Preparing for Black Friday Sales

Another year, another “Black Friday Crowds rampaging through Walmart” Youtube compilation for me to relax too while doing my online Christmas shopping! But for those of us who prefer to shop online and avoid the probability of being trampled to bits over a discounted microwave, there are still some big risks to consider.

Australians are seeing some of the largest damages from online scams to date, with reported losses of over $4 million in 2019 (a staggering $700k increase from 2018’s total losses). The amount of Australians who shop online has been steadily increasing every year, with the national average going up an ever further 20% in 2018, and cybercriminals are increasing their efforts accordingly. 

We recommend sharing these seven safety tips in the office to close out the week, especially for the colleague browsing 20+ tabs in search of the best deals:

  1. Don’t open PDF catalogues in emails. How many infected attachments does it take to cause a ransomware outbreak? Not many! Any deals/offers should be in the email itself, not hidden in a risky PDF.
  2. Watch out for fake websites in emails. If an email convinces you to shop at a particular store, dodge the risk of a scam email and just Google search the store directly for a safe link.
  3. Watch out for gift card scams. Gift cards are the recurring most popular item on wish lists, and attackers will often ask for payment via Gift Cards themselves. Don’t get stuck laundering money by mistake, or purchasing a dead card.
  4. Keep your money off of public Wi-Fi. The thing about public Wi-Fi is… it’s public. You don’t know who else is sitting on that network and monitoring your transactions. Switch to mobile data or wait until you’re home/at the office.
  5. Checkout using safe payment gateways. Have you ever seen those scams where a fake EFT reader is put onto an ATM to steal funds? Lately, scammers have been doing the same thing on website checkouts! They intercept your order and steal your card data using a tactic called e-skimming. Always check for https, or just stay safe using services like Paypal. 
  6. Switch to credit, or limit your spending account. If you must use a debit card, make sure it has a limited spend-per-day and transaction alerts set up with your bank.
  7. Classic advice: Don’t Click Popups. If an offer sounds too good to be true, it is. Hit that beautiful x button and move on. 

Did we get them all? What? “No” you say? Well, please leave a comment below! Let us know what you’ll be doing to stay safe online this Black Friday/Cyber Monday. 

Have a scam-free weekend people! 

Hackers capitalise on Covid 19: Exploiting the sudden boom of at-home workers

The immediate and rapid migration from our workplaces to the household has greatly expanded the cybercrime landscape:

Cyber-criminals across the globe are tailoring their efforts to remote workers and developing new scams designed specifically to exploit individuals during this vulnerable time.

As we leave the office and migrate to our respective homes, we need to take a step back and consider a few things:

  1. We’re taking our office with us: not just the pens and pencils, but our sensitive company data and system logins. Assets that we as individuals need to keep safe during the transition to working from home.
  2. In doing this, we’re simultaneously leaving behind one of the biggest benefits of working in the office: security.

Amidst the endless news-cycle of COVID-19, we’re seeing constant public safety warnings extending not only for our hygiene and physical wellbeing, but also our mental health, socialisation, and cybersafety.

The Australian Cyber Security Centre (ACSC)and countless government bodies are warning of the surge in online risks and vulnerabilities that COVID-19 has introduced.

All of a sudden, we’re incurring dangers of network security, access control, data management and a whole slew of cyber-security necessities that the majority of us have never had to consider before.

For cyber-criminals, this is an opportunity to profit and exploit like never before. To put it into an analogy, it’s as if the all of the shopfronts in the world have unanimously removed their locks and taken their inventories out on to the streets.

Countless workplaces have just had their security scattered to employee households with little-to-no central safety measures, and to ensure that both staff and the organisation at large are operating safely during these changing times. there are two key factors that every business needs to account for:

  1. Network security: This means a centralised standard of VPN, secure Wi-Fi and access control to any data and systems of the organisations when accessed remotely

This is typically performed by a dedicated I.T. team, member of staff or service provider. In the event that you haven’t already arranged this, I’d recommend moving fast to get ahead of the demand.

