What is phishing? A guide to cybersecurity awareness
As a small business, you and your team have undoubtedly encountered the term 'phishing'. But what does phishing mean? What is a phishing scam? And what do you need to know about how to report scam emails?
The impact of phishing should not be underestimated. In 2022, Australians collectively lost over $3 billion to scammers. According to the Australian Competition and Consumer Commission (ACCC), phishing was the most common type of scam reported in 2022.
Small and micro businesses are far from exempt from scam attempts. The ACCC reports that small and micro businesses reported losses of $13.6 million in 2022. So, how can you protect your business from phishing? And how does phishing happen in the first place?
Read on to find out how to keep your business and clients safe.
What is phishing, and how does it work?
Phishing is when a scammer impersonates well-known brands or government organisations and induces the victim to share sensitive information. Phishing can lead to the victim losing money or data, or having their identity stolen.
Phishing scammers often target victims through email, text messages, fraudulent websites, social media or over the phone, with the ACCC reporting that phishing via text message was the most common scam in 2022.
Victims fall for scams because they look and feel authentic. For example, fraudulent text messages might appear on the victim's phone in the same text thread as authentic text messages from a trusted service provider, like their bank. In these messages, scammers might prompt victims to click through to a link, transfer money, or divulge their banking details.
In Australia, Medicare, MyGov, and Centrelink are all routinely impersonated as part of phishing attempts.
What does phishing cost Australian businesses?
Businesses in Australia lost a total of $23.2 million to scams in 2022, according to the ACCC's Targeting Scams report. But it's not just money on the line. Falling victim to a scam can lead to data breaches like the ones experienced by Optus and Medibank in 2021.
The reputational risk of being the victim of a phishing attack is huge - businesses lose not only money but time and their clients' trust. The value of these losses is hard to quantify.
Common types of phishing attacks
What is an example of phishing? Phishing is now so widespread that most types of online communication can be used by scammers in phishing attacks.
Here are the top ways in which data is stolen.
Fake SMS/text message phishing
Also known as smishing, this form of phishing involves scammers texting their victims. It’s among the most common types of scams.
Unfortunately, scammers are now so sophisticated that they can make texts appear in the same text thread as other legitimate communications from a provider. Whether it's a request to update personal details from your health fund, a prompt to correct an incorrect shipping address, or a government organisation urging you to pay an outstanding bill, scammers can impersonate legitimate organisations with terrifying accuracy.
Invoice fraud
Invoice fraud involves scammers altering the payment details on invoices your business receives, such as a renewal notice or a bill. Without additional scrutiny, the bill might be paid without anyone noticing that the details on the invoice are incorrect, and the money goes directly to the scammers.
Email phishing
Scammers send emails pretending to be from reputable organisations, the government, or the police. The email often includes a link or attachment that can compromise your data, gaining access to passwords and other sensitive information.
Spear phishing
Spear phishing is a particularly insidious type of phishing because it’s highly personalised. Typically, scammers target large groups of people at once, trusting that of the thousands of potential victims, at least a few will fall for the scam. Spear phishing, however, is different. Individuals are targeted with personalised information, making the scam seem even more legitimate.
Vishing
Voice phishing, aka phishing over the phone, often uses automated text-to-speech technology to direct the victim to contact a specific (fraudulent) number or service. Vishing typically aims to gain banking or credit card details and steal money. Some vishing attempts use live callers.
Latest phishing trends
Certain groups should be extra vigilant about phishing attempts. These include those whose information has been compromised by previous data breaches. Some scams come and go; unfortunately, some have stood the test of time and are used repeatedly.
Here are some of the most common forms of phishing, meaning you and your business should be extra vigilant about these types of communication.
Toll/Linkt scams
The Toll/Linkt scam has been running for a long time. Victims receive a text informing them they must pay an outstanding toll immediately to avoid further fines. Linkt has confirmed that these texts are scams and that Linkt users won't be asked to pay any outstanding tolls via text link. In 2022, $24.6 million was lost to Toll/Linkt scams alone.
Medicare scams
Victims receive a text asking that they update their details because their Medicare card has expired or they have an unclaimed payment or rebate. You should only update your Medicare details through the official Medicare website or app.
There are many common scams in circulation. Being aware is the first step in protecting yourself and your business. Watch out for these common scams:
Recognising phishing red flags and protecting your personal information
Now that you understand some of the most common phishing attacks, you're probably wondering how to avoid them. After all, you or your business can't simply stop issuing or paying invoices, answering the phone or receiving emails.
Thankfully, there are a few obvious and less obvious giveaways when communication is a cleverly disguised phishing attempt. Consider these points to help determine whether someone is trying to scam you.
- Are there grammar or spelling errors in the communication? Official and legitimate communications from banks, government services and reputable brands won’t have spelling and grammar mistakes in the text or hyperlink. Spelling and grammar mistakes clearly indicate that the communication you've received is fraudulent
- Are you expecting the communication? There are plenty of scams in which you receive a fake email or text urging you to update your details, click a link, pay a fine or toll, transfer money or similar. Ask yourself whether this communication is something you expect. If you've had no contact with your bank recently, it’s unlikely they will text or call you about fraudulent activity on your account. If you're unsure, call them back on the number listed on their website
- What kind of information is being requested? Your bank won't ask you to share your banking password or personal information via email, phone, or text. Many service providers list what information they will or won't ask you to share. Knowing the basics of what you will and won't be expected to share is helpful in spotting a phishing attempt
- Are the details correct? Confirm invoice details independently before paying, for instance, by contacting the provider directly
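As an added example (not part of the original article), here is a small Python triage helper that applies the red flags above to incoming messages and invoices. The indicator phrases, the vendor record and the sample messages are all constructed for illustration, modelled on the toll, Medicare and invoice scams described earlier; the spelling-and-grammar check is left to the human reader.

```python
import re

# Indicator phrases taken from the scam patterns the article describes (toll fines,
# expired Medicare cards, requests for banking details). Constructed, not exhaustive.
URGENCY_PHRASES = ("immediately", "outstanding toll", "avoid further fines", "expired",
                   "unclaimed payment", "rebate", "update your details")
CREDENTIAL_RE = re.compile(r"\b(password|pin|card number|banking details|cvv)\b")
URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)

# Constructed vendor master record: the independently confirmed payment details.
KNOWN_VENDORS = {"Acme Stationery": {"bsb": "062-000", "account": "12345678"}}


def message_red_flags(text, expected=False):
    """Return the red flags an email or SMS body triggers, in a fixed order."""
    lower = text.lower()
    flags = []
    if any(p in lower for p in URGENCY_PHRASES):
        flags.append("urgency_or_account_problem")
    if CREDENTIAL_RE.search(lower):
        flags.append("asks_for_credentials_or_banking_details")
    if any(not u.lower().startswith("https://") for u in URL_RE.findall(text)):
        flags.append("link_not_https")
    if not expected:  # "Are you expecting the communication?"
        flags.append("unexpected_communication")
    return flags


def invoice_red_flags(vendor, bsb, account):
    """Compare the bank details on an invoice with the verified vendor record.
    Any mismatch must be confirmed with the vendor by phone before payment."""
    known = KNOWN_VENDORS.get(vendor)
    if known is None:
        return ["unknown_vendor"]
    if (known["bsb"], known["account"]) != (bsb, account):
        return ["bank_details_changed"]
    return []


# Constructed sample messages modelled on the scams described in the article.
TOLL_SMS = ("Your outstanding toll must be paid immediately to avoid further fines: "
            "http://toll-pay.example/pay")
MEDICARE_SMS = ("Your Medicare card has expired. Update your details and confirm your "
                "card number at https://medicare-update.example/")
SHIPPING_SMS = "Your Acme Stationery order has shipped. Track it at https://parcel.example/t/42"

if __name__ == "__main__":
    for label, msg, expected in [("toll", TOLL_SMS, False), ("medicare", MEDICARE_SMS, False),
                                 ("shipping", SHIPPING_SMS, True)]:
        print(label, message_red_flags(msg, expected))
    print("invoice", invoice_red_flags("Acme Stationery", "062-000", "99999999"))
```

A message with no flags is not proof that it is genuine; the helper only surfaces the points above for a person to check.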
You can protect yourself and your business further by following these cyber safety best practices:
- Use strong passwords: Most people are tempted to use the same password across many different sites or devices. This temptation is understandable, given the number of passwords most people use daily. However, using the same password for everything means that your information across all these platforms is compromised if a scammer can access your password. Most browsers can suggest and store a strong password for you. You won't have to remember the passwords for multiple sites while maintaining your cyber safety
- Don't overshare online: The more information about yourself you share through your social media profiles, in particular, the more vulnerable you make yourself. Cybercriminals can use benign-seeming details against you in a phishing attack
- Recognise secure websites: Secure websites typically display a padlock icon in the address bar. The icon indicates that the content of the website and your interaction with it is encrypted. You should also check that the address begins with https://, in which the 's' stands for secure
- Use two-factor authentication: Two-factor authentication is the safest way to access websites. When offered this option, it's a good idea to take it up. When using two-factor authentication, you'll sign in to a website with your email and password before receiving an email, text, or fingerprint sign-in prompt. This offers an extra level of security
How to prevent phishing attacks in your business
As a business, your risk exposure to phishing attacks is two-fold. Your business could fall victim to a scam and lose money, or a phishing attempt could seriously damage your reputation if scammers impersonate your business to target your clients. But how can you prevent phishing when it's seemingly so widespread? Here are some simple steps you can take to protect your reputation, data and money:
Protect your business
- Train your staff. One thing your staff can easily do to minimise the risk of phishing is to call the organisation listed as the sender of any dodgy-looking communication. For example, if your accounts team receives an email from your bank and is unsure whether the email is fraudulent, request that they contact your bank through its publicly listed contact details
- Install antivirus and anti-malware software on all devices
- Install email filters to help weed out phishing emails
- Use browser extensions that block deceptive-looking pop-ups, advertisements and websites
- Stay up-to-date on the latest phishing trends in your field. Refer to reputable sources like Scamwatch, the Australian Signals Directorate, CHOICE, and the ACCC
Protect your clients
- Protect your clients by clearly listing the information you will or won't request from them on the phone, via email, or in a text message
- Educate your clients about current scams in your field
- Encourage clients to contact you immediately if they are concerned about a communication purporting to be from your business
How to report scam emails
It's important to report scams that you come across. Community vigilance is critical to combating phishing and can only be achieved if everyone reports scams they encounter.
You can report scams to Scamwatch, the Australian Government’s National Anti-Scam Centre. Now that most Australians have been contacted by scammers, many are no longer reporting scams they haven't fallen victim to. All scams should be reported to Scamwatch to protect the Australian community.
If you suspect you've fallen victim to a scam involving money, contact your bank or credit card provider immediately. If you act fast, they may be able to halt the transaction.
Security matters at Brother
Being on the lookout for scams is crucial, but cybercriminals can access and compromise your business in other ways. Brother offers a range of products designed with security in mind. Our professional office devices, including printers and scanners, are equipped with some of the latest security features to keep your sensitive documents secure and in the right hands.
For example, an all-in-one printer like the Brother MFC-L9630CDN comes with near-field communication (NFC) - a wireless technology that only allows documents to be printed or accessed by authorised personnel using their smartphone or dedicated NFC card.
Contact Brother for a complete workplace assessment and more information on how our products can bolster your security efforts and seamlessly integrate into your existing systems.