Articles by the cybersecurity community


Guest Post - Ella Donald - How do I spot a #phishing scam? #cybersecurity

Thank you to my lovely colleague, Ella Donald, for generously taking time to write this article supporting the demystifying cyber project and helping people to stay safer from cybercrime.

How do I spot a phishing scam?

As society becomes more digitised, our lives are increasingly conducted online. We must give our banking details, identifying information, and more to many sources, and may be prompted to provide them again. Our email inboxes are, more than ever, a receptacle of sensitive information. So, if many organisations – from our bank, to gym, to phone company, postal service, and government – have our details, how can we tell that an email from them is legitimate?

Phishing scams are attempts by an attacker to extract personal information from a victim. This information can include banking and credit card details, passwords, and other personal details, and the attempt can be made through emails, phone calls, and text messages. Phishing scams can also install malicious software (e.g. ransomware) on a computer. These scams are becoming increasingly common and complex in this digital age, with attackers impersonating trusted brands and organisations from Australia Post, to the Australian Taxation Office, to Netflix. How can we keep our information safe in these circumstances? Below, learn how to spot a phishing scam, and how you can stay safe online.

Navigate to the website yourself to check

Phishing scams usually have a sense of urgency – for example, an email telling you that your account or computer has been compromised, or a call informing you of a charge on your credit card. Attackers have recently posed as Amazon and Microsoft to carry out scams like these, designed to elicit a knee-jerk reaction from the victim. When receiving a message such as this, it's important not to panic and not to respond to the call, message, or email – and never open a link or attachment in an email that has this tone. Doing so could trigger ransomware or other malicious software to be installed on your computer.

Instead, open your web browser and navigate to the website of the organisation or brand that the email claims to be from. Then log into your account, and check your details, transactions, or other information that the message is claiming to be compromised. If you can’t access their website, ring their official number (not that listed on the email, or the number that called you) and ask to speak to a representative, who will be able to verify the legitimacy of the message. This will ensure that you’re accessing a legitimate website and are avoiding any possible viruses.

Check the email address it is coming from

Official emails – whether from PayPal, Google, the government, Netflix, or a bank – will come from an address that includes the official domain name (e.g. ‘(name)@google.com’, ‘(name)@paypal.com’). When receiving an email that asks for banking or other personal information, click on the sender to check the address it is coming from. If the address doesn’t match the official domain name (you can always navigate to the organisation’s website yourself to check what it is), and is perhaps a mess of letters and numbers, this is an indication that the message is a phishing scam. Again, you can always log into your account on their official website or give them a call to check. Better safe than sorry.

Look out for misspellings and other imperfections

One hallmark of phishing emails is their subtle imperfections that may not be immediately noticeable to the panicked eye but are obvious upon closer inspection. These can be anything from slightly pixelated images, to a misspelled domain name, to poor grammar in the email text. Alternatively, it may be that the layout and style of the message doesn’t fit previous communications you’ve received. These are signs of a phishing scam, caused by the use of translation programs (which can supply a word without the proper context) and templates. If something looks not quite right, delete the email, and get in touch with the company through another method.


Ella Donald works with The University of Queensland’s Data Strategy and Governance team, and has a background in journalism and communications.

#Phishing - Microsoft Teams

#Cybercrime - beware of spoofed Microsoft Teams emails. Similar to the recent spate of Dropbox phishing that appears to be from a colleague sending a file via Dropbox, these emails look like a notification from a colleague via Teams and request the recipient to log in via the supplied link to see the message. The link/s in the message go to a #phishing page made to look like a Microsoft Teams login page. These phishing emails are designed to obtain Microsoft login credentials.

** What can you do? **

  • All users of technology need to remain vigilant against cybercrime.
  • When you receive an email with a link to a login page, consider NOT clicking that link; instead go to the page yourself with a URL you know or find yourself.
  • If you have inadvertently been tricked by phishing, change your password/s immediately.

Guest Post - Vaishnavi Shimpi - let's stop phishing


Thanks to Vaishnavi for this great reminder about phishing!



I got a call the other day
I won a lottery, such a lucky day.
They sounded very flattering
But I didn’t recollect ever participating.
You are our loyal customer, this is a special one,
Amongst many nationwide, you are the 'chosen one'!
Send us your bank details,
So that we can 'transfer' the money
We also need your 'verification'.
And they asked me for my personal history...
------------

My bank account is blocked they said.
I panicked, and asked 'why'?
Some mischievous activity was found
We'll help you, you just follow by.
We need some 'verification' so,
Tell us your account number and password.
You have provided the correct information,
Now we'll give your account a resurrection...
-------------

I got an SMS the other day
This is 'urgent' it did say,
It's regarding your parcel delivery,
'Act now' or it'll be on its return journey.
Your 'part' payment is still pending
If you don't pay now, it'll be marked for cancelling.
I 'panicked' and clicked on the link
It took me to a portal that looked all genuine.
I didn't bother to check the URL
Didn't notice something was a bit unusual.
I gave away my bank details, not realising
it was actually someone 'phishing'.
------------

Beware of all these scenarios
They are more than common,
This'll not happen to me
Is simply a disillusion.
There are many out there,
Who are on your lookout,
They mostly sound urgent or authoritative,
It is best to be safe and stay out.
These days it is good to stay suspicious
It's a good way to keep away those mostly dubious.

--------------x-------------

BIO




Vaishnavi Shimpi
A traveller, poet, culture enthusiast, mum, software professional and cyber security and data privacy specialist. Having seen close family members falling prey to phishing attacks, Vaishnavi realised the lack and importance of cyber-security literacy amongst the older and younger generation alike. She has found a simplistic and quick way to spread security awareness through poems.
Often, you’d find her exploring places far and near, gaining new perspectives on people and cultures, currently calling beautiful Australia her home. An adventure and a nature loving person, she loves motorbiking trips with her husband. She also believes in giving back to the society and is involved in educating young school and college students in India.


Excerpt from book Unmasking the Hacker - phishing



The term phishing originates in 1996 with the AOHell scammers and it is a type of technology-based fraud where emails are made to appear as being sent from legitimate companies or familiar people in order to trick the recipients. There is nothing mystical in why phishing is successful, and neither are the perpetrators of this type of cybercrime shadowy figures in hoodies. Phishing emails exploit human psychology, using social engineering techniques, to trick the recipient into providing their account credentials or paying spoofed invoices. Common syntax in phishing emails, for example, is designed to make the recipient act fast without thinking their actions through, with their call to immediate action, spoofed believable entities and appeal to people to do the right thing. Phishing emails, for example, often convey a sense of urgency[i] which encourages recipients to make panicked hurried decisions, where they do not take the time to think whether the message is legitimate.

Successful phishing emails rely on being believable, playing to emotions and the false sense of security of the recipient. These scam emails, whether they are baiting for credentials, money or intellectual property, rely on being believable: they spoof trusted brands or people and relate to everyday topics such as invoices, correcting log in issues or post deliveries. Phishing emails play to emotions with subject lines designed to scare or promote a sense of urgency in the recipient, or by cajoling or encouraging the recipient to do the right thing and click the link to fix a payment for example. Phishing emails also have success as end users may have a false sense of security believing that spam filters will block all malicious emails.


For more information on this book and where to buy it please visit this page > Demystify Cyber Book Launch <

Excerpt from book Unmasking the hacker - protect yourself from #phishing

It is Sunday 5 January 2020 as this is published and I am working on editing and writing more for my book and hope to have it in a good state to self publish by end January 2020!

Updates of my book project are available from this page >> Book Updates << and once I have published it, this page will also have updates of new book projects and any giveaways associated with them.

Below is an excerpt of one of the chapters of my book "Unmasking the Hacker, Demystifying cybercrime", this one is about protecting yourself from phishing.


......................  As phishing emails tend to be a main way for criminals to compromise accounts, steal money and information and introduce malware into their targets’ computers, it pays to understand simple ways to help protect ourselves from this type of scam. When an email is spoofed, the display name and actual email address are different, so take care to check that the display name matches the sender’s email address.

If there are hyperlinks in an email, hover over them with the mouse but do not click; when you hover over the link, have a look at what the actual link is. Take a moment to think about what the email says, and check that it is written in the usual way that individual or company writes when you receive email from them. Be wary when an email subject line or message body contains urgent or threatening language, and consider whether this is the way the company or person would normally address you or the situation.

If an email contains an attachment, consider whether or not you were expecting one from the sender or if the attachment is something you would normally receive. If an email requests money to be transferred or sensitive information to be provided, check with the purported sender via other means before actioning the request to verify the email is legitimate.

While spam filters, email gateways and anti-virus applications provide some layers of security, it is important to not allow a false sense of security in them or in your own abilities in spotting a scam. Just because your company, or even you as an individual, may be using the best spam filters and other security software does not mean you will not receive a malicious email. ......

Guest Post - Shelly Mills - What does #phishing have to do with black juju?

Thanks to my colleague Shelly Mills for writing this post to provide an interesting look at phishing.

Phishing is a form of fraud used by scammers to steal sensitive information such as account credentials or banking information, by disguising emails to look like legitimate emails from reputable organisations and people you trust. 

Because of the ease of sending bulk phishing emails, it has become a common method for criminals to use to try and obtain your money. In Australia, citizens lost $1 444 162 to phishing scams in 2019 (https://www.scamwatch.gov.au/about-scamwatch/scam-statistics?scamid=31&date=2019).

But, who exactly is phishing you?  

Phishing scams are usually run by criminals. There are various different types of criminals who use cyber as a method to commit their crime [follow this hyperlink to the story on cyber criminals]. Organised crime syndicates, lone-wolves, etc...  

 ....... And then there are the Ghanaians, who believe their phishing scams need to be blessed through a black magic ritual in order to be successful.  
This practice is called “Sakawa” - the combination of internet-based fraud (usually via phishing scams) with traditional African black magic rituals (commonly referred to as “juju”). After sending out a mass phishing email, the scammer will visit their local black magic priest to bless the scam through a voodoo ritual.  

In fact, as Sakawa grows, there are now fake black magic priests scamming the internet scammers, who get their scams blessed by these fake priests and then send their scams out to scam the rest of the world. 

Further watching: 

Further reading: 




Excerpt from book Unmasking the Hacker - phishing

It is Sunday 24 November 2019 as I write this. I am working on the draft of my book and hope to have it in a good state to do edits and rewrites in December to have it published by January 2020!

Updates of my book project are available from this page >> Book Updates << and once I have published it, this page will also have updates of new book projects and any giveaways associated with them.

Below is an excerpt of one of the chapters of my book "Unmasking the Hacker, Demystifying cybercrime", this one is on phishing.


The term phishing dates back to 1996 with the AOHell scammers and it is a type of technology-based scam where emails are made to appear as being sent from legitimate companies or familiar people in order to trick the recipients. There is nothing mystical in why phishing is successful, and neither are the perpetrators of this type of cybercrime shadowy figures in hoodies. Phishing emails exploit human psychology, using social engineering techniques, to trick the recipient into providing their account credentials or paying spoofed invoices. Common syntax in phishing emails, for example, is designed to make the recipient act fast without thinking their actions through, with their call to immediate action, spoofed believable entities and appeal to people to do the right thing. Phishing emails, for example, often convey a sense of urgency[i] which encourages recipients to make panicked hurried decisions, where they do not take the time to think whether or not the message is legitimate.

Successful phishing emails rely on being believable, playing to emotions and the false sense of security of the recipient. These scam emails whether they are baiting for credentials, money or intellectual property, rely on being believable, they spoof trusted brands or people and relate to everyday topics such as invoices, correcting log in issues or post deliveries. Phishing emails play to emotions with subject lines designed to scare or promote a sense of urgency in the recipient, or by cajoling or encouraging the recipient to do the right thing and click the link to fix a payment for example. Phishing emails also have success as end users may have a false sense of security believing that spam filters will block all malicious emails, or maybe having an over confidence in their own abilities to spot scams. Criminals send, or use bots to send, bulk phishing emails that they know will have success somewhere as so many are sent.



[i] Ferreira, A., & Lenzini, G. (2015, July). An analysis of social engineering principles in effective phishing. In 2015 Workshop on Socio-Technical Aspects in Security and Trust (pp. 9-16). IEEE.


Be wary of phishing - what to check for


Be wary of scam emails
·      Check the display name against the email address
·      Hover and check links (do NOT click on them to see where they go)
·      Analyse the salutation and sentence style
·      Beware of urgent or threatening language in the subject line
·      Be cautious of attachments you weren’t expecting
·      Don’t pay, change account details, or provide information without verifying the sender’s legitimacy
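As an added example that is not code from the blog, the book or any of the guest authors: a small Python script that runs the checks in the list above (the same ones given in the "protect yourself from phishing" excerpt and in Ella Donald's "check the email address" advice) over a raw email, so each manual check has a concrete, testable form. The official domain passed in, the list of urgency words and the two sample messages are constructed assumptions; PayPal appears only because the posts above use it as their example brand, and every other domain is a reserved .example name.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Pressure words the posts warn about in subject lines (an assumed list).
URGENT_WORDS = ("urgent", "immediately", "act now", "suspended", "verify", "final notice")

class LinkCollector(HTMLParser):
    """Collects (href, visible text) for every <a>: what hovering reveals vs. what is shown."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def host_of(url):
    """Lower-cased hostname of a URL or bare host ('' if none)."""
    return (urlparse(url if "://" in url else "http://" + url).hostname or "").lower()

def domain_matches(host, official):
    """True only for the official domain or a real subdomain; 'paypal.com.secure-login.example' fails."""
    official = official.lower()
    return host == official or host.endswith("." + official)

def triage(raw, official):
    """Run the checklist over a raw RFC 822 message that claims to be from `official`."""
    msg = message_from_string(raw)
    findings = []  # (code, detail) pairs
    # 1. Display name vs. real address, and real address vs. official domain.
    display, addr = parseaddr(msg.get("From", ""))
    sender_host = addr.rpartition("@")[2].lower()
    if not domain_matches(sender_host, official):
        findings.append(("sender-domain", f"From is @{sender_host}, not @{official}"))
    claimed = display.rpartition("@")[2].lower() if "@" in display else ""
    if claimed and claimed != sender_host:
        findings.append(("display-name-mismatch",
                         f"display name shows @{claimed}, real address is @{sender_host}"))
    # 2. Urgent or threatening language in the subject line.
    hits = [w for w in URGENT_WORDS if w in msg.get("Subject", "").lower()]
    if hits:
        findings.append(("urgent-subject", "subject contains " + ", ".join(hits)))
    # 3. Attachments, plus the hover check on every link in HTML parts.
    for part in msg.walk():
        if part.get_content_disposition() == "attachment":
            findings.append(("attachment", f"attachment {part.get_filename()!r}"))
        elif part.get_content_type() == "text/html":
            collector = LinkCollector()
            collector.feed(part.get_payload(decode=True).decode(part.get_content_charset() or "utf-8", "replace"))
            for href, text in collector.links:
                target = host_of(href)
                if not domain_matches(target, official):
                    findings.append(("link-domain", f"link goes to {target}, not {official}"))
                # Visible text that looks like a URL must point where it says it does.
                if re.match(r"(?i)https?://|www\.", text) and host_of(text) != target:
                    findings.append(("link-text-mismatch",
                                     f"link text shows {host_of(text)} but points to {target}"))
    return findings

# Constructed phishing-style sample (.example domains): spoofed display name,
# look-alike link host, urgent subject and an unexpected attachment.
SAMPLE_RAW = """\
From: "service@paypal.com" <alerts@mailer-xyz.example>
Subject: URGENT: your account is suspended - verify now
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<p>Click <a href="http://paypal.com.secure-login.example/login">https://www.paypal.com/signin</a> to restore access.</p>
--b1
Content-Type: application/pdf; name="invoice.pdf"
Content-Disposition: attachment; filename="invoice.pdf"
Content-Transfer-Encoding: base64

JVBERi0xLjQK
--b1--
"""

# Constructed clean sample: every check passes, so no findings.
CLEAN_RAW = """\
From: "PayPal" <service@paypal.com>
Subject: Your monthly statement is available
Content-Type: text/html; charset="utf-8"

<p>Sign in at <a href="https://www.paypal.com/myaccount">www.paypal.com</a> to view it.</p>
"""
```

Calling `triage(SAMPLE_RAW, "paypal.com")` raises all six finding types, while `triage(CLEAN_RAW, "paypal.com")` returns an empty list. The `domain_matches` rule is the important design choice: it accepts `login.paypal.com` but rejects `paypal.com.secure-login.example`, which is exactly the trick the "mess of letters and numbers" and look-alike link warnings above describe, and a plain substring check would miss.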