Already companies such as Cisco Systems Inc have seen a 1000% increase in demand for support services that cater to work-from-home security setups. Ensure that all members of your team are working from home under company networks and a secure connection.

  1. An individual understanding of risk and cyber safety: While working from home, you’ll find yourself facing a whole range of new cyber-threats and scams specifically designed to capitalise on individual mistakes. From opening the wrong email to clicking the wrong link, we’re all at risk of exposing corporate data from our own household if we aren’t careful.

You can expect to see scams that play on concerns surrounding COVID-19, especially on matters of personal safety and job security.

Already, cyber-criminals are disguising key-logging scams, malicious viruses and password theft as urgent warnings or health tips pertaining to COVID-19. (You can report and read on said scams via the Scamwatch website)

This is common practice for scammers: Finding a hot topic of public concern or vulnerability and using it to exploit those in distress for a profit. Even as recently as the Australian Bushfire Crisis, scams were quickly tallied by Scamwatch to be in the hundreds, some with damages in the thousands. (Further reading & advice regarding Australian Bushfire Scams can be found via the ACCC)

Considering COVID-19 is a global crisis and incomparable epidemic, expect to see plenty of scams. Make sure to operate with both caution and a hefty grain of salt. We’re all surrounded by a lot of information at the moment. A lot of it bad news. We’re inundated and the majority of us are feeling overwhelmed. It’s especially important during this time in which we may not be processing things at our usual standards, that we take a step back and reconsider what we’re looking at online.

It’s especially easy at the moment to click the wrong link or open the wrong email by mistake. To avoid falling into a malicious or compromising situation, slow down while you’re checking your emails and try your best to stay mindful while you navigate through your work-day.

In addition to staying aware of the current scams surrounding COVID-19, you can further protect yourself by keeping work devices and home devices separate. We recommend that you both refrain from doing work on personal systems and keep your personal accounts logged off of your work-devices to prevent cross-contamination of potential threats between work and home.

Finally, here’s a quick-guide image to follow for some work-from-home essentials:

For more information on staying safe at home and protecting your corporate data, we’ve developed an awareness program tailor-made to working from home:

Is Your Business Set For The New Mandatory Data Breach Notification Laws?

New mandatory data breach notification laws take effect in Australia on 22 February 2018. This latest legislation seeks to protect consumers’ personal information, it requires that public agencies and private organisations, report all eligible data breaches to the affected individuals and the Privacy Commissioner. An eligible data breach occurs when there is unauthorised access to, exposure or loss of personal information held by an agency or organisation, which is likely to cause serious harm to those individuals. As yet, there is no definite measure of serious harm. However, we may consider serious harm to include physical, financial, and reputational damage, as well as adverse emotional or psychological impact.

This mandatory notification applies to all public and private entities that are governed by the existing Privacy Act, which includes organisations that have an annual turnover exceeding $3 million. Mandatory reporting also applies to those companies that make under $3 million and are in the business of handling personally identifiable information (PII) such as names, social security numbers, personal contact and credit information, as well as health and financial records. If an organisation is related to another that is governed by the Privacy Act, then that organisation is also subject to the mandatory data breach notification requirement.

Current State of Preparedness

Although the Privacy Amendment (Notifiable Data Breaches) Bill of 2016 had established the upcoming mandatory reporting requirement, there is some unpreparedness among organisations-especially small businesses. According to a recent survey, 44% of Australian businesses reported that they were not ready for the mandatory notification requirements. This may have resulted from a mistaken belief that small firms would not be subject to the new legislation. It may also be the case that information security has long been viewed as the domain of IT professionals, and so sufficient attention has not been directed to this aspect of business operations. However, given our growing digital economy with increasing cyber threats, it is becoming clear that the usual risk management framework must now also consider the mitigation of cyber risks.

