Online scams have become a lot more sophisticated since we first started browsing the world wide web. And they go well beyond the domain of rich Nigerian princes. Internet deception today is much more cunning and convincing. Modern-day scammers also set their sights on specific industries – and Australian councils are now well and truly on their target list.
The good, the bad – and the really bad
Let’s start with the bad news: we’ve seen a dramatic increase in claims that fall under the Crime Scheme, and our sister insurance mutual in South Australia has reported the same.
The scams being reported mostly fall under two categories – ‘social engineering’ and ransomware attacks.
The really bad news? Councils are being fooled. And they’re losing substantial amounts of money at the hands of these online con-artists.
While we can help councils claim back their financial losses, these scams can also ruin reputations. And there are often grey areas around who’s at fault, which can make compensation difficult.
But thankfully, there’s good news too: we’re here to help.
Although it can be tricky to identify when you’re being targeted, it is possible to prevent an attack on your council. And it all starts with arming yourself with the facts.
Social engineering scams explained
Several councils have fallen victim to social engineering scams. So, what does this phrase mean?
You might think it sounds like something a Nonna would do to find her single granddaughter a nice Italian boy. But in the context of information security? It’s a lot more sinister.
According to Google Dictionary, social engineering is ‘deception to manipulate individuals into divulging confidential or personal information that may be used for fraudulent purposes’.
Most social engineering scams we see involve emails being sent to council staff that appear to be from someone they know and trust (such as a colleague, vendor or client). Staff members are typically asked to update their bank details and, not realising anything is amiss, they comply.
A true story: online scammer poses as a council employee
A rural council received an email from an employee (well, someone they thought was their employee) asking for their bank details to be changed.
The council sent a change of details form, received it back from the ‘employee’ – and updated the details accordingly.
You’ve probably guessed where this story is heading…
Lo and behold, a few weeks later the council’s actual employee contacted payroll asking why they hadn’t been paid. That’s when the council discovered the initial request was bogus.
Ransomware attacks explained
As you may have already guessed from the word ‘ransom’, this type of scheme holds its victims hostage.
Ransomware uses software to attack your computer system. It could delete files, take over your most used computer program – or destabilise your entire network.
And here’s where the ransom part comes in: the attacker usually demands a payment to release the system or return the files or documents that have been deleted.
A true story: ransomware shuts down a large council for days
A large inner-city council was targeted with a high-impact ransomware attack – which led to a near-total IT shutdown for several days.
Staff could not connect to the server. They had limited or no access to IP phones. And many were unable to use technology at all.
But most alarmingly, the council’s IT provider had maximum network security in place. Yet, due to the targeted nature of the attack, the council was not protected from this ruthless takeover.
Can you imagine the impact this would have on your workplace? What about the flow-on effect to your ratepayers?
The red flags in a scammer’s email
As these stories show, when it comes to online fraud, things aren’t always what they seem. However, there are some tell-tale signs to look out for. Questions to ask yourself include:
- Does the email address look legit? Check the spelling and email domain. Commbank@gmail.com isn’t likely to be your bank provider sending you an update.
- Is it addressed to you? Be cautious of emails that start with ‘Dear Sir/Ma’am’ or other generic salutations.
- Can you contact the sender? Look at the email signature and check for a name and contact number. If they don’t want you to reach them, it’s not a good sign.
- Is it written professionally? Check for spelling and grammatical errors.
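The four questions above can be turned into an automated first-pass check that runs over each inbound message before a human looks at it. The script below is an added example written for this page, not a tool from the mutual or any council; the trusted domains, sender names, phone number and both sample emails are constructed for illustration. It flags a brand name on a free webmail domain or a look-alike domain, a generic salutation, a missing contact number, and an urgent request involving bank details (the pattern in the payroll story above). It cannot judge spelling and grammar, so that question stays with the reader.

```python
"""Heuristic red-flag scan for inbound email, mirroring the checklist above.

Added example (not the page's own code). Domains, names and sample messages
are constructed for illustration only.
"""
import re
from email import message_from_string
from email.utils import parseaddr

# Assumed: the organisations this council legitimately corresponds with.
TRUSTED_DOMAINS = {"commbank.com.au", "examplecouncil.nsw.gov.au"}
FREEMAIL_DOMAINS = {"gmail.com", "outlook.com", "hotmail.com", "yahoo.com"}
GENERIC_SALUTATIONS = ("dear sir", "dear madam", "dear customer", "dear user",
                       "to whom it may concern")
URGENCY_PHRASES = ("urgent", "immediately", "as soon as possible", "asap",
                   "within 24 hours")
BANK_PHRASES = ("bank details", "account details", "bsb", "account number",
                "payment details")
# Loose match for Australian-style numbers such as (02) 5550 1234 or 0412 345 678.
PHONE_RE = re.compile(r"(?<!\d)(?:\+61|\(0\d\)|0\d)[\d\s-]{7,12}\d")


def domain_of(addr: str) -> str:
    """Return the lower-cased domain part of an address, or '' if malformed."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def red_flags(raw_email: str) -> list[str]:
    """Return a list of red flags found in one raw (RFC 822 style) email.

    An empty list means none of the checklist heuristics fired; it does not
    prove the message is genuine, so the phone-call verification still applies.
    """
    msg = message_from_string(raw_email)
    display_name, addr = parseaddr(msg.get("From", ""))
    domain = domain_of(addr)
    body = msg.get_payload() if not msg.is_multipart() else ""
    text = body.lower()
    flags = []

    # 1. Does the email address look legit? A trusted brand name on free
    #    webmail, or a domain that merely resembles a trusted one.
    brands = {d.split(".")[0] for d in TRUSTED_DOMAINS}      # e.g. "commbank"
    local_part = addr.split("@", 1)[0].lower()
    mentions_brand = any(b in display_name.lower() or b in local_part for b in brands)
    if domain in FREEMAIL_DOMAINS and mentions_brand:
        flags.append(f"sender claims a trusted organisation but uses free webmail ({domain})")
    elif domain and domain not in TRUSTED_DOMAINS and any(b in domain for b in brands):
        flags.append(f"look-alike domain ({domain}) is not a trusted domain")

    # 2. Is it addressed to you? Check the first non-blank line of the body.
    first_line = next((ln.strip().lower() for ln in body.splitlines() if ln.strip()), "")
    if first_line.startswith(GENERIC_SALUTATIONS):
        flags.append(f"generic salutation: {first_line!r}")

    # 3. Can you contact the sender? Look for a phone number in the body/signature.
    if not PHONE_RE.search(body):
        flags.append("no contact number in the message or signature")

    # 4. Urgency combined with a bank/payment detail request.
    if any(p in text for p in BANK_PHRASES) and any(u in text for u in URGENCY_PHRASES):
        flags.append("urgent request involving bank or payment details")
    return flags


# Constructed sample messages (not real correspondence).
SCAM_EMAIL = """\
From: Payroll Update <commbank.payroll@gmail.com>
To: payroll@examplecouncil.nsw.gov.au
Subject: Urgent: update my bank details

Dear Sir/Madam,

Please update my bank details immediately so this week's pay goes to my new account.
BSB 000-000, account 12345678. Thanks.
"""

LEGIT_EMAIL = """\
From: Jane Citizen <jane.citizen@examplecouncil.nsw.gov.au>
To: payroll@examplecouncil.nsw.gov.au
Subject: Leave form attached

Hi Sam,

Attached is my leave form for next month, no rush on this one.

Jane Citizen
Finance Officer, Example Council
Ph: (02) 5550 1234
"""

if __name__ == "__main__":
    for label, sample in (("scam", SCAM_EMAIL), ("legit", LEGIT_EMAIL)):
        print(label, red_flags(sample) or "no red flags")
```

In practice a script like this belongs at the mail gateway or in a ticketing workflow, where a non-empty result routes the message for the phone-call verification described below rather than blocking it outright; the heuristics are deliberately simple and will miss a well-crafted message, which is why they support, rather than replace, the human checks.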
How to reduce your risk
If you have any doubts about an email you’ve received, verify its legitimacy by doing the following:
- Pick up the phone: Call the sender and ask if they sent you the email. And don’t call any number listed in the email. Instead, use the one on the organisation’s website.
- Take it slow: Perpetrators count on their targets acting quickly. If the request conveys a sense of urgency, be suspicious. And take all necessary steps to verify the request – even if it takes time. Do your research before clicking on a link or downloading a file.
- Review your IT security: Seek expert advice to ensure you are fully protected against targeted attacks.
In summary, be sceptical. If it looks like a fish and smells like a fish, chances are things are a bit fishy.
Fact checking and diligence are your best friends when it comes to not falling victim to these online scams.