Phishing continues to be the most common scam experienced by Australian consumers and businesses by far – 68% higher than the next category, identity theft, a new report reveals.
According to the Australian Competition & Consumer Commission’s recently released report on scam activity in 2017, 26,386 phishing incidents were reported last year. This is more than double the number of incidents reported only three years earlier.
In a practice or hospital setting, a successful phishing scam can have particularly detrimental impacts because of the volume of personal patient data held on their systems. It's important that you're familiar with the hallmarks of phishing scams so you don't get fooled, leaving your patients' information vulnerable to cybercriminals.
Spear phishing and whaling
As the name hints, phishing is a tactic used to bait individuals into providing their sensitive data, including credit card, bank or login details, under the pretence of being a trustworthy entity such as a bank, government agency or well-known company.
The ACCC’s report noted that the majority of phishing scams in 2017 were conducted via phone (43.2%), followed by email (34%) and text message (17.5%), with an “investment” phone scam accounting for the highest reported losses of any phishing scam.
While phishing scams have traditionally targeted large groups of people, modern campaigns now target specific individuals in order to come across as more authentic. These tactics include spear phishing and whaling.
Spear phishing is where a specific individual is targeted by a phishing scam that uses their personal details, such as their employer, colleagues, recent online purchases and account information, to make the individual believe it is a credible communication. For example, an email that purports to be from PayPal advising that your account has been suspended and requesting that you update your information.
Whaling is where the scam is specifically addressed to a high-profile or senior member of an organisation to prompt them to release sensitive company information. These communications usually take the guise of urgent, official correspondence requesting data for legal or tax purposes.
Tackle phishing head on
The following measures can help you avoid being a scam’s catch of the day.
Have antivirus software on your devices: Antivirus software is an easy and effective way of protecting you from the majority of mainstream scams, so long as your software is up to date. Its firewall and anti-spyware components, together with scanning of your files, including your emails, make it harder for cybercriminals to compromise your systems.
If it smells fishy, don’t respond: Phishing emails often have subtle signs that give away that they aren’t legitimate: incorrect spelling or grammar, an email address or URL that doesn’t line up with who the sender is purporting to be, factual inconsistencies (e.g. your account being suspended when it’s not), a false sense of urgency, a threatening tone, or an offer that seems too good to be true.
Double-check requests from “trustworthy” entities: If you’re asked to release personal information by what seems to be a trustworthy entity such as a government department, it’s always worth double-checking before you act on the communication. Do a web search for any known scams and contact the organisation using a phone number from its website (do not call phone numbers within the email or text message) to verify whether the communication is authentic.
Be wary of hyperlinks and attachments: Before clicking on a hyperlink, hover over it to see where the link will actually direct you. If the web address of the link looks suspicious, this is usually a sign of phishing. Another point to keep in mind is to only visit secure websites – their web addresses will start with ‘https’ rather than ‘http’.
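The two checks above (the sender or URL not lining up with who the message claims to be from, and a link whose visible text differs from where it actually goes) can be applied mechanically to incoming mail before a staff member ever hovers over anything. The script below is an added example and is not code from the original article or the ACCC report. It parses a constructed sample message (the brand name, domain names and wording are made up for illustration; the lookalike domains use the reserved `.example` TLD), and reports the hallmarks the article lists: a display name that does not match the sending domain, link text that shows one host while the href points to another, plain `http` links, and urgency language. The `URGENCY_WORDS` list and the brand-versus-domain heuristic are assumptions of this example, not a standard.

```python
"""Heuristic phishing-indicator checks over a raw email message (added example)."""
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed phrase list; tune to the wording your practice actually sees.
URGENCY_WORDS = ("suspended", "urgent", "immediately", "within 24 hours", "verify your account")

# Constructed sample message exhibiting the hallmarks described in the article.
SAMPLE_EMAIL = """\
From: "PayPal Support" <support@paypa1-secure.example>
To: practice.manager@example-clinic.test
Subject: Your account has been suspended - act immediately

<html><body>
<p>Dear customer, your account was suspended. Verify your account within 24 hours.</p>
<p>Click <a href="http://login.paypa1-secure.example/verify">https://www.paypal.com/signin</a></p>
<p>Help: <a href="https://www.paypal.com/help">https://www.paypal.com/help</a></p>
</body></html>
"""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url_or_text):
    """Lower-cased host of a URL, or of a bare domain written in link text."""
    candidate = url_or_text.strip()
    if "://" not in candidate:
        candidate = "http://" + candidate
    return (urlparse(candidate).hostname or "").lower()


def check_sender(msg):
    """Flag a display name claiming a brand that does not appear in the sending domain."""
    findings = []
    display, addr = parseaddr(msg.get("From", ""))
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    brand = display.split()[0].lower() if display else ""  # crude: first word of the display name
    if brand and domain and brand not in domain:
        findings.append(f"sender display name '{display}' does not match address domain '{domain}'")
    return findings


def check_links(html):
    """The 'hover' check done by a script: compare what a link shows with where it goes."""
    findings = []
    parser = LinkCollector()
    parser.feed(html)
    for href, text in parser.links:
        target = host_of(href)
        if urlparse(href).scheme == "http":
            findings.append(f"plain http link to {target}")
        # Visible text looks like a URL or domain but the href leads somewhere else.
        if re.match(r"^(https?://|www\.)", text, re.I):
            shown = host_of(text)
            if shown and shown != target:
                findings.append(f"link text shows {shown} but href goes to {target}")
    return findings


def analyse(raw_message):
    """Return a list of human-readable indicators found in a raw RFC 822 message."""
    msg = message_from_string(raw_message)
    html = msg.get_payload()
    findings = check_sender(msg) + check_links(html)
    text = (msg.get("Subject", "") + " " + re.sub(r"<[^>]+>", " ", html)).lower()
    hits = [w for w in URGENCY_WORDS if w in text]
    if hits:
        findings.append("urgency language: " + ", ".join(hits))
    return findings


if __name__ == "__main__":
    for finding in analyse(SAMPLE_EMAIL):
        print("-", finding)
```

Run against the sample, the script reports the sender mismatch, the `http` link, the link whose text says `www.paypal.com` while its href goes to the lookalike host, and the urgency phrases; the genuine help link produces nothing. Note that the destination comparison is the stronger signal: a phishing site can be served over `https` just as easily as a legitimate one, so the scheme check only catches the sloppier campaigns.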
Implement a verification process: By implementing a verification process within your practice or hospital environment, emails can be double-checked for validity before data is released. For instance, all staff, including senior management, could be required to send requests for financial information to the accounts manager. These individuals often deal with government entities and providers, so may be able to spot fake communications more easily.
More information
Read our article ‘Managing cyber risks while on the move’ for more cyber security tips. You can also view our resources on data protection specifically for practices on our website.
Subscribe for email alerts on the latest scams on the ACCC’s Scamwatch website: https://www.scamwatch.gov.au/