“2.2 million Woolworths MyDeal customers exposed in data breach”
“Hi mum, I’ve changed provider/lost/broken my phone – I’m temporarily using this number for now.”
“Your package has been redirected to your local branch due to a pending delivery fee: for more info https://cutt.ly/auspos”
“Suspicious credit card activity is noted. Please confirm your personal data, otherwise, we will be forced to block it. https://activation-stgeorge.com/”
These are just a few examples of cyberattacks. Cybercrimes like Hi Mum scam, Linkt scam, Optus data breach, Dating scams, and Gift card scam are becoming increasingly common. And there are thousands of ways hackers are finding out new ways to exploit people. Staying cybersafe is crucial to prevent such attacks.
We have all been there… we opened an email that was actually fake. We clicked on a link that promised us a huge reward. Remember the Nigerian Prince scam? A wealthy prince needs to get an enormous sum of money out of the country and requires your assistance in return for a major chunk of their treasure. That seemed like winning an unexpected lottery ticket!
We have been all duped at some point in our lives. And we have lived and learned from our mistakes. So if you have been a victim of a cybercrime… you are not alone. Now, it is even more important to make sure your data is safe.
So how do you protect yourself and remain cybersafe?
- When in doubt, remember your childhood lesson of “stranger danger.”
- Ignore emails from untrusted sources
- Ignore messages that say you need to pay a fine or you have received a gift
In this article, we discuss what is a cyberattack and the types of cyberattacks, and 10 things you can do to remain cybersafe. Plus a bonus tip from the newsletter of the Barefoot Investor.
Let’s dive in.
What is a Cyberattack or Cybercrime?
Simply put, cyberattacks are unauthorised access to an online account or resource.
The primary intention behind a cyberattack is to steal money or data. For individuals, it could lead to financial loss. While for organisations, it causes financial losses and hurts their reputation.
Think of Optus and how the incident has affected your trust. Your first instinct would be to stop using their services and go to another provider!
5 common types of cyber attacks
Here are a few ways hackers crack passwords.
- Phishing – The simplest way to steal someone’s password is by asking for it. You simply reveal your personal information (password, account number, etc.) on a website that looks legit. But it isn’t. Phishing is carried out using email or text messaging (known as smishing).
Here’s how it works –
Phishing – You get an email from a company that looks legit and they tell you to take an action immediately. They will encourage you to change your password, download a file or open a link. It’s a trick to get people to submit their sensitive information and infect their devices with malware or install malicious software in your device to carry out future attacks.
Commonly copied brands include:
- Postal services – Australia Post (pick up a parcel)
- Telecommunication services – fake bills, internet issues, fines
- Government departments – ATO, Medicare, myGov, Centrelink, etc
- Law enforcement – state and territory police (fake fine scams)
- Utilities – power, gas, water bills (fake fines and overdue bills)
- Online services like Netflix, Amazon, Paypal, eBay
For example, this email from Netflix looks legit but it is actually a phishing attack (The ‘Dear’ is a dead giveaway).
Linkt Scam is also doing the rounds these days. If you have received an email or SMS from Linkt to pay your tolls. Unsuspecting users think this is real and end up losing thousands of dollars in this scam. If you have received any message like this, ignore it as this is a scam.
If you need help identifying if an email or text message is authentic, please check The Australian Government Scam Watch Service
2. Brute force attack – It is a technique of trying out a combination of different usernames and passwords. And eventually, figure out the right one.
Source : Norton
3. Man in the middle or Eavesdropping attack – Here the hacker alters the communication between two parties. The hacker would make independent communication with you and the second party and control the ongoing communication. So you would believe that you are communicating with the actual organisation, but no… you are actually communicating with the hacker.
This information is used to steal data – usernames, passwords, and credit card information.
4. Denial of service (DoS) – A Denial-of-Service (DoS) attack aims to bring down a machine or network so that its intended users are unable to access it. DoS attacks achieve this by providing the network or machine with an excessive amount of traffic or information that causes a crash. In both instances, the DoS attack denies the service or resource that legitimate users (such as employees, members, or account holders) expected.
5. Malware attack -Ever heard of viruses, trojans, spyware, or ransomware? They are all examples of malicious software that may get installed on your computer. You open a link and install a software program that looks legit but is actually not. You could also get malware from an infected USB or an email attachment.
