Early June 2017, a number of Australian inboxes received an email purporting to be from Westpac advising them that their accounts have been temporarily locked. Victims are then instructed to follow a link and try to log in with their credentials to unlock their account.
In following the link, victims are taken to a replica Westpac site which is being hosted on a Tanzanian Guesthouse site which has been clearly compromised in a previous hack. When victims input their username and password, cybercriminals are able to capture their credentials and use these to transfer funds from victims accounts to accounts of their choosing.
Whilst it does not sound terribly sophisticated in today's cybersecurity landscape, harried consumers may not look too closely especially with it coming from an email which could pass off as legitimate - in this instance, firstname.lastname@example.org.
In Australia, for the most part, the large banks and financial institutions cover consumers for such losses however, with banks pushing every service they can online to reduce overheads, this sort of activity can put a dent in this strategy through loss of trust for victims of such cybercrime.
Given such attempts are not going away, only getting more sophisticated, where does this leave us?
Essentially, our best line of defence is awareness. Here are some key things you should look out for:
- An email with little branding, no personalisation
- Unusual or unexpected use of capitals - particularly one purporting to be from a large organisation
- A bank asking you to click on a link to fix an issue with your account
- By hovering on the link, you can see the target site. In this instance, it clearly is not the Westpac URL, rather a Tanzanian Guesthouse
- When landing on the target URL, it is clearly unsecure - a legitimate banking website will always have an updated security certificate
Here are our top tips when assessing the legitimacy of emails:
- Poor grammar, formatting, spelling errors
- A lack of personalisation in the email
- An email asking you to verify data which is sensitive in nature
- The use of capitals to create urgency for actions
- Poor use of imagery
- Unexpected source email