Phishing Scams that lead to Data Breaches + Identity Theft ➲ Business Brand + Personal Protection

31/10/2022

Privacy + CyberSecurity Law

Phishing Scams that lead to Data Breaches + Identity Theft ➲ Business Brand + Personal Protection

This article details how I recently nearly fell victim to an elaborate + convincing "phishing" scam. It also suggests what you can do to mitigate this real + growing risk. Scams pose a dual threat 1️⃣ To your business brand if it is used to perpetrate these scams; and 2️⃣ To you personally if you become a victim. In light of the recent high-profile large-scale data breaches across major Australian companies, it appears some are still fumbling around in the dark!

James D. Ford Esq.

Founder & [iC]℠ a.k.a Outside General Counsel

Contents

If it's too good to be true, then it is most likely a scam!

What is masking?

What is Web Domain Spoofing?

How can you prevent Spoofing?

Is your domain protected?

What about the recent data breaches from Optus, Medibank & AHM, etc.?

A recent Phishing Scam example: Selling on Gumtree

Reply from Gumtree 'This is a Scam!"

Scamwatch

Mitigation Strategies

If it's too good to be true, then it is most likely a scam!

As a general rule, beware of online communications which send you into an urgent panic that you need to do something right now to prevent losing something or suffering some kind of harm, or that seem too good to be true!

Phishing Scams are designed to penetrate through your normal defences so you overlook important details which if you did notice you could use to conclude that the communication is attempting to set you up to disclose important information either personal or financial.

Q: What is it they are trying to get you to overlook?

A: The source of the communication

If you are able to determine that the communication is not actually being sent from a trusted source, then you will instantly know it is a scam.

What is Masking?

In email communications, a feature of email address protocol is that a long email address can be shortened and displayed as a handle or contact description.

It is important to know that the description is not the actual email address, it is meant to simply display the name of the owner of the email address.

In some cases a scammer might use the name of a trusted company or person or even use a trusted email address as the mask (masking the actual email address).

If you investigated such an email it might look something like the following:

➲ DHL EXPRESS ®COURIER COMPANY <[email protected]>

The above email address has been extracted from my junk folder; or

➲ [email protected] <[email protected]>

I created the above email address to show that you can type anything as the mask, even a realistic looking email address.

We recommend at they very minimum you always ensure you determine the actual email address an email has been sent from to determine if it is from a trusted source.

What is Web Domain Spoofing?

In some cases, sophisticated scammers are capable of using or in other words "spoofing" the web domain of a sender you trust so it can actually appear as if the trusted source has sent the email.

Therefore, if there is no masking and the communication or link is from a web domain you trust, there is less chance that the communication is part of a scam, but you still need to remain vigilant regarding what you are being presented with.

If you are unsure, you should directly contact the owner of the web domain to verify the matter to your satisfaction.

What is interesting is that in such as case if you reply to the spoofed email, your reply will be sent to the real owner of the address—not the spoofer.

That doesn't matter to scammers and phishers, as they are just hoping you'll click links or open attachments so they can achieve their desired purpose or obtain the information they are seeking.

How can you prevent Spoofing?

The unfortunate truth is that as at 2018 circa 91% of the Fortune 500 businesses had no effective email authentication policies, and therefore no protection against hackers' spoofing their web domain.

If this is the position for these larger companies, you can only imagine how wide open smaller businesses are to this form of attack on their business brand and reputation.

Small Law firms (without effective email authentication) are prime targets!

Whilst a bit technical (this is part of the problem regarding why the solutions are not widely adopted) the following text and pie chart have been extracted from Microsoft 365's website (emphasis added).

Use email authentication to help prevent spoofing

DMARC prevents spoofing by examining the From address in messages.

The From address is the sender's email address that users see in their email client.

Destination email organizations can also verify that the email domain has passed SPF or DKIM.

In other words, the domain has been authenticated and therefore the sender's email address is not spoofed.

However, DNS records for SPF, DKIM, and DMARC (collectively known as email authentication policies) are optional.
Domains with strong email authentication policies like microsoft.com and skype.com are protected from spoofing.
But domains with weaker email authentication policies, or no policy at all, are prime targets for being spoofed.
As of March 2018, only 9% of domains of companies in the Fortune 500 publish strong email authentication policies.
The remaining 91% of companies might be spoofed by an attacker. Unless some other email filtering mechanism is in-place, email from spoofed senders in these domains might be delivered to users.
DMARC policies of Fortune 500 companies.

The proportion of small-to-medium sized companies that publish strong email authentication policies is smaller.

And the number is even smaller for email domains outside North America and western Europe.

Lack of strong email authentication policies is a large problem.

While organizations might not understand how email authentication works, attackers fully understand, and they take advantage. Because of phishing concerns and the limited adoption of strong email authentication policies, Microsoft uses implicit email authentication to check inbound email.

