The COVID-19 crisis has shocked and astounded us all, and we are a long way from knowing where it will end. Both the local and global economies are under tremendous pressure and we are all being heavily tested on multiple fronts.
It is pleasing to hear some early good news, with signs that here in Australia, and in other parts of the world the tough measures that we are taking seem to be having an impact and slowing the number of cases.
Sadly, though, while our minds are all so focused on this important situation, cybercriminals are using this crisis as an opportunity to exploit people and to fill their own pockets. We are intercepting an increasing number of COVID-19 related email threats, as well as other malicious email scams, so this is not a time that we allow ourselves to complacent in keeping our computers, and personal information safe from threats, and even more so now that many are working from home, on personal computers, laptops and mobile devices, and perhaps have lower security configurations that those of workplaces and manages office systems.
Last week AustCyber [The Australian Cyber Security Growth Network], a federal government initiative, also shared similar sentiments encouraging Australians to:
- TRAIN THEIR TEAMS, WITH CYBER SECURITY TRAINING
- STAY ACROSS THE LATEST SCAMS, INCLUDING THOSE EXPLOITING COVID-19 CRISIS IN PARTICULAR
- REPORT IT IF YOU’VE RECEIVED AN SMS OR EMAIL YOU THINK IS A SCAM TO SCAMWATCH [OR YOUR LOCAL AUTHORITIES] TO VERIFY IF WHAT YOU’RE SEEING IS REAL OR MALICIOUS
- USE LOCAL IT SUPPORT SPECIALISTS TO PROTECT YOU AGAINST THREATS + PROVIDE INFORMED ADVICE ON HOW TO ADVICE BEING TAKEN ADVANTAGE OF
So, in light of the above, here are just a few ways that scammers and cybercriminals are using to take advantage of the unsuspecting. Knowledge is power, so simply being aware of these mechanisms with thwart cybercriminals and give you back some much-needed control and prevent you, your workmates and loved ones from being exploited.
1. PHISHING EMAILS // the word “phishing” [aka “fishing”] was coined around 1996 by hackers stealing America Online accounts and passwords. By analogy with the sport of angling, these internet scammers were using e-mail lures, setting out hooks to “fish” for passwords and financial data from the “sea” of internet users.
In layman’s terms, scammers sent out [literally] millions of emails to unsuspecting users by pretending to be from a legitimate source. For example, from a social media or email account [Facebook, LinkedIn, SnapChat, Gmail, Microsoft Office, Telstra Bigpond], or from a web page you use for internet banking or financial services [Westpac, NAB, Commonwealth Bank, PayPal, Western Union], or from a whole myriad of other businesses. Because we do so many things online, it’s really easy to grab a business that has a login page online, and pretend to be that businesses.
Here is an example which we recently received which was actually really professionally done:
- A Scammer sent an e-mail pretending to be from “Westpac” to indicate that the person’s bank account had fraudulent activity and had been “locked” to prevent any possible exploitation.
- The e-mail asks the user to click on the link contained in the email and to enter their username and password for the person’s internet banking in order to confirm that the activity was from them and to prevent the account being locked.
- If the customer was to click on that link it would take them to a “bogus” web site which the scammer has copied to look like the normal login page for Westpac Internet Banking, but is really just a front. When the person types their real username and password t o log into their bank account, they are simply giving up their details directly to the scammer.
- The website then [automatically] diverts the customer back to the “real” Westpac site where the message will pop up that they entered their details incorrectly, and to retry. The customer enters them again, and then they login to their normal internet banking, none the wiser that they have just given cybercriminals the keys to the financial bank accounts.
- A short time later the cybercriminals will login to Westpac using the customers *actual* login details and proceed to transfer funds to their own accounts [usually via a series of other stolen or illegal money laundering accounts or other bank accounts etc.]
- By the time the customer realises that their account has no money left, the criminals have withdrawn the funds or transferred them to offshore bank accounts which are no longer accessible, leaving the end user high and dry, leaving them to try and sort out with their bank to try and recover their money.
There are a whole host of variations on the above scam.
In another variation of the scam, a hacker tries to “phish” out a business username and password to an e-mail account, and then [once has access] will sift through the sent items folder looking for invoices or statements that the business has sent to their clients, and will then form them, changing the bank account payable details on the invoice and re-sending them to the original recipients, asking them to take note that the business has changes their bank account details and to make payment into the [criminal’s] bank accounting instead of the legitimate one. The list of variations on such scams is endless, but the fact of the matter is that the cybercriminal does not actually “hack” into anyone’s systems, they just fool the legitimate owner into simply “telling” the criminal what their login details are, and then it’s easy street for them to take advantage of that to exploit wherever and however possible.
