How to protect against e-mail (and other) scams
Scammers are using increasingly varied and sophisticated attempts to get your money or personal details.
Scams succeed because they look like the real thing and catch you off guard. For example, below is a scam e-mail: the link to ‘View full invoice details’ connects to a malicious payload.
Scam attacks can take many forms:
- Scammers can compromise e-mail accounts, monitor correspondence, and then attempt to get an organisation to pay for an order into a ‘new’ bank account (see the real-life example below).
- Scammers can call your organisation, speak to your staff directly and attempt to convince them to provide remote access to their computer. If access is given, it is then used to promptly install malicious and damaging software (unless the malicious software is detected and quarantined by your anti-virus software).
- Scammers frequently send e-mails with malicious attachments or links to malicious software; if your staff don’t recognise the threat, you’re relying on your anti-virus software to identify and quarantine the malicious software.
- More recently, scammers have also used technology to make it look like phone calls originate from a legitimate ATO phone number.
Ensure that all staff are alert to the fact that scams exist. When dealing with uninvited contacts from people or businesses, whether it’s over the phone, by mail, email, in person or on a social networking site, always consider the possibility that the approach may be a scam.
The best weapon against scammers is vigilance and staff awareness: staff should always ask themselves, ‘could this be a scam?’
Know who you’re dealing with
If you’ve only ever met someone online or are unsure of the legitimacy of a business, take some time to do a bit more research. Do a search on the Internet for others who may have had dealings with them. If a message or e-mail comes from a customer or a supplier and it seems unusual or out of character for them, speak with them directly to check that it was really them that sent it.
In particular, pay close attention to e-mail addresses any time you receive a message that seems unusual or out of character. Scammers are known to use similar (but not identical) e-mail addresses to impersonate a supplier or customer (refer to the SMH article above).
Consider the following e-mail addresses:
The two e-mail addresses look similar, but they are in fact for completely different domains (conteso1.com rather than conteso.com) and therefore are for two separate mailboxes.
If you have historically been dealing with a supplier at firstname.lastname@example.org and out of the blue you receive an e-mail from email@example.com, this is a ‘red flag’ for potential scammer activity, and you should call your contact at Conteso and confirm that he or she has a new e-mail address (firstname.lastname@example.org).
An e-mail address should be thought of like a phone number: if the e-mail address is different (even if only slightly), then in all likelihood you’re communicating with a different person.
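The look-alike domain check described above can be automated against the list of suppliers and customers your organisation actually deals with. The following is an added example (not code from the original article): the known-domain list, the confusable-character table and the sample addresses are constructed, with only conteso.com and conteso1.com taken from the text. It flags a sender as a look-alike when the domain is within a couple of character edits of a known domain, when it matches after undoing common substitutions such as 0 for o, or when it borrows a known supplier's name as one of its labels.

```python
"""Flag sender addresses whose domain merely looks like a known supplier's domain.

Added example, not code from the original article. KNOWN_DOMAINS and the sample
addresses are constructed; only conteso.com / conteso1.com come from the text.
"""
import re

# Assumption: your organisation keeps a list of domains for the suppliers and customers it deals with.
KNOWN_DOMAINS = {"conteso.com", "example-supplier.com.au"}

# Characters and digraphs commonly substituted to imitate a legitimate domain.
CONFUSABLES = {"rn": "m", "vv": "w", "0": "o", "1": "l", "3": "e", "5": "s"}


def normalise(domain: str) -> str:
    """Lower-case the domain and undo common look-alike substitutions."""
    d = domain.lower()
    for fake, real in CONFUSABLES.items():
        d = d.replace(fake, real)
    return d


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: the number of single-character edits that turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_label(domain: str) -> str:
    """The organisation's own label of a known domain, e.g. 'conteso' in conteso.com."""
    return domain.lower().split(".")[0]


def classify_sender(address: str, known=KNOWN_DOMAINS, max_edits: int = 2):
    """Return (verdict, matched_known_domain); verdict is 'known', 'lookalike', 'unknown' or 'invalid'."""
    m = re.fullmatch(r"[^@\s]+@([^@\s]+)", address.strip())
    if not m:
        return ("invalid", None)
    domain = m.group(1).lower()
    # Exact match, or a genuine sub-domain of a known domain.
    for k in known:
        if domain == k or domain.endswith("." + k):
            return ("known", k)
    for k in known:
        norm_match = normalise(domain) == normalise(k)      # c0nteso.com -> conteso.com
        close = edit_distance(domain, k) <= max_edits        # conteso1.com is one edit away; tune for short domains
        borrowed = registrable_label(k) in domain.split(".")  # conteso.com.some-portal.net
        if norm_match or close or borrowed:
            return ("lookalike", k)
    return ("unknown", None)


if __name__ == "__main__":
    for sample in ["accounts@conteso.com", "accounts@conteso1.com", "accounts@c0nteso.com",
                   "billing@conteso.com.invoices-portal.net", "someone@unrelated.org"]:
        print(sample, "->", classify_sender(sample))
```

A 'lookalike' verdict is a prompt to pick up the phone and call the contact on the number you already hold, exactly as the article advises; it is not proof of fraud on its own, and the edit-distance threshold needs to be lower for very short domains to avoid false alarms.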
Do not open suspicious texts or pop-up windows, or click on links or attachments in e-mails. Delete them.
If unsure, verify the identity of the contact through an independent source such as a phone book or online search, or have your IT support review the e-mail or attachment before you click on any potentially suspicious links or open attachments. Don’t use the contact details provided in the message sent to you.
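When IT support reviews a suspicious e-mail, the useful facts are where its links really go, where replies would be routed, and what its attachments actually are, all of which can be read from the message without opening anything. The following is an added example, not code from the original article: the message it builds is constructed (the link text ‘View full invoice details’ mirrors the article's example; the addresses, IP address and file name are invented), and the checks show the three signs a reviewer would report back to staff.

```python
"""Triage an e-mail for the tell-tale signs a reviewer should see before anyone clicks.

Added example, not code from the original article. The message in build_sample() is
constructed: the addresses, IP address and file name are invented.
"""
import email
from email import policy
from email.message import EmailMessage
from html.parser import HTMLParser
from urllib.parse import urlparse

# File types that run code when opened; a reviewer should see these, not an end user.
RISKY_EXTENSIONS = {".exe", ".scr", ".js", ".vbs", ".hta", ".bat", ".cmd", ".lnk", ".iso", ".docm", ".xlsm"}


class AnchorCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def triage(raw: bytes, trusted_domains: set) -> list:
    """Return a list of findings, each a dict with a 'check' name and a 'detail' for the reviewer."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    sender = msg["From"].addresses[0].domain.lower()

    # 1. Replies silently redirected to another domain (typical of invoice redirection fraud).
    reply_to = msg["Reply-To"]
    if reply_to is not None:
        for addr in reply_to.addresses:
            if addr.domain.lower() != sender:
                findings.append({"check": "reply_to_mismatch",
                                 "detail": f"replies go to {addr.domain}, sender is {sender}"})

    # 2. Links whose real destination is neither the sender's domain nor one you trust.
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            collector = AnchorCollector()
            collector.feed(part.get_content())
            for href, text in collector.links:
                host = (urlparse(href).hostname or "").lower()
                if host and host != sender and not host.endswith("." + sender) and host not in trusted_domains:
                    findings.append({"check": "link_offdomain", "detail": f"'{text}' points to {host}"})

    # 3. Attachments that execute code, including double extensions such as .pdf.exe.
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if any(name.endswith(ext) for ext in RISKY_EXTENSIONS):
            findings.append({"check": "risky_attachment", "detail": name})
    return findings


def build_sample() -> bytes:
    """A constructed scam e-mail of the kind the article describes."""
    m = EmailMessage()
    m["From"] = "Accounts <accounts@conteso.com>"
    m["Reply-To"] = "accounts@conteso1.com"
    m["To"] = "payables@yourorg.example"
    m["Subject"] = "Invoice 4471 overdue"
    m.set_content("Your invoice is overdue. See the attached invoice.")
    m.add_alternative(
        '<p>Your invoice is overdue. '
        '<a href="http://198.51.100.23/inv/4471.php">View full invoice details</a></p>',
        subtype="html",
    )
    m.add_attachment(b"MZ\x90\x00constructed-bytes", maintype="application",
                     subtype="octet-stream", filename="invoice_4471.pdf.exe")
    return m.as_bytes()


if __name__ == "__main__":
    for finding in triage(build_sample(), {"yourorg.example"}):
        print(finding["check"], "-", finding["detail"])
```

The sender-domain look-alike test belongs in the same review but is deliberately left out here; the point of this block is that every finding comes from reading the message, never from following its links or opening its attachment.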
Don’t respond to phone calls about your computer asking for remote access – hang up
This applies even if the caller mentions a well-known company such as Telstra. Scammers are known to have called unsuspecting people asking them to turn on their computer to fix a problem or install a free upgrade, which is actually a virus that may either give them your passwords and personal details or encrypt all of your data and then demand a “ransom” to have the data decrypted.
Keep your personal details secure.
Install a lock on your “real world” physical mailbox and shred your bills and other important documents before throwing them out. Keep your passwords and PINs in a safe place. Be very careful about how much personal information you share on social media sites. Scammers can use your information and pictures to create a fake identity or to target you with a scam.
Keep your mobile devices and computers secure.
Always use password protection, don’t share access with others (including remotely), keep security software updated and back up your content. Protect your Wi-Fi network with a password and avoid using public computers or Wi-Fi hotspots to access online banking or provide personal information.
Choose your passwords carefully.
Choose passwords that would be difficult for others to guess; you then don’t need to update them regularly. A strong password should include a mix of upper and lower case letters, numbers and symbols.
If you choose strong passwords, then so long as they’re not compromised there is no need to change them. Making password management a chore is a guaranteed way to encourage staff to take shortcuts with passwords and potentially use the same password over and over, or write them down. Don’t make password management any more of a hassle than it needs to be.
Use a password manager like LastPass or RoboForm to simplify the management and administration of passwords.
Don’t use the same password for every account or profile; use a unique password for every account, profile or service. That way, if a password is compromised only one account is affected, not all of them. Don’t share your passwords with anyone. This approach works best when used with a password manager.
Be wary of unusual payment requests.
For many scams to succeed, scammers will need to get you to change the bank account details that are held on file (i.e. so that you pay the scammer rather than the authorised supplier).
So you need to ensure that your Accounts Payable controls are strong. Any request to change existing payment details or to add a new bank account or supplier should be treated as a potential ‘red flag’ and subjected to careful scrutiny and independent verification to ensure that the new bank details are legitimate (remember, this is your last line of defence against a potential scam!).
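The independent-verification control can be written down as explicit rules that an Accounts Payable system, or a simple script run before a change is saved, enforces rather than leaving to memory. The following is an added example, not code from the original article: the supplier record, request fields, names, BSB and account numbers and phone numbers are all constructed, and the rules (a second person verifies, the call goes to the number already on file, and the details read back on the call must match the request) are one way of implementing what the paragraph above describes.

```python
"""Gate changes to a supplier's bank details behind independent verification.

Added example, not code from the original article. The supplier record, request
fields, names and numbers are constructed; the rules are one implementation of the control.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Supplier:
    name: str
    phone_on_file: str   # obtained when the supplier was onboarded, not from any later e-mail
    bsb: str
    account: str


@dataclass
class ChangeRequest:
    supplier: str
    new_bsb: str
    new_account: str
    entered_by: str                      # AP staff member keying the change
    verified_by: Optional[str]           # who made the verification call, if anyone
    callback_number: Optional[str]       # the number that was actually dialled
    confirmed_bsb: Optional[str] = None  # details read back by the supplier contact on the call
    confirmed_account: Optional[str] = None


def assess_change(req: ChangeRequest, suppliers: dict) -> tuple:
    """Return (approved, reasons). Any reason blocks the change until it is resolved."""
    sup = suppliers.get(req.supplier)
    if sup is None:
        return (False, ["unknown supplier: handle as new-supplier onboarding, not a detail change"])
    if (req.new_bsb, req.new_account) == (sup.bsb, sup.account):
        return (True, [])  # nothing actually changes
    reasons = []
    if not req.verified_by:
        reasons.append("no independent verification recorded")
    elif req.verified_by == req.entered_by:
        reasons.append("verifier must be a different person from the one entering the change")
    # The number quoted in the request may belong to the scammer; only the number on file counts.
    if req.callback_number != sup.phone_on_file:
        reasons.append("verification call must go to the number already on file, not one quoted in the request")
    if (req.confirmed_bsb, req.confirmed_account) != (req.new_bsb, req.new_account):
        reasons.append("details confirmed on the call do not match the requested details")
    return (not reasons, reasons)


# Constructed supplier master record.
SUPPLIERS = {"Conteso": Supplier("Conteso", "+61 2 5550 0100", "012-345", "11112222")}


def example_requests():
    """Two constructed requests: one as a scammer would like it handled, one done properly."""
    rushed = ChangeRequest("Conteso", "999-001", "55556666", entered_by="alice",
                           verified_by="alice", callback_number="+61 2 5550 0999")
    proper = ChangeRequest("Conteso", "999-001", "55556666", entered_by="alice",
                           verified_by="bob", callback_number="+61 2 5550 0100",
                           confirmed_bsb="999-001", confirmed_account="55556666")
    return rushed, proper


if __name__ == "__main__":
    for req in example_requests():
        print(assess_change(req, SUPPLIERS))
```

The rejected request fails on three counts at once, which is the normal shape of a redirection attempt: the same person enters and "verifies" the change, the call goes to a number supplied by the requester, and nothing was read back. Keeping the reasons separate makes the audit trail show which control caught it.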
No single anti-virus product should be considered infallible all of the time, so it is prudent to implement a layered approach. Each product should have a small “footprint” (i.e. use minimal resources so as not to affect computer performance). Look for strong ransomware protection in at least one of the products deployed.
Many scam attacks are attempted via e-mail, so consider implementing an e-mail gateway that can screen all e-mail and filter or quarantine malicious or potentially suspicious e-mail. Effective e-mail screening can identify many scam e-mails before they reach the inbox of your staff, reducing how much you need to rely on the vigilance of staff to recognise a threat.
Good backups can solve a multitude of issues. Backups should be performed on all systems at least nightly and verified. ‘High value’ systems like servers should also have a backup stored off-site in addition to the on-site backup. Backups are only ‘good’ if they’re recent and intact (i.e. if you need to restore from a backup only to discover that your last successful backup was 12 months ago, then chances are that backup won’t be of much use). Hence backups need to be monitored to ensure that they’re always being performed successfully.
Backup systems also need to be ‘ransomware aware’ (i.e. they must not allow a ransomware attack to encrypt your backups and thus render them useless).
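Monitoring backups means checking, for every system, the four things the two paragraphs above call out: the most recent job succeeded, the last good backup is recent, the stored copy still matches what was written, and high-value systems have an off-site copy that a ransomware incident on the main network cannot reach. The following is an added example, not code from the original article: the catalogue rows, system names, payload bytes and the 26-hour freshness threshold are all constructed, standing in for what a real backup job's log and manifest would record.

```python
"""Check a backup catalogue for the failure modes the article warns about:
failed jobs, stale backups, corrupt backups, and high-value systems with no off-site copy.

Added example, not code from the original article. The catalogue, system names,
payload bytes and thresholds are constructed; tune the thresholds for your environment.
"""
import hashlib
from datetime import datetime, timedelta, timezone

NOW = datetime(2024, 6, 1, 8, 0, tzinfo=timezone.utc)  # fixed "now" so the example is reproducible


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


GOOD_SERVER = b"server01 full backup contents"
GOOD_FILES = b"fileserver full backup contents"


def job(system, hours_ago, status, location, expected, data=b""):
    """One catalogue row: what a backup job's log and manifest would record (constructed)."""
    return {"system": system, "completed": NOW - timedelta(hours=hours_ago), "status": status,
            "location": location, "expected_sha256": sha256_hex(expected), "data": data}


CATALOGUE = [
    job("server01", 9, "success", "onsite", GOOD_SERVER, GOOD_SERVER),
    job("server01", 48, "success", "offsite", GOOD_SERVER, GOOD_SERVER),
    job("fileserver", 40 * 24, "success", "onsite", GOOD_FILES, b"fileserver full backup cont"),  # truncated copy
    job("fileserver", 10, "failed", "onsite", GOOD_FILES),
    job("workstation-07", 12, "success", "onsite", b"ws07", b"ws07"),
]

# Systems that must also have an off-site copy (ideally on storage the production network cannot modify).
HIGH_VALUE = {"server01", "fileserver"}


def check_backups(catalogue, now=NOW, max_age=timedelta(hours=26), high_value=HIGH_VALUE):
    """Return {system: [problems]}; an empty list means that system's backups are healthy."""
    report = {}
    for system in sorted({b["system"] for b in catalogue}):
        jobs = [b for b in catalogue if b["system"] == system]
        good = [b for b in jobs if b["status"] == "success"]
        problems = []
        if max(jobs, key=lambda b: b["completed"])["status"] != "success":
            problems.append("most recent job failed")
        if not good:
            problems.append("no successful backup on record")
        else:
            latest = max(good, key=lambda b: b["completed"])
            age = now - latest["completed"]
            if age > max_age:
                problems.append(f"last successful backup is {age.days} days old")
            # Re-hash the stored copy: a backup that no longer matches its manifest is not a backup.
            if sha256_hex(latest["data"]) != latest["expected_sha256"]:
                problems.append("latest backup fails integrity check")
            if system in high_value and not any(b["location"] == "offsite" for b in good):
                problems.append("no off-site copy")
        report[system] = problems
    return report


if __name__ == "__main__":
    for system, problems in check_backups(CATALOGUE).items():
        print(system, "OK" if not problems else "; ".join(problems))
```

In a real deployment the `data` field would be read from the backup file (or a sampled restore of it) rather than held in memory, and the check would run on a schedule and alert, so that a backup that silently stopped working is noticed in a day rather than at restore time.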