Implicit email authentication is an extension of regular email authentication policies. These extensions include: sender reputation, sender history, recipient history, behavioral analysis, and other advanced techniques. In the absence of other signals from these extensions, messages sent from domains that don't use email authentication policies will be marked as spoof.

To see Microsoft's general announcement, see A Sea of Phish Part 2 - Enhanced Anti-spoofing in Microsoft 365.

Is your domain protected?

We recommend you check whether your domain is protected against abuse by phishers + spammers by using this free Domain Health Checker.

Blueocean.law ➲ Protected

Here is the result showing that our web domain blueocean.law is protected!

blueocean.law is protected against abuse by phishers + spammers
Protected Result for: blueocean.law as at circa November 2021.

What about the recent data breaches from Optus, Medibank & AHM, etc.?

Here is a quick overview of the current status (as at 31 October 2022) of the domain email authentication policies for these companies.

Optus ➲ Protected

Protected Result for: Optus.com.au as at 31 October 2022

Medibank and AHM ➲ Not Protected against abuse by phishers and spammers!

Negative Result for: medibank.com.au as at 31 October 2022
Negative Result for: AHM.com.au as at 31 October 2022

A recent Phishing Scam example: Selling on Gumtree

Recently, when selling an item on Gumtree, I was approached by a buyer who stated that as they were a distance away it was impractical to collect the item in person.

They advised me that Gumtree offers an online payment and delivery system and proposed to pay in advance.

I was not aware of this offering, but it made sense as it is a customer service orientated process, which allowed for an increased range of buyers.

They did not attempt to negotiate the price, and it was clear that by opting for this collection process they as buyer would be paying for the pickup.

At this stage other than feeling "good fortune" as I had made a fairly quick and profitable sale (normally buyers on Gumtree make lowball offers) I did not suspect anything untoward.

I agreed to the deal, who wouldn't right!

The buyer advised they had made the payment and they sent me the following message via WhatsApp showing proof of payment.

They also sent via WhatsApp a link so that I could accept the payment and co-ordinate with a Gumtree or Australia Post person to organise a convenient time next week to have the item picked up.

Note that by using WhatsApp they have bypassed any ability to enforce domain authentication (see above discussion regarding email authentication) regarding the origin of the website link that they included in the message which was purportedly a Gumtree website address.

The web address in the link provided starts with Gumtree, but is not actually Gumtree's website.

The link was to a fake copy of the Gumtree website specifically designed to offer the payment service, and to attempt to scam my financial information.

The fake website also included the image of the item I was selling, along with the asking price, and the delivery address and name of the buyer which helped make it appear more genuine.

The scam is based on the fact that you need to provide your credit card information in order to be sent the funds.

The offer is made later in the day, so presumably you might provide your financial details, and then by the time you chase up the issues the next day, presumably your financial information has already been used to rack up purchases on your account.

It is a weblink specifically created (using my own image) and images from the official Gumtree site, to impersonate the official Gumtree site.

Reply from Gumtree "This is a Scam!"

"You were absolutely right to be suspicious, this is a scam.
Gumtree does not offer any online payment or delivery system, and we do not send communications through text or Whatsapp messages.  

We can also confirm that currently there is a scam trend where a supposed buyer takes the conversation to WhatsApp and supplies a link to a third party payment site, asking the seller to provide their payment details.
Gumtree Delivery Scam via Whatsapp / SMS
Gumtree does NOT currently offer delivery and is not affiliated with any delivery service.

If you receive any Whatsapp or SMS messages from potential buyers offering Gumtree delivery as a service, do NOT click on the link or enter your payment details.

You should immediately end the conversation and report this activity to our team here.
If you have already provided your payment details, please contact your bank or credit card provider so they can assist further.

This is a payment fraud attempt, and you should never send money or payment details to people you don't know.

We recommend keeping conversations within the Gumtree messaging system, rather than using personal email, SMS, or WhatsApp.
You may also want to consider removing your phone number from your ad, so that interested buyers can only contact you through the site.
You can always exchange contact information once you are comfortable that the person is genuine." 

Gumtree has now added the following popup at login.

Scamwatch

The number and sophistication of scams are on the rise, and so to I presume are their success rates!

We strongly recommend that as a starting point you take the time to review the known reported scams.

You can become familiar with the different types of scams listed on the Australian Government website Scamwatch.

As new scams are being constructed all the time you also need to be on the look out of any Red Flags or any gut feeling that things don't look right.

Just as a physical break-in and robbery can be devastating on many levels, being scammed can be worse.

As after the fact the victim comes to realise that they were fooled + handed the keys to the scammers.

Additionally, loss of important information can lead to "Identity Theft", which can cause further financial losses, havoc on your credit record and your life in general as it can continue and be very difficult to stop, like chasing a ghost who doesn't want to be found.

