There are many variants of phishing emails that do the rounds. Often I will do a write up on a phish that look most authentic and managed to get past my spam filtering, such as in the past with NAB, Commbank, and MyGov phishing emails.
Phishing emails work by baiting the victim into clicking a link, opening an attachment, or replying with information. Phishing plays on a need of urgency. This is a trick used by the scammer to help trick the victim into taking the bait.
Links may lead to a website designed to harvest credentials for email, financial services, or other websites. Attachments may lead to malware infection, such as ransomware. Emails that ask you to reply with information may ask for personal details to use for identity fraud, or ask for credentials for online services.
Another type of phish, with a much higher success rate, is spear-phishing. This is a targeted attack, meaning the phish, is sent to one user. Before sending a spear-phishing email, an attacker will need to research the individual. The more information the attacker can gather, possibly from over sharing on social media, the higher the chance the user will take the bait.
A spear-phish is used when the attacker has a goal in mind. The goal might be to compromise the organisation in which you work. In this case the attacker will do his homework, and send you a specially crafted email. This email could appear to come from your boss, or other work colleagues. The attacker, posing as another employee, might ask for your latest password for the financial system. Or even ask you to check over the attached document. The document could contain malware allowing the attacker to infiltrate the company network.
Phishing can be very hard to protect against, but there are some steps to take:
- Don’t act on a sense of urgency. This is a tactic used by an attacker to lower your guard and not give you time to properly analyse the request.
- Double check the sender is legitimate. If you receive a request for sensitive information, confirm that the person you received the request from is who they say they are. Contact them via another means, i.e. via Telephone. But don’t call the number provided in the suspect email.
- Scan links and attachments with a service such as Virus Total.
- Ask a friend for advice. Even if the friend is not tech savvy, sometimes talking about something out loud will help you to see it is a scam.
Report a Scam
Phishing and other scams can be reported to Scam Watch.