By David Prattent
Working from home (‘WFH’) has been introduced to most Australian workplaces during the COVID-19 pandemic crisis. WFH provides an organisation with an opportunity to sustain at least some of its activities and keep it’s business going.
Unfortunately, WFH also provides an opportunity for hackers to explore individual and home vulnerabilities. The Office of Digital Government and the Australian Cybersecurity Centre have recently sent an alert that there is a significant increase in phishing and malicious email campaigns. What these campaigns are exploiting is that because people are working from home, they are more likely to be taken in by false emails because it is not so easy to double check or consult with colleagues and IT.
This short and simple guide provides basic information on what attacks are, what you look for and what you should do. It is not intended an exhaustive coverage of the issue. Some of you may find the information tells you what you already know. Although that may be the case, we must remember that about 80% of successful hacking attacks started with someone unwittingly handing over their log-in details. Without putting too fine a point on it, beware of over-confidence.
Firstly, four key definitions:
- Credentials – your log-in and password
- Phishing email – This is an attempt to trick you into giving out your credentials and other personal information such as credit card details. The word is a play on “fishing”. It’s an attempt at humour by a sad, lonely technology nerd. These emails tend to be generic, that is, not specifically addressed to anyone. Some are directed personally and these are called spear phishing, or whaling, attacks. Same nerd I’m afraid, but getting sick.
- Malware – Any malicious software.
- Trojan Horse – This is malware which is embedded in a benign file such as a .pdf or word attachment. When the attachment is opened, the malicious software is launched into the system.
What sorts of attacks are there?
There are two key types of attack:
Phishing attack
In this case, an email is sent perhaps alerting you to something but asking you to click on a link which either asks you to log in using your credentials and/or asking you to enter such details as your credit card number. Armed with this information, the hacker can easily log on to the system and, once they are in, can obtain lots of information for future use. Or they can go online shopping. Or they can sell your personal data on the dark web. There are all sorts of possibilities.
Malicious emails
An email is sent to you with an attachment which you open. Without you knowing, you have launched a virus or some form of malware which installs itself into your system so that it can be accessed later. The email comes from what looks a reputable source such as a bank.
Are these methods effective?
As we have seen 80% of successful hacking attacks start this way. To give you an idea of scale, reported losses to government agencies in 2019 exceeded $532 million. Some recent examples are:
- Toll Logistics – systems frozen by a ransomware attack. Company couldn’t move goods for nearly two weeks. It is not known whether or not the ransom was paid.
- Australian Catholic University – staff details stolen and bank accounts accessed.
- Toyota Australia – millions of customers’ data accessed by hackers.
What should I look for?
We all need to be alert to the fact that this can happen anytime. Businesses are already reporting a number of these attacks:
- Think about the context of the email. Is it something you were expecting? Is it relevant to you?
- Hover the mouse over any links (don’t click!). What does the link address look like? Is it consistent with the organisation you think you got the email from?
- Check the originating email address. Major organisations always have their own domain name. For example: @venta.com.au not @venta.net.au or @info.venta.com.au.
- Is the originating email address obviously that of the organisation you think sent the email?
- Is this an office alert? Is it addressed you personally? Has it been signed by someone you know to be in that section? This is a favoured approach by hackers so pay particular attention.
- Is the email making an urgent or instant demand?
- Are there any spelling or grammatical errors? Is there poor use of language?
- Check the extension of the attachment. If it is not the familiar Word or PDF then beware. It’s not foolproof because Word and PDF can be dangerous too.
What should I do?
- Always report the incident to IT support and send a copy of the email.
- If you are in doubt, try to verify the contact from an independent source. Call HR or Finance, ring the company or government department.
- Don’t click on anything if you are not sure, and delete it.
[gravityform id=”1″ title=”true” description=”true”]