Beware of Phishing Scams ➲ Business Brand + Personal Protection

26/11/2021

Privacy + CyberSecurity Law


This article details how I recently nearly fell victim to an elaborate + convincing "phishing" scam. It also suggests what you can do to mitigate this real + growing risk. Scams pose a dual threat 1️⃣ To your business brand if it is used to perpetrate these scams; and 2️⃣ To you personally if you become a victim.

James D. Ford GAICD

Founder, M.D. & General Practice Lawyer

Contents

If it's too good to be true, then it is most likely a scam!

What is masking?

What is Web Domain Spoofing?

A recent example: Selling on Gumtree

Reply from Gumtree "This is a Scam!"

Scamwatch

Mitigation Strategies

If it's too good to be true, then it is most likely a scam!

As a general rule, beware of online communications which send you into an urgent panic that you need to do something right now to prevent losing something or suffering some kind of harm, or that seem too good to be true!

Phishing scams are designed to get past your normal defences so that you overlook important details. Had you noticed those details, you could have concluded that the communication is an attempt to set you up to disclose important personal or financial information.

Q: What is it they are trying to get you to overlook?

A: The source of the communication

If you are able to determine that the communication is not actually being sent from a trusted source, then you will instantly know it is a scam.

What is Masking?

In email communications, a feature of the email address format is that a long email address can be shortened and displayed as a handle or contact description.

It is important to know that the description is not the actual email address; it is simply meant to display the name of the owner of the email address.

In some cases a scammer might use the name of a trusted company or person or even use a trusted email address as the mask (masking the actual email address).

If you investigated such an email it might look something like the following:

➲ DHL EXPRESS ®COURIER COMPANY <officemessage3481@gmail.com>

The above email address has been extracted from my junk folder; or

➲ Deliveries@DHL.com <officemessage3481@gmail.com>

I created the above email address to show that you can type anything as the mask, even a realistic looking email address.

We recommend that, at the very minimum, you always check the actual email address an email has been sent from to determine if it is from a trusted source.
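The check recommended above, as an added example that is not part of the original article: it separates the display name (the mask) from the actual address and warns when the two disagree. The `BRAND_DOMAINS` allow-list, the simplified header pattern and the third sample sender are assumptions made for illustration.

```python
import re

# Constructed sample allow-list (an assumption for this example):
# brand keyword -> domains that brand genuinely sends mail from.
BRAND_DOMAINS = {"dhl": {"dhl.com"}}

# Simplified From-header shape: optional display name, then <address>.
_FROM_RE = re.compile(r"^\s*(?P<name>.*?)\s*<(?P<addr>[^<>\s]+)>\s*$")
_EMAIL_RE = re.compile(r"[\w.+-]+@([\w-]+(?:\.[\w-]+)+)")


def split_from(header):
    """Return (display name, actual address) from a From header value."""
    m = _FROM_RE.match(header)
    if not m:  # bare address with no display name
        return "", header.strip()
    return m.group("name").strip('"'), m.group("addr")


def domain_allowed(domain, allowed):
    """True if domain is one of the allowed domains or a subdomain of one."""
    return any(domain == d or domain.endswith("." + d) for d in allowed)


def mask_warnings(header):
    """List the reasons a display name may be masking the real sender."""
    name, addr = split_from(header)
    sender_domain = addr.rsplit("@", 1)[-1].lower()
    warnings = []
    # Check 1: the display name is itself an address on another domain.
    for shown in _EMAIL_RE.finditer(name):
        if shown.group(1).lower() != sender_domain:
            warnings.append(f"name shows {shown.group(0)}, sender is {addr}")
    # Check 2: the display name uses a brand the sender domain does not belong to.
    for brand, allowed in BRAND_DOMAINS.items():
        uses_brand = re.search(rf"\b{re.escape(brand)}\b", name, re.I)
        if uses_brand and not domain_allowed(sender_domain, allowed):
            warnings.append(f"name mentions '{brand}', sender domain is {sender_domain}")
    return warnings


if __name__ == "__main__":
    for sample in (
        "DHL EXPRESS ®COURIER COMPANY <officemessage3481@gmail.com>",  # from the article
        "Deliveries@DHL.com <officemessage3481@gmail.com>",            # from the article
        "DHL Express <noreply@dhl.com>",                               # constructed
    ):
        print(sample, "->", mask_warnings(sample) or "no warnings")
```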

What is Web Domain Spoofing?

In some cases, sophisticated scammers are capable of using, or in other words "spoofing", the web domain of a sender you trust, so it can actually appear as if the trusted source has sent the email.

Therefore, if there is no masking and the communication or link is from a web domain you trust, there is less chance that the communication is part of a scam, but you still need to remain vigilant regarding what you are being presented with.

If you are unsure, you should directly contact the owner of the web domain to verify the matter to your satisfaction.

What is interesting is that in such a case, if you reply to the spoofed email, your reply will be sent to the real owner of the address, not the spoofer.

That doesn't matter to scammers and phishers, as they are just hoping you'll click links or open attachments so they can achieve their desired purpose or obtain the information they are seeking.

A recent example: Selling on Gumtree

Recently, when selling an item on Gumtree, I was approached by a buyer who stated that as they were a distance away it was impractical to collect the item in person.

They advised me that Gumtree offers an online payment and delivery system and proposed to pay in advance.

I was not aware of this offering, but it made sense as it is a customer service orientated process, which allowed for an increased range of buyers.

They did not attempt to negotiate the price, and it was clear that by opting for this collection process they as buyer would be paying for the pickup.

At this stage other than feeling "good fortune" as I had made a fairly quick and profitable sale (normally buyers on Gumtree make lowball offers) I did not suspect anything untoward.

I agreed to the deal. Who wouldn't, right?

The buyer advised they had made the payment and they sent me the following message showing proof of payment.

They also sent a link so that I could accept the payment and co-ordinate with a Gumtree or Australia Post person to organise a convenient time next week to have the item picked up.

Note that the web address in the link provided starts with Gumtree, but is not actually Gumtree's website.

The link was to a fake copy of the Gumtree website specifically designed to offer the payment service, and to attempt to scam my financial information.

The fake website also included the image of the item I was selling, along with the asking price, and the delivery address and name of the buyer which helped make it appear more genuine.

The scam is based on the fact that you need to provide your credit card information in order to be sent the funds.

The offer is made later in the day, so presumably you might provide your financial details, and by the time you chase up the issues the next day your financial information has already been used to rack up purchases on your account.

It is a weblink specifically created, using my own image and images from the official Gumtree site, to impersonate the official Gumtree site.

The fake website address starts with gumtree, but is not actually the gumtree website.
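A way to test the point above, that a web address can start with "gumtree" without being Gumtree's website (an added example, not part of the original article). It assumes `gumtree.com.au` is the genuine domain; the `.example` hosts and the message text are constructed placeholders, not the link from the scam.

```python
import re
from urllib.parse import urlsplit

# Assumptions for this example: the genuine site's domain and the brand word.
OFFICIAL_DOMAIN = "gumtree.com.au"
BRAND = "gumtree"

# Loose URL matcher for chat/SMS text: optional scheme, dotted host, optional path.
_URL_RE = re.compile(r"(?:https?://)?(?:[a-z0-9-]+\.)+[a-z]{2,}(?:/\S*)?", re.I)


def classify_link(url):
    """Return 'official', 'lookalike' or 'unrelated' for one link.

    Ownership of a hostname is decided by how it ENDS, so the brand
    appearing at the start of the address proves nothing.
    """
    if "://" not in url:
        url = "https://" + url
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    if host == OFFICIAL_DOMAIN or host.endswith("." + OFFICIAL_DOMAIN):
        return "official"
    if BRAND in host:
        return "lookalike"  # uses the brand name, but is someone else's domain
    return "unrelated"


def review_message(text):
    """Classify every link found in a message body."""
    return [(m.group(0), classify_link(m.group(0))) for m in _URL_RE.finditer(text)]


if __name__ == "__main__":
    # Constructed message; the .example hosts are placeholders, not real sites.
    message = (
        "Hi, I have paid for the item. Accept the payment here: "
        "https://gumtree.com.au.order-pay.example/receive/48213 "
        "My ad for reference: https://www.gumtree.com.au/s-ad/1234567"
    )
    for link, verdict in review_message(message):
        print(f"{verdict:10} {link}")
```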

Reply from Gumtree "This is a Scam!"

"You were absolutely right to be suspicious, this is a scam.
Gumtree does not offer any online payment or delivery system, and we do not send communications through text or WhatsApp messages.

We can also confirm that currently there is a scam trend where a supposed buyer takes the conversation to WhatsApp and supplies a link to a third party payment site, asking the seller to provide their payment details.
Gumtree Delivery Scam via WhatsApp / SMS
Gumtree does NOT currently offer delivery and is not affiliated with any delivery service.

If you receive any WhatsApp or SMS messages from potential buyers offering Gumtree delivery as a service, do NOT click on the link or enter your payment details.

You should immediately end the conversation and report this activity to our team here.
If you have already provided your payment details, please contact your bank or credit card provider so they can assist further.

This is a payment fraud attempt, and you should never send money or payment details to people you don't know.

We recommend keeping conversations within the Gumtree messaging system, rather than using personal email, SMS, or WhatsApp.
You may also want to consider removing your phone number from your ad, so that interested buyers can only contact you through the site.
You can always exchange contact information once you are comfortable that the person is genuine." 

Scamwatch

The number and sophistication of scams are on the rise, and so too, I presume, are their success rates!

We strongly recommend that as a starting point you take the time to review the known reported scams.

You can become familiar with the different types of scams listed on the Australian Government website Scamwatch.

As new scams are being constructed all the time, you also need to be on the lookout for any red flags or any gut feeling that things don't look right.

Just as a physical break-in and robbery can be devastating on many levels, being scammed can be worse, as after the fact the victim comes to realise that they were fooled + handed the keys to the scammers.

Additionally, loss of important information can lead to "Identity Theft", which can cause further financial losses, havoc on your credit record and your life in general as it can continue and be very difficult to stop, like chasing a ghost who doesn't want to be found.

Mitigation Strategies

Business Reputation Risk

All businesses need to be aware of the potential for their business name and brand to be adopted by scammers to perpetrate an online scam.

Studies have shown that if your brand is used in this way, it can be devastating to both the level of trust in your brand and, consequently, the ongoing survival of your business.

In order to mitigate the risk you can take proactive steps to have your brand, logo and images monitored for presence on the internet.

Trademark & Copyright Protection + Phishing Attack Prevention

Online image monitoring technology which is used to scan the internet for copyright infringement can also be used to proactively identify the illegal use of your brand and associated images.

This is a valuable service which has the ability to simultaneously provide both:

✅ Trademark Protection; +

✅ Phishing Attack Prevention.

The need for Phishing Attack Prevention will certainly grow in demand into the future.

Every business will need to proactively work to protect both their clients and their reputation by stopping phishing attacks using their brand.

Please read this article summarising the results of a comprehensive study about Phishing Attacks (published 9 March 2021).

We are currently in the process of negotiations to be able to offer this State-of-the-Art Reputation Management Solution to our clients.

Please contact us for more details.

Personal Email

When it comes to email communications there are many solutions in the market which will operate to help stop scam emails before you ever see them.

New privacy settings from Apple allow you to engage or interact with unknown, untrusted parties without disclosing your actual email address.

Other solutions exist (at least in the USA, and I assume they will also become available in Australia) where you can obtain (one-time or limited use) virtual credit or debit card details which are linked to your actual credit or debit card.

These virtual details can be provided to merchants and will work for specific transaction/s but will thereafter be invalid, keeping your actual credit card details safe.

Apple Pay already makes payment to the merchant without disclosing your credit card details.

Personal SMS/Text Messages

When you are sent personalised SMS/text messages, as far as I am aware, solutions to help stop scammers are either non-existent or in their infancy.

You just need to beware of any messages from unknown sources.

Personal Phone Calls

If you receive a phone call from an unknown number, you can use a service like reversaustralia.com.au to look up the phone number to attempt to determine whether others have been harassed by the same caller, and whether or not they indicate a scam or potential scam.

Identity Watch

Identity Watch is a cyber-monitoring service included in a number of Equifax personal credit and identity monitoring plans.

Identity Watch is used to help detect fraud by constantly looking for information - such as credit and debit card numbers, phone numbers and email addresses - in places on the internet where information is known to be illegally traded.

Restore your Identity with Credit and Identity Guard Insurance

Equifax Credit and Identity Guard Insurance supports you if you've become a victim of identity fraud.

It'll help you with the cost of restoring your identity and reduce the impact and risk associated with loss and theft.

Trax Print Protect your Important Documents

If you want to proactively protect your Legal + Identity Documents from Fraud + Litigation please contact our legal team to assist you.

Further Reading:

Are your Legal + Identity Documents Securely Trax Print Protected to provide Fraud + Litigation Prevention? ➲ It's a No-Brainer!

How to Protect your Reputation + Copyright Online ➲ 24/7 Active Monitoring + TakeDown Notice Options

Step-Up to Sophisticated Intellectual Property / Privacy Protection ➲ Geo-fence your Trade Secrets, Personal Data, etc.

Identity Theft Protection ➲ Smart List

Verification of Identity (VOI) [Authentic or Fake] ➲ Smart List

Digital Life ➲ The Law Playing Catch Up on Privacy + CyberSecurity

Social Sharing Image: Courtesy of Justin Clark on Unsplash

Credits: This blog article was mainly compiled from extracts taken from the published GPT-3 article by James D. Ford GAICD | Principal Solicitor, Blue Ocean Law Group℠.

Important Notice:

This blog article is intended for general interest + information only.

It is not legal advice, nor should it be relied upon or used as such.

We recommend you always consult a lawyer for legal advice specifically tailored to your needs & circumstances.