Mark
Right now it is time to talk about all things IT with Seamus Campbell, from Boldacious Digital in Mareeba. G’day Seamus, how are you mate?

Seamus
Good, good, how are you?
Mark
And we’re going to be talking about phishing, pharming, vishing, smishing and spear-phishing with a ph. So, we’re not talking about fish in the ocean.
Seamus
No, we’re not. No, all the f’s are spelt with a ph. So it’s, yeah, phishing, pharming, vishing, smishing and spear-phishing.
Mark
And what exactly are they apart from the wish to go onto the water?
Seamus
Yes, I might start, before I say what they are, I’ll just start with a quote, which is “Email is an open front door to security threats to an organization – $12 billion in losses are caused by business email scams, and 90% of data breaches are from phishing”. So what we’re talking about is people trying to, criminals really, trying to con money out of you or organisations or sensitive information.
Mark
Is that like the other day I got myself an email, and the email was supposedly a bill from the health department for COVID-19 testing.
Seamus
Yes, that’s exactly so, that’s a phishing email. Again, spelled phishing.
There are heaps of them going around, so overall phishing is just any criminal activity that tries to fraudulently get or steal sensitive data from you for whatever reasons, and that’s the overview of all of these things. So your example of a phishing scam is, as you said, an email that came to you.
Now, there’s been heaps more of these, by the way, with COVID-19.
But you can usually tell; there are a few things that you can check on an email if you, if it’s suspicious or even if it’s not. But the first thing to do is look at the email it comes from, and what you know off the top of the email, and just see, is that who it’s supposed to be from? Now you’ve got to be a bit careful with this because a few years ago now, I think, someone registered a domain name called paypal.com, except they put the number one instead of the L at the end of PayPal. So, really clever; first glance you think, oh yeah, that’s right, that’s PayPal, fine, but yeah, it was paypa1. So you’ve got to check that. Not many are as clever as that. Some of them, as long if the email is totally different from where it’s supposed to be coming from, then that’s, you know, a suspicious sign.
Mark
Yeah, especially if you get something supposedly from the government or from an office, if you take a look up and it’s got somewhere in Tanzania, or something. You know it didn’t come from there.
Seamus
That’s right, yeah. So, and all of these are little warnings, you know, like, you might have one, often they have grammatical errors in them. Whereas, you know, if you’ve got an email from a big bank or a big company, they, they don’t send you emails with grammatical errors in them. And sometimes there’s, there’s a link in the email which will say something like, you know, click here to confirm your account or click here to win, win a billion dollars or something ridiculous like that. If you just roll your mouse over that link, don’t click it. The actual link, where it goes to, displays at the bottom of your browser window, on the bottom left of your browser window. So, you can see then if it’s going to be hard to say yes I’m going to .tz. Well, yeah, don’t do it.
Mark
Why do people fall for these scams? I mean, is it the thing is if it seems too good, watch out, it probably is.
Seamus
Yeah, but people have been conned by that sort of lurk for years, even though this is just more and more sophisticated. And if you’re really busy, or if some of them come through and say, you know, your credit has been cut off from somewhere, so a lot of them will just panic and click on them to see why. “How dare they!” you know, blah blah blah.
So, they do get people, and one of the things with phishing is that they can send out millions and billions of emails, so they only need, you know, .001% of people to click on them to make it worthwhile for them.
They don’t need to get a large number of people at all but a large percentage. And, and one of the other things is often they’ll ask for personal details or ask you to confirm your account. And none of the big banks or the big businesses will do that, they never ever do that. But, so that’s another sort of thing to watch out for. If you’re suspicious if it comes from, you know, a local business or something like that, ring them up, because they want to know who’s trying to scam their customers. And they’ll also tell you if that’s a scam or not.
Mark
Yeah then they just need to just right click and say junk mail.
Seamus
Yeah, exactly.
Mark
And that’s the way. OK, what the devil is pharming or vishing?
Seamus
Mostly because it’s worth knowing that these things are out there, so pharming is where somehow someone puts some malicious code in your computer. And then when you do anything or click on anything in your, in on your computer, then it sends it off to a fraudulent site or a malicious site. And quite often you don’t know what’s going on. Now there’s various reasons for doing that, but basically they’ve hacked into your computer somehow and taken over your computer in a way.
Mark
Yeah, I’ve heard some of those even with some of the emails, you don’t even have to really click on a button you got to hover over them.
