Security Education Part 1: Phishing Scams

I have been surprised at the number of people falling for phishing scams. According to a Sydney Morning Herald (SMH) article, Australia ranks third most likely country to fall for a phishing scam behind USA and Italy. 18% of Australians say they have been tricked by a phishing scam.

Phishing scam example

A call comes in identifying themselves as Microsoft, telling you they have detected a virus on your computer or network and informing you of a website to download a fix or getting you to download “team viewer”, so they can investigate.   They log on to the users’ computer and “verify” that the computer has a virus. To add insult to injury, they ask for your credit card. Some users are tricked by the assurance of the phone call, mistakenly thinking that Microsoft have improved their updating software processes to call you directly for a “major virus”.

Never give your credit card out to someone claiming to be Microsoft who wants to remove a virus.

The familiar Nigerian letter scam which tells a fantastic story to convince you to provide your bank account details has morphed into more sophisticated methods. Phishing is a modern type of fraud usually conducted on-line.  Wikipedia defines Phishing as:

“…a way of attempting to acquire information (and sometimes, indirectly, money) such as usernames, passwords, and credit card details by masquerading as a trustworthy entity in an electronic communication. Communications purporting to be from popular social web sites, auction sites, online payment processors or IT administrators are commonly used to lure the unsuspecting public. Phishing is typically carried out by e-mail spoofing or instant messaging, and it often directs users to enter details at a fake website whose look and feel are almost identical to the legitimate one.”

Early Phishing

Early phishing involved fake admin/staff members who sent e-mails or an instant message asking the reader to “confirm their password” or “enter your account details”. It is almost always an attempt to lure information out of an unsuspecting reader. The subject line says “Account Maintenance Update (Urgent)” and then asks you to re-enter account information to ensure you can continue getting service.

Customers of banks and on-line payment facilities have been targeted with more sophisticated spoofing. Usually you click on a link in a “legitimate” looking e-mail, which installs some malware which uses a fake website modelled on a real website such as Commonwealth Bank. The user is tricked into believing they are entering information directly into a legitimate website.

How to recognise a phishing email

Fraudsters have tricked people into providing email log-ins, bank details, eBay account or PayPal details. One way of telling a fraud from real is to hover your mouse on the URL link.  You’ll notice the actual address in the lower left corner of most browsers. They usually use a name that looks very similar to the actual one, but uses misspelling or different characters on closer inspection. For example they may have:  or

How to avoid Phishing

  1. Delete any e-mail from a stranger with a story that you’ve won the lotto
  2. Ignore anyone that is asking for money to buy an airline ticket home by asking you to send it to a Western Union account. (If you trust them, insist on paying directly to the airline.)
  3. Delete any e-mail from a stranger wanting assistance in moving a large amount of money out of a foreign bank account (usually a “deceased estate”).
  4. If you know the person well in the e-mail, give them a phone-call to ensure you are communicating with the person you know as many scammers steal e-mail identities and use their contact lists to milk money with a fake story.
  5. Avoid putting your details in any website that does not have an “s” in website prefix https or a padlock symbol.

Further reading: Security Education Part 2: Safe Passwords.

Call us today to keep your business out of harm’s way.


Sydney Morning Herald (SMH), “Phishing for your cash”, 18th September 2011 by Nicole Pedersen-McKinnon.