Cybersecurity Awareness for the Non-Technical

Source: https://www.cyclonis.com/congratulations-google-user-youve-been-selected-pop-up-scam/

For those of us in the security industry, we’ve clearly had an insane start to October, the month of Cybersecurity Awareness. What about all those people who don’t do what we do? This article is for them. I’ll be sharing it with my family and friends, and I hope you do too.

Let me get straight to the point. Scammers target everyone, not just you, and certainly not just the older demographic. Security professionals fall for scams all the time, whether it be via email, text, or phone call. They catch us when we’re vulnerable and off our guard, thinking about a million other things that life is throwing at us, and that’s when we accidentally click that link or answer that phone call.

Naturally, we all feel a sense of shame when we fall victim to a scam, but picking up on the early warning signs will prevent any sort of harm or financial loss.

Scam Techniques

It’s part of a scammer’s business model to play on the emotions of each target, hoping that any one of their scams and stories will stick. A scammer will use the following techniques to get you to click a link, stay on the phone and provide confidential information, or enter your username/password on a fake website:

  • Create a sense of fear, that you will lose access to your account
  • Create a sense of urgency, that you have a limited amount of time
  • Create a sense of opportunity, that you will miss out on an exclusive deal
  • Create a sense of authority, that you must comply and provide information

Do any of these sound familiar? I know I get around 20 of these emails and texts each week, and they start to form a pattern.

Another technique that’s important to mention is that scammers will use current events as a way to pull you into their trap. We’ve recently seen an influx of scams relating to the following:

  • COVID-19; vaccinations, exposure sites, quarantine, and testing
  • Rental and Superannuation scams during the pandemic
  • Cryptocurrency
  • Online shopping during holiday periods (including Valentine’s Day)
  • Bushfires and other emergency events

There are so many types of scams that I couldn’t possibly demonstrate them all here. But the intent is to explore some examples, help you start thinking about what to look out for, and suggest some questions to ask yourself when you’re looking at an email or text message, or speaking to someone over the phone.

Emails

This email pretending to be from the ‘Australian Post’ is a very obvious scam, but it’s a good one to break down and get us thinking with a ‘security’ hat on. You can see that they’re trying to instil a sense of fear, as your package might be lost due to a ‘missing address’.

  1. Firstly, it’s Australia Post, not Australian Post.
  2. Do Australia Post tracking numbers look like that? No. For one, there is no hyphen (-) in our tracking numbers, and they include letters.
  3. Does that email address look like a legitimate Australia Post address? No. Most of the legitimate emails in my inbox are from noreply@notifications.auspost.com.au. To check if an email is part of a known scam operation, check Australia Post’s website for an updated list of scams.
  4. Whilst Australia Post do have a chatbot on their website, they will never email you asking to ‘start a chat’ with them.

Tip: don’t be tempted to ‘remove yourself’ from their email list. Unfortunately, this goes to the same site as the ‘Start Chat’ button: alightincite[.]co[.]uk. This clearly isn’t a legitimate Australia Post site.

Hover over the ‘here’ button to see what website it will send you to

Here is a similar one, instilling a sense of urgency, where if you do not respond to the email within 12 hours, your account will be suspended. There are some common giveaways here: the subject name, non-Apple email address, and the copyright information.

Neither Apple nor any other major provider will ever send you an email with an ‘alert’ asking you to verify your account, let alone urge you to do it within 12 hours. See the sense of urgency here?

Some important things to think about and do when you receive an email you’re not sure of:

  • Do you have an Apple ID or Apple account?
  • Does the email look legitimate? Take your time to read through it slowly: check who sent it, what it is asking you to do, and look for any signs of malicious intent.
  • Would the organisation send you an email like this? More often than not, they will not send you an email asking you to verify your account or ‘unlock’ it.
  • Sign into your account using the legitimate website. If something is wrong with your account, you’ll receive a notification once you’ve logged in.

Tip: carefully, without clicking the link, copy the address from the email into a site such as urlscan. This will give you a preview or screenshot of the website the scammers are trying to get you to visit.

Texts/SMS

Scam text messages usually take the form of someone pretending to be from a delivery company or bank. In Australia, the most common scam texts you’ll receive are masquerading as NAB, CommBank, DHL, and FedEx.

When you get a text such as this, have a think about the following before clicking a link:

  • Are you a customer of the company that sent you the message?
  • Is the text message asking you to click a link?
  • Are you expecting a delivery from DHL, FedEx, or any other partner?

Tip: If the text provides a tracking number, don’t click the link in the text to view it. Go to the delivery company’s tracking website yourself and manually enter the tracking number they’ve given you. This way, if the tracking number is not recognised, you know for sure that the text you’ve been sent is fraudulent.

This is the same for banking scams — even if the link says ‘nab’ or ‘comm’, it will redirect to a malicious website asking you to enter your username and password. Some scams will use a URL shortener such as ‘bit.ly’ so you cannot see the full website name or URL. Whenever this happens, visit the bank’s website, log in yourself, and see if there are any messages in your inbox or alerts in your account. Always use the legitimate website to confirm the information you’ve been given.

Source: https://www.nab.com.au/about-us/security/fraud-warnings-for-all-nab-customers
Source: https://www.commbank.com.au/support/security/sms-phishing-scams.html
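The checks described in the Emails and Texts/SMS sections above (who the sender really is, where the link really goes, URL shorteners hiding the destination, lookalike names such as ‘nab’, and the shape of a real Australia Post tracking number) can be written down as a small script. The Python below is an added example, not code from the article: it parses a constructed scam email and a constructed scam text with the standard library only. The legitimate domains auspost.com.au, nab.com.au and commbank.com.au are taken from the article; apple.com, the shortener list beyond bit.ly, and the sample messages (which use reserved `.example` names, not real sites) are assumptions made for the example.

```python
import email
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Domain the real organisation sends from and links to. auspost.com.au, nab.com.au and
# commbank.com.au come from the article; apple.com is assumed here.
LEGIT_DOMAINS = {"auspost": "auspost.com.au", "apple": "apple.com",
                 "nab": "nab.com.au", "commbank": "commbank.com.au"}
# Short list of URL shorteners (bit.ly is named in the article; the others are assumed).
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co"}
# Brand words a lookalike domain might contain ('nab' and 'comm' are named in the article).
BRAND_WORDS = {"auspost": "auspost", "apple": "apple", "nab": "nab", "commbank": "comm"}
URL_RE = re.compile(r"https?://[^\s<>\"']+")


def same_org(host, legit):
    """True when host is the legitimate domain itself or a subdomain of it."""
    host = (host or "").lower().rstrip(".")
    return host == legit or host.endswith("." + legit)


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs so the text you see can be compared with the real target."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def check_links(links, brand):
    """Flag shorteners, links that leave the organisation's domain, and lookalike hostnames."""
    legit, findings = LEGIT_DOMAINS[brand], []
    for href, text in links:
        host = (urlparse(href).hostname or "").lower()
        if host in SHORTENERS:
            findings.append(f"link '{text}' uses shortener {host}; real destination hidden")
        elif not same_org(host, legit):
            findings.append(f"link '{text}' goes to {host}, not {legit}")
            if BRAND_WORDS[brand] in host:
                findings.append(f"{host} is a lookalike: contains '{BRAND_WORDS[brand]}' but is not {legit}")
    return findings


def check_email(raw, brand):
    """Check the sender domain and every link in a raw RFC 822 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    sender_domain = msg["from"].addresses[0].domain if msg["from"] else ""
    if not same_org(sender_domain, LEGIT_DOMAINS[brand]):
        findings.append(f"sender domain '{sender_domain}' is not {LEGIT_DOMAINS[brand]}")
    body = msg.get_body(preferencelist=("html", "plain"))
    parser = LinkExtractor()
    parser.feed(body.get_content() if body else "")
    return findings + check_links(parser.links, brand)


def check_sms(text, brand):
    """An SMS has no headers, so only the URLs in the body can be checked."""
    return check_links([(u, u) for u in URL_RE.findall(text)], brand)


def check_auspost_tracking(number):
    """Article: real Australia Post tracking numbers have no hyphen and do include letters."""
    findings = []
    if "-" in number:
        findings.append("tracking number contains a hyphen")
    if not re.search(r"[A-Za-z]", number):
        findings.append("tracking number contains no letters")
    return findings


# Constructed sample messages (parcel-alert.example and nab-secure-login.example are
# reserved example names, not real sites).
SAMPLE_EMAIL = """\
From: Australian Post <support@parcel-alert.example>
To: you@example.com
Subject: Parcel on hold: missing address
Content-Type: text/html; charset="utf-8"

<html><body><p>Your item AU-8812-3321 could not be delivered (missing address).</p>
<p>Please <a href="http://parcel-alert.example/chat">Start Chat</a> within 24 hours.</p>
<p><a href="http://parcel-alert.example/unsub">Remove yourself</a> from this list.</p></body></html>
"""
SAMPLE_SMS = "NAB: Unusual login detected. Verify now: http://nab-secure-login.example/verify"

if __name__ == "__main__":
    for finding in check_email(SAMPLE_EMAIL, "auspost") + check_sms(SAMPLE_SMS, "nab"):
        print("-", finding)
    print("-", check_auspost_tracking("AU-8812-3321"))
```

Run as-is it reports the sender domain, both links (including the ‘remove yourself’ link the tip warns about) and the hyphenated tracking number for the parcel email, and both the off-domain link and the lookalike hostname for the bank text. A message that produces no findings is not proven safe; the script only automates the questions the article asks you to ask, and signing in through the organisation’s real website remains the final check.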

Whilst the text messages above try to instil a sense of fear, urgency, and sometimes even authority (pretending to be a bank representative), others simply dangle an opportunity. Scammers claim that you’ve been selected for a prize or have won a competition. Surprise: the cake is a lie. There’s no reward.

Have a look at the text below.

Do you even shop at Woolworths? Do Woolworths run lotteries? Do Woolworths use a website called ‘lvwgsix[.]com’?
Maybe, no, and no.

Source: https://7news.com.au/lifestyle/food/new-woolworths-text-scam-thats-fooling-thousands-c-601596

Phone Calls

Australia is currently being flooded with calls from people telling us that they’ve detected fraudulent activity on our account, that we will be arrested by the ATO if we don’t pay back a debt, or simply asking us to call them back so that we’re charged a premium rate.

These are much harder to steer clear of, as many people run their own businesses or work in an environment where answering phone calls from unknown numbers is a necessity.

As a general rule, if you receive a call and they are asking you to divulge personal information, hang up the phone. Here are some techniques to look out for:

  • If you receive a call from someone claiming to be from a technology company, bank, or retailer about any of the following, hang up the phone: detected fraudulent activity; an issue with an order or delivery; a security issue with your account (such as it being suspended or locked); a request to pay a fee; or a request to download software onto your phone or computer.

  • If they call you asking for your details, such as your address, credit card information, or date of birth, hang up the phone. This is a common tactic in identity theft or fraud. Usually, they will only have your name to go on.
  • If it’s from an international number, from a country you have no relation to, do not answer the call or call them back.

Once you sense that the call might be suspicious, hang up, and call the organisation using a contact number from their website. Talk to them about the phone call to determine whether it was a scam.

Tip: never give out personal information over the phone unless you have verified the phone number that they’ve called you from.

Another tip: scammers will commonly try to flood you with huge amounts of information to overwhelm you and manipulate you into handing over your personal information.

What can we do about all this?

If you do fall victim to a financial scam:

  • Call your bank. Ask for your credit card or banking card to be blocked and a new one issued.
  • Change your passwords for banking accounts and emails.
  • If the scammer mentioned PayPal or any other financial service, reset passwords to those services too.
  • If you believe money has been stolen, call the police.

As preventative measures go, here are some recommendations to prevent your email or online accounts from being hacked.

2FA

A security control called multi-factor authentication is used to prevent hackers or scammers from gaining access to your account without your permission. It works by relying not only on a password, but on another piece of information too. This way, if someone gets hold of your password, they still won’t be able to log in to your account without having that second piece of information.

At a minimum, security professionals will recommend two-factor authentication. Along with the password you use to log in to your account, you can also set up one of the following:

  • A random PIN code that is texted to your phone or emailed to you; this is highly recommended for accounts like PayPal, online banking, and email.
  • Fingerprint or other biometrics; these are more advanced types of 2FA that some apps may allow for.
  • Authenticator apps such as Google Authenticator, Microsoft Authenticator, or Duo Mobile; these generate a six-digit PIN that rotates regularly, which you enter each time you log in to an account, if the service supports it.

This is highly recommended for services that store sensitive information or are often targeted by scammers: banking, emails, financial services, insurance, and social media.
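To make the authenticator-app option concrete, here is an added example (not code from the article) of how those rotating six-digit PINs are computed: the TOTP algorithm from RFC 6238, which is HOTP (RFC 4226) with the counter set to the current 30-second time step, written with Python’s standard library. The shared secret below is the RFC 4226 test secret encoded in base32, the form an app receives in an enrolment QR code; it is used here only so the output can be checked against the published test vectors. The `verify_totp` function shows the server side, which accepts one step of clock drift either way and compares codes in constant time.

```python
import base64
import hmac
import hashlib
import struct
import time

# RFC 4226 test secret ("12345678901234567890") in base32, the form an authenticator app
# scans from an enrolment QR code. A published test value, used only for this example.
DEMO_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def secret_from_base32(encoded):
    """Decode the base32 secret shown in the enrolment QR code into raw key bytes."""
    return base64.b32decode(encoded.strip().upper())


def hotp(secret, counter, digits=6):
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                      # low nibble of the last byte picks a window
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)  # keep leading zeros


def totp(secret, at_time=None, step=30, digits=6):
    """TOTP (RFC 6238): HOTP with counter = number of `step`-second periods since the Unix epoch.
    The phone and the server agree only because they share the secret and roughly the same clock."""
    if at_time is None:
        at_time = time.time()
    return hotp(secret, int(at_time // step), digits)


def verify_totp(secret, candidate, at_time=None, step=30, window=1):
    """Server-side check: accept the current code or one `window` steps either side (clock drift).
    compare_digest avoids leaking how many digits matched through timing."""
    if at_time is None:
        at_time = time.time()
    counter = int(at_time // step)
    return any(hmac.compare_digest(hotp(secret, c), candidate)
               for c in range(counter - window, counter + window + 1))


if __name__ == "__main__":
    key = secret_from_base32(DEMO_SECRET_B32)
    now = time.time()
    code = totp(key, now)
    print("current code:", code, "valid:", verify_totp(key, code, now))
    print("RFC 6238 check at t=59:", totp(key, 59))  # expected 287082
```

The point for the reader: the code is derived from a secret that only your phone and the service hold, plus the time, so a scammer who has your password still cannot produce it. Note that a code you type into a fake website is just as usable by the scammer as a texted PIN, which is why the article’s advice to sign in only through the legitimate website still applies.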

Password Managers

These days, we all have far too many online accounts and it’s absolutely impossible to remember all of our passwords. Unless you re-use your password… which, firstly, please don’t. Secondly, this is what password managers are for. They allow you to create complex passwords that would take a long time to crack.

More importantly, however, password managers remember your passwords for all your accounts. All you have to do is remember one very strong password to get into the password manager.

Recommendations include:

  • LastPass; so easy to use in your browser, and very affordable — look out for the family discounts they have every so often.
  • 1Password; $3USD a month for yourself, or $5USD for your family (5 people).
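As an added illustration (not code from the article or from any password manager) of why a generated password ‘would take a long time to crack’ and why re-use is the real problem, the Python below generates passwords from the operating system’s cryptographic random source via the `secrets` module, estimates their entropy in bits, converts that into years at an assumed guess rate, and finds re-used passwords in a constructed vault. The 10 billion guesses per second figure is an assumed, illustrative rate, not a measurement of any real attacker.

```python
import math
import secrets
import string

ALPHABET = string.ascii_letters + string.digits + string.punctuation  # 94 printable symbols


def generate_password(length=20, alphabet=ALPHABET):
    """Pick each character with secrets.choice (OS CSPRNG); random.choice would be predictable."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length, alphabet_size):
    """Bits of entropy for a uniformly random password of this length over this alphabet."""
    return length * math.log2(alphabet_size)


def years_to_exhaust(bits, guesses_per_second):
    """Worst-case time for an attacker to try every possibility (the average is half this)."""
    return 2 ** bits / guesses_per_second / (365 * 24 * 3600)


def find_reused(vault):
    """Return {password: [sites]} for every password used on more than one site."""
    by_password = {}
    for site, password in vault.items():
        by_password.setdefault(password, []).append(site)
    return {p: sites for p, sites in by_password.items() if len(sites) > 1}


# Constructed vault: the bank and email share a password, which is the re-use the article warns about.
SAMPLE_VAULT = {"bank.example": "Summer2021!", "mail.example": "Summer2021!",
                "shop.example": "k7$Qp2!vR9&mL4xZ"}

if __name__ == "__main__":
    rate = 1e10  # assumed guesses per second, for illustration only
    for length in (8, 12, 20):
        bits = entropy_bits(length, len(ALPHABET))
        print(f"{length} random chars: {bits:.0f} bits, {years_to_exhaust(bits, rate):.3g} years to exhaust")
    print("re-used:", find_reused(SAMPLE_VAULT))
    print("fresh password:", generate_password())
```

The entropy numbers only hold for passwords that are genuinely random, which is exactly what a password manager produces and a human does not; and however strong the password, a single re-used one turns one leaked site into access to every account that shares it, which `find_reused` makes visible.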

Backups

Mobile phone scams are becoming increasingly prevalent, and computer crime is ever-increasing. The best thing you can do is to create regular backups of your mobile phone and data that’s on your laptop. This way, in the event that you do fall victim to a scam, you can easily get your data back.

  • I’d recommend backing up your mobile phone at least twice a year. iTunes or iCloud are good ways to do this if you own an iPhone. You can use Smart Switch or Google to back up Android/Samsung smartphones.
  • Back up your important mobile and PC data by copying it onto an external hard drive. You can also use a cloud service such as Google Drive.
  • Make sure to back up all your important documentation, whether that includes personal or business files, photos, contact lists, emails etc.

Detect and Report

Finally, it’s crucial that we all report scams when we see them, especially if we fall victim to one. This is to prevent others from falling into the same trap.

The number one place to report scams of any kind is the ACCC’s Scamwatch: https://www.scamwatch.gov.au/. They have an alerts page which is great to check up on when you do receive a suspicious email, phone call, or text message and see if others have reported it.

Major international or large corporate organisations generally have a submissions page or website instructing you on how to report fraudulent activity. Here are some examples:

I hope this article helps at least one person out there to think before they click.

Your one and only source into the scandalous life of a DFIR consultant.