Dave Tyrer is the Chief Operations Officer at Squirrel. Having come from decades in banking he’s seen his fair share of cyber-crime and how it’s evolved alongside financial technology. He took the time to write down his recent experiences and tips on how to avoid becoming victim to cyber fraud.
You may have seen a range of cyber attacks on some high profile NZ organisations over the last 3 – 4 weeks, with the NZX being the most prominent. These attacks were designed to knock these organisations offline and effectively blackmail them into paying a ransom. Of course by paying the ransom, the chances of being hit again are rather high!
Over the same time, I’ve personally received an attempted ‘whaling attack’ by email, and several ‘phishing’ attempts by text message. To help raise awareness of cyber security, I thought I’d give you an overview of exactly what these attempts look like in the hope you don’t get trapped in the future. I’ve also jotted some notes on places you can find out more, and what to do if you do get trapped.
Whaling attack
What on earth is a whaling attack – best I describe this before I go on! This is an attempt by a fraudster to specifically target someone who may have control of a company’s funds to scam money from them. The mode of attack is email, often from a spoofed or hijacked email address that is close to a real address you might expect to receive email from.
Best to show you an example:
The email above was sent to me, purportedly from the Chair of the Squirrel Board (Rob Craig). In my role as Chief Operating Officer, it’s conceivable to a fraudster that I may have control of payments on behalf of Squirrel. Both Rob and I have our photos and titles on our website. The indicators that this was suspicious are:
- This isn’t the normal email address that Rob might contact me on
- The subject indicates that this is a reply to an earlier email – I’ve never had an email with that sort of subject line from Rob.
Out of my own curiosity, I decided to see where this one might go, with this article in my mind.
So I replied with:
“Sorry not free, but if you email me, I’m happy to take a question.”
Here’s the reply I got:
If you happen to get this far, then things get more suspicious. Why?
- This is a highly unlikely request from the Chair of the Board to me.
- The body of the email is in two separate colours, and the request for urgent action via the tone hopes to catch out the unwary to jump to action.
- The language and grammar also aren’t great – I expect a bit better than that from Rob!
I got several follow up emails within an hour attempting to prompt me to act. Unfortunately (or not) I wasted the fraudsters’ time on this one.
People fall for these types of things. Imagine if this email purportedly came from your best mate asking you to do this, you had a busy day and weren’t paying attention…I’ve seen situations where this has occurred, and I’ve been trying to help the scammed person recover their money.
Whaling attempts can be significantly more sophisticated than this; the most successful attempt I’ve seen reported saw the fraudster pick up over $12million from a blue chip corporate in Australia. That money was never recovered. Those fraudsters certainly got their whale that time.
Phishing
Phishing is an attempt to get you to click on a link in an email or a text message.
By clicking the link, any number of things could take place. You may end up with malware on your computer or phone, or they get you to provide personal information often so that the fraudster can access your bank accounts.
My recent examples are three text messages I received over the course of a week in late August:
Having worked for a bank in the past, I’ve seen more examples of these types of attacks than I care to remember. More people are fooled than you might imagine, and it’s so easy/tempting to click the link if the message is pitched appropriately.
So, here’s what’s suspicious about these texts:
- The phone number has way more digits than I’m used to seeing – interestingly they are in a sequence.
- I know a bank will never send a link in a text message or an email
- The grammar isn’t quite right in two of the messages
The fraudster is trying to get you to click on the link and enter your username and password on the web address that you end up at. The web address appears to be valid, however I can promise you this is spoofed and will not be the actual web address you’ll end up at. If you enter your username and password into this fake web address, you may find money withdrawn from your account within minutes and sent overseas.
Trying to get money back that has left NZ is almost impossible – less than 20% is recovered.
I sent the first example through to ASB so they were aware of this. I also reported the attempted phishing to CERT NZ. This brings me to where to go for information.
More information if you’re attacked
Start by getting hold of your bank or the organisation the attack is purportedly from. Ring them, don’t email or text – you may have malware on your device and the fraudster may be able to see what you’re doing.
You can also find a heap of information on the CERT NZ website, and report attacks (both attacks you’ve ignored and if you’ve actually been scammed or are feeling suspicious about an attack). They may be able to help you decide what to do next.
CERT stands for Computer Emergency Response Team, and numerous countries now have them. In New Zealand, CERT NZ is run by the government, and helps coordinate the governments other agencies around cyber security. They’ve been operating since late 2016.
Netsafe is another organisation that has a strong resource base that can help you learn about your digital security.
Tips for staying safe online
- If it looks suspicious, it probably is. Look for grammar, weird email addresses, and colours that don’t look quite right.
- Don’t click links in emails or text messages unless you are certain you know who it is from and are expecting something from them.
- If you’re unsure, ring the organisation using a phone number that you’ve found independently to verify something you’ve received.
- Never enter your username or password unless you’re certain you’re on the right web page – look for the padlock in the corner of your browser’s search bar to show that the address is secure.