Mitigation Strategies

Business Reputation Risk

All businesses need to be aware of the potential for their business name and brand to be adopted by scammers to perpetrate an online scam.

Studies have shown that if your brand is used in this way, it can be devastating to both the level of trust in your brand, as consequently the ongoing survival of your business.

In order to mitigate the risk you can take proactive steps to have your brand, logo and images monitored for presence on the internet.

Trademark & Copyright Protection + Phishing Attack Prevention

Online image monitoring technology which is used to scan the internet for copyright infringement can also be used to proactively identify the illegal use of your brand and associated images.

This is a valuable service which has the ability to simultaneously provide both:

✅ Trademark Protection; +

✅ Phishing Attack Prevention.

The need for Phishing Attack Prevention will certainly grow in demand into the future.

Every business will need to proactively work to protect both their clients and their reputation by stopping phishing attacks using their brand.

Please read this article summarising the results of a comprehensive study about Phishing Attacks (published 9 March 2021).

We are currently in the process of negotiations to be able to offer this State-of-the-Art Reputation Management Solution to our clients.

Please contact us for more details.

Domain Protection

When you consider that the majority of large Fortune 500 companies may not have effective domain protection in place (see the extract from the Microsoft article above) it is past time that all businesses (large and small) take cybersecurity + brand reputation risk seriously.

It is noted that the above-attempted phishing scam used WhatsApp rather than email to send its phishing link.

From what we understand they could have alternatively mimicked an email from gumtree to send the phishing link.

We raise this possibility as it appeared that at the time when this article was originally published circa November 2021 the gumtree domain did not have protection to prevent a phisher or scammer from impersonating the domain.

We are pleased to report that we have just rechecked today 31 October 2022 and the positive result indicates that Gumtree have now taken proactive steps to protect its domain and in turn its users from phishers and spammers.

Negative Result for: Gumtree as at November 2021
Protected Result for: Gumtree as at 31 October 2022.

Personal Email

When it comes to email communications there are many solutions in the market which will operate to help stop scam emails before you ever see them.

New privacy settings from Apple, allow you to engage or interact with unknown untrusted parties without disclosing your actual email address.

Other solutions exist (at least in the USA, and I assume they will also become available in Australia) where you can obtain (one-time or limited use) virtual credit or debit card details which are linked to your actual credit or debit card.

These virtual details can be provided to merchants and will work for specific transaction/s but will thereafter be invalid, keeping your actual credit card details safe.

Apple Pay already makes payment to the merchant without disclosing your credit card details.

Personal SMS/Text Messages

When you are sent personalised sms/text messages, as far as I am aware solutions to help stop scammers are either non-existent or in their infancy.

You just need to beware of any messages from unknown sources.

Personal Phone Calls

If you receive a phone call from an unknown number, you can use a service like reversaustralia.com.au to lookup the phone number to attempt to determine whether others have been harassed by the same caller, and whether or not they indicate a scam or potential scam.

Identity Watch

Identity Watch is a cyber-monitoring service included in a number of Equifax personal credit and identity monitoring plans.

Identity Watch is used to help detect fraud by constantly looking for information - such as credit and debit card numbers, phone numbers and email addresses - in places on the internet where information is known to be illegally traded.

Restore your Identity with Credit and Identity Guard Insurance

Identity Theft, Identity Protection Equifax Credit and Identity Guard Insurance supports you if you've become a victim of identity fraud.

It'll help you with the cost of restoring your identity and reduce the impact and risk associated with loss and theft.

Authentic8 / Genuin Protect your Important Documents

If you want to proactively protect your Legal + Identity Documents from Fraud + Litigation please contact our legal team to assist you.

Further Reading:

Are your Legal + Identity Documents Securely Trax Print Protected to provide Fraud + Litigation Prevention? ➲ It's a No-Brainer!

How to Protect your Reputation + Copyright Online ➲ 24/7 Active Monitoring + TakeDown Notice Options

Step-Up to Sophisticated Intellectual Property / Privacy Protection ➲ Geo-fence your Trade Secrets, Personal Data, etc.

Identity Theft Protection ➲ Smart List

Verification of Identity (VOI) [Authentic or Fake] ➲ Smart List

Digital Life ➲ The Law Playing Catch Up on Privacy + CyberSecurity

Social Sharing Image: Courtesy of Justin Clark on Unsplash

Credits: This blog article was mainly compiled from extracts taken from the published GPT-3 article by James D. Ford GAICD | Principal Solicitor, Blue Ocean Law Group℠.

Important Notice:

This blog article is intended for general interest + information only.

It is not legal advice, nor should it be relied upon or used as such.

We recommend you always consult a lawyer for legal advice specifically tailored to your needs & circumstances.