This list is not exhaustive, and there are many other types of cyberattacks that we have not mentioned here.
Have you been hacked?
The Australian Cyber Security Centre’s (ACSC) ‘Have you been Hacked?’ tool will help you assess if you’ve been hacked. It can guide you through a range of scenarios to advise you on how to best respond to the situation.
- ransomware attacks
- malware threats
- email compromise and identity theft
- phishing and fake website scams.
The tool is simple to use and includes typical warning signs, scenario explanations and easy-to-follow steps on how to remediate the situation.
Take this quiz to find out – Have you been hacked
Top 10 things to do to remain cybersafe
Here are the top 10 things you could do to remain safe from phishing, social engineering, brute force cracking and other forms of cyber attacks.
1. Protect your privacy
- Being on the AHPRA public register means some of your identifying data is accessible to the public. Personal information like Full Name, Gender, Suburb, State and Postcode and your qualification and the year you obtained it. While nothing can be done about the public register of this information, you can protect your online privacy by doing things such as anonymising your name on social media.
- Wearing an ID can leave nurses vulnerable as your full name is often required on your work ID. We have heard of some nurses turning their IDs over (which may be in breach of hospital security protocols) and covering up their Last names or other personal information on their ID badges.
- Secure your letterbox with a lock to prevent your mail from being stolen.
- Let uPaged know straight away if your email, address or contact details change.
- Never give out personal information to people you don’t know or trust.
- Shred documents containing your personal information before throwing them away.
2. Don’t share your personal information on social media
Social media is a great tool. We get it.
But we need to draw a line on what we share on social networks. Here are a few things which are a strict no-no and shouldn’t be posted on social media.
- Your date of birth
- Travel plans
- Personally identifying information – driver’s license, passport or credit card
- Personal information like where you went to school, your pet’s name
- Home address
- Phone number
- Your location data – your phone tracks your location based on your GPS coordinates and IP address. When you post on social media, you can delete your location. Some images retain location data, so platforms like Instagram and Facebook automatically remove this data from your images.
Hackers can use this kind of information for identity theft, or someone knows where you live and they know when you are likely to be away from home for extended periods, they have an open invitation to rob your home.
The hard truth is that we can’t trust social media so be careful with what you post.
How to remove location data from your images before sharing on social media
- Go to Photos
- Select a photo you want to share
- Click on Options
- Deselect the option “All Photos Data”
- Go to photos
- Click on Preferences
- Uncheck Include location information for published items.
- Open the Photos app on your Android Device
- Select the image you want to delete the location data of.
- Tap on the three dots in the upper right corner
- Scroll down and tap on the three dots next to the location data.
- Tap Remove.
- Right-click on a photo you want to edit
- Click on “Properties”
- Select the Details tab from the Properties window.
- Click on Remove Properties and Personal Information.
How to remove the location data from all your pictures?
If this sounds like a lot of work, you could disable your camera app’s access to your location.
3.Don’t open emails or SMS which look spammy or fake
Treat any unrequested emails, SMS or phone calls with caution. If it’s a work-related email, always check the sender’s email address and name. Hackers can sometimes send you an email that looks legit but is not.
A common scam right now is one where scammers send you an SMS from Australia Post saying you have received a parcel.! Or tell you that you have not paid your taxes on time. Perhaps you have received a prize. Most of these messages have been reported as fake. The rule of thumb is that if the offer looks like it is too good to be true, it probably is.
4.Use strong passwords
Do you use generic passwords like “password”, “your name” or “your pet’s name”?
For a seasoned pro, hacking into your account would be a breeze if you use weak passwords.
Using weak passwords can make our data vulnerable.
How to create a strong password?
- Create unique passwords with a mix of uppercase and lowercase letters, special characters and numbers
- Create unique passwords for all your personal and banking accounts
- Use a password manager to store passwords like Lastpass
- Change your password every few months
- Don’t store your passwords in a notebook or contact list
5.Use Multi-Factor Authentication
According to LastPass, weak passwords result in 80% of data breaches. Single-factor authentication – You need to enter only your username and password to log in to your account. It isn’t secure and can lead you vulnerable to cyber-attacks.
