Commentary by Ankur Kumar, UNE Chief Information Security Officer 

With high speed internet connectivity and devices that are always connected to the internet, cyber-attacks are increasing year on year.

Let’s look at ‘phishing’ emails and how we can successfully defend against them. We’ve all received phishing emails at least once over the last 6 months. If we’re informed and aware, we’ll identify that it’s a phishing email and not fall into the trap the scammers have set for us.

Here at UNE, we’ve already implemented security measures to protect staff against phishing emails. However, scammers are constantly improving the phishing emails they create, and even the best technologies are not 100% successful in stopping them, so we still need to exercise due diligence.

So, what is Phishing?

In simple terms, phishing is a social engineering attack performed over email or some other communications platform. These attacks are designed to get someone to click on a link, download an attachment, share sensitive data, or take some other action for the benefit of the attacker – and often at a cost for the victim.

Social engineering is the art of manipulating people so they give up confidential information. The types of information these scammers want can vary, but often will be passwords or bank account access details. They may want to access your computer to secretly install malicious software in order to get this information next time you log in or access your bank account.

Scammers use social engineering tactics such as Phishing because it’s usually easier to exploit our natural inclination to trust than it is to discover technical ways to hack your computer. For example, it is much easier to fool someone into giving their password than it is for the hacker to try brute forcing their password.

Phishing is a general term used when the same email is sent to a large number of potential victims. When a scammer uses a customised email using some information that they have about you, and it’s sent just to you, we call this Spear Phishing.

 

Examples

Phishing attacks are most commonly performed through emails. Many of these emails are designed to look just like a legitimate email and some common examples are the following:
 
Account Issues: A common phishing tactic is to tell someone that there is an issue with one of their online accounts (Amazon, Netflix, PayPal, etc.) and direct the victim to click a hyperlink. If the link is clicked, the attacker would be able to take control of the system.
 
Business Email Compromise (BEC): in this form of Phishing, the scammer will impersonate a person in authority (Vice Chancellor, Deans, Executive Principals, members of the management team, etc.) and instruct the victim to, for example, transfer funds to the scammer’s account.
 
Fake Invoice: This form of Phishing is where the scammer masquerades as a vendor seeking payment for an outstanding invoice. This scam is either designed to have the victim send money to the scammer or to get them to download and open an attachment containing malware.
 
Fake Parcel Delivery Notifications: These notifications are typically an email or SMS message pretending to be from a legitimate parcel delivery business like Australia Post, DHL or FedEx, claiming you have an ‘undelivered package’ awaiting your collection.
 
Don’t get caught in a scam
 
Scammers want to trap you – but don’t let them. We’ll take care of as much scamming and spamming as we can, but be on the lookout for any signs that an email is a phishing attack. So while most of your email will be legitimate, use the SCAM rule to do the four basic actions. 
 
 
Verify the sender before you open an email. If it’s from a legitimate sender, check the content and any action that you are being asked to take. If the email is suspicious and you’re just not sure what to do, please contact the IT Service Desk on ext 5000 or via the Contact IT portal on the UNE website for help. 
 

How to detect a scam

Phishing emails are designed to look as genuine as possible in order to maximise their chance of tricking you. However, there are some typical signs of phishing emails which we can check to confirm whether the email you received is a phishing email. Some of them are listed below:
 
Sender Address: Phishers will commonly use email addresses that look like a trusted or legitimate one in their attacks. Always check the sender’s address for errors, but remember that an attacker may have compromised the real account and is using it for their attack.
 
Salutation: Most companies personalise their emails by addressing them to their recipient by name, but a phisher may not know the name that goes with a particular email address. Be suspicious of salutations such as “Dear Customer”.
 
Mismatched Links: Always check any hyperlink in an email by hovering over it without clicking the link. If the link doesn’t match the legitimate company’s address, the email is likely to be malicious. An example:
 
Odd Attachment Types: Phishing emails are frequently used to spread malware. If you receive an “invoice” that is a ZIP file (files ending with ‘.zip’), an executable (files ending with ‘.exe’) or something else unusual, then it’s probably malware.
 
Tone and Grammar: Phishing emails often won’t sound right and will include spelling and grammar issues. They may invoke urgency by threatening to close your account. Legitimate businesses don’t send misspelt emails and certainly don’t threaten you with imminent closure; an email that does is likely a scam.
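As an added example (not part of this commentary or of UNE’s own mail filtering), here is a short Python script that applies the signs listed above to a single raw email: a lookalike sender domain, a generic salutation, urgency wording, a risky attachment type, and a link whose visible text names a different host than its real destination. It assumes une.edu.au as the trusted domain and runs over a constructed sample message.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

TRUSTED = "une.edu.au"  # assumption: the organisation's genuine mail domain
RISKY_EXT = (".zip", ".exe", ".js", ".scr", ".iso")
URGENT = ("within 24 hours", "will be closed", "suspended", "immediately")
ANCHOR = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
LOOKS_LIKE_URL = re.compile(r"(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?", re.I)
def host_of(s: str) -> str:  # hostname of a URL or bare domain, lowercased
    return (urlparse(s if "://" in s else "http://" + s).hostname or "").lower()
def check_message(raw: str) -> list[str]:
    """Apply the signs from the article to one raw email; return the indicators found."""
    msg, flags, html = message_from_string(raw), [], ""
    sender = host_of(parseaddr(msg.get("From", ""))[1].rpartition("@")[2])
    if sender != TRUSTED and TRUSTED.split(".")[0] in sender:  # lookalike sender address
        flags.append(f"lookalike sender domain: {sender}")
    for part in msg.walk():
        name = part.get_filename()
        if name and name.lower().endswith(RISKY_EXT):  # odd attachment type
            flags.append(f"risky attachment: {name}")
        elif part.get_content_type() == "text/html":
            html = part.get_payload(decode=True).decode(errors="replace")
    text = re.sub(r"<[^>]+>", " ", html).lower()
    if re.search(r"\bdear (customer|user|member|client)\b", text):  # impersonal salutation
        flags.append("generic salutation")
    if any(phrase in text for phrase in URGENT):  # tone: threats and deadlines
        flags.append("urgency language")
    for href, label in ANCHOR.findall(html):  # mismatched links: shown host vs. real host
        shown = re.sub(r"<[^>]+>", "", label).strip()
        if LOOKS_LIKE_URL.fullmatch(shown) and host_of(shown) != host_of(href):
            flags.append(f"mismatched link: shows {host_of(shown)}, goes to {host_of(href)}")
    return flags

# Constructed sample (not a real message) that shows all five signs at once
SAMPLE = """\
From: IT Service Desk <helpdesk@une-edu-support.com>
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html

<p>Dear Customer, verify within 24 hours at <a href="http://login.une-edu-support.com/">https://my.une.edu.au</a></p>
--b1
Content-Disposition: attachment; filename="invoice.zip"

--b1--
"""
```

Calling `check_message(SAMPLE)` returns one indicator per sign; a genuine message from une.edu.au with matching link text and no risky attachment returns an empty list.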