Phishing

What is phishing?

Phishing is a method of stealing confidential information by sending fraudulent messages to a victim. It is one of the most prevalent scams reported in Australia.

These messages can be sent via email, SMS, social media, instant messenger or phone call. They can look extremely sophisticated and convincing, replicating legitimate messages from reputable senders.

As well as featuring official-looking logos and disclaimers, phishing emails typically include a ‘call to action’ to trick us into giving out sensitive personal information, from passwords to bank details.

Spear phishing is a dangerous class of phishing, where criminals use social engineering to target specific companies and individuals using very realistic bait or messages, often resembling correspondence they would usually respond to.

People with a large amount of personal or corporate information online are easy targets. Adversaries use carefully tailored attempts to appeal to a target by using their personal and professional circumstances and social networks. In this way, targets of spear phishing emails are duped into opening malicious attachments and links.

Adversaries also make use of publicly available industry information such as annual reports, shareholder updates and media releases to craft spear phishing emails, and use sophisticated malware to evade detection.

How do I recover from phishing?

  • Change any passwords that have been revealed.
  • Inform the organisation the scammer pretended to be from.
  • If any financial details have been compromised or money sent, contact your bank immediately.
  • Report scams to the Australian Competition and Consumer Commission’s Scamwatch. Include as much information as possible about the scam message in your report (e.g. the email itself, or a screenshot).
  • If the phishing has led to a crime, file a report with the Australian Cybercrime Online Reporting Network (ACORN).

How do I prevent phishing scams?

  • Deploy an email gateway or cloud-based blocking service.
  • Design your network topology to block phishing emails and malicious URLs.
  • Create a social media policy and regularly check what information is being shared on the internet about your organisation.
  • Minimise emails sent to customers that contain links.
  • Provide phishing awareness training to staff.
  • Create mechanisms for staff to report suspicious emails.
  • Complete a risk assessment to determine why you may be the target of a phishing campaign.
  • Put mitigations in place to minimise the impact of a successful phishing campaign against your organisation.