Two-Factor Authentication (2FA) – You need to enter two forms of identification to access an account. It is safe and ensures hackers cannot access your accounts without identity verification.
Typically, 2FA utilises push notifications, SMS verification, fingerprint authentication or a hardware token (like a key fob).
Multi-Factor Authentication (MFA) – It requires two or more forms of identification before authorising access to online resources and accounts.
Similar to 2FA, it requires
- Username and password
- A second authentication factor
- A third authentication factor to verify the user credentials and grant access
Typically, 2FA and MFA utilise:
- push notification
- SMS verification – PIN number
- biometric factors like fingerprint authentication or facial recognition
- hardware token(like a key fob)
- voice call
- authenticator app
6. Ensure the websites are secure
When you open a website, in the URL you will be able to see this:
https://www.example.com/ – the HTTPS here represents a secure website
While a website with http://www.example.com – the HTTP here represents a not secure website.
How to check if the website is secure?
- If you are on Chrome browser, open a webpage
- Can you see the padlock sign on the top left of the browser?
- If yes, that means the website is secure.
If you are on Firefox, you will be able to see a padlock icon
This means your website is secure. But if you see the padlock with a warning sign or a red strike over it, that means the website is not secure.
Do you see either of the two symbols?
- Info or Not secure
The site isn’t secure. Someone might be able to see or change the information you send or get through this site.
- Not secure or Dangerous
If you see this symbol – DO NOT PROCEED. Accessing this website can put your personal information at risk.
For example, – In this image, I open Google.com. I click on the lock symbol and I can see the connection is secure. I can access this website safely without compromising my personal information.
If you are using Safari, look for a padlock icon in the Smart Search field. A grey icon indicates the website is secure. If you see “Not Secure” in this field, the website is vulnerable.
7.Use secure Wi-Fi
Only use trusted devices and Wifi networks to do online banking. Never accept a request to download a program or certificate to your device in order to use a public Wifi network. Using the Wi-Fi at your home is secure. But when you connect your device to public Wi-Fi, it is not as safe as you think.
Using public Wi-FI can leave your personal information exposed to hackers. Since the network isn’t secure, anyone can hijack your session. They will be able to see your username, passwords, photos, documents and contacts.
How to use internet on public Wi-Fi?
If you absolutely need to use public Wi-Fi, use the following tips to stay safe:
- Avoid using your social media and banking apps on public networks
- Check if the websites you are using are secure
- If you are using a public network, use a VPN. A VPN encrypts your traffic and keeps your data away from prying eyes
- Change your settings to prevent your phone from getting connected automatically to Wi-Fi networks
- Don’t ignore the warnings
8.Use antivirus software
An antivirus program is used to detect and remove malicious software from your devices. Malicious software or malware could be spam ads, viruses, trojans, or bots. Antivirus software detects malware and removes it from your device. McAfee, Norton, Kaspersky, Avast and Bitdefender are some of the best antivirus software.
If you don’t have antivirus software on your computer, we recommend that you purchase one.
But if you already have one, make sure you check the settings so:
- The software runs a full scan automatically in the background to provide real-time protection
- It receives updates automatically
- Automatically scans all new files from your emails, USB stick, SD card or hard drive
9.Backup your data and update your OS regularly
Backup data – A backup is a regular copy of all the files on your computer. Daily or weekly backups can save your important files from getting lost or corrupted.
Apart from malware infection, events like system crash, hard drive corruption, and disk failure can lead to data loss.
Backup is the easiest way to restore lost files. Plus, setting a regular backup schedule offers peace of mind. You know your important documents, photos and videos are safe. And you can access them whenever you want.
Update your OS regularly
Software updates are released regularly to fix bugs, reduce security risks and provide new features. All your devices – mobile, computer, tablet use software to run effectively. When we say software, we mean:
- Operating systems – macOS, Windows, iOS or Android
- Mobile applications like WhatsApp, Facebook, Instagram, Commonwealth Bank App, etc
- Antivirus software
- Browsers like Chrome, Firefox, Safari
- Applications like Microsoft Office
Software vendors provide free updates for their products to improve functionality and reduce security flaws.
To keep your data secure:
- Install software updates when they become available
- Turn on auto-updates
- If your device is too old, upgrade it to a newer version. For example, if you are using Windows 8, iPhone 6, or iPhone 7, your device might not be compatible with the latest software versions.