The lessons to be learned from the above:
- NEVER click on links directly in e-mails to get to websites
- NEVER call back numbers sent to you as an SMS
- ALWAYS treat e-mails or SMS text messages asking you for login detail or personal information as suspicious, and never give anyone your personal details, logins or passwords either via email, or over the phone.
- REMEMBER that your bank, or ISP, or service provider will already have your details, and they can reset your password if you have lost it.
- IF YOU DO NEED to verify a suspicious transaction, call your bank, ISP, service provider on their known, registered phone number, and ask them to verify and suspicious activities.
- CHANGE YOUR PASSWORD REGULARLY, and especially if you feel something suspicious has happened – change it anyway, just to be safe.
- IF POSSIBLE, use 2-factor authentication on any/all of your online services wherever possible to thwart illegal transactions occurring without you knowing.
2. VIRUSES + WORMS // as our PCs, laptops and phones become more and more sophisticated, viruses, trojans and worms [all different types of programs used to infect your technology] are becoming scarcer, however, there are still viruses out there which are still seen from time to time. Once again, the aim is to exploit the end used by any means possible.
Cryptolocker is a really nasty virus, for example, that will infect a PC or Mac and systematically “scramble” all documents, files, photos, videos, emails and other critical data on your computer, and then demand a ransom payment in order for you to get your information back.
Others are less obvious – for example another type of virus called a “keylogger” will sit quietly on your computer just “looking” at you typing all your personal information, and then sends it to a listening criminal. It’s the more sophisticated variation of the “phishing” scam, but you are unaware it’s even happening.
To protect yourself from viruses and hackers:
- NEVER click on links directly in e-mails to get to websites
- NEVER click on random links on websites which are dubious and resist the temptation of clicking into illicit websites [many criminals will deliberately host porn sites and other questionable web pages purely to lure unsuspecting users, and then use it as a springboard to infect computers].
- ANTI-VIRUS, make sure you use a reliable anti-virus package and keep your anti-virus up to date [and yes, Mac Users, that means you too – Macs CAN and DO also fall prey to most scams and also have viruses, there are just fewer Mac users than PCs, so they are less publicised].
- IF YOUR COMPUTER IS INFECTED, [particularly with a cryptolock virus] DO NOT pay any ransom demands – you will NOT get your data back, even if you do pay, you’re just going to lose money to top losing your data.
- BACKUP, make ABSOLUTELY sure that you BACKUP your data. Syncing your data to the OneDrive, DropBox or other Cloud service is NOT good enough – that can also be scrambled. Use a verified, secure, offline backup mechanisms to that if something does happen to your data, you have something to recover from.
3. SCAM PHONE CALLS OR SCAM E-MAILS // this is also becoming extremely prevalent these days. Scammers [usually from overseas] will just systematically call numbers listed in the phone book and spin up a story to fool you: “Sir/Madam, this is John Doe from Microsoft and I’m calling you because we have detected a virus which has been sent from your computer“, then try and get you to allow them to connect to your computer remotely so that they can [again] perpetrate some kind of scam to either exploit you, siphon funds from your bank account, or perhaps convince you that your computer is infected, and charge you a “bogus” amount of money to “clean” it for you.
A variation of this is being perpetrated about the current COVID-19 virus asking for donations to support fundraising efforts for a cure or asking for some kind of payment.
And then you have the classic scam where someone tells you that you have a “long lost relative” who has died, and you have some fortune to inherit, but you just need to pay for some legal/admin fees in order to access it. The mind boggles on the sheer number of variations criminals use to exploit people.
Some simple guidelines to follow:
- NEVER trusts a total stranger cold calling you. If you have any doubts, call back businesses or organisations using their *published* known phone numbers.
- NEVER divulge personal information over the phone.
- NEVER make payment or provide credit card details or banking information to anyone on the phone, and never allow anyone access to your computer remotely unless you know they are a reputable IT support provider [preferably ones that you know personally].
- AND if something sounds too good to be true – it probably is. [If you really had a long-lost uncle John who was the sole heir to a fortune, they you will soon know about it via official channels when the executor of their will sends you the details].
I hope the above examples give you reason to pause when dealing with e-mails, text messages and phone calls, and disarming criminals from doing you any harm.
Despite the increased risk to you or any of your staff members – whether they’re on the front line in high-pressured healthcare or emergency services roles or working remotely to keep the economy on its feet, our IT managed services and my team are committed to stopping any threats intent on doing your business harm. That’s the last thing that you need right now.
If you find yourself doubting an e-mail, text or phone call, then pause and seek help and clarification. Please reach out to our support team should you require assistance, at firstname.lastname@example.org or on our dedicated support lines for customers and partners on +03 5277 9797.
To our customers and partners here in Australia, and to those throughout the world, my thoughts are with you and your teams for continued good health and safety. In times like these, it is important that we stick together and survive personally and on the business front, and I sincerely appreciate you sticking with us.
Nenad Saflin – Managing Director
Universal Computer Solutions