How to protect my business from phishing - Cybersecurity Audit

Phishing: A Guide for Perth Small Businesses


As businesses rely more on technology and become increasingly internet-facing, solid cybersecurity measures are important. Businesses are under constant attack from everyone – governments, criminals, hackers and even teenagers.

Phishing is one of the most common tools used by those who try to get access to your systems. Small businesses are particularly vulnerable: they feel cybersecurity is costly and consequently don’t have robust security in place. However, a cyber-attack can damage your business reputation and cause irreparable harm. It isn’t time to put your head in the sand! There are some cost-effective steps that you can take.

What is phishing?

Phishing is a type of online fraud in which cybercriminals pose as a legitimate organisation to steal user data such as login credentials, credit card numbers or other sensitive information. The data is later used to access other important accounts, leading to identity theft and financial loss.

How does it work?

Phishing usually occurs in the form of a fraudulent email, text message or instant message. The email or message comes from a cybercriminal masquerading as a trusted source and looks like a real message, including the sender’s logo. It may ask you to confirm or renew your account, update payment details or other information, or follow similar instructions that look entirely legitimate. The recipient is tricked into clicking the link, which installs malware on the user’s system or reveals the user’s information to the attacker.

What are the reasons for phishing attacks to be so successful?

Here are some of the reasons why victims keep falling for phishing attacks.

  • Lack of security awareness
  • Phishing tools are widespread and available at low cost 
  • Malware is becoming more complex
  • Increase in personalised attacks
  • Lack of cybersecurity measures

Types of phishing attacks

Understanding the different types of phishing attacks is important to help you protect your business from them.

Email phishing – This is the most common type. A criminal sends out an email with malicious links to a large number of random people, usually in the thousands.

Characteristics

  • Sent to a large number of people.
  • Looks very similar to the legitimate sender’s messages, including logos, language, tone, formats and signatures.
  • Clickable links look very similar to the genuine links but contain a small variation of the domain. For example, the original link xyz.org/renewal is changed to xyz.orgrenewal.com.
  • The message creates a sense of urgency, tricking users into acting immediately without giving them much time to think. Typical pretexts are account renewals, payment detail updates, blocked billing, suspension of services, etc.
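The lookalike-link trick above (xyz.org/renewal becoming xyz.orgrenewal.com) is something a mail filter can check mechanically. The script below is an added example, not code from the article or from Computing Australia: it extracts each link from a constructed sample message, works out the domain the link really resolves to, and flags links that merely embed the trusted name inside a foreign domain. The short multi-label suffix set is a constructed stand-in for the Public Suffix List.

```python
import re
from urllib.parse import urlparse

# Constructed, deliberately short stand-in for the Public Suffix List.
MULTI_LABEL_SUFFIXES = {"com.au", "net.au", "org.au", "co.uk", "org.uk"}

HREF_RE = re.compile(r'href=["\']([^"\']+)["\']', re.IGNORECASE)


def registrable_domain(host: str) -> str:
    """Part of a hostname that someone actually registers.

    renewal.xyz.org -> xyz.org ; mail.example.com.au -> example.com.au
    """
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def classify_link(href: str, expected_domain: str) -> str:
    """Classify a link relative to the domain the sender claims to be.

    "ok"        - the link really lands on expected_domain (or a subdomain)
    "lookalike" - the trusted name is embedded somewhere in a foreign URL,
                  e.g. xyz.orgrenewal.com or https://xyz.org@evil-example.com/
    "unrelated" - a different domain with no resemblance
    """
    parsed = urlparse(href if "://" in href else "http://" + href)
    host = parsed.hostname or ""  # .hostname drops any "user@" prefix
    expected = expected_domain.lower()
    if registrable_domain(host) == expected:
        return "ok"
    # Compare with dots stripped so "xyz.org", "xyzorg" and "xyz.orgrenewal"
    # are all treated as the same bait.
    bait = expected.replace(".", "")
    return "lookalike" if bait in href.lower().replace(".", "") else "unrelated"


def scan_html(html: str, expected_domain: str) -> dict:
    """Return {href: verdict} for every href in an HTML message body."""
    return {h: classify_link(h, expected_domain) for h in HREF_RE.findall(html)}


# Constructed sample resembling the article's renewal lure.
SAMPLE_EMAIL = """<p>Your subscription is expiring.
<a href="https://xyz.orgrenewal.com/login">Renew now</a> or visit
<a href="https://renewal.xyz.org/help">our help centre</a>.</p>"""

if __name__ == "__main__":
    for href, verdict in scan_html(SAMPLE_EMAIL, "xyz.org").items():
        print(f"{verdict:10} {href}")
```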

Want to learn more? Read our blog on types of phishing emails and how to recognise them.

Spear phishing – In this type of attack, the criminal targets a specific organisation or individual. The attacker will have researched the victim and will have good knowledge of the communication channels and organisational structure of the entity, or the online habits of the individual.

Characteristics

  • Email mimics the official communication template, including text and signatures.
  • Usually appears to come from a senior person to a subordinate.
  • Usually asks the user to open a password-protected document. The password may be an employee ID, or an account number in the case of individuals.
  • The purpose is usually to carry out an advanced persistent threat, with the criminal remaining undetected for a substantial period.

Smishing and vishing – The phisher uses telephone calls (vishing) and text messages (smishing) as the means of communication. The characteristics of smishing and vishing are the same as those of email phishing. The only difference is that the former use telephones and the latter uses email for communication.

Characteristics

  • Bait the victim through a phone call (vishing) or SMS (smishing).
  • Criminals usually approach victims by posing as an investigator, insurance agent, bank agent, etc.
  • The message will contain a false sense of urgency.
  • Deceive victims into sharing their sensitive data, sending money to criminal accounts or downloading malicious software.

Angler phishing – The phisher uses social media for deceiving the victims and obtaining sensitive data.

Characteristics

  • Scammers use phishing sites, fraudulent URLs, posts and tweets to deceive targets into downloading malware or sharing sensitive information.
  • Scammers reach out to disgruntled customers who have complained about a product or service on social media, posing as representatives of the company.

Different phishing techniques

Here are a few common phishing techniques you need to be aware of to protect your business.

Website Imitations

Usually, the links in phishing emails lead to a fake website that looks similar to the authentic one. Once you click through, these sites will ask for your bank login credentials, credit card number or other sensitive information.

Deactivation notifications

“Your subscription is expiring”

“Renew your subscription”

“Your account will be deactivated on…”

The above messages create a sense of urgency in you, right? That’s precisely what phishers use against you. These kinds of deactivation alert emails are among the most common techniques they use to obtain your data. The messages mainly contain malicious links that take you to fake sites, where you will be asked to share your banking information or enter your old password in order to create a new one.

Offering technical support

Another common phishing technique is offering technical support. The cybercriminals send emails pretending to be from genuine firms that provide support, usually including a toll-free number. Once you call, you are connected to a scammer pretending to offer support. The scammer will then have you download remote-access software and act as though they are helping you resolve the technical issue while secretly pilfering your sensitive data.

Monetary reward or donation messages

You may receive an email or message saying you have been selected for a monetary reward or a donation, with a detailed explanation of why you were chosen. As with the methods above, you will be asked to share your personal details or click on a link to access the reward.

How can you protect your small business from phishing?

  • Cybersecurity Audit
    The first step is to perform a thorough cybersecurity audit. As cybercrimes get increasingly sophisticated, it is advisable to take professional help. Computing Australia has been providing cybersecurity audits for businesses in Perth and keeping them safe from cyberattacks for many years.

We recommend the following to protect your business from phishing:

  • Adopt and enforce a comprehensive security policy.
  • Update antivirus and other security systems regularly.
  • Use encryption for all online messages and encrypt sensitive data.
  • Deploy filters to detect and block malicious links and websites.
  • Educate employees about the need for strictly following security protocols, including 2FA and strict password management.

What is ‘The Essential Eight’?

The Essential Eight is a list of mitigation strategies from the Australian Cyber Security Centre (ACSC) to assist in preventing malware attacks and cybersecurity incidents.

  • Application controls – to prevent the execution of malicious programs.
  • Configure Microsoft Office macro settings – to allow only vetted macros from trusted locations.
  • Patch applications – within 48 hours for high-risk vulnerabilities.
  • User application hardening – to block and disable unnecessary features.
  • Restrict administrative privileges – based on user duties.
  • Multi-factor authentication – for all users.
  • Patch operating systems – including network devices, within 48 hours for extreme-risk vulnerabilities.
  • Daily backups – to ensure access to information in the event of a cybersecurity incident.

Jargon Buster

Advanced Persistent Threat – a cyber-attack where a criminal gains access to a system or network and remains there for a prolonged period without being detected.
Malicious Links – a link created for the purpose of a cyberattack.
2FA – Two-Factor Authentication – access is granted only after two steps of authentication. You will need to provide two pieces of evidence to establish your identity. This is also known as MFA (multi-factor authentication).

Article originally published on 07/08/2020
Revised by Blake Parry on 06/07/2021
Added new sections:
How does it work?
What are the reasons for phishing attacks to be so successful?
Different phishing techniques

Blake Parry

Blake is the Technical Services Manager of The Computing Australia Group; he is responsible for coordinating a team of technicians to deliver IT services to our valued clients. He works with a diverse client portfolio spanning mining, oil & gas, manufacturing, government and corporate sectors. It is challenging because no two clients and no two sectors have the same IT environment. The team at CAG is committed to documentation and we spend a lot of time ensuring that each site is documented to the highest standard.