The Process of Mandatory Data Breach Notification

If an organisation suspects that it may have been subject to unauthorised access, disclosure or loss of personal information, that may cause serious harm to any of its stakeholders, then it has 30 days to investigate and conclude whether or not an eligible data breach occurred. However it may not be prudent to wait an entire month before deciding on the eligibility of a data breach. The factors to consider when an organisation needs to determine if an eligible data breach has occurred include:

·      the type and sensitivity of the information in question;

·      whether or not steps were taken to protect the information (for example, data encryption)

·      how likely it is for the protection measure to be breached (such as the encryption being cracked) and the information revealed;

·      the scope of the potential serious harm to affected individuals; and

·      any other relevant factors.

In the case of an eligible data breach, the company must prepare a formal statement for the Privacy Commissioner and each of the affected parties. This statement must include details on the nature of the data breach, and the remedial actions to protect those adversely affected. In cases where it may not be possible to inform every affected individual, then the statement must be published on the company’s website. We recommend that legal counsel be obtained in the unfortunate event of a data breach, so that the organisation can be sure that all aspects of the mandatory notification requirement are met.

Non-Compliance Consequences

Failure to report eligible data breaches will be costly in several ways. The Privacy Commissioner is empowered to apply fines in cases of non-compliance with the mandatory notification requirement. Individuals (such as sole traders and general partners) may face fines of up to $360,000, while corporate organisations may have to pay fines up to $1.8 million.

However the consequences of non-compliance not only originate from the Privacy Commissioner. The Privacy Act enables an individual to make a representative complaint (on behalf of several affected parties) directly to the Privacy Commissioner. There is also the possibility of class actions being initiated in the wake of a data breach. Another pressing concern is the loss of consumer and investor trust. This goodwill is vital for a company’s success, and non-compliance may be perceived as a lack of trustworthiness, which may then have greater adverse effects on the organisation in question.

Compliance Matters

We recommend a two-pronged approach of both prevention and corrective measures to ensure full compliance with the new mandatory data breach notification law.

Prevention Measures

The mandatory notification requirement means that organisations need to establish robust information security systems, or review their existing systems in light of this new legislation. Information security covers all the cyber-safe policies and procedures governing the collection, storage and retrieval of personal data. However companies will need to do more than merely install commercial security software. The latest data-stealing malware are being delivered via email, which means that users at all levels of an organisation need to be trained to navigate and actively support the information security framework. Small businesses may need to outsource certain security needs to IT vendors. Therefore it is also important that all vendors are employing the latest cyber security innovations and are ready to quickly comply with any requests for updates and formal reports.

Corrective Measures

In the event of an eligible data breach, it is useful to have a set of templates and procedures on hand. It is vital to have a detailed incident response plan which includes an organisation’s breach assessment criteria, templates to notify affected parties and the Privacy Commissioner, and procedures to implement remedial measures. We recommend that any incident response plan be tested with all members of an organisation and external vendors, so that each person is aware of their role in responding to any possible data breaches. We further recommend that all organisations obtain legal counsel to ensure that all elements of the mandatory notification requirement are conducted appropriately.

The mandatory data breach notification law will definitely alter the way in which businesses operate within Australia. Other countries such as the USA, Germany, Canada and the UK already have such legislation in place, so successful adaptation to these new requirement have already proven possible. We urge all Australian organisations to become familiar with their new legal obligations, to access all of the available resources and services, for both information security and notification support.

Beware of Real Estate Hacking Attacks

Hacking attempts are not just a problem for large corporations. Unfortunately, cybercriminals are equal opportunists, a fact which has been corroborated by the recent real estate hacks. The Australian real estate industry is valued at approximately $14 billion, which makes it a tempting target for these criminals.

Consumer Affairs Victoria reported that a few of the state’s homebuyers were victimised in an email scam and they lost over $200,000. The buyers said that they received emails containing contracts of sale and trust account details for the payment of their deposits. This first email was then followed by another email, which instructed the hapless buyers that there was an error in the original email and that they should deposit their funds in an alternate account. These criminals hacked the real estate agents’ email accounts and used the second round of emails to divert the funds to their bank accounts.

Unfortunately a similar case of virtual fraud occurred in the real estate sector last May. The Real Estate Institute of New South Wales reported that a real estate agency’s online bank account was hacked and $757,000 was siphoned away in a series of transfers.

