Phishing - Phony Emails & Fake Websites

The words “cyber crime” are on everyone’s lips: the Sony hack, the Target breach and the Ashley Madison leak are topical examples, but don’t let the media’s disproportionate coverage of large-scale cyber crime over small-scale cyber crime blind you. If you use the Internet, you ARE a target. If you email colleagues, shop online, use internet banking, watch YouTube videos, follow sports scores or just read the news, this article is for you.

Online use does not have to be risky. Adult Learners’ Week is the perfect opportunity to get a bit more tech-savvy, and a lot more tech-safe. A little awareness goes a long way. Use these tips to sniff out anything fishy a mile away.

Fishing (noun): The activity of using bait to catch fish, for sport or leisure.

Phishing (noun): The criminal activity of using fake bait to acquire sensitive information for malicious purposes, usually financial gain.

What is phishing?

Phishing occurs when a cyber criminal masquerades as a trustworthy entity to obtain sensitive information such as credit card details, usernames and passwords, generally in order to steal your money.

How is it done?

The most common form of phishing is email: an attacker sends fraudulent messages to victims in the hope that they will surrender sensitive information or click malicious links. Attackers also use phishing websites, where a link in the phishing email leads the victim to a matching fraudulent site that harvests whatever is typed into it.

Attackers also use direct human interaction to obtain sensitive information. Social engineering is often combined with phishing, both to maximise the information gathered and to appear more legitimate. Asking for credit card details by email is a red flag for most people, so an attacker may instead pose as a reputable company by email to collect lower-risk details such as date of birth, address and employer, then follow up with a phone call from a fake sales representative of the same company, who now has enough context to sound genuine when asking for the credit card details.

What happens next?

The victim either authorises a direct bank transfer or gives the attacker enough details to impersonate them. With that information the attacker can, all in the victim’s name, apply for credit cards, bank accounts and financial services; claim benefits such as housing benefit, income support and job seeker’s allowance; apply for a driver’s licence; register a vehicle; apply for a job; apply for a passport; or sign up for contracts (mobile phone, internet, Foxtel, subscriptions).

Malware, short for malicious software, is the other common payload: a link or attachment in the phishing email installs it. Once on a computer it may cause obvious problems such as slow performance, unexplained crashes and spontaneous reboots, but it can also run silently, logging keystrokes to capture usernames and passwords for email, online banking and other private accounts.

How to spot malicious emails and web pages:

The following are red flags for suspicious emails and webpages:

Sender:

  • Unfamiliar senders – an address you have never dealt with may be fraudulent.
  • Emails from friends asking you to forward messages or click links and attachments – colleagues’ and friends’ accounts can be compromised to make the email appear to come from a trusted source.
  • Sent from a country, or a domain, that you have no dealings with.

Subject lines:

  • Subject lines announcing giveaways, “congratulations!” or “winner!” – offers that are too good to be true are seldom authentic.
  • Subject lines commonly abused by attackers, such as “Invitation to connect on LinkedIn”, “Mail delivery failed: returning to sender” and “Dear ANZ Customer”.
  • Subject lines that don’t match the contents.

Content:

  • Generic greetings and non-specific salutations such as “Dear Telstra User”.
  • Requests for money, especially distress emails asking for large amounts – these can even be faked to appear to come from a friend or family member.
  • Requests for urgent action – threats to close an account or service, or incredible offers with an expiry date, are an easy trap: victims act in the heat of the moment and hand over personal details.
  • Requests to “validate” or “confirm” personal details by clicking on a link or opening an attachment.
  • Requests to forward the email to multiple people.
  • Poor spelling, grammar and sentence construction – fraudulent emails often originate overseas, so the English may be imperfect. Words can also be misspelt deliberately to slip past spam filters, which detect junk mail and divert it to the “junk” folder.
  • Not-quite-right logos, colours, fonts and layout – attackers build emails and websites that look almost identical to those of well-known, reputable organisations such as banks, phone companies and even government departments. Small details that are slightly wrong can give a fraudulent page away.
  • Unexpected attachments and links, especially where the email gives no reason for them.

Websites:

  • Unusual URLs – fake sites often have a long, peculiar web address, but some use look-alike domains (the real brand name buried inside an address that is actually registered to someone else) or imitate the browser’s address bar, so the user believes they are on the genuine site. Check the address in your own browser before typing anything.
  • Unexpected pop-ups on a computer or mobile device asking for permission to run or install software.
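Several of the red flags above (a sender whose display name claims a brand its address does not belong to, a Reply-To that goes elsewhere, urgency or prize wording, a generic greeting, link text that does not match where the link really points, a brand name buried in a look-alike address, and unexpected attachments) are mechanical enough to check automatically. The script below is an added example written for this page, not code from the article or from any of the organisations named in it. It runs over a constructed sample phishing email and a constructed harmless one; the KNOWN_BRANDS table, the keyword lists and the “last two labels” notion of a registered domain are illustrative assumptions, not a complete filter.

```python
"""Check a raw email for the phishing red flags discussed above.
Example code for this page (constructed samples, illustrative rules)."""
import re
from email import message_from_string, policy
from email.utils import parseaddr
from urllib.parse import urlparse

URGENCY_WORDS = ("urgent", "immediately", "suspended", "verify", "confirm",
                 "validate", "winner", "congratulations")
GENERIC_GREETINGS = ("dear customer", "dear user", "dear member", "dear valued")
# Assumption (illustrative, not from the article): brands the reader deals
# with and the registered domain their genuine mail and links use.
KNOWN_BRANDS = {"paypal": "paypal.com", "anz": "anz.com", "telstra": "telstra.com"}
HREF_RE = re.compile(r'<a\s[^>]*href=["\']([^"\']+)["\'][^>]*>(.*?)</a>', re.I | re.S)
HOST_IN_TEXT_RE = re.compile(r"[\w-]+(?:\.[\w-]+)*\.[a-z]{2,}", re.I)


def registered_domain(host):
    """Crude registrable domain: last two labels, so secure.paypal.com -> paypal.com.
    Caveat: does not understand multi-label public suffixes such as .com.au."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def domain_of(address):
    return registered_domain(address.rsplit("@", 1)[1]) if "@" in address else ""


def phishing_flags(raw_email):
    """Return a list of (code, detail) pairs; an empty list means nothing fired."""
    msg = message_from_string(raw_email, policy=policy.default)
    flags = []

    # Sender: display name claims a brand the address domain does not belong to.
    name, addr = parseaddr(msg.get("From", ""))
    from_dom = domain_of(addr)
    for brand, legit in KNOWN_BRANDS.items():
        if brand in name.lower() and from_dom != legit:
            flags.append(("sender-brand-mismatch",
                          f"display name says {brand!r} but address domain is {from_dom}"))

    # Replies are routed to a different domain than the one the mail came from.
    _, reply = parseaddr(msg.get("Reply-To", ""))
    if reply and domain_of(reply) != from_dom:
        flags.append(("reply-to-mismatch", f"replies go to {domain_of(reply)}"))

    body_part = msg.get_body(preferencelist=("html", "plain"))
    html = body_part.get_content() if body_part is not None else ""
    text = re.sub(r"<[^>]+>", " ", html).lower()   # tag-stripped body
    subject = str(msg.get("Subject", "")).lower()

    # Subject/content: pressure or prize wording, generic salutation.
    hits = sorted(w for w in URGENCY_WORDS if w in subject or w in text)
    if hits:
        flags.append(("urgency", "pressure/prize wording: " + ", ".join(hits)))
    if any(g in text for g in GENERIC_GREETINGS):
        flags.append(("generic-greeting", "no personal salutation"))

    # Links: visible text vs real target, and brand names inside look-alike hosts.
    for href, anchor in HREF_RE.findall(html):
        target = urlparse(href).hostname or ""
        shown = HOST_IN_TEXT_RE.search(re.sub(r"<[^>]+>", "", anchor))
        if shown and registered_domain(shown.group()) != registered_domain(target):
            flags.append(("link-mismatch",
                          f"link text shows {shown.group()} but points to {target}"))
        for brand, legit in KNOWN_BRANDS.items():
            if brand in target.lower() and registered_domain(target) != legit:
                flags.append(("lookalike-link",
                              f"{brand!r} appears in {target}, registered as "
                              f"{registered_domain(target)}"))

    if any(part.get_filename() for part in msg.iter_attachments()):
        flags.append(("attachment", "message carries an attachment"))
    return flags


# Constructed sample messages (not real mail).
SAMPLE_PHISH = """\
From: "PayPal Service" <alerts@secure-paypal-login.example>
Reply-To: recover@mailbox-relay.example
To: victim@example.org
Subject: URGENT: your account has been suspended
Content-Type: text/html; charset=utf-8

<html><body>
<p>Dear Customer,</p>
<p>We were unable to verify your details. Confirm them immediately or your
account will be closed:</p>
<p><a href="http://paypal.com.account-check.example/login">https://www.paypal.com/signin</a></p>
</body></html>
"""

SAMPLE_LEGIT = """\
From: "Jane Smith" <jane.smith@example.org>
To: victim@example.org
Subject: Lunch on Thursday?
Content-Type: text/plain; charset=utf-8

Hi Alex,

Are you free for lunch on Thursday? Let me know.

Jane
"""

if __name__ == "__main__":
    for label, sample in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        print(label, phishing_flags(sample) or "no flags")
```

The “registered domain” comparison is the heart of the look-alike check: paypal.com.account-check.example contains the brand name but is registered to account-check.example, which is exactly the trick the fake-website bullet describes. The harmless message produces no flags, which matters as much as catching the phish: a checker that fires on everything gets ignored.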

How to prevent the negative effects of phishing:

An online user who knows the basic methods of spotting a phishing attempt can use the following tips to protect their own information and that of others:

  • Do not open suspicious emails – delete them straight away. If an email has been opened and doesn’t feel quite right, do not respond to it and do not click anything in it.
  • Always know who you are talking to – check your sources before providing any sensitive information.
  • Verify the authenticity of any organisation by calling it directly on a phone number from an independent source – do not use the contact details in the email you were sent.
  • If a friend or family member emails asking for money because they are in trouble overseas, contact them directly or phone their hotel to verify their identity – don’t send money without checking first.
  • Never send money, financial/credit card details or personal details and documents by email.
  • Never forward emails that you aren’t 100% sure are genuine.
  • Use a strong, different password for every account you own (a password manager makes this practical) and change any password you suspect has been exposed – if you use the same password everywhere and an attacker discovers it, all of your accounts are at risk. Turn on two-factor authentication wherever it is offered, so that a stolen password alone is not enough.
  • Keep your computer’s software and antivirus up to date, and avoid using public computers and open Wi-Fi hotspots to access or enter personal information.

Phishing attempts can be dangerous and damaging, but most can be stopped with a little more awareness and caution online. Help reduce the occurrence and impact of cyber crime by sharing your knowledge of phishing, and this article, with others.

The Australian Government Department of Communications is a great resource for alerting the community to current online threats and how to manage them.

This alert (https://www.communications.gov.au/what-we-do/internet/stay-smart-online/alert-service/be-aware-new-paypal-phishing-emails-sso-alert-priority-moderate-0) is a prime example of a PayPal phishing incident and includes an image of a fake PayPal site that can be distinguished from the real one only by its incorrect URL.

Harvey Marcus

Director of aizoOn Australia

8y

Good article Emily - essentially a reminder of trusted source prioritisation
