Phishing is one of the most commonly-used cyberattacks in Australia. Statistics from the Office of the Australian Information Commissioner show that phishing accounts for 39 percent of all breaches reported. Therefore, it’s important to be aware of how to protect yourself at home and at work from phishing.
How does phishing work?
The victim receives an email that is simple in format and generally personalised and potentially from a known sender. It may look like an official email from a known organisation or company, and it invites the victim to click on an embedded link. Wording varies, but it may say, “click to learn more” or “click to see the image.” After clicking, the victim is redirected to a webpage and asked to enter their user name and password or for other personal information. Once the personal information is filled in the attacker then sends emails to everyone in the victim’s address book and the cycle repeats.
It’s a spam email issue?
It is and it isn’t. While having spam email issued from your own email account is annoying and a problem, the larger issue is that the victim has given the attacker their user name and password. With an email and password, the attacker can easily hack into anything the victim uses that email and password for. Most people repeat email and password data for multiple accounts. In the world of cloud storage, this can be several accounts including email, CRM, file storage, banking, and proprietary applications.
Will changing the password mitigate further damage?
Changing your password is a start. Depending on what each account holds, it may be appropriate to cancel or disable the account and set up a new one. However, an aggressive attacker can get into a lot of personal and/or sensitive information from the original login information. Changing just one email password may not be enough. You may need to change all of your work and personal passwords.
How can I know if changing the password has solved the problem?
Look for history of logging in and out of accounts. Once you change the password, there should be incidents of logging failure (from the attacker). However, there is some lag time, because your login information may access more than one sub-account or cloud account synchronised to the main account.
Once the password is changed, am I clear?
No. Depending on what has been accessed, the breach may fall under the Privacy Act and Data Breach Notification. If you’re at work, discuss your breach with the IT department immediately, so they can take the appropriate action. Within an organisation, it’s possible that you aren’t the only person affected, and other people may have fallen for the same trap. Everyone who received the same email should delete it completely without clicking on it. Communicate with anyone who is involved and determine whether this needs to be reported to the Commissioner.
All accounts are secure and communications sent. What next?
Once the fire has been put out, there still may be lingering security issues to strengthen or counter. These can be talking to IT to double-check everything, blocking email addresses, or improving the filters. Then you’ll have to investigate the compromise to see if it is an “eligible data breach” according to the NDB scheme.
You will have to ask some hard questions such as what information has been sent and received via email, stored in the cloud, or accessible via their login. Ask if that data were to be made public knowledge, what would the consequences be? Is there any kind of financial or personally identifiable information (PII) available? Will anyone come to harm (physical, financial, reputational, or emotional) as a result? In Australia, you have 30 days to conduct an investigation to determine whether it is an eligible data breach. If you’re certified for the European Union (EU) General Data Protection Regulation (GDPR), you have 72 hours to decide. Check with your legal department for further instructions.
For better results in the future, it’s helpful to repeat training with all employees yearly on how to identify phishing and what to do in the case of a cyberattack.
Published on 23rd July 2019 by Ian Brady.