There are significant losses associated with such cyber hacks. Director of Consumer Affairs Victoria, Simon Cohen advises that persons who are purchasing their homes do their due diligence before making deposit payments. He recommends that buyers beware of emails that give different banking information. In fact, it is always best for buyers to call their real estate agents to verify all payment details before transferring any funds. Any individual or business that discovers that payment was made to an incorrect account should contact their respective financial institutions immediately. Furthermore, real estate agencies are encouraged to regularly review and secure all online systems to rebuff any hacking attacks. If you become a victim of cybercrime, we recommend that you make a formal report to the Australian Cybercrime Online Reporting Network.

We all operate in a globally connected world and we face increasing threats. Therefore it is prudent to adopt the best cybersecurity practices to protect ourselves and our assets.

How much could ‘Free Wi-Fi’ be costing you?

We can all appreciate the availability of an Internet connection when we are away from our home or office connectivity. Some people are on limited data plans, so very often, love the fact that they can save their data and use free Wi-Fi. Free public Wi-Fi is now commonly available throughout most Australian cities as a result of renewed investment in this area. While it is good to have greater accessibility, public Wi-Fi is often unsecured, which makes it fraught with multiple threats to the security of consumers’ personally identifiable information (PII) and banking credentials.

A number of news outlets have conducted experiments to show how easy it is for cybercriminals to access personal and financial information by using public Wi-Fi to hijack mobile devices. In each case, the unwitting participants in the exercise are astonished at how easy it was to convince them to sign on to the rogue Wi-Fi networks and the extent of the exposure of their confidential information.

Last year McAfee conducted a survey of 1200 Australians, of which 42 percent said that they believed that their personal information was as safe when they connected to Wi-Fi while on vacation as when they were at home or at work. This is compounded by the fact that 62 percent of these respondents also indicated that they either did not know or did not care if they were using a secure Wi-Fi connection.

A related survey by Symantec, found that 83 percent of Australians have used public Wi-Fi to log into their email accounts, share media online and even check their bank balances. The prevalence of Wi-Fi connectivity in retail spaces has also influenced consumers to access their financial accounts on unsecured Wi-Fi networks.

A study conducted by lead researcher Dr. Ian McShane at the RMIT University corroborates this trend. The most used public Wi-Fi networks were provided by restaurants and cafes, followed by shopping centres and hotels, and then parks and city squares. Approximately 10 million Australians have accessed public Wi-Fi networks, with 2 million persons conducting financial transactions, and one million performing work-related duties such as accessing emails and sharing files on these networks. According to McShane, Australia ranks as the sixth highest on an international scale for cyber attacks. Public Wi-Fi is also a popular hotspot for criminal activity, so appropriate care must be taken when accessing any such networks.

It is also not enough for adults to be careful when using public Wi-Fi. A lot of children have their own mobile devices (or frequent access to family devices), which generally means that they are accessing Wi-Fi as well. This means that children need to be monitored whenever they are using the Internet, and older children must also be educated about safe Wi-Fi use.  According to Alex Merton-McCann, McAfee cybersecurity blogger, it is important to manage Wi-Fi use among children, especially when vacationing.

The inappropriate use of public Wi-Fi can be very costly. In December 2017, a diner lost $155,000 worth of Bitcoin when he used a restaurant’s unsecured public Wi-Fi. The man had logged into his Bitcoin account at the restaurant to check his account balance. The cybercriminals moved the stolen funds to an untraceable account. Companies located in Japan and South Korea, have also suffered significant financial losses as a result of cyber criminals hijacking digital currency accounts. The vulnerability of these digital currency accounts also extends to payment cards and other online payment vehicles.

