a result!

Some password managers I’d recommend are LastPass1Pass (my preferred choice), and the updated Google Password Manager with Two-Factor enabled.

For more information on work-from-home security, visit https://portal.cyberaware.com/remote.

Top
Before you go, get a demo of our next-gen security awareness platform and see how we can help reduce your client's human risk.
WAIT!
Thanks, Not Interested
GET STARTED!
Get a demo of our next-gen security awareness platform today. Please fill in the form below and a member of our team will be in touch shortly.
Get a demo of our next-gen security awareness platform today. Please fill in the form below and a member of our team will be in touch shortly.
GET STARTED!
Thanks, Not Interested
GET STARTED!
Get a demo of our next-gen security awareness platform today. Please fill in the form below and a member of our team will be in touch shortly.