
Watch out for COVID-19 remote work scams and phishing

By Darren Pauli April 2, 2020

Cybercriminals are targeting staff ordered to work from home amid the COVID-19 pandemic, with convincing phishing emails that reference the victim’s workplace.

The email’s subject line, a malicious link, and a sign-off signature include the domain found in the intended victim’s email address – for example, the ‘Telstra’ in our own email addresses.

The URLs, however, are just a mirage. When opened, they launch a different URL loading a page that resembles a Microsoft Office 365 login screen. Any usernames and passwords typed into this fake Office 365 login screen will be captured by the scammer.
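The lure described above can be caught mechanically: the anchor text in the email shows the recipient's own domain while the real href points at a look-alike host. The following is an added detection example, not code from the original post; the org domain `example-corp.com`, the look-alike host and the sample email body are all constructed.

```python
"""Flag anchors in an HTML email whose visible text claims the organisation's
own domain while the real href points elsewhere. Standard library only."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Pulls a hostname out of visible link text such as "https://mail.example-corp.com/owa".
HOST_RE = re.compile(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", re.I)


def in_domain(host: str, domain: str) -> bool:
    """True if host is the domain itself or one of its subdomains."""
    host, domain = host.lower().rstrip("."), domain.lower()
    return host == domain or host.endswith("." + domain)


class _AnchorCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> element."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def find_suspicious_links(html: str, org_domain: str) -> list:
    """Return (href, text, reason) for links that warrant a phishing alert."""
    p = _AnchorCollector()
    p.feed(html)
    out = []
    for href, text in p.links:
        real_host = urlparse(href).hostname or ""
        if not real_host:  # relative or mailto: links are not the lure in question
            continue
        shown = HOST_RE.search(text)
        if shown and in_domain(shown.group(1), org_domain) and not in_domain(real_host, org_domain):
            out.append((href, text, "text shows org domain but href goes to " + real_host))
        elif not in_domain(real_host, org_domain):
            out.append((href, text, "external host " + real_host))
    return out


# Constructed sample: the first anchor displays the org's own domain but resolves elsewhere.
SAMPLE_EMAIL = """<p>Your example-corp.com mailbox will be suspended.</p>
<a href="https://example-corp-com.login-portal.invalid/o365">https://mail.example-corp.com/owa</a>
<a href="https://intranet.example-corp.com/help">Help desk</a>"""
```

Run `find_suspicious_links(SAMPLE_EMAIL, "example-corp.com")` to see the first anchor flagged and the genuine intranet link passed.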

Cybercriminals may sell those logins to other hackers or use them in a bid to access email, documents, and other data.

It is important to note that phishing emails rapidly change their contents (known as pretext), URLs, and sending addresses to avoid detection and blocking.

Therefore, this phishing example should be considered a current attack that may slightly or significantly change in the coming days or weeks.

We have been working hard with the Federal Government’s Australian Cyber Security Centre to block new malicious domains as they surface to protect customers across mobile and broadband services.

Look out for COVID-19 scams online

Cybercriminals are increasingly capitalising on the COVID-19 outbreak to make their phishing attacks more attractive. Attacks have occurred over email and SMS, and have included dangerous malware embedded in Word documents.

Yet regular phishing emails faking missed packages, tax bills, and account recovery remain more numerous and successful. Telstra Cyber Security has observed those attacks snagging tens of thousands of victims from government, enterprise, and small businesses, and across all sectors and countries.

Anyone who fills out their logins on the malicious page should immediately alert their cyber security or IT teams, and change their Office passwords.

Multi-factor (or two-factor) authentication should also be enabled wherever possible. This defence requires a code, often generated in an app or sent via email, to be entered along with the usual username and password.

Consumers can use multi-factor authentication for Microsoft and Google products, along with all major social media sites. A comprehensive list can be found here.


How to identify, avoid and recover from a phishing attack

By Smarter Business January 16, 2020

Getting snagged by a phishing scam is never pleasant. It usually involves a cybercriminal using emails, texts, social media or phone calls to lure someone into handing over sensitive information. And as we become more and more dependent on technology and digital alerts, this scam grows bolder. Thankfully, there are ways to identify, avoid and recover from a phishing attack if it happens to you.

Cyber attacks in Australia are more common and pervasive than ever before. The Telstra Security Report 2019 reported that 65% of Australian businesses have been affected by some kind of cyber security breach. What’s more shocking is that close to 90% of them went undetected.

At the heart of Australia’s cyber security problem is phishing (pronounced ‘fishing’): frauds devised to steal confidential information – such as passwords, credit card details and banking details – from unsuspecting recipients. In 2018, the Australian Competition and Consumer Commission (ACCC) received over 24,000 reports of phishing. And the numbers are getting worse. In 2016, around $370,000 was lost to phishing scams in Australia, while in the first nine months of 2019, that number exceeded $1 million.

Be aware of the bait

You’re probably familiar with classic 419 ‘Nigerian Prince’ scams – emails with fanciful promises to get you rich quick if you just help transfer some money. Amazingly, this hustle is still working long after it first appeared: in Australia in 2018, close to $1.4 million was stolen through this type of scam. For the most part, though, these are fairly easy to sniff out if you know to be wary of anyone pleading for help in exchange for some kind of financial reward.

Phishing, on the other hand, is far harder to detect. According to the Australian Cyber Security Centre (ACSC), the poorly written, unofficial-looking phishing scams that first appeared in Australia in 2003 are a thing of the past. Today, these scams are far more sophisticated. They come in the form of emails, text messages and even social media direct messages that masquerade as correspondence from legitimate organisations or institutions, like banks or government departments, and request personal information or prompt you to click on a pernicious link.

Phishing scams are designed to look legitimate, and predominantly go after people via phone (in 2018, 41.2% of phishing scams were phone-based), email (29%) and SMS (24.6%).

5 common phishing scams

  • Spear phishing: individualised messages from a seemingly trustworthy sender, such as a bank or employer, and usually targeted at employees in an organisation
  • Whaling: targeted spear phishing, where a senior person in an organisation is phished by a cybercriminal masquerading as someone trusted, like a colleague
  • Pop-up phishing: deceptive pop-up ads that contain malware
  • Clone phishing: messages that closely resemble previously received legitimate ones – for instance, a phisher might send a fake promotional email from a brand to a known customer of that brand
  • Voice phishing: also known as ‘vishing’, where a phisher will attempt to solicit sensitive information over the phone

Identify, avoid and recover

Fortunately, while phishing scams can be well disguised, there are red flags you can watch out for. Grammar errors, misspelt names and incorrect facts are common giveaways. You might receive an email from ‘’; a strange ‘competition winner’ alert SMS from JB Hi-Fi, when you haven’t entered a competition; or a cold call from a foreign or private number.

An organisation or institution will generally never ask a customer to share sensitive information through unsolicited correspondence. So as a rule, never give out personal details unless you are 100 per cent sure you know who you’re dealing with – in other words, you called them or have verified their identity. Likewise, never click on a link or open an attachment from an unsolicited message unless you are confident it’s legitimate – for example, you know you’ve safely received correspondence from this brand or person in the past.

According to ACSC, the best way to prevent phishing scams in the workplace is to “educate employees at all levels”. This includes instructing people to not click on links or open attachments on their work phone or computer, or through their work email, that have come from unknown parties.

If you’re unclear about how legitimate an email, text or phone call is, play it safe and simply delete or ignore it. You can always offer to call the institution back – after a thorough vetting.

If you have become the victim of a phishing scam, it’s important to act quickly. Change any compromised passwords across all your accounts, contact relevant parties (like your bank), and report the incident to the ACCC or ACSC.

Further protection tips

Do you know how secure your digital workspace is? Take our cyber-security quiz to see where you stand.

Looking to secure your digital workspace? Check out our range of business security apps.


Stay savvy to scams over the New Year break

By Luke Hopewell December 27, 2019

It’s the end of the year. You’ve got your feet up. Your out-of-office is on and so is the cricket. But just because you’re taking a bit of time to relax and recharge doesn’t mean scammers are doing the same.

Scammers often take advantage of our “holiday-mode”: the time of year when our guard is most likely down. That’s when they can slip in under the radar and do real damage.

They like to take control of your accounts – including bank, phone, email and social media – at a time when you’re less likely to notice something’s out of the ordinary. They can slip in through a link in an innocuous-looking social media post, or socially engineer you based on the information you’ve posted online about your identity.

First and foremost, before you put your feet up, you should enable basic safeguards to defend yourself such as two-factor authentication. This helps protect your accounts by implementing a second-layer of authentication – such as a temporary access code generated by a secure app or delivered via SMS – before a login is authorised.

Anyone is susceptible to a scam, not just someone who you might perceive as a “larger target”. If you’ve got dollars and cents in your accounts and personal data that can be on-sold, you’re a target! From businesses to kids and everyone in-between, scammers are looking to nab as much data on you as they can.

To keep yourself safe online over the break, we recommend reading our advice from this year’s Scam Awareness Week to keep yourself safe.

In the meantime, always follow our checklist for spotting scams:

  • Listen to your gut. If you encounter something unsolicited, unexpected, too good to be true, or coercive – or anything that asks for personal or financial information – hang up and call the organisation on its official number, or search online for any background information on the sender or offer.
  • Beware of unsolicited requests for sensitive information – don’t give this information up on calls and don’t open attachments or click on embedded links in emails or sites you don’t know or trust.
  • Be wary of unsolicited calls that contain a threat, like a fine or disconnection of internet service, and also feature:
      • Pressure to hand over financial or personal information.
      • A demand for immediate payment, generally through unusual methods like gift card vouchers (iTunes, Google Play, Netflix or Steam, for example), wire transfer, or Bitcoin.
      • A request for remote access to your computer to ‘fix a problem’.

For more information, visit the Federal Government’s Scam Watch page to learn about and report scams.


A solution to reduce scam calls across Australia

By Michael Ackland September 16, 2019

Getting suspicious calls on your mobile from faraway countries or long-lost relations is nothing new – everyone is aware of phone scams. We believe there’s more that our industry can do to reduce the number of scam calls in Australia, and we know that a fix is well overdue.

Scam calls are frustrating, particularly to those who may fall prey to one or more of the scams currently in circulation. What might just seem like an annoying phone call for you can turn into money for scammers, too – whether it is through convincing you to share personal information that can then be used for fraud, or by engineering a call to a premium number that charges high rates.

A technology and industry solution

There are some things that telcos can do to reduce the number of scam calls that reach our customers. We don’t let our customers in Australia use fake numbers, for example, which makes it very difficult for scammers to operate from Australia. We also block calls using numbers that are known to be used for scam calling. As an example of how prevalent scams are – we block millions of scam calls from reaching our customers each month.

We are also working hard with other carriers, and liaising closely with the ACMA and the ACCC, to better identify the sources of scam calls that still get through and then take appropriate action to disrupt and prevent those sources from scamming in future.

However, we cannot fix this on our own. We need all telcos, big and small, to work together to help identify the source of scams to resolve this situation and make Australia safer for everyone.

We are calling on all telcos to help our industry stop scam calls reaching our customers and proposing ways we can work together to fight this issue. If we can get this fixed, we’ll be able to significantly reduce the more than $500m Australians are expected to lose to scams this year.

Education to assist our customers


Until we have reached a consensus and implemented a solution, our customers can take steps to protect themselves in the interim. Everyone should understand how scams work so that they can understand when to hang up and not to call back.

There are three main phone scams currently popular around the world.

Getting you to call them back: Here, the scammer will call your mobile phone, making it look like the call has come from another country. Often the phone rings once or twice and then hangs up. In this scenario, particularly prevalent at the moment, if you do call the number back you’ll be placed on hold or played a recording. What you don’t know is that you’re calling a premium number which costs you a lot of money – and the profits go directly to the scammers.

Getting your details: These scams are simply about trying to get access to your personal details. Scammers might call and claim to be from a major company (like Telstra) or government department (like the ATO) seeking to provide you with information. Before they can do that, they’ll ask you to complete an identity verification process by providing your personal information. They’ll use this information to try and access your bank account or online services to steal your money.

Variations of this scam include calls saying your computer has a virus and asking you to provide access so they can remove it. The scammer will then download your personal data or implant a virus that will collect data they can use at a later date to access your money or identity.

Getting you to pay for services: These scams are about convincing you that you owe a company money and that you must pay immediately. Often, the scammer will claim to be from a major utility or telecommunication company – scammers know the chances are high that you’ll get a call relating to a company where you have some services. Callers often talk in an aggressive manner or with a sense of urgency, or they may threaten to cut off your services, so you panic and pay immediately.

We know that education is only part of the battle because it is often our most vulnerable customers who are preyed upon by scammers. That’s why, in addition to operating our misuse of service and cyber scam reporting services, we’re calling on all of Australia’s telecommunications industry and its partner organisations to work together to find an effective technology solution to scam calls.

The opportunity for all telcos here is to set the bar high for what we do with our customers to make sure we never miss a heartbeat and no customer ever gets left behind.


Patch or pay: super-critical Windows RDP flaw fixed

By Darren Pauli May 22, 2019

Organisations should urgently apply a Windows update released by Microsoft last week, which fixes a severe vulnerability that hackers are actively attempting to attack.

The flaw (CVE-2019-0708) exists in Windows’ Remote Desktop Protocol (RDP), and can allow criminals to perform a variety of attacks such as installing malware and stealing data.

You may have enabled RDP to allow functions like logging in to the office from home. If the service is active, attackers can send a special packet that grants them remote code execution.

Researchers say there are some three million RDP services exposed to the internet – each of which is at heightened risk of compromise.

The vulnerability is also wormable, a term given to attacks that spread from victim to victim without user interaction, such as the WannaCry ransomware or NotPetya wiper malware of 2017.

Professional security researchers and hackers of ill intent are actively researching ways to exploit this vulnerability. Attacks have not surfaced as of the time of writing, but it is likely they will over coming days and weeks. Criminals are showing active interest in this flaw.

Microsoft releasing a patch for its long-since unsupported Windows XP operating system speaks to the severity of this vulnerability.

Our cybersecurity team at Telstra has worked hard to ensure our systems and those of our managed customers are patched.

We urge everyone in the community to prioritise this patch so that their data, and that of their customers, will remain protected.