23 August 2018

How to protect businesses and individuals from increasingly sophisticated phishing scams

How to protect businesses and individuals from increasingly sophisticated phishing scams

Businesses, government organisations and individuals are being subjected to increasingly sophisticated phishing scams. These scams – designed to trick victims into disclosing sensitive information such as bank account numbers, passwords and credit card details – use a range of techniques to achieve their malicious aims.

Email is a key channel – along with phone calls and text messages – for phishing scams. Many early phishing emails were easy to detect due to poor grammar and spelling and email sender addresses that bore no relation to the person or business the message claimed to be from. However, in recent years, scammers have appropriated logos, graphics and text from legitimate organisations – including major telecommunications companies, banks, electricity providers and government organisations – and used more authentic-looking email addresses.

Government security advisory service Stay Smart Online recently provided an example of a convincing email phishing scam. The email hijacks legitimate branding from Medicare and the MyGov website to solicit information such as login details, user security questions and answers and bank account details.

The groups and individuals behind phishing scams are becoming increasingly adept at using social engineering techniques to extract information from users. These techniques may be used in attack types called ‘spear phishing’ or ‘whaling’. The Australian Competition and Consumer Commission describes these attacks as targeting ‘businesses using information specific to the business that has been obtained elsewhere’. Scammers typically misrepresent themselves as business executives to convince other people within the business to disclose sensitive or financial information.

So how can businesses and government organisations minimise the risk phishing presents to their operations and to their people in business and personal contexts? A key step is to educate people about the threat presented by phishing scams. Businesses should also implement processes for the handling and disclosure of sensitive or financial information that address the risks presented by spear phishing or whaling. Finally, they should deploy sophisticated filters as part of a comprehensive email security platform to minimise the risk of scam emails entering the business environment.

If you would like to learn more, please contact Roger at info@firstwave.com.au