10. Spot the scams
If you feel like a call might not be genuine, hang up, and call back on an official phone number to verify the call was legitimate. You may have heard of the Gift Card Scam – the hackers might ask you to pay for something by putting money on a gift card. But that’s not the only scam. There are a few other scams doing the rounds. A hacker can:
- Impersonate a government employee or a utility company – they could pretend they are from the ATO and inform you haven’t paid taxes or need to pay a fine. Or they could pretend they are from a utility company and threaten you to pay immediately, otherwise, they will cancel your services.
- Pretend to be from tech support – Apple, Microsoft, Telstra or any other company. They can say there’s a problem with your smartphone or computer. And you have to pay money to get it fixed.
- Meet you on a dating app – You might meet someone on a dating website and they will start getting close to you. They will ask you to move the conversation away from the dating website to WhatsApp or text messaging. Once they gain your trust, they might trick you into sending them money, send them gifts or ask you to invest money in cryptocurrency.
- Pretend to be a family or friend – They could impersonate your friend or family member, pretend to be in an emergency, and ask you to send them money right away. If they have texted you – ignore it! Call your friend or family member first to check if they are alright. Don’t transfer money straight away, especially if it is not a trusted bank account or phone number.
- You won a prize – You will receive a message saying you have won a prize. But the catch is – you have to pay money first. Doesn’t work that way – first, did you enter a competition, second – no company will ask to pay them if you have won a prize.
- Promise you high returns on money – Here, a hacker might contact you about an amazing investment opportunity that can get you high returns with little to no risk. They will show you a platform and share their investment portfolio. They will share fake data about the profits they are making. If you fall prey to this, all your money will be gone. They will entice you to invest money directly on the platform or will ask you to send money to a business so they may buy it for you. They’ll then make the claim that they can either make trades for you or guide you through the process of doing the trading… A website, app, or customised trading platform will allow you to view your gains.
- If your mobile phone ever stops working, get in touch with your service provider to make sure you haven’t been a victim of ‘mobile phone porting’. This is where scammers use your information to transfer your phone number to another provider so they can intercept SMS passcodes sent to you.
The information you access will be false and falsely depict your gains (or losses as a way to get you to invest more money). You will ultimately be unable to make any withdrawals.
Scammers will invent reasons why withdrawals take longer than expected, why they’ve blacklisted you from the platform, or why the trading platform is shut down. Your money is gone when you try to contact them to find out what happened. Scamwatch is urging people to stay aware of investment scams. There are several types of investment scams:
- Romance baiting scams
- Cryptocurrency scams
- Unsolicited contacts about investing
- Celebrity endorsement scams
- Ponzi scams
Credits: St George
Bonus Tip – Lock your credit file
(With thanks from The Barefoot Investor)
Creditsavvy, a division of the Commonwealth Bank helps you lock your credit file.
If anyone tries to access your credit file, the Credit Savvy app will alert you. This feature will allow you to:
- Protect your credit score from taking a plunge due to fraudulent activities
- Credit reporting bodies won’t be able to disclose your Credit Report to lenders to prevent credit from being acquired in your name
- Protects you from identity theft.
So how do you lock your credit file?
Simple – just follow the steps below.
- Download the Credit Savvy app (either in the Apple or Google app stores)
- Verify your details ( you can use your Driver’s licence, Medicare card, or Passport)
- Press “protect” from the bottom navigation
- Press “Request a ban”. Credit Savvy will then let the other credit agencies know you’ve got a ban on your file within 2 business days.
- On the 16th day, the Credit Savvy app will remind you that your pause is ending. When you get that alert – and this is important – click “ban my credit report for 12 months”.
Note: Your ability to take credit won’t be affected. If you need to apply for credit, remove the ban on your credit file for a short period of time. Once your work is sorted, apply the lock again.
Need more info on how to protect yourself from cybercrime? Refer to https://www.cyber.gov.au/
Other important resources:
- Australian Cyber Security Centre (ASCS) – Report a cybercrime
- Data Breach – Office of the Australian Information Commissioner
- Office of the eSafety Commissioner
- If there is an immediate threat to life or risk of harm call 000