Cryptodef, Cryptowall, Waltrix, Zeus, Matsnu. No, they are not cartoon characters; rather, they are the supervillains of malware and ransomware, the tricky characters that infect digital devices.
Australia is at the forefront of digital attacks. In 2016, it was the main target for malware attacks in the Asia Pacific region, most likely due to its economic growth and high adoption of technology. Indeed, last year there were 606 million online banking transactions with just one of Australia’s big four banks, 15,000,000 active Australian Facebook users, and over 85% of all Australians used the internet. It seems there is no escaping the digital creep in all aspects of our lives.
Even official records are increasingly online. Since 2009, Medicare shopfronts have been significantly reduced amid a coordinated drive to move activity online. There was an equally aggressive push to have Australians complete the 2016 Census online. This push resulted in one of the most high-profile cases of an Australian cyber-attack. On the night of the 2016 Census, a distributed denial of service (DDoS) attack caused a 40-hour outage of the Census website, creating chaos and triggering a Preliminary Inquiry.
Attacks aren’t limited to large corporate and government databases. On May 13 2017, an attack originating in Russia quickly spread around the world infecting at least 75,000 computers in 99 countries. Several weeks later another attack spread, infecting another laundry list of individuals and companies, including the Cadbury factory in Tasmania which – horrifyingly – halted the production of chocolate.
So what is it that is attacking us?
Malware targeting individuals and corporations is a booming industry and email phishing continues to be the most popular delivery method for cyber-attacks. Phishing is the use of email or malicious websites (clicking on a link for example) to collect personal and financial information or infect your machine with malware and viruses.
The second most popular delivery method for cyber-attacks is known as an exploit kit. A typical exploit kit provides criminals with a user-friendly interface to deliver malicious software. They are primarily used for ‘drive-by’ downloads where a user is unknowingly redirected to a malicious website from a legitimate, but vulnerable, website.
So if you can’t trust your emails and you can’t trust legitimate websites, then how can you continue to trust a world so dependent on technological evolution to ensure our personal and financial details are secure?
Avoid being a victim
The US Department of Homeland Security is currently running a public awareness campaign aimed at increasing understanding of cyber threats and empowering the public to be safe and secure online. According to their partner, Cyber Security Alliance, there are a number of simple steps that can help to generally protect you online and to specifically shield you from malware and phishing attacks.
General safety tips
- When in doubt, throw it out: Links in email, tweets, posts and online advertising are often how cybercriminals try to compromise your information. If it looks suspicious, even if you know the source, it’s best to delete or, if appropriate, mark it as junk.
- Think before you act: Be wary of communications that implore you to act immediately, present an offer that sounds too good to be true or ask for personal information.
- Make your password a sentence: A strong password is a sentence that is at least 12 characters long. Focus on positive sentences or phrases that you like to think about and are easy to remember (for example, “I love country music.”). On many sites, you can even use spaces!
- Unique account, unique password: Having separate passwords for every account helps to thwart cybercriminals. At a minimum, separate your work and personal accounts and make sure that your critical accounts have the strongest passwords.
- Lock down your login: Fortify your online accounts by enabling the strongest authentication tools available, such as biometrics, security keys or a unique one-time code through an app on your mobile device. Your usernames and passwords are not enough to protect key accounts like email, banking and social media.
- Use your own devices: Avoid accessing your personal or bank accounts from a public computer or kiosk, such as the public library. Don’t reveal personally identifiable information such as your bank account number, social security number or date of birth to unknown sources.
- Pay attention to web addresses: When paying a bill online or making an online donation, be sure that you type the website URL into your browser instead of clicking on a link or cutting and pasting it from the email.
- Stay in the secure zone: Make sure website addresses start with “https”; the “s” stands for secure.
- Keep clean machines: Prevent infections by updating critical software as soon as patches or new operating system versions are available. This includes mobile and other internet-connected devices.
- Conduct regular backups of systems: Systems can be restored after a ransomware attack, and having a current backup of all data speeds up the recovery process.
- The same rules apply on social networks: Phishing and other scams aren’t limited to email. They’re also prevalent on social networking sites. So, when in doubt, throw it out. This rule applies to links within online ads, status updates, tweets and other posts.
- Don’t reveal personal or financial information in an email and do not respond to email solicitations for this information.
- Pay attention to the website’s URL, even when typing it yourself. Malicious websites may look identical to a legitimate site, but the URL may use a variation in spelling or a different domain (e.g., .com versus .net – and the notorious www.faceboook.com).
- Don’t just trust, check: If you are unsure whether an email request is legitimate, try to verify it by contacting the company directly. Contact the company using information provided on an account statement, rather than information provided in an email.
Protection is a job for all of us.
Protecting Australians online is not just a job for individuals. The Australian Government is making moves to address the country’s cyber security record at an organisational level, introducing The Privacy Amendment (Notifiable Data Breaches) Act 2017 (Cth) amending the Privacy Act 1988 (Cth) (Privacy Act) to introduce mandatory “eligible data breach” notification provisions for entities regulated by the Privacy Act.
An eligible data breach happens if there is unauthorised access or disclosure of information held by an entity; or if information is lost and there is likely to be unauthorised access or disclosure. Furthermore, a reasonable person must conclude that disclosure would likely result in serious harm.
This legislation is designed to ensure that cyber security becomes a priority for any organisation handling personal data.
Trilogy Funds takes investors’ privacy seriously. The Investor Relations team occasionally receive phone calls requesting personal information be sent to postal or email addresses different to those we have on our system. In these instances, we must first receive a Change of Details form in order for us to comply with our privacy obligations and to protect your data.