David speaks: Email antispam and phishing

It is estimated that spam emails cost businesses up to $30b a year in lost productivity, not to mention that 33% of cyber-attacks originate from phishing emails. In its recent report, the Australian Cyber Security Centre (ACSC) identifies phishing as the most popular way for criminals to obtain information illegally, and most of it is done via email.

In September this year Aussies personally lost more than $250,000 to phishing scams – and that's only the victims who have come forward to report their losses. 

Just this week the ACCC warned of yet another phishing scam purporting to be from Netflix, and Google estimates it blocks 18 million COVID-19 scam emails a day across its 1.5 billion users.

So, how can we combat this threat?   

Today, David hosted another webinar on behalf of the College of Law's Centre for Legal Innovation, together with Matthew See from WatchGuard, tackling just that issue.

The Facts

What is phishing?

Phishing scams are attempts by scammers to trick you into giving out personal information such as your bank account numbers, passwords and credit card numbers. In some cases they instead try to get the victim to transfer them funds or purchase gift cards. As we mentioned earlier, this is most often done via email.

How to spot a Phishing email

Phishing emails can often come from an organisation you don’t even deal with. For example, we’ve been sent emails from the “Commonwealth Bank”… but we don’t hold any accounts with them.

Brands that are commonly copied include:

  • state and territory police or law enforcement (fake fine scams)
  • utilities such as power and gas (fake bills and overdue fines)
  • postal services (parcel pick-up scams)
  • banks (fake requests to update your information)
  • telecommunication services (fake bills, fines or requests to confirm your details)
  • government departments and service providers such as the Australian Taxation Office.           

Because of phishing, many companies now have a standard policy that they will not call, email or SMS you to:

  • ask for your username, PIN, password or secret/security questions and answers
  • ask you to enter information on a web page that isn't part of their main public website
  • ask to confirm personal information such as credit card details or account information
  • request payment on the spot (e.g. for an undeliverable mail item or overdue fee).

Key areas to watch for

Don’t trust the display name of who the email is from

Check the actual email address, not just the display name, to confirm the true sender.

Look, but don’t click

Hover or mouse over parts of the email without clicking on anything. If the destination shown on hover (or the alt text) looks strange or doesn’t match what the link description says, don’t click on it.

Check for spelling errors

Attackers are often less careful about spelling and grammar than a legitimate sender would be.

Consider the greeting

Is the greeting general or vague? For example, “valued customer” or “Dear (insert title here)”.

Is the email asking for personal information?

Legitimate companies are unlikely to ask for personal information in an email.

Beware of urgency

These emails often try to make it sound as if there is some sort of emergency (e.g. the CFO needs a $1m bank transfer, or someone needs you to buy gift cards for staff rewards).

Check the email signature

Most legitimate senders will include a full signature block at the bottom of their emails.

Be careful with attachments and links

Attackers like to trick you with an enticing attachment or link. It might have a really long name, it might carry a fake Excel icon even though it isn’t a spreadsheet, or it might be a failure notification that you are urged to fix.
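The checklist above can be turned into a simple screening script. The following is an added example, not code from the webinar or from FortiTech: it parses one raw email and reports which of the "key areas" it trips (display name vs. real sender domain, link text that hides a different destination, a generic greeting, urgency cues). The sample message, the keyword lists and the crude anchor-tag regex are constructed assumptions for illustration.

```python
# Added example: applies the "key areas to watch for" above to one raw email.
# SAMPLE is constructed; keyword lists and the crude HTML regex are assumptions.
import email
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlparse

URGENCY = ("urgent", "immediately", "within 24 hours", "suspended", "gift card")
GENERIC = ("valued customer", "dear customer", "dear user")
URL_LIKE = re.compile(r"(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?", re.I)
ANCHOR = re.compile(r'<a\b[^>]*\bhref="([^"]*)"[^>]*>(.*?)</a>', re.I | re.S)

def _host(url: str):
    return urlparse(url if "://" in url else "http://" + url).hostname

def analyze(raw: str) -> list[str]:
    """Return the checklist items the message trips (empty = nothing found)."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    name, addr = parseaddr(msg["From"] or "")
    domain = addr.rsplit("@", 1)[-1].lower()
    # "Don't trust the display name": brand words absent from the real domain.
    words = re.findall(r"[a-z]{4,}", name, re.I)
    if words and not any(w.lower() in domain for w in words):
        findings.append(f"display name '{name}' vs sender domain '{domain}'")
    body = msg.get_body(preferencelist=("html", "plain"))
    html = body.get_content() if body else ""
    # "Look, but don't click": link text shows one host, href goes to another.
    for href, shown in ANCHOR.findall(html):
        shown = re.sub(r"<[^>]+>", "", shown).strip()
        if URL_LIKE.fullmatch(shown) and _host(shown) != _host(href):
            findings.append(f"link text '{shown}' hides target '{href}'")
    plain = re.sub(r"<[^>]+>", " ", html).lower()
    # "Consider the greeting" and "Beware of urgency".
    if any(g in plain for g in GENERIC):
        findings.append("generic greeting")
    hits = [w for w in URGENCY if w in plain]
    if hits:
        findings.append("urgency cues: " + ", ".join(hits))
    return findings

SAMPLE = """From: "Commonwealth Bank" <alerts@cba-secure-update.example>
Subject: Account suspended
Content-Type: text/html

<p>Dear valued customer,</p><p>Your account is suspended. Verify immediately:
<a href="http://login.cba-secure-update.example/verify">https://www.commbank.com.au</a></p>
"""
```

Running `analyze(SAMPLE)` returns four findings, one per checklist item the constructed message trips; a clean message from a sender whose domain matches its display name returns an empty list.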

How technology can help

Spam and DNS filtering are excellent tools in the fight against spam and phishing. They improve security by blocking access to malicious and risky websites, prevent malware downloads from malicious websites or email attachments, keep your defences up to date with targeted threat analysis and zero-day updates as new threats arise, and in general prevent users from accessing material that could be malicious.

With phishing attacks the number one attack vector, FortiTech can ensure your organisation's email is secure with 5 anti-virus and anti-spam engines, full message queuing, outbound filtering and message continuity/DR webmail. If you are interested in implementing this for your organisation, simply give us a call on 1300 778 078.