Operating online can open up a world of opportunities for businesses and individuals. But it can also open up users to a world of risk. auDA’s Director Technology, Security and Strategy Rachael Falk discusses one of the most common methods criminals use to steal sensitive personal and business information: phishing.
A phishing email (or sometimes a SMS or instant message) is an email purporting to be from a usually large, trustworthy organisation or government department. These emails or messages often invite you to open a link or attachment that will either lead you to a malicious website or install malicious software — malware — on your device.
When you click on the link, and it goes to a malicious website, it may be designed to look as genuine and innocuous as the real website. However, it will encourage you to enter confidential details like name or password or date of birth, which may be captured and sent to the scammers.
Phishing emails all have one thing in common: they ask you to click on a link or attachment.
Authorities and cyber experts have been warning internet users about phishing scams for many years — we first saw them in Australia in 2003 — but an ever-increasing level of sophistication on the part of cyber criminals means internet users need to stay alert.
While some phishing scams are still unsophisticated, replete with spelling errors and incorrectly formatted graphics, many of today’s phishing messages can look every bit as convincing as legitimate emails. Even expert computer users having difficulty discriminating between scams and the real thing.
In an effort to gain the trust of unsuspecting victims, phishing emails will often purport to be from some of Australia’s largest and most recognised names, such as banks. The most effective phishing emails or messages use similar language and graphics to what you’d expect the real deal to look like and, according to the ACCC, have cost Australians more than $260,000 in 2017 alone.
While phishing is one of the most widespread cybercrimes, it’s also one of the easiest to thwart.
At its simplest, don’t click on links in unexpected emails or messages. For even better security, don’t click on any links in any emails. Instead, go directly to the sender’s website in a browser and log in to view any details that way.
While avoiding clicking links in emails can protect you from phishing scams, it is unfortunately inconvenient in practice. One way around this is to check the URL of links in emails before clicking on them. If, for instance, you receive an email purporting from XYZ Bank, it would be reasonable to expect any links in the email to link to xyzbank.com.au. If the links do not, it does not necessarily indicate that the email is a phishing email — organisations have many reasons to use domains other than their own main domain — but it would be worth visiting XYZ Bank’s website directly, or if clicking through the link, not entering any personal details on the resulting page.
If you are in any doubt about the veracity of an email you have received, the simplest action is no action: don’t click on any links and either visit the genuine website of the business or contact the business directly. While there isn’t any single indicator of a phishing email, a glance at the email, the sender and any links may raise red flags that the email is malicious. Interacting online need not be inherently unsafe and following these simple steps, you can ensure you have safe and productive interactions online.
Facts and Tips to Avoid Getting Scammed
So far in 2017:
Read more: Protection from the inside out
- More than 11,000 reports of phishing scams
- Nearly $260,000 lost
- Phishing is the most popular type of reported scam
- Australians aged 65+ are the most vulnerable to phishing
- Phishing usually utilises email, but may also use the phone
- “Are you expected?” By far the simplest way to mitigate damage from scams is to avoid the scam in the first place. For example, have you received a bill from a company you don’t have an account with? Then it is simple, delete the email! If you are not expecting an email from a sender and they are asking for personal details, then don’t click on it and treat it with extreme caution!
- Consider the Sender Take a look at the address the email comes from, not just the sender’s name, but the actual domain. You can double click on the sender to see whether they are sending from the company email the purport to come from. For example if they say they are from XYZ Bank then their email address should read email@example.com. If the address is not what you expect, exercise caution with the email. It is important to note that while sender addresses can be spoofed to look genuine, it is a good indicator whether the email is malicious or not.
- Dear Sir/Madam Genuine emails from organisations like banks, telcos and utilities will often include your name and identifying details known only to you and the sender, such as an account ID. If the email’s content is predominately generic, the email may not be genuine.
- You’re Account is Due to Expiry Real content writers usually value the use of correct grammar and spelling. Although even the largest, most professional companies miss the occasional typo in their content, some phishing emails are replete with obvious spelling and grammar errors.
- Think Before You Click Are there links in the email? To avoid visiting a malicious site, it’s best not to click them. If you must click them, check that the URL they link to is what would be expected from the sender (i.e. an email from XYZ Bank goes to XYZbank.com.au).