Improve your organisation’s data protection measures by implementing an information security management system.
Cyber security is a fast-moving sector, as both hackers and security providers vie to outsmart each other. New threats to your data – and innovative ways to combat them – emerge all the time.
The Covid-19 pandemic forced most organisations to shift to remote work, making employees even more dependent on their devices. It’s normal for remote workers to switch between a range of mobile devices, such as tablets and phones, using public Wi-Fi networks and remote collaboration tools. As a result, mobile threats continue to grow and evolve. The ongoing rollout of 5G technology has also created potential data security vulnerabilities that will need to be patched as they become known. The ACSC Annual Cyber Threat Report 2020-21 stated that the ACSC “received over 67,500 cybercrime reports, an increase of nearly 13 per cent from the previous financial year”, and added that a larger proportion of these cybercrime reports was classified as ‘substantial’ in impact this year.
Working from home poses new cyber security risks and drives new attack trends. Here are five signs your data may be under attack:
Have you ever received a suspicious text from a company you may know of, or one you’ve never heard of, offering you an incentive to click on a link? SMS phishing involves a scammer contacting you via text, often with a malicious link attached. Once the link is clicked, scammers infect your device with malware or spyware. However, there are other directions scammers might take, including tricking you into dialling a pay-per-minute phone number, signing you up to a subscription, or harvesting your personal information.
Case Study: PayPal
Earlier this year, a new SMS scam campaign was launched and disguised itself as PayPal, a well-known online payment system. Usually, when PayPal detects suspicious activity, an account status changes to “limited”, and temporary restrictions on sending, withdrawing and receiving payments are placed.
The scammer uses this to their advantage and mimics the SMS notification to warn people that their account has been “permanently limited” unless they click on the link and verify themselves. This link redirects targets to a phishing page that imitates PayPal’s log-in page. Victims enter their log-in details and are then asked to enter their name, date of birth, address, bank details and more. This information is collected and used to conduct identity theft, access other accounts and personalise further attacks.
Anyone who has entered their details through this link should change their PayPal account password and details immediately via the genuine PayPal web address. If you’ve used the same password for other websites, you must change the password on those accounts too, and alert PayPal of any suspicious activity.
Tips to avoid threats from SMS Phishing:
- When using open public Wi-Fi, use a virtual private network (VPN).
- Check your phone bill for suspicious activity.
- Install your phone’s updates as they become available.
- Avoid clicking on suspicious links or entering questionable giveaways.
Do you have large amounts of spam emails coming through every day? Email is one of the most used forms of formal communication, especially for businesses. This is why emails are a huge focus for scammers to steal your data. There are several types of email threats.
Malware delivery by spam
Malware delivery by spam is one of the most common and damaging cyber attacks delivered via email, and it is relatively successful when targeted at employees. Scammers send spam emails imitating legitimate senders such as customers, suppliers and partners. Victims are fooled into downloading malicious attachments, and signs of infection are not always instantly noticeable. Hence, scammers can remain unnoticed while spreading the malware further into the IT systems, until the entire infrastructure becomes infected.
Credential theft via phishing emails
Credential theft via phishing emails is similar to spam; however, these emails tend to be more personalised and direct. For example, a previous data breach could leak a list of customers and their personal details to scammers, who then use this list to craft carefully curated spear-phishing emails for their victims. A scammer may even outright deceive a victim and ask for an admin’s personal details.
Business email compromise attacks
Business email compromise attacks are a highly sophisticated form of spear phishing that targets executives and CEOs, in which scammers invest a large portion of their time uncovering high-ranking employees’ habits and behaviours. After collecting valuable information on the victim, scammers craft a highly realistic email impersonating a known or credible individual who would plausibly be associated with them. This method is mostly used to obtain secrets or steal money.
Malicious bot and DDoS attacks
Malicious bot and DDoS attacks aim to crash the victim’s server. Scammers can use hijacked botnets to flood a targeted business with emails until the system overloads and crashes.
Authentication attacks on email servers
Furthermore, authentication attacks on email servers are used to gain access to email inboxes themselves and stored attachments.
Vulnerabilities of email servers
Lastly, vulnerabilities in email servers that scammers identify can be exploited to gain access to sensitive data and to infect neighbouring IT systems.
Tips to avoid email threats:
- Clients, employers and employees should remain educated and aware of cyber threats.
- Due to the increased sophistication of email threats, it’s important to secure the server, so spam emails are filtered.
- Research email security tools.
- Look into load balancers to avoid system overloads that affect performance.
- Keep email servers up to date with the latest patch to avoid software vulnerabilities that remain a target for scammers and hackers.
One Ring Scams
If you’ve seen one missed call from an unknown or private number, you may feel inclined to call back to find out the purpose of the call. One ring scammers use this curiosity to their advantage, hoping their targeted victim will call back without realising they’re being charged an international calling fee. On some occasions, a voicemail will also be left to encourage the victim to ring back.
Tips to avoid threats from one ring scams:
- Screen unknown caller IDs with your voicemail. Avoid encouraging scammer activity by not picking up unknown numbers.
- Before calling unfamiliar numbers, check to see if the area code is international.
- If you do not make international calls, ask your phone company to block outgoing international calls on your line.
- Always be cautious, even if a number appears authentic.
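As an added illustration of the “check whether the area code is international” tip, the script below (not part of the original article) triages a constructed missed-call log and flags calls whose return call would be billed as international. It assumes an Australian handset (home country code +61, international dialling prefix 0011) and uses made-up numbers.

```python
import re

# Assumed Australian defaults, since the article is written for an Australian audience.
HOME_COUNTRY_CODE = "61"       # +61 numbers are domestic even though they carry a country code
INTERNATIONAL_PREFIX = "0011"  # Australia's international dialling prefix


def normalise(caller_id: str) -> str:
    """Strip spaces, hyphens, dots and brackets, leaving digits and an optional leading '+'."""
    cleaned = re.sub(r"[\s\-().]", "", caller_id.strip())
    if not re.fullmatch(r"\+?\d{3,}", cleaned):
        raise ValueError(f"not a dialable number: {caller_id!r}")
    return cleaned


def is_international_callback(caller_id: str, home_cc: str = HOME_COUNTRY_CODE) -> bool:
    """True when returning this missed call would be an international call.

    Handles E.164 ('+44...'), the explicit 0011 prefix and local formats ('04xx', '02...').
    """
    number = normalise(caller_id)
    if number.startswith("+"):
        return not number[1:].startswith(home_cc)
    if number.startswith(INTERNATIONAL_PREFIX):
        return not number[len(INTERNATIONAL_PREFIX):].startswith(home_cc)
    return False  # anything else dialled from a local handset is a national number


def triage_missed_calls(calls):
    """Label each missed-call record. A single ring from an international number is
    exactly the pattern described above: screen it via voicemail, do not call back."""
    verdicts = []
    for call in calls:
        intl = is_international_callback(call["number"])
        if intl and call["rings"] <= 1:
            verdict = "do not call back: one-ring international"
        elif intl:
            verdict = "check before calling back: international"
        else:
            verdict = "domestic"
        verdicts.append((call["number"], verdict))
    return verdicts


# Constructed sample call log; the numbers are fictional, not real callers.
SAMPLE_CALLS = [
    {"number": "+44 20 7946 0958", "rings": 1},
    {"number": "0412 345 678", "rings": 4},
    {"number": "+61 2 5550 1234", "rings": 1},
    {"number": "0011 33 1 99 00 00 00", "rings": 3},
]

if __name__ == "__main__":
    for number, verdict in triage_missed_calls(SAMPLE_CALLS):
        print(f"{number:>24}  {verdict}")
```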
Voice phishing is when a scammer rings their victim and pretends to be from a trusted organisation. You may know these as telephone scams.
Scammers use a technique called “call spoofing” to appear with a legitimate caller ID, such as Telstra or the ATO. These calls commonly play an automated script when the victim picks up, although a real person may be on the line too. Either way, the caller typically pressures the victim or threatens them with penalties to push them towards the desired action and outcome.
Tips to avoid threats from Voice Phishing:
- Screen calls with your voicemail. Avoid encouraging scammer activity by not picking up unknown numbers.
- Block numbers from unwanted callers.
- Do not press buttons or respond to prompts.
- Install your phone’s updates as they become available.
Unfortunately, while genuine individuals and organisations want to help people through a difficult time, scammers are using people’s caring nature to profit. Scammers ensure their charity scams appear authentic and credible by imitating existing charity organisations or creating sophisticated fraudulent charity organisations. These charity scams usually target the general public and charity workers themselves.
Case study: Australian bushfire charity scams
In 2019 and 2020, devastating bushfires raged across Australia and, sadly, the number of fraudulent charity scams rose with them. Hayley Chamberlain was one of many victims targeted by scammers. She encountered a man asking for bushfire donations through her inbox and grew suspicious of his claims. ABC News pointed out that there were “500 bushfire-related scams circulating, including fake websites that look identical to a charity’s”.
Tips to avoid threats from Charity Scams:
- The government will register authentic charities and organisations. To check the Australian charity registry, click here.
- Remember, individuals are unlikely to contact a stranger for money directly.
- A scammer’s website may look exactly like a genuine charity organisation’s website. Be cautious.
- Look out for vague wording and information; this could be an indicator of a scam.
- Research additional information and media coverage. This could prove their credibility and provide reviews.
- Question GoFundMe pages and stay cautious with charities you find on social media.
- Donate directly to an authentic registered charity rather than through third parties.
- If you’ve been scammed, contact your bank to recover lost funds and report it to the ACCC through its ‘report a scam’ website.
As technology advances, scams are becoming more sophisticated and harder to detect. Trust your gut, and if unsure, question everything and do research. Educate and inform your employees and develop a cybersecurity system that can prevent minor to major cyber attacks.
To ensure your business’ and customers’ data remains secure, consider becoming certified to ISO 27001. ISO 27001 addresses your information security risks and kick-starts a cycle of continual improvement in how you manage digital threats and information security. Cybercriminals often target small and medium-sized businesses because they recognise that information security is frequently not a priority for them. However, anyone at any time can be a target. Getting certified to ISO 27001 shows your customers that their confidential data will remain exactly that as they do business with you.
Are you interested in learning more about implementing an Information Security Management System? Click here.