Following on from our May blog on Cybersecurity: Building Digital Resilience in a Virtual World, this blog looks in more depth at phishing scams. In an increasingly online work environment due to Covid-19, phishing scams are becoming more common and anyone can be targeted. As with many risks, prevention is the best approach. This is why PASAI is encouraging all member SAIs to increase their cyber resilience so that they are less vulnerable to phishing scams.
What is a phishing scam?
A phishing scam is a cybercrime that tricks people into giving confidential personal or organisational information. People hand over this information because they trust the source of the request and believe that the party is acting with the best intentions.
In a phishing email, cybercriminals will typically ask for your:
Date of birth
National ID numbers
Phone numbers
Credit card details
Home address
Password information (or what they need to reset your password)
This information is then used by cybercriminals to impersonate the victim and apply for credit cards or loans, open bank accounts, and other fraudulent activity.
Protecting yourself and your SAI against phishing scams
Cybercriminals and scammers can produce phishing emails that look very legitimate. There are some key things to look for to determine if a text message or email is a phishing scam:
The email is poorly written: Read the message carefully and look for anything that isn’t quite right, such as tracking numbers, names, attachment names, sender, message subject and URLs.
It contains unsolicited attachments: typically, authentic institutions don’t randomly send emails with attachments, especially when there is no previous relationship involved. If in doubt, contact the legitimate company by searching for their website.
It requests sensitive information: Emails that ask you to send sensitive information, such as banking details or login credentials, are likely phishing emails. Do not provide personal information to unverified sources. Remember that reputable organisations locally and overseas - including banks, government departments, Amazon, PayPal, Google, Apple and Facebook - will not call or email to verify or update your personal information.
There’s urgency involved: Some scammers use urgency in their emails – often with threats of account expiration, fines or even prize giveaways – to encourage people to make quick decisions without proper thought.
It sounds too good to be true: Scammers often include ‘limited’ and ‘unmissable’ prize giveaways in their phishing emails in an attempt to lure people in.
It doesn’t address you by name: many phishing scams are sent to multiple people, with no (or limited) personalisation involved. Before opening an email, consider who is sending it to you and what they’re asking you to do. If you are unsure, call the organisation you suspect the suspicious message is from, using contact details from a verified website or other trusted source.
The email address looks altered: Scammers can make their email address look legitimate by including the company name within the structure of their email. Hover over links to make sure they don’t look altered.
Check that URLs are legitimate: On a PC or laptop, hover your mouse over links to see if the embedded URL is legitimate, but don't click. Do not open attachments or click on links in unsolicited emails or messages.
Check if others have received similar messages: Google information such as the sender address or subject line to see if others have reported it as malicious.
Examples of an email phishing campaign
Compromised Credit Card
The cybercriminal knows the victim made a recent purchase at an online store, and sends an email disguised to look like it is from the online store’s customer support. The email tells the victim that their credit card information might have been compromised and asks them to confirm their credit card details to protect their account.
Transfer Funds
An urgent email arrives from a SAI staff member who is currently traveling. The email asks the recipient to help out the staff member by transferring funds to a foreign partner. This phishing email tells the victim that the fund request is urgent and necessary to secure the new partnership. The victim doesn’t hesitate to transfer the funds, believing they are helping both the SAI and the staff member.
Social Media Request
A Facebook friend request arrives from someone who has the same Facebook friends as you. You don’t immediately recognise the person but assume the request is legitimate because of the common friends. This new friend then sends you a Facebook message with a link to a video which, when clicked, installs malware on your computer and potentially the wider SAI network.
Fake Google Docs Login
A cybercriminal creates a fake Google Docs login page and then sends a phishing email hoping to trick someone into logging into the faked website. The email might read “We’ve updated our login credential policy, please confirm your account by logging into Google Docs.” The sender’s email is a faked Google email address, for example accountupdate@google.org.com.
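The check described under "The email address looks altered" and "Check that URLs are legitimate", applied to the faked address above. This is an added example, not part of the original blog or any PASAI tooling; the trusted-domain list and the sample links are assumptions constructed for illustration.

```python
from email.utils import parseaddr
from urllib.parse import urlsplit

# Assumption: the domains this organisation genuinely expects mail and links from.
TRUSTED_DOMAINS = {"google.com", "pasai.org"}


def host_of(value: str) -> str:
    """Return the lower-cased host of a URL or of an email From value."""
    if "://" in value:
        return (urlsplit(value).hostname or "").lower().rstrip(".")
    _, address = parseaddr(value)
    return address.rpartition("@")[2].lower().rstrip(".")


def is_trusted(host: str) -> bool:
    """Trusted only if it is a listed domain or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)


def classify(value: str) -> str:
    """Label a sender or link as 'trusted', 'lookalike' or 'unknown'."""
    host = host_of(value)
    if host and is_trusted(host):
        return "trusted"
    # A trusted name used as a label of some other domain is the "altered"
    # pattern: the real domain is what the host ENDS with, not what it contains.
    brands = {d.split(".")[0] for d in TRUSTED_DOMAINS}
    labels = host.replace("-", ".").split(".")
    return "lookalike" if any(b in labels for b in brands) else "unknown"


# Constructed sample: the sender is the blog's example; the links are made up.
SAMPLE = [
    "Google Docs <accountupdate@google.org.com>",
    "https://docs.google.com.login.example/signin",
    "https://docs.google.com/document/d/1",
    "secretariat@pasai.org",
    "newsletter@example.net",
]

if __name__ == "__main__":
    for item in SAMPLE:
        print(f"{classify(item):<10} {host_of(item):<32} {item}")
```

The comparison is made on the end of the host name because that is the part the owner of the domain controls; misspelled names are not caught by this check and still need a careful read.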
What’s next
Stay tuned to read more about the following upcoming topics in our blog series:
The upcoming work of the Working Group on Environmental Auditing and how your SAI can get involved.
How to effectively collect data at your SAI.
We welcome your feedback and look forward to hearing about other priority topic areas of interest to you. Please email: secretariat@pasai.org
-----------------------------------------------------------------------------------------------------------------
The Pacific Association of Supreme Audit Institutions (PASAI) is the official association of supreme audit institutions (SAIs) in the Pacific region and a regional organisation of INTOSAI. It promotes transparent, accountable, effective and efficient use of public sector resources in the Pacific. It contributes to that goal by helping its member SAIs improve the quality of public sector auditing in the Pacific to recognised high standards. The global coronavirus pandemic (COVID19) has restricted PASAI’s delivery of our programs to our Pacific members; in lieu of this, PASAI will be providing a series of blogs on various topics that may help auditors think about some implications to service delivery as a result of COVID19.
For more information about PASAI, refer to www.pasai.org