I got phished: hackers hit right note with streaming music bait

By Darren Pauli August 17, 2020

I was so confident in my ability to spot a phishing email that I told my cyber security team I’d make sure to click theirs and not instinctively report or delete it. I knew I’d been had when I saw my colleague smiling an hour later.

Even I need to remember to always be sceptical of the unexpected.

Scepticism comes instinctively after a decade in journalism and so I was confident I’d spot the phishing email the team needed me to click for testing.

Scams Awareness Week: five ways in five days to free and easy cyber security

Be sceptical of unexpected communications, regardless of the sender or the platform on which they arrive. Contact the sender through official channels and report any suspected phishing to your security or IT team.

They sent a phishing email offering six months of free music streaming. It was perfect bait since I was deciding what service to use.

I was fully expecting free music. My face fell into my hands as realisation dawned.

Falling victim to that phishing email popped my bubble of subconscious confidence, but it doesn’t make me an idiot or even an easy mark.

Phishing emails, like any advertising, work best when their well-crafted pitch hits the right audience at the right time.

Look for tpyos typos

Phishing often contains typos and offers too good to be true, but traditional advice to look for these indicators misses the mark.

Many security practitioners, myself included, argue there are now no rules to phishing and no useful hallmarks for spotting it. Traditional indicators could even be harmful if they lull people into thinking well-written emails are more credible.

Discover for yourself and imagine the role of a criminal writing a phishing email. What lure would you write to interest your target? Could you write one free of typos? What lure would you pick if you were emailing 20,000 people?

My team wrote a good lure. It copied branding that didn’t seem out of place for my inbox. But ultimately the email’s chance timing coinciding with my hunt for a music service was so good that I probably would not have noticed typos or wonky logos.

Better advice than hallmarks of phishing is to be sceptical of unexpected communication, regardless of the sender and on what service the message appears.

An email from your bank, an SMS from your energy supplier, a phone call from your telecommunications provider or a direct message on your social platforms should all be treated as untrusted.

Confirm whatever the communication claims with the entity’s official phone or email address and not those offered in the unexpected contact.

The inconvenience goes a long way towards strengthening your cyber security defences.

Simple superweapon

Phishing is not going away.

It is the simple superweapon behind most successful cyberattacks from basic scammers to the most well-resourced nation-state intelligence agencies.

Technical controls can do much by blocking phishing and limiting the potential damage from successful attacks. But much comes down to your ability to detect and react.

Emotet, one of the most dangerous malware threats at present, spreads a variety of malicious payloads through phishing. Its emails may appear to come from people you know, delivered as replies to existing email threads, but they may still raise some suspicion.

Always report any possible phishing to your security or IT team, even if it is days or weeks after the incident, especially if you have entered your logins or run attachments.

Security teams can use the window between the phish and the use of the stolen usernames and passwords in follow-on attacks to protect you and your organisation.

Scams Awareness Week runs from August 17 – 21. Make sure to check out our Cyber Security Hub for the latest info on staying safe from threats. Also see the ACCC’s ScamWatch podcast series on identity theft by the team at the ABC’s The Chaser.

Five steps to cyber-secure a hybrid workforce

By Michael Ebeid AM July 28, 2020

The scramble earlier this year to shift entire businesses to remote working almost overnight showed just how nimble and adaptable Australians can be, and that we can be productive working from just about anywhere. But it also put many Australian businesses in a more cyber-vulnerable environment. As employees and employers felt the benefits of logging on from the home ‘office’, it became clear the way we work will never be the same. These benefits, however, are not without risk. In a new study, Telstra commissioned Forrester Consulting to look at the implications of remote working on cyber security and the steps businesses can take to secure a hybrid workforce.

The way we work was already changing before COVID-19 hit us. While the digitisation of our workforce was slowly evolving, few companies were prepared for a full shift to remote work. What COVID-19 has done is dramatically accelerate the shift to working from home as a new normal. In March 2020, in just shy of a month, almost every Australian office worker found themselves operating from home and connecting with colleagues over video.

What followed, however, was a nationwide heightening of cyber security risk. In the rush to secure organisations and ensure overnight remote digitisation, many businesses and their teams unintentionally took part in behaviours that put themselves and the companies they work for into a cyber-vulnerable position. These ranged from signing up for multiple free tools and collaborative online applications to connecting sensitive work devices to vulnerable home networks.

As though waiting in the wings, cyber criminals quickly swooped in to take advantage of digital environments made vulnerable by COVID-19, with a host of scams and complex attacks. The stark rise in hacking attempts triggered a response from the Federal Government, which announced that multiple businesses had been targeted by sophisticated online attacks and that increased diligence was required.

The Federal Government established an Industry Advisory Panel to provide strategic advice on Australia’s 2020 Cyber Security Strategy, which recently delivered its recommendations ahead of the Strategy being announced.

While Australia’s 2020 Cyber Security Strategy will play a part in helping, we know that cyber security is everyone’s responsibility and businesses require a comprehensive and long-term response to ensure remote working security.

To really understand what this looks like for Australian businesses, we asked Forrester Consulting to explore the challenges of cyber security and remote working and how businesses can secure their new-look workforce.

The rush home

The research revealed a rush from businesses to patch holes and support a remote workforce facing increased risk and exposure. From an estimated 16 per cent remote workers pre-pandemic to a staggering 68 per cent at the peak of restrictions in Australia to date, many businesses say they weren’t ready for a scenario of this magnitude. Many simply did not have essential security practices in place to safeguard an increased remote workforce.

Unsurprisingly, businesses revealed they were unprepared for cyber attacks. Just 52 per cent said their organisations’ business continuity plans were equipped to address cyber attacks and/or other security incidents. What’s more, 46 per cent said they did not feel they had sufficient tools in place to support employees’ use of mobile devices – pre-pandemic.

The reality is cyber security is an ever-evolving chess game and as businesses committed to mastering the rules, the game suddenly changed.

The five immediate priorities

Hybrid working looks like it is here to stay. Australian businesses are anticipating a higher rate of remote workers post COVID-19. Some 42 per cent of businesses expect they will permanently maintain an increased remote workforce. Quick fixes that have helped businesses tread water in the face of unprecedented displacement won’t cut it for a permanent hybrid workforce.

As COVID-19 restrictions adjust in Australia, our report found five immediate priorities businesses can explore to secure their hybrid workforce.

  1. Streamline security investments
  2. Train employees to be cyber safe at work and on the move
  3. Keep VPNs running and as secure as possible in the short-term
  4. Invest in Zero Trust network access to replace aging VPNs in the long-term
  5. Build a reliable security foundation for personal devices

Streamlining security investments can make things simpler and more cost-effective for businesses facing COVID-19 economic realities. For example, businesses can concentrate spending with their strategic partners. Trimming down a vendor list forces us to think about which vendors provide the solutions that are critical to future growth, and also builds deeper relationships.

As the Telstra Security Report 2019 found, employees can be a company’s best asset, but also the greatest risk when it comes to cyber security. Above everything, it’s critical to train and advise employees to be cyber safe at home, at work, and on the move. And this isn’t a one-off. It’s ongoing and evolving. The report cites a 600 per cent global increase in phishing and malware attacks earlier this year. This means we need an equal increase in employee alertness and preparedness. By running regular phishing simulations, team members become increasingly aware of what to look out for. Anti-phishing best practice is a strategic mix of technical controls, employee education, and incident response.

The report recommends that in the immediate term, businesses keep their VPNs running and as secure as possible – this is vital. But in the long term, there’s an opportunity to invest in Zero Trust network access to replace aging VPNs. Zero Trust network access reduces the network threat surface and offers security controls that VPNs lack, such as least-privilege access.

Finally, it all comes back to building a reliable security foundation for personal devices. This includes not allowing unmanaged devices on business networks, enhancing security posture with multifactor authentication, and revisiting security threats in the business continuity plan.

Telstra has been a leader in cyber security for over a decade, not just protecting our own network, but also helping our Enterprise customers manage their risk and protect data. In addition to our range of security products and services, Telstra Purple, our professional and technology managed services business, can provide guidance and help develop your strategy on how to address these priorities for your business, right through to providing a fully managed service. If you need help or more information please contact your Telstra account executive.

The way forward

Australian businesses have been thrust into an incredibly challenging situation. To help hybrid workforces succeed, I believe there’s an opportunity to scale solutions that not only maximise the productivity of workers, but also maintain security wherever they choose to work — at home, in the office or on the move.

Download your copy of the full Forrester study ‘Act now: Your five immediate priorities to secure a hybrid workforce’.

Watch out for COVID-19 remote work scams and phishing

By Darren Pauli April 2, 2020

Cybercriminals are targeting staff ordered to work from home amid the COVID-19 pandemic, with convincing phishing emails that reference the victim’s workplace.

The email’s subject line, a malicious link, and a sign-off signature include the domain found in the intended victim’s email address – for example, the ‘Telstra’ in our own email addresses.

The URLs, however, are just a mirage. When opened, they launch a different URL loading a page that resembles a Microsoft Office 365 login screen. Any usernames and passwords typed into this fake Office 365 login screen will be captured by the scammer.

Cybercriminals may sell those logins to other hackers or use them in a bid to access email, documents, and other data.

It is important to note that phishing emails rapidly change their contents (known as pretext), URLs, and sending addresses to avoid detection and blocking.

Therefore, this phishing example should be considered a current attack that may slightly or significantly change in the coming days or weeks.
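Because the pretext, URLs and sending addresses change, a structural check is more durable than a blocklist. The example below is added here and is not code from the original post: it parses a constructed HTML email and flags any link whose visible text or URL path names the recipient’s own organisation while the href actually resolves to a different host. The organisation ‘example-corp.com’ and the host ‘login-portal.example’ are placeholders.

```python
"""Flag links whose visible text or path names the recipient's organisation
while the link really resolves to another host. Added example, not code from
the original post; 'example-corp.com' and 'login-portal.example' are made up."""
from html.parser import HTMLParser
from urllib.parse import urlparse


class _LinkCollector(HTMLParser):
    """Gather (href, visible text) pairs for every <a> tag in the body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def org_label(host):
    """Crude organisation label: the last two DNS labels. Enough for a demo;
    a production filter would consult the public suffix list."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def find_lookalike_links(html, recipient_address):
    """Return links that mention the recipient's organisation in their visible
    text or URL path but whose host belongs to a different organisation."""
    org = org_label(recipient_address.split("@")[-1])
    parser = _LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        parts = urlparse(href)
        host = parts.hostname or ""
        if not host:
            continue  # mailto:, tel: and relative links carry no host to judge
        mentions_org = org in text.lower() or org in parts.path.lower()
        if mentions_org and org_label(host) != org:
            findings.append({"text": text, "href": href, "host": host})
    return findings


# Constructed sample in the shape described above: the organisation appears in
# the greeting, link text, link path and signature, but the login link's host
# is a third-party domain. The help-centre and mailto links are legitimate.
SAMPLE_EMAIL = """
<p>Dear example-corp.com staff,</p>
<p>Please review the updated remote-work policy:
<a href="https://login-portal.example/example-corp.com/owa/">
https://example-corp.com/remote-work-policy</a></p>
<p>Help centre: <a href="https://www.example-corp.com/help">support portal</a></p>
<p>Regards,<br>IT Support,
<a href="mailto:it-support@example-corp.com">it-support@example-corp.com</a></p>
"""
```

Run `find_lookalike_links(SAMPLE_EMAIL, "someone@example-corp.com")` to see the single flagged link; the legitimate help-centre and mailto links pass.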

We have been working hard with the Federal Government’s Australian Cyber Security Centre to block new malicious domains as they surface to protect customers across mobile and broadband services.

Look out for COVID-19 scams online

Cybercriminals are increasingly capitalising on the COVID-19 outbreak to make their phishing attacks more attractive. Attacks have occurred over email and SMS, and included dangerous malware embedded in Word documents.

Yet regular phishing emails faking missed packages, tax bills, and account recovery remain more numerous and successful. Telstra Cyber Security has observed those attacks snagging tens of thousands of victims from government, enterprise, and small businesses, and across all sectors and countries.

Anyone who fills out their logins on the malicious page should immediately alert their cyber security or IT teams, and change their Office passwords.

Multi-factor (or two-factor) authentication should also be enabled wherever possible. This defence requires a code, often generated in an app or sent via email, to be entered along with the usual username and password.

Consumers can use multi-factor authentication for Microsoft and Google products, along with all major social media sites. A comprehensive list can be found here.

Internet Explorer users urged to watch out for phishing attacks

By Clive Reeves January 22, 2020

Microsoft is warning Internet Explorer users to be hyper-vigilant to phishing attacks after it discovered a major flaw in the web browser was being actively exploited by hackers.

The company is yet to issue a patch for the remote code execution vulnerability, which affects all supported Windows desktop and server versions, as well as the out-of-support Windows 7 and Server 2008.

The flaw exists in the way Internet Explorer’s scripting engine (the browser component that handles JavaScript code) deals with objects in memory, Microsoft says.

An attacker who successfully exploits the flaw could gain the same user rights as the current user and run code of their choice on the victim’s system.

“If the current user is logged on with administrative user rights, an attacker who successfully exploited the vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights,” Microsoft said.

One way a hacker could exploit the flaw is by sending a phishing email or other message that drives the user to a specially crafted malicious website in IE.

Microsoft said it was working on a fix for the vulnerability, expected for its next Patch Tuesday update in early February. In the meantime it has suggested several workarounds and mitigations, including restricting access to the JavaScript component JScript.dll, to safeguard against attack.

While Microsoft said it was aware of hackers actively exploiting the flaw, it described these instances as “limited targeted attacks”, believed to be part of a wider hacking campaign also targeting Firefox users.

Internet Explorer is no longer the default browser in the latest versions of Windows, but still comes installed with the operating system and remains the browser of choice for many legacy applications.

How to identify, avoid and recover from a phishing attack

By Smarter Business January 16, 2020

Getting snagged by a phishing scam is never pleasant. It usually involves a cybercriminal using emails, texts, social media or phone calls to lure someone into handing over sensitive information. And as we become more and more dependent on technology and digital alerts, this kind of scam only gains ground. Thankfully, there are ways to identify, avoid and recover from a phishing attack if it happens to you.

Cyber attacks in Australia are more common and pervasive than ever before. The Telstra Security Report 2019 reported that 65% of Australian businesses have been affected by some kind of cyber security breach. What’s more shocking is that close to 90% of them went undetected.

At the heart of Australia’s cyber security problem is phishing (pronounced ‘fishing’): frauds devised to steal confidential information – such as passwords, credit card details and banking details – from unsuspecting recipients. In 2018, the Australian Competition and Consumer Commission (ACCC) received over 24,000 reports of phishing. And the numbers are getting worse. In 2016, around $370,000 was lost to phishing scams in Australia, while in the first nine months of 2019, that number exceeded $1 million.

Be aware of the bait

You’re probably familiar with classic 419 ‘Nigerian Prince’ scams – emails with fanciful promises to get you rich quick if you just help transfer some money. Amazingly, this hustle is still working long after it first appeared: in Australia in 2018, close to $1.4 million was stolen through this type of scam. For the most part, though, these are fairly easy to sniff out if you know to be wary of anyone pleading for help in exchange for some kind of financial reward.

Phishing, on the other hand, is far harder to detect. According to the Australian Cyber Security Centre (ACSC), the poorly written, unofficial-looking phishing scams that first appeared in Australia in 2003 are a thing of the past. Today, these scams are far more sophisticated. They come in the form of emails, text messages and even social media direct messages that masquerade as correspondence from legitimate organisations or institutions, like banks or government departments, and request personal information or prompt you to click on a pernicious link.

Phishing scams are designed to look legitimate, and predominantly go after people via phone (in 2018, 41.2% of phishing scams were phone-based), email (29%) and SMS (24.6%).

5 common phishing scams

  • Spear phishing: individualised messages from a seemingly trustworthy sender, such as a bank or employer, and usually targeted at employees in an organisation
  • Whaling: targeted spear phishing, where a senior person in an organisation is phished by a cybercriminal masquerading as someone trusted, like a colleague
  • Pop-up phishing: deceptive pop-up ads that contain malware
  • Clone phishing: messages that closely resemble previously received legitimate ones – for instance, a phisher might send a fake promotional email from a brand to a known customer of that brand
  • Voice phishing: also known as ‘vishing’, where a phisher will attempt to solicit sensitive information over the phone

Identify, avoid and recover

Fortunately, while phishing scams can be well disguised, there are red flags you can watch out for. Grammar errors, misspelt names and incorrect facts are common giveaways. You might receive an email from ‘’; a strange ‘competition winner’ alert SMS from JB Hi-Fi, when you haven’t entered a competition; or a cold call from a foreign or private number.

An organisation or institution will generally never ask a customer to share sensitive information through unsolicited correspondence. So as a rule, never give out personal details unless you are 100 per cent sure you know who you’re dealing with – in other words, you called them or have verified their identity. Likewise, never click on a link or open an attachment from an unsolicited message unless you are confident it’s legitimate – for example, you know you’ve safely received correspondence from this brand or person in the past.

According to ACSC, the best way to prevent phishing scams in the workplace is to “educate employees at all levels”. This includes instructing people to not click on links or open attachments on their work phone or computer, or through their work email, that have come from unknown parties.

If you’re unclear about how legitimate an email, text or phone call is, play it safe and simply delete or ignore it. You can always offer to call the institution back – after a thorough vetting.

If you have become the victim of a phishing scam, it’s important to act quickly. Change any compromised passwords across all your accounts, contact relevant parties (like your bank), and report the incident to the ACCC or ACSC.

Further protection tips

Do you know how secure your digital workspace is? Take our cyber-security quiz to see where you stand.

Looking to secure your digital workspace? Check out our range of business security apps.

Get all-in-one cyber security for your devices with Telstra Cyber Security Device Protect.