By Yoke Chui
Around the world, cyber-crime is costing $600 billion of damages a year. It has affected many different sectors from hospitals, manufacturing, government agencies to schools and small businesses. No specific business sectors are left out from cyber-attacks. New Zealand is a small country and geologically somewhat isolated, but we are not immune from cyber-attacks. According to Netsafe, the estimated financial damages in New Zealand is somewhere between $250 to $400 million. This figure could be much higher as only 4% of all attacks are reported in New Zealand.
Today we are going to look at one of the most commonly used methods in cyber-attacks called phishing.
What is Phishing?
Phishing is a technique to deceive users into divulging valuable information such as credit card numbers, usernames and passwords. Phishing is generally initiated by emails, but can also appear in instant messaging and mobile text messages. These messages typically look like they come from a trusted source such as a friend, work colleague or a business liaison to fool us into believing it to be genuine. They generally include a link to an online website (a mock version of a trusted website), which you innocently navigate to and attempt to log in by entering your username and password. Wham! The criminals now have the necessary means to log into your internet banking account. This is just one consequence, they can also trick you into entering your credit card details or to download and install malware.
At Lucidity, our customers who subscribe to the Managed email services and Managed Desktop are somewhat protected due to the routine security patching deployment, firewall monitoring, email filtering and backups carried out by our diligent team of staff. Lucidity takes information security seriously and is following the industry standard guidelines in managing Information Security.
However, despite the technologies in place to safeguard against cyber-crime, humans provide a vulnerability in the Information Security chain especially in phishing. Having an awareness of it will safeguard you against the damages and inconvenience caused by clicking a link or downloading an attachment that contains malicious code or has intent to capture personal or security details.
Phishing attacks are the most rampant and prevalent forms of cybercrime in recent years and it is lucrative. Therefore, it is here to stay and it will adapt as time goes. One of our most effective counter measures is to make ourselves aware of the tricks in phishing so that we can avoid it.
Be Phishing Wary
Cyber criminals are incredibly sophisticated and are very good at their fraudulent crafts. It can be difficult to spot a phishing message, however there are a few tell-tale signs that can indicate a message isn’t authentic. You need to be alert to spot them.
While the following isn’t proof that the message is Phishing, they should at the very least raise a warning flag, and prompt you to proceed with caution.
1. Was the message unexpected? Does it seem out of the ordinary?
2. Does the message seem to have poor grammar? Email from large organisations such as banks have a dedicated team of staff to proof read and edit an email first before sending out to their customers. So it is unlikely that they will allow such an email to be sent out.
3. Does the message contain links or attachments? Attachments can contain malicious code, websites can contain malicious code, websites can be fake imitations of trusted websites.
4. Are you being prompted to divulge personal details such as username/password, credit card details etc? This can be tricky because you probably expect your Online Banking site to prompt you for a username and password. If you have landed at a website via an email link then you should be wary.
5. Is the message invoking a sense of fear and/or urgency?
A phishing email may contain threats that your security has been compromised, “you must follow the instructions in the email or your account would be closed”. This is a trick to invoke your fear of losing access and creating urgency by prompting you to immediate action. See Gmail email phishing example.
If you spot any of the following then do not follow links and do not open attachments.
1. Sender address seems unlikely
See example of a phishing email presumably sent from Westpac bank. However, on closer look, you will see that the email address from Westpac bank is not genuine. Westpac bank will never send an email from a public gmail account.
In the 'Inland Revenue' phishing email example, the sender email address is inconsistent with the actual Inland Revenue domain name address of ird.govt.nz
2. Inconsistent links
Some phishing emails come with links. If you see a link don’t click straight away, instead hover over it to see if the address matches the link that was typed in the message, or is a recognised and trusted address. In the example below, the link reveals the real web address which looks nothing like the ASB bank’s web address. Can you spot the bad grammar in the 'ASB' email example?
What can you trust?
If you are requested to enter your username and password on any website, check that the website has a valid SSL certificate. An SSL certificate is a standard encryption technology enabling secure communications between a client web browser and a web server hence it protects your sensitive information such as credit card information, username and password from being hacked.
As per the example below, if the padlock is green then it is an indicator that the website has a valid SSL certificate and the website is safe to use.
So what should you do if you receive a suspicious phishing email?
- Delete it immediately to prevent yourself from opening it accidentally later on
- Do not reply to the sender as it validates your email address with the sender
- Black list the email address or contact Lucidity to assist you with email blacklisting
- Report it so that others can avoid the phishing scam:
You can report it to the Lucidity Support Team on 0800 467 833 or firstname.lastname@example.org
You may also contact the New Zealand National Computer Emergency Response Team (CERT) on 0800 2378 69 (0800 CERT NZ) for free advice and report a cyber security incident. CERT is a government organisation that provides advice and alerts to its customers on how to respond and prevent further attacks.