With millions of Australians now working from home to maintain social isolation, a QUT expert is warning employees and employers to ensure they exercise the highest level of ‘cyber hygiene’.
“Working remotely to access corporate systems is the new normal,” said Dr Leonie Simpson, a cyber security specialist with QUT’s School of Computer Science.
- Check before you click
- Keep a hardcopy list of important phone numbers, including the IT helpdesk
- Be security/privacy aware with video conferencing, including what your background reveals
- Never give out personal information like passwords, banking details etc
- Never open a link or file from an unknown source
“This has all happened very quickly and many of us are using software and systems that we are unfamiliar with. We are receiving more email and requests for teleconferences. And we may be working in a space shared with kids and/or housemates, and the accompanying distractions.
“All of these factors present a perfect opportunity for scammers and cyber criminals to gain access to our digital assets, and one of the biggest threats we face when working from home is phishing.
“Phishers use email, phone or text messages. They impersonate legitimate organisations – health services, government agencies, law enforcement agencies, your workplace – seeking confirmation of information like work log in details, bank account or credit card numbers and passwords.
“According to the ACCC’s Scamwatch, phishing cost Australians more than $1.5M in 2019 and that figure is set to rise significantly as we navigate the new world of the COVID-19 workplace.
“We can see a big increase between the number of phishing scams reported in February 2020 compared to the February 2019 figures, and I expect March 2020 will continue this trend.”
Dr Simpson said the scammers behind phishing could be extremely convincing.
“We are all taking the time to wash our hands thoroughly, to help prevent the spread of the virus. When it comes to our work habits, taking the time for cyber hygiene is also important,” she said.
“When you receive messages asking for information, take twenty seconds to look at the message and think about the action it is asking you to perform.
“Who does the message claim to be from? Is the sender’s email address correct (although these can be spoofed)? Would that person ordinarily make such a request? If it seems unusual, check before you click. Contact the supposed sender (not by reply email, which will go straight to the scammers) using contact details you’re sure are legitimate and ask them if they made the request.
“Do not click on any links or open any attachments if you are uncertain. These are common ways cybercriminals use to install malware, including ransomware, onto your device. If you receive an email that seems even a little bit odd, alert your IT support team.”
Dr Simpson said that with more shopping being done online, emails with attachments related to invoices or supposed failed delivery attempts are also common scammer tactics.
“Security concerns have also recently been raised about the use of video conferencing, as face-to-face meetings and seminars are replace with Zoom or Skype meetings,” she said.
“Check the meeting security settings - limit who can join in and stop anyone but the host from screen-sharing, to avoid some of the issues, such as Zoombombing. Avoid sharing links to the meeting through social media and do not share any confidential information this way.
“It is also useful to think about your own personal security and privacy, when you’re participating in virtual meetings. What is your background giving away about where you are working, and whether you are alone or not? Many companies provide a standard background for employees to use as a virtual backdrop, but you can also set these within the videoconferencing app or online.”
Dr Simpson said if you do click on a link in an email and go to a website that does not look quite right, or if you do respond to a phisher and provide details, make sure you have the contact details for the workplace IT Security team, so you can contact them and let them know about the breach.
“If you are the victim of a ransomware infection, you may not be able to use your device to access your workplace directory. Keep a hardcopy list of important phone numbers, including your manager’s number, the IT helpdesk and the IT Security notification number,” she said.
Media contact:
Amanda Weaver, QUT Media, 07 3138 3151, amanda.weaver@qut.edu.au
After hours: Rose Trapnell, 0407 585 901, media@qut.edu.au
