Phishing, Spear Phishing and just opening the wrong email…..

So many of us by now would have heard of the sadly constant data breaches in which companies large and small lose valuable private client information – names, addresses, credit card details etc… Big companies, big security risks and big efforts to protect.

ATO Scam email sample

But what about at home? What about on your PC/Mac at work? Could you unwittingly be part of the problem? Allow me to elaborate before you get defensive!

In Internet security (i.e. protecting your valuable private data from theft) there is a concept shared with general security (i.e. protecting your home contents from theft): what you leave exposed attracts attention. For example, if you leave your wallet on the front window sill, you may attract the wrong persons and come home to a broken window and an empty sill. Similarly, if you click too quickly on emails, you may just have given away too much to the wrong persons – except you probably did not notice it as much.

In the end, the higher the value of your possessions, the higher the security risk. What should you be more aware of? A wallet in the window, or clicking every email you receive and just maybe losing your bank account PIN numbers…?

NAB Scam email sample

A very common method (aka “attack vector” in industry speak) of stealing data from you, or for that matter installing malware/viruses/bots etc… on your computer, is the simple method of sending you an email. Yes, just an email with some clever wording, some interesting links or files, and you are in the middle of an attacker’s social engineering experiment, the one called “How gullible are you?”.

I hear it already – you’re busy, there are so many emails, there are some awesome offers if you click here, this email has the best footy tips attached, it came from a strange person, the grammar is a little wrong… etc… etc… These are some typical traits of phishing, the email trying to fish for your information. Different to spam (and sometimes the same), these emails commonly elicit a response from you in order to gain some control of your computer. You see that dodgy email come in and without thinking you click the link – you are now the victim. Sorry, but it’s that quick.

There are some versions of this attack to consider (in industry speak – yes, it’s a world of its own to a degree):

  1. Phishing – generalised email to you, i.e. an uncle in Nigeria has money etc… blah blah, and it has rough grammar – your name is perhaps misspelt and it wants you to send some money to unlock greater wealth!!! PHISHING! Delete and move on in life.
  2. Spear-Phishing – A much better version: the grammar is good, it looks very legitimate (i.e. from the ATO, a Bank, PayPal etc…) as it has all their logos and is written very well. Except it asks you to enter a password, open a link to update your details etc… Very good chance this is a highly directed and well developed attack; in the end the attacker asks you for something that no professional organisation would ever ask for in an email. In the legitimate world the ATO sends you a real letter, Banks send you a real letter – none ask for your PINs etc… ever by email! Be aware and don’t click or react; delete and again move on in life.
  3. Whaling – Like spear phishing, but aimed at persons that have a higher value or wealth to the attacker. You are a CEO, you are the School Principal, you’re the Local Member of Parliament. You may need to show even more caution and discretion when opening your email – even if you have “Managed IT”. Plenty of smart kids want to adjust their school reports, and it may just be easier by tricking you into installing some malware and inadvertently giving some kids full login access to the reports server… (yes, you just clicked a link, innocent as it seemed).
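To make those traits concrete, here is an added example (my own illustration, not code from the original post) that runs a few simple heuristics over an email: a display name claiming a known brand while the address comes from somewhere else, a request for a password/PIN or to “update your details”, pressure wording, and links that point at a bare IP address or a host unrelated to the sender. The two sample emails, the keyword lists, the brand-to-domain map and the “two or more traits is suspicious” threshold are all assumptions made up for this example; they are a starting point, not a spam filter.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Two constructed sample messages (not real emails). The first mimics the
# "update your details" bank lure described in the post; the second is a harmless newsletter.
PHISHING_SAMPLE = """From: "NAB Customer Care" <alerts@nab-secure-login.example>
To: you@example.com
Subject: URGENT: verify your account within 24 hours
Content-Type: text/html

<p>Dear valued customer,</p>
<p>Your account has been suspend. Please
<a href="http://203.0.113.7/login">click here to update your details and confirm your PIN</a>.</p>
"""

LEGIT_SAMPLE = """From: "Example Newsletter" <news@example.com>
To: you@example.com
Subject: This week's footy tips
Content-Type: text/html

<p>Here are this week's tips: <a href="https://example.com/tips">example.com/tips</a></p>
"""

# Things no professional organisation asks for by email (point 2 above) and the
# pressure words that usually accompany them. Assumed lists; extend for your own mail.
CREDENTIAL_PHRASES = ("password", "pin", "update your details", "verify your account", "confirm your")
URGENCY_PHRASES = ("urgent", "immediately", "within 24 hours", "suspend", "suspended")
# Brands the post names as commonly impersonated, mapped to the domain legitimate
# mail is expected to come from (assumed for this example).
KNOWN_BRANDS = {"nab": "nab.com.au", "ato": "ato.gov.au", "paypal": "paypal.com"}

IPV4_RE = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")


def _has_phrase(text, phrases):
    """Return the phrases found as whole words in text (case-insensitive)."""
    return [p for p in phrases if re.search(r"\b" + re.escape(p) + r"\b", text, re.I)]


def _same_org(host, sender_domain):
    """True if host is sender_domain itself or a subdomain of it."""
    return host == sender_domain or host.endswith("." + sender_domain)


def score_email(raw):
    """Score one raw email for the phishing traits described above.
    Returns the reasons found, a score (one point per trait) and a verdict."""
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rsplit("@", 1)[-1].lower()
    subject = msg.get("Subject", "")
    body = msg.get_payload()  # samples are single-part; real mail may need msg.walk()
    text = subject + " " + body
    reasons = []

    # 1. Display name claims a known brand but the address is not that brand's domain.
    for brand, real_domain in KNOWN_BRANDS.items():
        if re.search(r"\b" + brand + r"\b", display, re.I) and not _same_org(sender_domain, real_domain):
            reasons.append(f"claims to be {brand.upper()} but sent from {sender_domain}")

    # 2. Asks for a password/PIN or to "update your details".
    found = _has_phrase(text, CREDENTIAL_PHRASES)
    if found:
        reasons.append("asks for credentials or details: " + ", ".join(found))

    # 3. Pressure to act right now.
    found = _has_phrase(text, URGENCY_PHRASES)
    if found:
        reasons.append("urgency wording: " + ", ".join(found))

    # 4. Links that go to a bare IP address, or to a host unrelated to the sender.
    hosts = [urlparse(u).hostname or "" for u in re.findall(r'href=["\']([^"\']+)["\']', body, re.I)]
    if any(IPV4_RE.match(h) for h in hosts):
        reasons.append("link points to a bare IP address")
    if any(not _same_org(h, sender_domain) for h in hosts):
        reasons.append("link host does not match sender domain")

    score = len(reasons)
    return {"score": score, "reasons": reasons, "verdict": "suspicious" if score >= 2 else "probably fine"}


if __name__ == "__main__":
    for sample in (PHISHING_SAMPLE, LEGIT_SAMPLE):
        result = score_email(sample)
        print(result["verdict"], result["score"])
        for reason in result["reasons"]:
            print("  -", reason)
```

Run as-is it flags the constructed bank lure on all five counts and passes the newsletter with none. The point is the checks, not the score: each one is something you can do by eye in a second – look at the actual address behind the friendly name, hover over the link before clicking, and ask whether a real bank would ever ask that by email.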

But what can you do? A lot of easy things really:

  • Use your discretion and assess the emails you receive before accepting their contents. If it sounds dodgy – well then it is, so delete it. No one will get upset if you deleted too many.
  • Keep all of your software up to date!!!
  • If you think your copy of XP is great so why change it… you need to think again. With over 10 years of hacks and patches and no longer supported, XP is the proverbial practice ground of attackers. Update to software that is supported (Windows 7 is for now, but Windows 10 will last you longer). If you have a Mac, the updates to new versions are generally free, so be on at least El Capitan (as at 2015).
  • Get Anti-virus.
  • Use an email provider that filters spam etc. – Gmail, Outlook, Office 365 etc… Not impervious, but a great deal of phishing will be removed before you see it.
  • Always think before you click. It is definitely a problem when an email is asking you for something very unusual – i.e. “please update your details – from your Bank”.
  • Get Anti-virus – maybe you didn’t hear me the first time.
  • Keep your software up to date!!! – ditto.
  • Some companies have a published fraud contact that you can forward the suspect email to for verification; use it, or just call them up.

The Internet is fine if you are aware; you can quite safely shop, search, read, email, stream videos etc… Just be knowledgeable and not gullible!

Various Australian government organisations also have great advice and tips for staying safe online:

For more in-depth information:

And if you encounter cybercrime, you may report it on ACORN: www.acorn.gov.au

You can also find out more about cybercrime underlying legislation here: www.cdpp.gov.au/crimes-we-prosecute/cybercrime/