According to Dr. Mark Gregory of RMIT University, the implementation of widespread public Wi-Fi in Australia means that government, industry and consumer agencies should develop awareness campaigns on the matter of public Wi-Fi security. Merton-McCann emphasised that it is best to avoid public Wi-Fi to ensure personal and banking information security. Admittedly, it can be difficult to reduce public Wi-Fi use to zero, so as a compromise, consumers should never access personal and banking accounts while using these networks. Public Wi-Fi security can be improved through the use of Virtual Private Networks (VPNs) and also by ensuring that websites and services accessed operate under HTTPS.

What everybody really needs to know… about Cyber Security and Australian Banks

The recent Mandatory Breach Notification legislation has brought the issue of cybersecurity to the forefront of national dialogue. The Australian Prudential Regulation Authority (APRA) asked banks, insurers and superannuation funds to be aware of the risks of cyber attacks.

The Australian banking industry reported a cash profit of $31.5 billion for 2017 and a 6.4% growth rate relative to 2016. It is also important to take into account our nation’s $2.6 trillion superannuation pool, as well as the vast numbers of customers who conduct daily online banking activities. Understandably these facts render the industry, and its customers, as prime targets for cybercriminals.

APRA’s executive board member Geoff Summerhayes indicated that a major data breach at any Australian financial institution is “probably inevitable”, and could even adversely impact the longevity of that institution.  Unfortunately, a number of financial institutions have yet to fully consider how they would handle an online attack, which would be guaranteed to generate significant and costly risks.

According to Summerhayes, cybercrime is a growing and lucrative industry. In the face of the relatively slower adaptation of institutions to the reality of rapidly evolving cyber crime, virtual criminals are reaping huge benefits with very little prospect of being apprehended.

The APRA believes that cyber risk is a significant prudential threat to financial organisations. Large corporations that invest heavily in their own cybersecurity have a reduced risk of an attack resulting in sufficient damage to put them out of business.

However, APRA surveys showed that while there was an increasing awareness of cyber risks, improvements still need to be made. While some companies may have documented incident response policies to counter any possible virtual attack, these plans have not been tested and incorporated into their overall disaster recovery framework.

In light of these circumstances, the APRA has revealed its first prudential standard on information security, which will set the minimum requirements for the sector to manage cyber risks. Financial institutions will be required to conduct regular testing of their cyber defenses, implement strong detection systems, and delegate senior staff members to be in charge of cybersecurity. According to Summerhayes, these preventative measures will strengthen the banking sector, reduce the likelihood of successful virtual attacks, secure Australians’ confidential information and support national stability.

To Businesses Who Want to be Cyber Safe… but Don’t Know How to Get Started

Small and medium-sized businesses (SMB’s) are not exempt from cyber attacks. In fact, close to 60% of all breached organisations can be categorised in this segment. The recent Mandatory Data Breach Notification law now also means that there are hefty consequences for ignoring the protection of customer information.

This legislation requires that all eligible data breaches are reported to the affected individuals and the Australian Privacy Commissioner. Any failure to report an eligible breach can result in heavy fines levied against sole proprietorships ($420,000), partnerships and/or companies ($2.1 million). Therefore it is essential that SMB’s keep abreast with the latest developments and relevant statistics in the cybersecurity sector.

The issue for most businesses is though, that they don’t know where to start. The segment known as ‘cybersecurity’ is rather large and covers many areas. For SMB’s in particular, they often don’t have a designated person to look after this for them, unlike larger organisations, and they are left to wade through the many options available themselves, or turn to their dedicated IT person.

So where does a business start? To best answer that question, it is important to know the motives behind these attacks in order to be able to deter them. According to data published in the 2018 Data Breach Investigations Report (DBIR), approximately 76% of breaches are financially motivated, no real surprise there I hear you say.

The 2018 DBIR indicates that phishing is the most popular initial access method used by criminals, with roughly 92% of malware being delivered via email. Phishing is a form of social engineering where cybercriminals use emails to pose as legitimate persons or institutions to deceive others into revealing personal, confidential and financial information.

These emails in the past used to be a lot easier to pick up, often littered with spelling mistakes, poorly replicated logos, non-matching domains from the email sender and the like. This is now not as often the case and the criminals have upped their game. The emails are now a lot more sophisticated, are not as easy to spot and in many cases, now closely resemble the emails sent by legitimate organisations.