Seamus
Yeah, I’ve heard that. I haven’t looked into it myself, but yeah, they keep coming up with new and new sort of ways of doing things. But then the next one on the list is vishing. And that’s a phone call, where you get a phone call, and these con artists, and they call it social engineering, they’re really really clever, and they’ll ask you some questions that don’t seem to be too bad and they really. They’re just good con artists. So they’ll often get information out of you. And they might only get a little bit of information out of you but that’s enough to go on to someone else if you’re in an organisation. That gives them enough to go on to someone else and use that information to get more information. And most people say, oh yeah, I wouldn’t be caught by that, but it’s a bit like if you’re in one of those cities where they’re really good pickpockets, you’ll say, yeah, now I’m too, you know, aware of my surroundings to get caught by a pickpocket. But the really good pickpockets, they’ll do it. Now, they can even come up to you and tell you I’m going to pick your pocket and I’ll still do it, you still won’t know. So it’s this really good social engineering people just do it, you sort of almost got no control over it.
Mark
I think, with some of these, the first you really know that is when you’ve got a debt collector knocking on your door for debt that you didn’t even know that.
Seamus
Yep, or when they take your identity. And then you’ve got to prove that you’re not this fraudulent new person who’s using your ID to do all sorts of stuff on the internet. So yeah, it’s quite, they’re quite clever and, I mean, it doesn’t happen all the time but you’ve just got to be wary. And, and, sort of, I suppose, suspicious. One of the next ones is smishing; that’s when you get a text message, an SMS message, saying, and it’s always a shortened link on your phone so you don’t know actually what you’re clicking on. But it’s saying, or you know, when, get a chance to win, you know, a million dollars or something like that.
Mark
Or, congratulations you’ve won.
Seamus
Yeah. So, most of those yeah that scams. I don’t click on any of them.
Mark
And spear-phishing once again with the ph; so what the devil is that?
Seamus
That’s, I just put that in there because it’s sort of interesting, but that’s more aimed at big businesses, big companies, because what that is is either a voice message or an email will come to you and they will know, say, if you’re just as a staff member in your organisation, they will have already found out something about, say, the security officer in that organisation, and say they like dogs, and this person will know their name, so they’ll say are Dan said he’s still loving his dog but, you know, can you do this for him. And it might be, you know, give a password or something like that, but again they’re really clever. But that one, if you’re a single person or in a small business, you’re not likely to get attacked by a spear-phishing attack because they do a lot of work on it, it’s really focused. So there’s got to be a big payoff. But in a lot of big businesses that’s how, that’s how they lose data or money or whatever, because people ring one person, get a little bit of information from them, send an email to another and get more information, just gradually build up a sort of a database on, say, the finance officer or something like that.
Mark
Yeah well, I think in some ways very very appropriate because we had the Prime Minister saying that Australian internet was basically being attacked from an overseas entity. But what we’re finding is that government departments aren’t using secure emails, but they’re putting stuff on the cloud and everything else, parking information on the cloud. And so people can gain access to that if they’re not having got security in place.
Seamus
Yeah. And don’t forget, most, not most, governments, certainly Australia, America and China, are all spying on other people. We don’t know the depth to which they spy.
Mark
We don’t do that – Australia doesn’t do that!
Mark
The importance would be to get yourself a good security program, there are a number of them around to protect for something like that, often these things will say if something’s trying to automatically connect to another site. If you’ve got a good security system, it will tell you that that happened.
Seamus
Yeah, especially if you have a password manager there and just little things like, like you said in the first place if it seems too good to be true, it usually is. I don’t answer phone calls from people I don’t know anymore, or from private numbers. I just, if they want to contact me they can leave a message.
Mark
And you ring back from there.
Seamus
Yeah, and I assume that they are a spammer.
Mark
Just very quickly because we are running out of time. There’s the thing, we go on Google or something like that and you go into a site and you put in your username or password, you got Google coming up and saying do you wish me to save that. What’s the thing there, right, you don’t do it because you don’t want to have that saved, and if someone gets into your computer, they just click on that link and get in.
Seamus
That’s what I recommend. I recommend using a password manager, but not your browser, simply because of that. And with a password manager, you’ve got to have a long, or you should have a long passphrase that’s meaningless to someone else but it means something to you. And that way you’re sort of really protected, and also use two-factor authentication wherever you can. That gives you an awful lot of security doing that.
Mark
We’ve got us ourselves a thing to do, actually, Seamus, that might be the idea for next one, take a look at some of the security systems or that are out there that people can download and use.
Seamus
Yep, that’ll be good. We’ll talk about that.
Mark
Spear phishing, pharming, phishing, and vishing, and I am not drunk when I say that.
Seamus
You wouldn’t want to be drunk when you say that you’d muck it up!
Mark
Thank you. Thanks, Seamus.