Cybercrime reaches a new peak: CyberSec habits for 2021

New decade, same trends! Cybercrime is continuing on a rampant incline and shows no signs of slowing down.

The FBI’s Internet Crime Complaint Center (IC3) released its 2020 Internet Crime Report, which revealed an alarming 791,970 reports of cybercrime for the year. Damages from these reports totaled over $4.1 billion, a massive 69% increase from 2019.

This increase in cybercrime can be attributed to a number of reasons – from widespread working-at-home fatigue through to the use of coronavirus-themed scams – and it indicates that cybercrime is more dangerous than it’s ever been.

In Australia, the statistics are proportionately disconcerting, to say the least. In the first quarter of 2020, Scamwatch collated 36,203 reports of cybercrime. In the first quarter of 2021, however, it has already received an overwhelming 62,895 reports; a 71% increase on an already alarming number.


And despite the cliché that cybersecurity is all about 1s and 0s, the vast majority of reported breaches are attributable to simple human error. As such, a bit of human awareness goes a long way.

Around 90% of cyber-attacks begin with a scam phishing email and can often end with the victim going out of business.

In a world where a simple misclick can carry severe real-world consequences, it’s important to establish habits that help you to stay aware and protected against encroaching cyber threats. A few measures you can take to immediately improve your cyber-hygiene are as follows:

  • Start checking the ‘fine print’: Received a suspicious email? Get into the practice of viewing the email header to verify the sending address, and learn how to hover over and read suspicious links without actually clicking on them.
  • Brush up your password hygiene: It’s been said ad nauseam: change your passwords at least once every few months, don’t re-use them, and make sure they have a mix of numbers, special characters, and both upper & lower-case letters!
  • Stop snoozing updates! Many cyber-attacks occur simply because of out-of-date apps and software. When your apps and programs ask you to update, aim to get it done on the same day to avoid potential security risks.

These are some quick and simple measures you can take to strengthen your cyber posture. With a few minor changes such as the above, you can drastically reduce your risk of human error and cyber-attacks.

With that being said, if the fix was as simple as “stop making mistakes”, I wouldn’t need to be writing this article. We aren’t machines, and mistakes are bound to happen.

Rather than carrying the weight alone, there are a number of tools we can use to help stay aware and protected against online threats, such as:

  • Two-Factor Authentication (2FA): You know that SMS code you get when you sign in to your Google account? That’s 2FA, and it can do wonders in stopping a hacker. 2FA apps such as Authy or Google Authenticator can be used on most of your logins for added security.
  • Password Managers: Rather than creating and remembering all of your passwords, a Password Manager can be used to create and store a diverse range of strong passwords, directly in your browser. See apps such as 1Password or LastPass.
  • Automated Updates: This one’s easy. If you’re sick of installing updates or if you’re prone to snoozing them, you can change the settings for most apps so that they install themselves automatically! Google your apps and their automatic update features to get your updates under control.

Experts have long known that cyber-crime was destined for a drastic incline (some even estimate that it will exceed the global drug trade in profitability), and the pandemic appears to have worsened the threat landscape even further.

Not sure about the next steps to take for your cybersecurity? Visit cyberaware.com for more key safety tips and takeaways.

Channel Nine faces major cybersecurity attack

The broadcast of Channel 9, one of Australia’s most widely watched television networks, was disrupted by a hack on Sunday morning. The attack took them off the air and impacted scheduled programming for several hours.

Channel Nine described the incident as the ‘largest attack on a media company in Australian history’.

Professor Craig Valli, director of the Edith Cowan University Security Research Institute, suggested the attack was highly sophisticated and could have been launched with the motive of acquiring confidential journalistic information.

The attack began on Saturday night with computers in Channel Nine’s Sydney network operating strangely, and by Sunday morning many of them had ceased to function altogether. The corporate network had been targeted and significantly compromised, leading to the aforementioned broadcast disruptions.

Seeing as the attack was notably sophisticated, speculation has arisen that state actors were involved in the attack. This also coincides with the fact that Channel Nine was scheduled to report on a number of recent controversial activities from Vladimir Putin.

If you’re an Australian, you also won’t be surprised that Weekday host Karl Stefanovic addressed this correlation directly with the tongue-in-cheek remark “Bear with us as we try and work around these technical issues caused by Vladimir, we’re not blaming anybody in particular

So how did this breach happen? Unfortunately, it was not only Channel 9 systems that were impacted, but also federal Parliament, and the attack method may be related to the recent security breaches on Microsoft Exchange Servers.

The ACSC recently reported that a large number of Australian organisations were targeted and compromised in cyberattacks as a result of new vulnerabilities in Microsoft Exchange deployments.

The ACSC further reported that many Australian organisations were yet to ‘patch’ (apply an update designed to fix and improve security vulnerabilities) on said Microsoft Exchange environments.

And while a simple update may seem trivial in the face of potential cyber-attacks by state actors, this isn’t the first time that major security breaches have occurred through widely-known security flaws.

Take, for example, the well-known 2017 Equifax data breach, in which hundreds of millions of personal data records were stolen reportedly as a result of lax security practices and a simple failure to apply a patch on a known website vulnerability.

This attack was also followed by speculation of state-actor involvement from China.

Even in our personal work-habits, many of us who are made aware of security issues in an app continue to use the app regardless. As recently as last year, millions of workers continued to use Zoom in the face of well-known security vulnerabilities, in which at least 500,000 credentials were compromised and placed on the dark web.

After the emotional roller-coaster that was 2020, it’s common to feel ‘news fatigue’ and ultimately find ourselves shrugging off major historical events in the headlines. Indeed, many of us are desensitized to current events moving into the new decade, but that doesn’t mean we should stop learning from them.

In the case of the recent Channel 9 attack, some major takeaways that any organisation can apply to their own security posture are:

  • Always patch your systems; keep an eye on known vulnerabilities and act fast to apply necessary updates across the organisation.
  • Don’t procrastinate on security; keep your hands off the snooze trigger and ensure the latest security requirements are actioned promptly.
  • Consider your digital assets, and protect them; Channel Nine houses a major flow of confidential journalistic data and a prominent platform for delivering national news. Take a moment to reflect on the data and services your organisation holds, and protect them appropriately.

Not sure about the next steps to take for your cybersecurity? Visit cyberaware.com for key safety tips and takeaways. 

Uniting Care Queensland IT responds to major cyber attack

Uniting Care Queensland IT (UCQ), an organisation responsible for servicing four hospitals and dozens of aged care & disability services in Queensland, fell victim to a cyber incident on Sunday 25 April.

In a statement released by the company only 24 hours after the attack, UCQ reported that a number of the organisation’s systems were made inaccessible and that there was no confirmed timeframe for recovery.

From major system outages through to a suspension from the My Health Record system, UCQ is still dealing with the impacts of the attack over a week after their initial statement.

Unfortunately, the Australian health sector is no stranger to cyber-crime. In 2018, it saw over 300 data breaches in only four months, and in 2019 it accounted for 22% of all data breaches, making it the highest reporting sector in the country.

This attack in itself is particularly reminiscent of 2019’s Gippsland hospital breach, which impacted a multitude of regional Victorian hospitals and similarly left highly important systems unavailable.

It may go without saying, but cybersecurity breaches in the healthcare sector are particularly problematic; not only for their potential to disrupt real-life healthcare services – such as the German hospital ransomware attack that led to a civilian death in late 2020 – but also for their potential to expose highly-sensitive personal data.

Consider, for example, the contentious ‘opt-out’ My Health Record system in Australia.

My Health Record houses a significant amount of personal & medical data used in healthcare services. A breach to a hospital, medical I.T. system, or even your local GP can expose said records and compromise personal privacy, and considering that My Health Record saw a reported 38 breaches in 2019 alone, one can understand the heightened consequences and added importance of security in the healthcare sector.

So how do these breaches happen? In the case of the recent UCQ breach, the incident is reportedly undergoing further forensic investigation, and a further statement on the attack method is yet to be released.

The Australian Cyber Security Centre (ACSC) has recently commented on the dangers of ransomware targeting the healthcare sector, while recent statistics by the Office of the Australian Information Commissioner (OAIC) attribute nearly two in five breaches to human error. Based on recent trends in phishing, hacking, and ransomware, it’s safe to assume that a common method of cyber-attack may have been used in the breach against UCQ.

When cybercriminals target major industries such as healthcare or defense, it’s easy to imagine that complicated algorithms and sophisticated methods were behind the attack.

However, it’s often the same tried-and-true methods that target everyone from the smallest business to the largest organisation, regardless of industry.

As such, it’s best to act as though your organisation will definitely face a cyber attack at some point, and to prepare a strong Incident Management Plan in advance: one that prepares your organisation to respond, recover and continue operations following the incident.

UCQ’s response to the recent cyber incident is an example of a well-made Incident Management Plan in action. Using their response as a guide, here are a few key considerations when establishing your own Incident Management Plan:

  • Prepare a statement in advance: After an attack, it’s important to let your customers, partners, and stakeholders know the details of what has happened. UCQ released their public statement within only 24 hours of the attack, detailing the known extent of damages and the steps they were taking to resolve the issue. Preparing a statement in advance enables you to promptly communicate events to the public, and helps to mitigate the reputational damage that often follows a cyber attack.

    A good statement is broad, readily editable, and accounts for factors such as service unavailability and data loss.
  • Set up backups and redundant work systems: If your work systems were taken offline, how would your organisation continue to operate? UCQ reported a return to manual booking processes while the attack was under investigation, while other impacted systems were still able to be used.

    Consider what you would do in an attack, and prepare systems to ensure that your business is capable of operating during a potential system outage. Furthermore, prepare data backups so that in the event of ransomware or data loss, your organisation has a level of flexibility in deciding the best recovery plan.
  • Know your requirements: Different regulations and legislation at an industry, state, and federal level will apply to your organisation and determine your requirements in the event of a data breach. For example, all Australian organisations are required under the Notifiable Data Breaches scheme to notify the OAIC within 30 days of a notifiable data breach.

    UCQ’s prompt and detailed statement on the breach was likely released with industry requirements in mind, as oftentimes, failure to adhere to relevant legislation can incur significant penalties.

    Don’t wait until the last minute to learn your responsibilities. You wouldn’t leave your OHS obligations unattended, and the same applies to data breach regulations.

Not sure about the next steps to take for your cybersecurity? Visit cyberaware.com for key safety tips and takeaways.

Ethical hacker claims to have successfully guessed Donald Trump’s Twitter password

Since passwords were established in 1960, a recurring theme of cybersecurity has been password strength. The globally implemented tool for login security has always faced the challenge of being guessed or compromised due to low password strength, and moving into the new decade, password security is as relevant as ever.

And if there is any indicator that password security is still a leading security concern, it’s when one of the most influential world leaders has a public password slip-up.

President Donald J. Trump’s Twitter password was allegedly discovered during security research by Dutch researcher Victor Gevers. Gevers suggested that on only his fifth attempt at logging in to the United States President’s account, he correctly guessed that the president’s password was maga2020!.

If true, this would indicate that the credentials for one of the world’s most influential Twitter profiles were not only exceedingly weak, but did not adhere to Twitter’s own password policy either.

One of the key takeaways from this alleged password breach, regardless of the purported owner of the password, is that security software (such as antivirus and firewalls) is not enough. Many studies, including this report from Kaspersky Lab, indicate that over 90% of data breaches are attributable to human error. Yet, according to research by comparethemarket.com.au, 87% of small business owners believe that using antivirus software alone is ample protection from cyber attacks.

The researcher involved in this alleged password discovery did not actually hack the President’s Twitter in the traditional sense; he merely guessed the password. Even if you have the world’s leading technology and resources available to establish strong, secure I.T. systems, all it takes is a simple case of human error, such as setting a weak password, for a potentially catastrophic breach to occur.

And while the mainstream media is constantly flooded with controversial and surprising stories surrounding Trump’s presidency, this is by no means an unusual or surprising case in the context of modern cybersecurity.

When revisiting the largest Australian data breaches of the past three years, you can see that many significant data breaches that occurred within well-known organisations were caused by simple human mistakes, such as mishandling password storage or falling victim to phishing attacks. And when you consider the gigantic risk of having weak passwords, compared to how easy it is to practice safer password hygiene, it’s apparent that all of us should make the effort to strengthen our credentials.

A perfect analogy is the Australian road toll. In 1970, there were over 1000 lives lost in traffic accidents. In 1971, seatbelts were mandated in all seats of motor vehicles, which led to a steadily declining road toll, to the point where we now see fewer than 300 deaths on the road per year. Strong passwords have the ability, much like seatbelts, to drastically reduce risk and improve your safety.

Whether you’re a leading politician like Trump, or you’re simply looking to strengthen your work email logins, here are some key steps you can take to easily alleviate some risk:

  • Create strong, unique passwords: A strong password should consist of a mix of uppercase letters, lowercase letters, numbers & symbols. It should also be at least 12 characters in length. Furthermore, avoid re-using passwords so that you can ensure your systems don’t share the consequences of a potential compromise.

    Using a Password Manager can do wonders in creating multiple strong passwords without the hassle of needing to memorise them. Read here for more information.
  • Practice safe password hygiene: Think of your passwords like a toothbrush. It needs to be good quality and it needs to be changed regularly. You wouldn’t use the same toothbrush for six months straight, and you shouldn’t use the same password for very long either. Update your passwords regularly.
  • Use Two-Factor Authentication: Two-factor authentication works to add an extra level of security to your logins, by demanding a unique code sent to you via SMS or a Two-Factor app after you’ve entered your password. In the event that your password is stolen or hacked, Two-Factor can be the last deciding barrier between a data breach and your systems.

For more information on cybersecurity and password hygiene, visit cyberaware.com!

What we can learn from Donna Dickson’s story.

In August, when I first learned that Scamwatch had received reports of puppy scams totaling $300,000, I was already concerned about Australia’s increased vulnerability to scams during the pandemic. Seeing now that Australians have lost over $100 million to scams from January to August, it’s clear that we’re at a significantly higher risk of scams than in previous years.

Not only has the pandemic (and the wide-spread normalisation of work-from-home) introduced its own sets of security challenges, but it’s also leaving us less attentive than usual, and more susceptible to scammers.

In 2020, it’s more important than ever to listen to the stories of scam-victims around us and learn as much as we possibly can to avoid the same criminal activity. One such story we can all learn from is Donna Dickson and her experience with online puppy scams.

Donna Dickson lives with her six dogs and cat in Armadale NSW, and due to a recurring case of identity theft, has spent 2020 dealing with an endless stream of scam victims who have been exploited under her name.

Donna was contacted on Gumtree by a prospective buyer for her off-and-on puppy breeding services. The supposed buyer ironically told Donna that she had been scammed in the past, and that she would only trust the service if Donna provided a picture of her license and registered breeder number.

Donna didn’t know at the time that this was an attempt by a scammer to elicit information for identity theft, so she provided the information as requested.

The scammer went on to use Donna’s information in countless scams, defrauding unsuspecting buyers by using Donna’s name, business, and pictures. Now, Donna regularly has scam victims arriving at her property after long drives from rural towns, only to be told that they’ve been scammed and need to contact the local police.

Considering that Australians have lost $1.3 million to puppy scams throughout 2020 thus far, what can we learn from Donna’s situation to avoid scams like this?

When to Trust Others Online

The first error that led to Donna being scammed is that she trusted the person she was speaking with online. You can never be certain of who you’re speaking with online, and as such, you should treat every single interaction with a grain of salt.

Some steps you can use to stay safe in your online interactions are as follows:

  • Never let money get involved: Donna not only provided her license to the scammer in this story, but she also lent them $300 to “help them out of a tight spot”. Needless to say, she never saw this money again. She did it out of the goodness of her heart, but if you haven’t met and confirmed the identity of the person, never give or lend them money.
  • Set limits to your online interactions: Whether you’re talking with a stranger, co-worker, friend, or family member, you can never be sure that the person on the other end of the screen is actually who you think they are. As such, set clearly defined limits to the information you’re willing to share online and always act under the assumption that you could be speaking with an imposter.
  • Think twice before sharing personal information: Any request for personal information online should be seen as a red flag. In Donna’s case, she complied with the request and provided her license information, which led to her eventual identity theft. Even if it’s convenient or if you’re being pressured, always work out a safe alternative rather than providing confidential information.

Making Safe Online Payments

Another piece of Donna’s story is through one of the puppy scam-victims, Sandy Trujillo.

Sandy was in the market for a new puppy to keep her elderly mother company during isolation. She purchased a puppy from a very legitimate-appearing website that used Donna’s stolen details.

Sandy, being a former veterinarian and government department investigator, quickly realised after the purchase that she had fallen victim to a scam. Unfortunately, she had already made a large deposit of $1,600 by that point.

Sandy reported the incident to the bank and local police within 24 hours, but it wasn’t enough to rectify the issue or put her mind at rest, so she took matters into her own hands.

Using Google Maps, Sandy tracked down Donna’s address from the stolen license information, acquired her information from the Armadale police station, and made contact with Donna directly.

Today, the two of them have joined forces to track down and rectify ongoing puppy scams through their Facebook group, Puppy Scam Awareness Australia, which thanks to its grass-roots nature is one of my favorite cybersecurity projects of the year!

Screenshot of Puppy Scams Awareness Facebook Page

Not all of us can start our own anti-scam organisations as Sandy and Donna have, but there’s still plenty to learn from their experience, especially pertaining to making safe payments online:

  • Investigate the company first: If you’re making payment to a company for the first time, make sure they are credible and safe. You can do this by checking reviews and forums for other people’s experiences with the company.
  • Check if the website is safe: While scams are becoming more and more indistinguishable from real websites, there are some safety steps that should be taken with all purchases. Most importantly, always check the URL for typos and misleading characters, and make sure the site uses https://.
  • Use cash: This specifically applies to purchases you’re making in person. In the case of a puppy scam, a surefire way to avoid a scam is to meet in person first. See the puppy, and exchange your money in person. If the seller can’t accommodate this, be extremely cautious before proceeding with any online transaction.
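The link checks recommended above, and the ‘check the fine print’ tip from the first post (verify the sending address, read the real URL behind a link without clicking it), can be automated. The script below is an added example, not code from the original posts or from Cyber Aware: it parses a constructed sample email, compares the From and Reply-To domains, and for every link reports whether it uses https, whether the host contains non-ASCII or punycode characters, and whether the domain shown in the link text differs from where the link actually goes. The email and every domain in it are constructed for illustration.

```python
import re
from email import message_from_string
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message (not a real email); all domains are invented.
SAMPLE_EMAIL = """From: "Account Team" <support@examp1e-bank.com>
Reply-To: billing@mail-example.net
Subject: Action required
Content-Type: text/html

<html><body>
<p>Please <a href="http://secure-login.examp1e-bank.com/verify">sign in at example-bank.com</a></p>
<p>Or use <a href="https://xn--exmple-bank-8sb.com/login">https://example-bank.com/login</a></p>
<p>Help centre: <a href="https://help.example-bank.com/">help.example-bank.com</a></p>
</body></html>
"""

# Pulls a bare domain out of the visible link text, e.g. "sign in at example-bank.com".
DOMAIN_IN_TEXT = re.compile(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", re.I)


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Crude 'site' name: the last two labels. Enough for the sample; real
    tooling should use a public-suffix list to handle e.g. .com.au."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def check_link(href, text):
    """Return the list of red flags for one anchor (empty list means none)."""
    flags = []
    parsed = urlparse(href)
    host = parsed.hostname or ""
    if parsed.scheme != "https":
        flags.append("not https")
    if not host.isascii():
        flags.append("non-ASCII characters in host")
    if any(label.startswith("xn--") for label in host.split(".")):
        flags.append("punycode (internationalised) host")
    shown = DOMAIN_IN_TEXT.search(text)
    if shown and registrable_domain(shown.group(1)) != registrable_domain(host):
        flags.append(f"link text says {shown.group(1)} but link goes to {host}")
    return flags


def check_email(raw):
    """Apply the header and link checks to a raw email; returns {item: [flags]}."""
    msg = message_from_string(raw)
    findings = {}
    from_dom = re.search(r"@([\w.-]+)", msg.get("From", "") or "")
    reply_dom = re.search(r"@([\w.-]+)", msg.get("Reply-To", "") or "")
    if from_dom and reply_dom and registrable_domain(from_dom.group(1)) != registrable_domain(reply_dom.group(1)):
        findings["headers"] = [f"Reply-To domain {reply_dom.group(1)} differs from From domain {from_dom.group(1)}"]
    parser = LinkExtractor()
    parser.feed(msg.get_payload())
    for href, text in parser.links:
        flags = check_link(href, text)
        if flags:
            findings[href] = flags
    return findings


if __name__ == "__main__":
    for item, flags in check_email(SAMPLE_EMAIL).items():
        print(item)
        for flag in flags:
            print("   -", flag)
```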

For more information and news on cyber-safety during 2020, visit http://portal.cyberaware.com/remote

Cybersecurity and Ongoing Awareness: Why We’re Still Falling For The Same Scams

Last night, I finally sat down and watched Netflix’s new trending film The Social Dilemma; a docudrama exploring the intentionally addictive patterns found in social media. The film sheds light on gloomy and often overlooked statistics, such as the fact that 210 million people are estimated to suffer from social media addiction. Naturally, I couldn’t help but draw parallels to my passion for cybersecurity, and the clearest comparison that stood out was our tendency to fall for the traps that we already know about.

Many of us have gone through the cliché “quitting social media” phase. Whether it’s Facebook, Instagram, or simply reducing our time spent on YouTube, the reason that this is considered a mere “phase” is that the vast majority of us fail to stick with it, despite the fact that we know quitting these platforms is linked to increases in happiness.

According to this study by Cornell University, only ten percent of surveyed participants had actually managed to quit Facebook entirely. Even Tim Kendall, the former Director of Monetization at Facebook, found himself addicted to the same systems that he helped to design.

In The Social Dilemma, Tim recalls how he would come back from a long day of working on Facebook’s systems, only to find himself spending his time at home largely on the app for personal use.

Tim personally worked on making Facebook as addictive as it could be, and despite this inside knowledge, he too struggled with social-media addiction! He found his screen-time so concerning that he is now actively working to combat screen-addiction in his new company, Moment.

From Tim we can see that the reason we spend too much time on social media isn’t that we don’t know how addictive these platforms can be, but because we stop thinking about it.

We get distracted, and scams are designed to manipulate our attention span in the same way.

We all know what an email phishing scam is, and phishing scammers know that we know what a phishing scam is. But they also know that it only takes one error for a full data breach to occur. Scammers aren’t operating under the impression that the victim is unfamiliar with the scam; they’re operating under the knowledge that we all eventually get distracted and slip up.

Scammers know that 99% of the time, you aren’t going to fall for the scam. However, they also know that 1% of the time, you will. And they gear their efforts towards that one percent.

For example, look at pedestrian accidents in traffic. We were all raised on the classic slogan “stop, look, listen, think”, and in theory, we know how to avoid accidents. Yet pedestrian traffic accidents are still an ongoing issue, with nearly 40 fatal pedestrian accidents per year in Victoria alone.

The reason these accidents occur isn’t that drivers & pedestrians aren’t informed on road-safety, but that it wasn’t front of mind at the moment of the incident. The safety precautions we know to take simply slip our mind, and an accident occurs. The reason that school crossing supervisors are so effective isn’t solely because they tell kids when it’s safe to cross, but because they serve as a constant reminder to be safe when crossing the road. The lollipop person serves to remind us every single day “Hey, this road is dangerous, don’t forget it!”

And when it comes to cybersafety, sure, we may have attended one or two training seminars, or enrolled in training that we sped through in one day and never revisited, but that doesn’t do much for our ongoing awareness. Even though we know how scammers target us, it doesn’t mean that we’re adequately equipped to keep it front of mind.

The irony of Tim falling for the same addictive systems that he himself designed is not too dissimilar from what you find in the cybersecurity industry: hackers starting careers in cybersecurity after falling for hacks themselves, or cybersecurity professionals falling for the same scams they educate others on! Despite having the knowledge of how these hacks work, they were inevitably made victims through a lack of caution.

Again, in 2020 the average person knows what a typical scam looks like, but that isn’t enough. The only thing preventing you from clicking that malicious link is the current and active awareness that every link can be malicious. Without this, you can easily gloss over your own best advice and end up like Tim Kendall, falling for his own algorithm.

To keep your cybersecurity front of mind, we recommend the following:

  • Awareness Posters: Especially during COVID-19, wherein not all of us have a workplace with safety posters and colleagues to converse with, having a general reminder near your workstation is crucial. Even a few post-it notes or a small poster can do wonders in keeping you aware and cyber-safe.
  • Ongoing Awareness Training: This is important. It’s one thing to finish a basic awareness course, but what really counts is regular and repeated training. It’s far more effective to take one lesson a month than ten lessons in a single day.
  • Phishing Simulations: Rather than wait for an employee to experience it first-hand, train your staff with simulations, the same way we do in a fire drill. Run semi-regular phishing campaigns so staff have a better idea of what to look out for in a malicious email.

For more information on cyber awareness and work-from-home cyber safety, visit portal.cyberaware.com/remote

Work-at-home fatigue and cyber safety. How low energy leads to high risk

In a recent Roy Morgan survey, 39% of Australians working from home reported that they ‘find it difficult.’ This coincides with a Society for Human Resource Management study that found 35% of remote workers feeling regularly tired or working with low energy, and a further 32% of that pool feeling this way at least sometimes.

And a similar report from DigitalOcean suggests that roles with less of a social aspect than others can be even more taxing, with an overwhelming 82% of remote developers reporting feelings of fatigue while working remotely.

Low-energy and tired faces tend to raise concerns in the office, yet the overwhelming majority of our workforce is currently operating at a strain and without an immediate support system in proximity.

This is concerning both for reasons of mental health and also for our cyber safety, both of which are increasingly threatened during the pandemic.

One of the most common things I hear victims say following a scam is “I just wasn’t paying attention.” If you perform a Google search of the terms “scam” and “I just wasn’t paying attention”, you’ll see just how frequently scam victims are left empty-handed and quoting these famous last words. Actress Jenifer Lewis predictably coined this term right after she was allegedly swindled out of $50,000, a scam that later became the basis of a plotline for her character in Black-ish.

If there’s one thing I struggle to do when I’m feeling tired or fatigued, it’s paying attention to the small details. The sending address on an otherwise unsuspecting email, the URL behind an embedded link or the grammar and spelling of my colleagues; these are all things that, especially when I’m under the weather, can easily slip by me if I don’t check myself and make sure to pay attention.

Considering that a large portion of the Australian workforce, and particularly the Victorian workforce, is now working from home, we all need to remain extra vigilant in our cybersafety.

“I just wasn’t paying attention” is a valid and honest response when we’ve fallen victim to a cybercriminal, and given the tiring circumstances of 2020 we’re now hearing it more frequently than ever. Since the pandemic began, Australians have seen a huge increase on top of an already steep rise in cybercrime. The months of April/May saw a total of $32 million in financial damages from scams, a 33% increase from the previous year. In July, the number of reported scams was the highest it’s been all year, coinciding directly with our re-entry into Victorian lockdown.

And it isn’t enough to be wary of the infamous COVID-19 themed scams alone. While there are plenty of successful COVID-19 scams circulating to date, there are endless scams that simply focus on going unnoticed via unrelated tactics. The first round of Australian lockdown saw $300,000 lost to “puppy scams” alone. Yes, these are scams simply predicated on the false promise of purchasing a puppy. And it’s quite possible that their success is simply due to the fact that we’re preoccupied with larger thoughts, we’re tired, and we’re struggling to keep our attention on cybersafety.

As we continue adapting to the pandemic and working through these trying times, here are a few tips for remaining vigilant and aware of cyber-crime:

  • Slow it down: don’t be afraid to slow down and double-check the work that you’re doing. If you’re actioning an unfamiliar email or visiting a website, take a breath and check through for the red-flags expected with most scams.
  • Reach out to your colleagues: while we’re not working in the same space, we can still reach out to get a second opinion on suspicious activity. If you’re even slightly unsure as to the source or purpose of an email or contact you’ve received, take the time to reach out to your colleagues for a second opinion.
  • Look out for red flags: Even when we’re tired, we can always double-check the sending address of an email, the real URL of a website link, or the source of an unexpected message. The more that you look out for common red flags, the less energy it takes to spot them in the future.
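The checks in the last tip (the real sending address, a Reply-To that points elsewhere, and the real URL behind a link) as an added example, written for this page and not code from the original post or from Cyber Aware. The message, addresses and hostnames are constructed; the impersonated organisation is assumed to be the ATO, so `ato.gov.au` is the domain the display name claims.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample (not a real message): the display name claims to be the
# ATO, the real address and Reply-To point elsewhere, and the link text shows
# the genuine site while the href goes to a look-alike host.
SAMPLE_EMAIL = """\
From: "Australian Taxation Office" <refunds@ato-refund-notice.example>
Reply-To: collect@mailbox-hold.example
To: employee@company.example
Subject: Your tax refund is ready
Content-Type: text/html

<p>Log in at <a href="http://ato.gov.au.secure-login.example/login">https://www.ato.gov.au/</a>
to claim your refund.</p>
"""

LINK_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)

def belongs_to(host, org_domain):
    """True if host is org_domain itself or a subdomain of it."""
    host, org_domain = host.lower(), org_domain.lower()
    return host == org_domain or host.endswith("." + org_domain)

def host_of(s):
    """Hostname of a URL, or the bare string if it is not a URL."""
    return (urlparse(s.strip()).hostname or s.strip()).lower()

def red_flags(raw, claimed_domain):
    """Report the red flags the tip describes: the real sending address vs the
    organisation it claims to be, a Reply-To that differs from From, and
    link text that shows one site while the href points to another."""
    msg = message_from_string(raw)
    flags = []
    _name, sender = parseaddr(msg.get("From", ""))
    sender_host = sender.rpartition("@")[2]
    if not belongs_to(sender_host, claimed_domain):
        flags.append(f"sender-domain:{sender}")
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and reply_to.rpartition("@")[2].lower() != sender_host.lower():
        flags.append(f"reply-to-differs:{reply_to}")
    for href, text in LINK_RE.findall(msg.get_payload()):
        shown_host = host_of(re.sub(r"<[^>]+>", "", text))  # drop inner tags
        # Only compare when the visible text itself looks like a domain or URL.
        if re.fullmatch(r"[a-z0-9.-]+\.[a-z]{2,}", shown_host) and not belongs_to(host_of(href), shown_host):
            flags.append(f"link-mismatch:{shown_host}->{href}")
    return flags
```

Calling `red_flags(SAMPLE_EMAIL, "ato.gov.au")` returns one entry per red flag; an empty list means none of the three checks fired.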

For more information on work-from-home cyber safety, visit portal.cyberaware.com/remote

COVID-19 and financial scams: how the pandemic has dictated the threat landscape in 2020.

About two weeks ago, I published an article on LinkedIn and the Cyber Aware blog in which we forecasted a second wave of scams related to COVID-19. The article demonstrated that compared to the March/April period of 2019, in which Australians lost over $20 million to scammers, the same period in 2020 saw an approximate 33% increase to this already colossal figure, at almost $32 million in financial damages.

It’s common knowledge at this point that the current pandemic has introduced a plethora of scams to the Australian public, but what stood out to us most were the following statistics, which show a clear correlation between a sharp decrease in daily COVID-19 cases and a decrease in financial damages as the result of scams.

Financial losses per month as a result of scams in Australia (Link). Courtesy of Scamwatch.

Daily COVID-19 cases detected within Australia over recent months (Link). Courtesy of Google.

In Victoria, where Cyber Aware is based, and where daily coronavirus cases recently broke 400, we’re gearing up not only for a second round of lockdown restrictions and safe-practice, but also for a second round of COVID-19 related scams.

The reason we attribute the rise in scams to COVID-19 as a cause, rather than a mere correlation, is how hackers and scammers have operated historically. 90% of data breaches succeed directly because of human error. Scams are designed to prey directly on human insecurity and to create a sense of urgency behind a fraudulent message, whether it’s demanding bank details to “rectify a tax-claim error”, requesting sensitive data under the guise of a trusted colleague, or deceiving an out-of-work citizen into making payment for a false superannuation claim during the pandemic.

Hackers look at the vulnerable circumstances generated by the 2020 pandemic and see nothing but an opportunity to embezzle money from innocent individuals. Already we’re seeing this resurfacing in line with the increasing cases and media-attention, as ATO and government scams against the Australian public skyrocket.

And again, this trend of hackers jumping on mass-insecurity during times of disaster is evident as far back as September 11 in 2001, all the way through to the rampant bushfire scams at the beginning of 2020.

Typically, a trusted source is impersonated to prey on this insecurity, such as government agencies (link) or well-known brands.

Take this recent scam for example, in which attackers send fraudulent email and SMS notifications claiming to be from the Australian Taxation Office. Typically, the scam will look something like the notification pictured, and will result in the victim granting a malicious party full access to their ATO account.

[Image: example ATO-themed scam notification]

Furthermore, not only have there been more scams, particularly ones preying on public concerns surrounding the pandemic, but our relationship to technology has shifted as a result of our mass migration to working from home as well.

This has frequently resulted in a lower quality of security, with people now sending private work information via personal social media accounts, sharing said data on family-shared computers, and operating largely on less secure internet connections and often without a VPN in place.

This has all resulted in not only a challenging obstacle to our productivity and workflow, but also to our workplace security.

Moving into the latter half of this unprecedented year, stay aware and cyber-safe with the following three tips:

  • Be vigilant of scams. Any time you receive a sensitive request for action, whether it be logging in to a system, providing payment information, or supplying private/personal information, make sure that you were expecting the request and that you have verified the source of contact. Stay up to date on current COVID-19 scams via Scamwatch.
  • Keep your personal and professional data separate. It can be easy to send a file via Facebook or your personal Gmail account, but in doing so you are significantly increasing the risk of a data breach. It may be difficult, but make sure your work-from-home systems are the exact same as the ones in your office. Keep your work at work, and off personal accounts.
  • Give each other a hand. The major difference in whether or not you fall victim to a scam is always going to be awareness. If your colleagues aren’t aware of the current scams, or if you spot an unsafe practice, let them know! Give your colleagues a friendly reminder or tip from time-to-time, and it can make a world’s (or bank account’s) worth of difference. The best defense against social scams is a social firewall.

For more tips and news on cyber-safety in 2020, visit cyberaware.com!

Hacked by an Instagram celebrity: FBI arrests popular Instagram millionaire after alleged tie-ins to major scam racket.

Social media influencer and millionaire, Ramon Olorunwa Abbas, is currently being detained for criminal charges over alleged involvement in a major scam racket.

For those unfamiliar, Abbas is an Instagrammer known for his opulent, “living the high-life” persona which he regularly presents to his 2.5 million followers.

The FBI alleges that Abbas has made hundreds of millions of dollars through his involvement with a ring of fraudsters and scammers, specializing in Business Email Compromise (BEC) attacks.

BEC attacks involve hacking an email account, typically corporate, to send fake and illegitimate messages to clients and trusted contacts, typically in order to intercept or redirect financial transactions.

If you’ve been following my writing for some time, we regularly cover BEC in reference to news and best current practice, due to its fast-growing employment by scammers both domestic and abroad.

And with my experience, not only in cybersecurity but also in email hosting, I’ve seen BEC used against innocent business-owners time and time again over the years for massive financial exploitation.

Abbas was accused following a thread of social media posts that implied tie-ins to a trans-national cybercrime network. During a series of arrests throughout this investigation (video link here), 12 other individuals were arrested, and upwards of $40 million in cash was confiscated alongside hard drives containing the email addresses of nearly two million victims.

This case follows the recent arrest of Obinwanne Okeke, in which Okeke pleaded guilty to $11 million of computer fraud between 2015 and 2019. Okeke was previously known as a celebrated entrepreneur, and was actually listed in the Forbes 30 Under 30 before his criminal activity became public knowledge.

In response to the continuously rising scam culture across the globe and particularly within Nigeria, FBI agent Michael Nail attributes the appeal of this illegal activity to the sentiment that “You can sit at home in your PJs and slippers with a laptop, and you can actually rob a bank.”

The effects of this alleged scam-work not only impact the numerous victims, who’ve lost upwards of 124 million dollars, but also weigh poorly on Nigerian relations with the public of the United Arab Emirates, as seen in the slew of anti-Nigerian job advertisements circulating following Abbas’ arrest.

Abbas’ lawyer has issued a statement on the allegations against Abbas, stating that Abbas not only earned his wealth through entirely legitimate means, but also that the FBI arrest should be deemed a kidnapping.

Regardless of the outcome of this case, here are a few steps to avoid BEC yourself:

  1. Keep your work and your personal email usage separate. If there’s one sure-fire way to fall into a BEC trap, it’s by sending confidential information on personal email or social media channels. Stick to the business email at all times.
  2. Use two-factor authentication! I and all of my cybersecurity colleagues must sound like a broken record at this point, but two-factor is just that important. Two-factor is the extra layer of security that could make the difference between a breach and a close call. It’s essentially what seatbelts are to cars. If you aren’t familiar with two-factor, read up here for some quick steps on setting it up.
  3. Keep on top of your password hygiene. This means strong passphrases, changing them regularly, and, if you store them, keeping them in a secure location such as a password manager. Essentially, treat your password the same way that you would a toothbrush: pick good ones and change them regularly.

Financial scams during the pandemic: preparing for a second wave.

Now that we’ve reached the mid-way point of 2020, I can’t help but feel as though we’re resting in the eye of the storm. By all means, we’ve largely done a fantastic job of responding to the situation. We’ve acted on our feet and through our ability to remain adaptive and resilient, we’ve still landed in a largely manageable position.

However, concerns of a second wave are certainly looming. Currently, we’re seeing USA cases spike to higher points than ever, and Victorians such as myself are re-entering lockdown in an attempt to curb resurfacing cases in suburban hotspots.

My concern, however, isn’t solely for the virus itself. It’s also in the ramifications surrounding COVID-19. For example, I’d be remiss to see many of the local bars, restaurants, and small businesses that barely survived the first leg of the year, be forced back into a lockdown.

I’d be remiss to see individuals who’ve had a hard time dealing with lockdown back in square-one of self-quarantine.

And I’d be remiss to see the huge damages of COVID-19 related scams resurface yet again.

2020 has seen a plethora of COVID-19 scams, ranging from government-impersonating phishing scams through to false promises of early superannuation access to those in need. For a frame of reference on just how damaging and successful these scams have been, March & April of 2019 saw Australians facing a total of $20,466,361 in damages at the hands of scammers.

That’s a huge amount of financial damage in and of itself, yet in 2020 the same months of March & April saw total losses of $31,176,098! That’s a gigantic increase of over ten million dollars lost to scams.

And funnily enough, if you then view the drop in financial damages during May of this year, you end up with a curve that closely resembles the curve of new COVID-19 cases.

Financial losses per month as a result of scams in Australia. (Link)

Daily COVID-19 cases detected within Australia over recent months. (Link)

As Australia “beat the curve” and lowered COVID-19 cases in April, the financial damages lost to scams dropped significantly in the following month of May. The drop in COVID-19 cases likely corresponds to the waning number of successful scams.

As public concern over COVID-19 softens, so too does the insecurity among individuals that scammers are working so hard to exploit.

As Australian coronavirus cases fell, it’s fair to say that our susceptibility to coronavirus scams fell too.

But just as we need to remain vigilant and prepared for a second-wave of COVID-19 cases (which we can see beginning to spike again towards the end of the daily cases graph), we also need to remain vigilant and aware of our vulnerabilities to scammers.

Moving into the latter half of 2020, here are some tips you can use to spot and avoid malicious scams:

  • Remain calm: Scammers are largely successful in their efforts because they know how to target our insecurities. If you’re contacted about medical results, financial benefits, or anything else pertaining to COVID, make sure you take a step back to make a calm & informed decision.
  • Verify the source: A lot of current scams impersonate both public & private entities that we’re familiar with in an attempt to lower our guard. No matter where a message claims to be from, always keep in mind that it can be a scam, and needs to be verified via legitimate contact points, such as the phone number or email on the company’s website.
  • Stay up to date on current scams: Some of the most successful scams are also some of the most well-known, and keeping an eye on publicly known scams can help you identify the tactics being used by malicious attackers now. A fantastic source for staying on top of current scams is the Scamwatch website, which I’ve personally checked regularly during this pandemic.

For more information on cybersecurity, awareness, and staying safe online, visit cyberaware.com!