Now here’s the key takeaway from all of this. The Ponemon Institute’s 2017 report indicates that 54% of data breaches were due to negligent employees. Therefore the recommendation is that SMB’s should invest in training their personnel to detect and avoid phishing emails, and also run frequent controlled phishing campaigns to ensure compliance.

Ransomware is the top category of malicious software that is used in approximately 40% of malware-based attacks. This form of malware is popular because it is easily deployed through phishing emails, web-based instant messaging apps, drive-by downloads and malware-laden advertisements. Ransomware is also an effective means to illegally obtain large sums of money with a low risk of prosecution and imprisonment.

According to the Ponemon Institute’s 2017 report, close to 60% of small businesses have reported that cyber attacks are becoming more complex and destructive. Cybercriminals have become savvier by using techniques that circumvent standard security measures. In 2017 a staggering 77% of these attacks utilised fileless techniques. These techniques make use of system vulnerabilities (such as browser add-ons) to launch virtual attacks. These fileless attacks are ten times more likely to succeed, as anti-malware software only detects file-based malware.

Your IT person/department can look after the software and hardware eg. firewalls, antivirus, routers, etc, etc… but as you can see here, the ‘human firewall’ is most often, your last line of defence. So make that part as bulletproof as possible. And finally, the answer to the earlier question is… to train everybody within the organisation. Awareness training, phishing simulations and generally keeping this critical issue front of mind are key.

Cybercrime – The Human Element Beyond IT

ybercrime is on the rise. Not only are rates of cybercrime increasing but its breadth and depth have reached a level of sophistication that is disproportionate to our defences. It has now become a well-organised operation perpetrated by highly skilled professionals with the capability to undermine organisations large and small.

The American based Target Corporation was the object of one particularly damaging case of cybercrime. In December 2013, Target publicised that the credit card details of 40 million customers had been the subject of cyber theft; and an additional 70 million customers had personal information including their names, addresses, email addresses and phone numbers stolen.

Closer to home, organisations are regularly scanned for weaknesses in their defences as the sophistication of cybercrime evolves, with harmful malware having the capacity to sit unnoticed for weeks before an actual theft takes place.

Our very real problem that we are now faced with is that organisations are not necessarily able to compete with this new level of sophistication. Moreover, the risk of cyber attack has always been viewed as a function of IT and responses to cyber threat have been acted upon as such.

But the IT security function alone is not an adequate enough to safeguard against this new sophisticated cyber threat. In order to build a strong defence, organisations must look beyond the IT based nature of conventional cyber crime and understand the contribution that humans often make in cyber breaches.

Organisations have become extremely savvy at building robust fire walls that are able to block just about any potential threat; however these defences are redundant if they have not been able to predict what may be planned against them.  It is critical that organisations maintain a channel into the cyber community networks where potential attacks are being plotted, in this way they will be armed with information about where their potential weaknesses are as a business.

In order to stay ahead of the cyber criminals, organisations need to acknowledge that its people that commit crimes, not computers; and that unfortunately it can be people from within organisations that are complicit in these crimes. Cyber criminals are able to infiltrate at any point of weakness, which can often mean exposing the vulnerabilities of staff or someone close to the organisation who is able to access, test and deploy malware into the system.

The Three Lines of Defence model is the ideal way to mitigate risk across an organisation. The first line of protective controls includes building a strong fire wall to secure the network. This line of defence acts as the gatekeeper of the traffic which may or may not pass through. The second line of defence revolves around watching out for external threats such as analysing conversations in chatrooms, and engaging in network vulnerability tests. Lastly, measures must be taken to protect the organisation from internal threats. This may include conducting background checks of staff, ensuring that sensitive information is only available to a select few.

The Three Lines of Defence model is a great start to circumventing any potential cyber threat. However this can only take an organisation so far, as the unpredictable nature of the human condition can ultimately leave an organisation vulnerable to cyber threat, especially in the current environment where threats may emanate from within and outside of the organisation.

