Don’t get reeled in by Australia’s most common scam

17 July 2018 | Joyce Harkness, BSc ChEng, MBA, Chief Information Officer, Avant

Phishing continues to be the most common scam experienced by Australian consumers and businesses by far – 68% higher than the next category, identity theft, a new report reveals.

According to the Australian Competition & Consumer Commission’s recently released report on scam activity in 2017, 26,386 phishing incidents were reported last year. This is more than double the number of incidents reported only three years earlier.

In a practice or hospital setting, a successful phishing scam can have particularly detrimental impacts because of the volume of personal patient data held on those systems. It's important you're familiar with the hallmarks of phishing scams so you don't get fooled, leaving your patients' information vulnerable to cybercriminals.

Spear phishing and whaling

As the name suggests, phishing is a tactic used to bait individuals into providing their sensitive data, including credit card, bank or login details, under the pretence of being a trustworthy entity such as a bank, government agency or well-known company.

The ACCC’s report noted that the majority of phishing scams in 2017 were conducted via phone (43.2%), followed by email (34%) and text message (17.5%). The phishing scam with the highest reported losses was an “investment” phone scam.

While traditionally phishing scams targeted large groups of people, modern campaigns are now targeting individuals to come across as more authentic. These tactics include spear phishing and whaling.

Spear phishing is where a specific individual is targeted by a phishing scam using their personal details, such as their employer, colleagues, recent online purchases and account information, to make the individual believe it is a credible communication. An example is an email purporting to be from PayPal, advising that your account has been suspended and requesting that you update your information.

Whaling is where the scam is specifically addressed to a high-profile or senior member of an organisation to prompt them to release sensitive company information. These communications usually take the guise of being urgent, official correspondence requesting data for legal or tax purposes.   

Tackle phishing head on

The following measures can help you avoid being a scam’s catch of the day.

Have antivirus software on your devices: Antivirus software is an easy and effective way of protecting you from the majority of mainstream scams, so long as it is kept up to date. By scanning your files, including your emails, and through the firewall and anti-spyware settings they put in place, these products make it difficult for cybercriminals to compromise your systems.

If it smells fishy, don’t respond: Phishing emails often have subtle signs that give away that they aren’t legitimate. Look for incorrect spelling or grammar, an email address or URL that doesn’t line up with who the sender is purporting to be, factual inconsistencies (e.g. a claim that your account has been suspended when it hasn’t), a false sense of urgency, a threatening tone, or an offer that seems too good to be true.

Double check requests from “trustworthy” entities: If you’re asked to release personal information by what seems to be a trustworthy entity such as a government department, it’s always worth double-checking first before you act on the communication. Do a web search for any scams and contact the organisation using a phone number from their website (do not call phone numbers within the email or text message) to verify whether the communication is authentic.

Be wary of hyperlinks and attachments: Before clicking on a hyperlink, hover over it to see where the link will actually take you. If the website address of the link looks suspicious, this is usually a sign of phishing. Another point to keep in mind is to only visit secure websites: their web addresses will start with ‘https’ rather than ‘http’ (note that ‘https’ only means the connection is encrypted, not that the site itself is genuine, so still check that the address belongs to the organisation you expect).

Implement a verification process: By implementing a verification process within your practice or hospital environment, emails can be double-checked for validity before data is released. For instance, require all staff, including senior management, to send requests for financial information to the accounts manager. These individuals often deal with government entities and providers, so they may be able to spot fake communications more easily.

More information

Read our article ‘Managing cyber risks while on the move’ for more cyber security tips. You can also view our resources on data protection specifically for practices on our website.

Subscribe for email alerts on the latest scams on the ACCC’s Scamwatch website: https://www.scamwatch.gov.au/  
