Keep yourself as safe as possible with our guide to phishing – what it is, how to detect it and how to keep your personal details and money away from online crooks.
What is phishing?
Phishing (pronounced fishing) covers a broad range of online criminal activities, all centred around fooling people into giving up personal details, including bank details, addresses and dates of birth.
Phishing falls under what’s usually called “social engineering”, because unlike software-based hacks that might take advantage of bugs in a password form or flaws in an online interface, the weak link in a phishing chain is, essentially, you.
How does phishing work?
Phishing attacks are impersonation attacks, where a criminal pretends to be some kind of authority or prominent business – for example, your bank, or the Australian Tax Office.
A phishing attack could involve you getting an email or a text that appears to be legitimate, asking you to log in to your service to verify that it’s yours, or trying to panic you into doing so by threatening to lock down your account. You wouldn’t want your bank account frozen, now, would you?
This is the phisher’s trap, because the links in emails or phone numbers in SMS aren’t in any way legitimate. Click on them, and you’ll land on a web page that might look identical to the one you’re expecting, with a password field waiting for you to enter your details.
Do so, and the scammers have those details, which they can then enter on your real bank’s site to siphon away funds. Or, if it’s a form that asks for personal details, they’ve got those for identity theft purposes, whether that’s to call up other institutions to reset passwords, gain access to accounts or generate false identity documents with your details in place.
Needless to say, you don’t want that, but it’s a big problem. Scams in general cost Australians more than $2 billion in 2021 according to the ACCC. That’s a huge – but not good – industry all by itself!
How did the scammers get my email or phone number in the first place?
There’s a myriad of ways that your supposedly “private” details may have fallen into their hands. In some cases, if you’ve used those details to sign up for services, they may have been sold on to marketers more widely, which may have been in the very fine print you didn’t read at the time.
That’s a rather direct way, but the other avenue for harvesting email addresses and phone numbers relies on database leaks from legitimate services you may already use.
Often those services will prioritise securing credit card numbers and the like, which does make a degree of sense, but once your number is out there online, it can be virtually impossible to scrub away its presence.
How can I protect myself from phishing?
The single best weapon you have against phishing attacks isn’t a fancy piece of software, or even a hardware device you place between your computer and the Internet.
It’s the chunk of meat between your ears known as your brain. That’s because phishing attacks very much rely on inducing panic, or at least a sense of urgency that would make you want to click on a dodgy link from an incoming email. When and if you do get an email that looks like it’s from your bank, the government, the police or other authorities, the single best thing you can do is stop and think.
The message may look legitimate, but that doesn’t mean it is. Most big businesses have largely stopped using email because of the possibility of it being faked this way.
There are some technical steps you can take to check if an email is legitimate. On a laptop or desktop, hover your mouse – without clicking – over any website links or email addresses. Scammers often use disposable email accounts, because they don’t want to be tracked by law enforcement, but there’s no way that your bank would send you a message from a Hotmail or Gmail account, for example.
Likewise, while the URL that pops up when you hover over a link might end in a legitimate-looking address, look at the whole URL string. While I’ve just invented it for the purposes of illustration, the difference between “www.legitimatebank.com.au” and “www.wewillstealyourmoney.legitimatebank.com.au” is that one would lead to the legitimate bank website and the other wouldn’t, and could redirect anywhere at all. There are also vectors where scammers send you to the service’s real login page, relying on scripting code that activates along the way to hoover up your details.
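The hover-and-read check above can be automated. The example below is added here and is not from the original article: it pulls the host out of a link, works out which domain actually owns that host by reading from the right-hand end against a small, constructed stand-in for the Public Suffix List, and compares it with the domain you expect, and it applies the same test to a sender address. All URLs, addresses and domain names in it are made up for illustration.

```python
from urllib.parse import urlsplit

# Constructed stand-in for the Public Suffix List (publicsuffix.org): the
# suffixes under which organisations register their own names. A real tool
# would load the full list; this handful is enough to show the check.
PUBLIC_SUFFIXES = {"com", "org", "net", "com.au", "net.au", "org.au"}


def registered_domain(hostname: str) -> str:
    """The part of a host name an organisation actually owns: the public
    suffix plus one label to its left, read from the right-hand end.
    'www.legitimatebank.com.au' -> 'legitimatebank.com.au'."""
    labels = hostname.lower().rstrip(".").split(".")
    # Longest matching suffix wins, so 'com.au' is tried before 'com'.
    for n in range(len(labels) - 1, 0, -1):
        if ".".join(labels[-n:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[-(n + 1):])
    return ".".join(labels[-2:])  # unknown suffix: assume the last two labels


def check_link(url: str, expected_domain: str) -> dict:
    """Work out which domain a link really leads to and whether it is the one
    the message claims. Hostname parsing drops any 'user@' prefix and any
    port, so the check sees the host the browser would actually contact."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = parts.hostname or ""
    owner = registered_domain(host)
    return {
        "host": host,
        "owner": owner,
        "matches": owner == registered_domain(expected_domain),
        "https": parts.scheme == "https",
    }


def sender_matches(from_header: str, expected_domain: str) -> bool:
    """True only if the sending address belongs to the expected domain;
    a 'bank' notice sent from a webmail account fails this check."""
    address = from_header.split("<")[-1].rstrip(">").strip()
    domain = address.rsplit("@", 1)[-1]
    return registered_domain(domain) == registered_domain(expected_domain)


if __name__ == "__main__":
    # Constructed sample links in the shapes the article warns about.
    bank = "legitimatebank.com.au"
    for link in ("https://www.legitimatebank.com.au/login",
                 "https://legitimatebank.com.au.example-scam.com/login",
                 "https://www.legitimatebank.com.au@evil.example/login",
                 "http://www.legitimatebank.com/login"):
        print(link, "->", check_link(link, bank))
    print(sender_matches("Legitimate Bank <alerts@hotmail.com>", bank))
```

Only the first link resolves to the bank’s own domain; the others either belong to someone else’s registered domain or sit on a different top-level domain, and the webmail sender fails the address check.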
This is why your best bet if you get an email that alarms you is to ignore any and all links and contact details within it. Open a fresh web browser and go to that service’s web page yourself to find login details or phone numbers. Contact that institution to see if the email or SMS was legitimate. Chances are that it wasn’t, but that way you can be more assured that you’re keeping yourself safe. Also, delete the phishing email because who needs dodgy digital junk mail?
Another really important step here is to use multi-factor authentication – at least two-factor, but more is better. This is where you have your usual email and password, but also a secondary login factor.
That could be an SMS your bank sends you, or an authentication app you install on your smartphone, or a biometric measure like a fingerprint or Face ID scan.
This matters especially if you do get fooled by a phishing email. If you’d entered your details into what you thought was the legit bank site and didn’t have multi-factor authentication in place, the scammers have a full key to access your details.
If you have that secondary factor, they can’t get in, but also, you’ll then get that alert – an SMS or other factor – when and if they try. That will let you know of a potential breach, and you can then contact your institution over the phone to properly sort out your account and set a new password, while keeping yourself safe.
What if I think I’ve been a victim of phishing?
There are a couple of key steps you should take here. First and foremost, contact whatever institution it was that was faked – your bank, the ATO or whatever – to secure your account as quickly as possible.
You’ll need your identity documents to hand to prove that you are who you say you are. Under NO CIRCUMSTANCES use phone numbers in the phishing email you got; look them up online or from any paperwork you may have got from that business or government department, and double check to be sure. It is sometimes possible to recover lost funds from phishing attacks.
Depending on the nature of the information disclosed, you may also need to contact family, friends, or business associates, because personal information can sometimes be used to try to impersonate you to others to perpetuate the scam.
The Australian government’s Scamwatch site has an excellent array of resources to cover most phishing and scam related activity, and it’s worth reporting to them as well; while they can’t recover funds for you, they can point you to other services that can assist, and giving them a wider picture of activity also assists in cracking down on phishing crime in a more general way.
Do you need help with your home or business IT needs? Sentinal IT can help. With over 30 years’ experience, our expert technicians and consultants can help to manage your IT needs. We can maintain your systems, servers and networks, and procure and configure hardware and install it onsite. We can also use our cloud-based services to manage and maintain your security in real time with our AI-driven security software to keep you protected. Call us today on 1300 533 396 or submit an enquiry.