Cyber Security – the insider threat

Generally when we think of online hackers, we think of faceless perpetrators whose intention is to scam us out of our hard earned money in one swift malicious attack.

But what if the actual threat of cybercrime is right in front of you, in plain sight?

Organisations of all sizes are at risk of cyber threat from within their own organisation. While companies spend a considerable amount of time and energy on evading external cyber threats, experts have argued that more than 60% of attacks are coming from within the walls of a business.

Many of these attacks have been intentional, however there have been cases where attacks have been committed inadvertently. This can happen staff may become careless with data or accidentally undermine a company’s secure IT systems.

One local case where an internal threat occurred from within was at fashion brand Showpo, whose customers were reporting that they’d been contacted by its competitor. Information began to surface implicating an internal source had obtained personal information and shared this with the competitor.

A UK analysis of insider cyber threat cases found that the motivators behind internal attacks are usually centered around financial gain and revenge.

With the rise in internal cyber threats, the Federal Attorney General’s department has overhauled its ‘Managing the insider threat to your business’ publication which aims to educate managers on how to best navigate their approach to internal cyber security. They suggest implementing sound recruitment procedures which include thorough checks of new staff and tighter security controls on internal access to data.

Experts suggest that it’s important for organisations to be as vigilant towards external cyber threats as internal threats and that there are many ways to do this by monitoring staff behaviour, directing funding and educating employees.

The rise of phishing attacks

A recent study by Tripwire has found that more than half of all security professionals surveyed had noticed a rise in phishing attacks at their organisation in the past 12 months. Alarmingly, the survey also uncovered that these professionals believed that their company was ill-equipped to protect themselves against these scams.

It comes as no surprise that the increase of phishing attacks is one of the most significant cyber security threats to organisations today. Therefore it’s imperative to arm all staff and board members with the knowledge to identify these scams in order to protect our company data.

The following list outlines 6 common phishing attacks:

1. Deceptive Phishing

This is the most popular phishing scam used. It occurs when cyber criminals pretend to be a legitimate company with the aim of stealing an individual’s personal information. These emails often use threats to get what they want. Be wary of generic greetings or requests for information that the sender should already have. Errors in syntax and spelling are often a giveaway that you’ve been targeted in a deceptive phishing attack.

2. Spear Phishing

Spear fishing is a more personalised version of deceptive phishing. For example criminals will customise their scam email with the recipient’s name, position, organisation or even phone number, in the attempt to hoodwink the target into believing that they have an established relationship. In much the same way as deceptive phishing, the aim of this scam is to trick the recipient into clicking onto a malicious link, thus exposing their personal data.

3. CEO Fraud

In this scenario, the criminals will impersonate an executive’s email address and use it to request payments and transfers from others within the organisation.

4. Pharming

This new type of phishing scam involves exploiting the internet’s naming system server (DNS) which converts website names to IP addresses. In this type of attack the criminal targets a DNS server and alters the IP address in order to redirect victims to a malicious website, even if the victims entered in the correct website name originally.

5. Dropbox Phishing

Some phishers customise their scam emails to mimic a company or service such as Dropbox. In this scenario a victim is sent a realistic looking email claiming it has come from Dropbox requesting the user to click onto a link which then installs malware onto their computer.

6. Google Docs Phishing

Just like Dropbox phishing, the criminals use the Google brand to lull victims into a false sense of security in order to harvest their personal details. A message is sent to a user to view a document on Google docs, and whilst the landing page is on Google drive, when the victim’s personal credentials are entered they go straight to the criminal.

Before you go, get a demo of our next-gen security awareness platform and see how we can help reduce your client's human risk.
Thanks, Not Interested
Get a demo of our next-gen security awareness platform today. Please fill in the form below and a member of our team will be in touch shortly.
Get a demo of our next-gen security awareness platform today. Please fill in the form below and a member of our team will be in touch shortly.
Thanks, Not Interested
Get a demo of our next-gen security awareness platform today. Please fill in the form below and a member of our team will be in touch shortly.