It might arrive in the form of an unexpected email containing the promise of financial payment, or a phone message requesting the recipient to ‘press 1’ to discuss a package delivery.
In other cases, it could be a post on social media, apparently from an old friend, asking you to get in touch or an enticing product advertisement on a website urging you to ‘click’ for more details. Everything from PayPal to shipping companies, even instances claiming to be from Microsoft support helping you to clean up an infected PC whilst installing remote access and key logging software.
They come in many forms and via different channels, yet they have one thing in common: they’re scams. Cleverly designed to illicit a response, these devious creations try to trick recipients into opening attachments or visiting websites that contain malicious code.
Once a user’s device has been infected with this code, a range of things can occur. It might scour the device for personal details before sending them to a criminal party. Alternatively, it could encrypt data on the device and then demand a ransom payment in exchange for the keys.
According to the Australian Competition and Consumer Commission’s Scamwatch service, Australians have lost more than $222 million so far in 2021. The top types of scams have been fake investments, followed by dating and romance, false billing, and fake remote access requests.
To increase consumer awareness and understanding of the threat of scams, the ACCC is conducting its annual Scam Awareness Week. Running from November 8 to 12, the week is designed to provide details of the latest techniques and the steps that can be taken to avoid falling victim.
Partners involved in the week include a range of private and public-sector organisations as well as industry associations, community organisations, and clubs.
When it comes to the subjects used by cybercriminals to make their scam communications as enticing as possible, one of the most popular at the moment is COVID-19. According to Scamwatch there have been more than 6415 reports of scams mentioning coronavirus since the initial outbreak in early 2020. Topics include requests for personal information, online shopping offers, and superannuation claims.
Other COVID-related campaigns have focused on public interest in vaccinations. Some have been in the form of requests for payment for early access to vaccines while others have been offers of the chance to invest in new vaccine development.
In an analysis conducted between October 2020 and January 2021, Barracuda researchers found that hackers were increasingly using vaccine-related emails in their targeted spear-phishing attacks. In the period after pharmaceutical companies announced availability of vaccines in November 2020, the average number of vaccine-related spear-phishing attacks was up 26 per cent in one quarter alone.
While these types of scam campaigns, known as phishing, continue to grow in number, cybercriminals are increasingly are taking a different, more targeted approach.
Dubbed spear phishing, the technique involves creating messages that are specifically targeted at the intended victim. Rather than spamming hundreds or thousands of people in the hope that a few will respond, spear phishing attempts are sent to small groups or even individuals.
Before initiating a spear phishing attack, a cybercriminal is likely to spend time gathering personal information about the intended victim. For example, they might determine which bank they use and then craft a message that appears to have come from that institution.
In other cases, the cybercriminal might make it appear as though the message has come from a co-worker or business associate. If the potential victim thinks it’s originated from a known source, they are more likely to open an attachment or click on a link.
Faced with a rising tide of potential cyber scams, there are a number of steps that individuals can take to reduce their chances of falling victim. They include:
- Don’t click on hyperlinks in emails or on social media pages, even if they appear to have come from a trusted source.
- Educate your users by investing in regular security training to improve awareness of the latest threats. Make sure your employees can not only identify these attacks but that they also know where to report them – perhaps best achieved through simulation attack training.
- Never allow an unknown third party to have remote access of your computer, even if they claim to be from your telecommunications company or internet service provider.
- Don’t assume that a calling party is actually who they claim to be. To check, hang up and call the organisation back through their central switchboard number.
- Use two-factor authentication wherever it is available. This will mean that, even if a cybercriminal obtains your password, they will be unable to use it as access also requires a code generated by or sent to your mobile device.
Above all, it’s vital to remain alert at all times. The techniques and channels being used by cyber criminals are constantly changing, so it’s prudent to always be watchful for messages that appear suspicious and invest in dedicated protection against impersonation and phishing email attacks.
Scam Awareness Week is a great time to review your security measures and communication habits. Taking these steps now will reduce the chances of falling victim in the future.